Data brokers face security probe in Govt consultation

The Government has launched a major consultation on the UK data broking industry as part of a “call for views” to gauge the potential security risks the sector faces from “hostile actors” such as cyber criminals.

Led by the Department for Science, Innovation & Technology (DSIT), the move is designed to ensure that new and existing technologies are safely developed and deployed across the UK, amid claims that the benefits of this should be widely shared, “kick-starting economic growth that is underpinned by secure digital activity”.

For the purposes of this call for views, DSIT refers to any organisation conducting data broking as a data broker, and considers it in scope to respond.

DSIT also welcomes views from organisations that engage in data broking but may not ordinarily describe themselves as a data broker. For example, a supermarket that sells customer data to a third party is engaging in data broking but would not ordinarily be described as a data broker, as data broking is not the primary product or service they offer.

DSIT considers data brokers to be distinct entities from data intermediaries. Data intermediaries have a direct relationship with data subjects as they are engaged by them specifically, for the purpose of sharing their data, with their own terms, for their benefit.

This is distinct from data broking where data is sourced from consumers with which they have a direct relationship. DSIT does not consider data intermediaries to be in scope of this call for views.

The Government is interested in how data brokers protect and secure data beyond what is already required by UK legislation.

While it says it recognises that data brokers are already in scope of a range of security and privacy legislation, such as UK GDPR, the Data Protection Act 2018 and the Privacy & Electronic Communications Regulations (PECR), these exist in a privacy context and are designed to protect individuals’ personal data rights.

They were not designed to mitigate potential national security risks, and, as UK GDPR applies to personal data, not all types of UK data fall within scope of this legislation.

The Government is considering what tools, beyond existing legislation, may be appropriate to strengthen the UK against emerging data-related national security risks. To do this, DSIT is seeking to understand what other international legislation UK data brokers comply with, and what processes, practices or policies the UK data broker industry, or individual organisations, have in place to ensure data is only accessed by trusted “actors” and used for the legitimate purposes for which it is sold or otherwise made available.

The “call for views” concludes: “The data broker industry is a complex ecosystem, and there is a lack of publicly available information profiling the industry’s customers and main beneficiaries. Therefore, the Government would like to learn more about the customers buying UK data. This is to better understand who is benefiting from the UK data broking industry and how commercially available data is being used.”

Interested parties have until May 12 to respond.
