Sergey Nivens - Fotolia

Singapore and UK researchers investigate privacy in big data era

Academic organisations in Singapore and the UK collaborate on the privacy questions raised by big data and the cloud

Researchers in Singapore and the UK are working together to explore challenges posed by threats to cyber security and privacy in the cloud.

A proposal has been submitted for a joint big data project between Singapore and UK industries and government agencies to collaborate on privacy-preserving data analytics. This has applications for healthcare, homeland security and genomic data. If approved, the project will commence in 2016.

Muttukrishnan Rajarajan, professor of security engineering and lead of the Information Security Group at City University London, said a cross-border partnership and multi-disciplinary approach is needed. Technologies, researchers and academics with backgrounds that range from social sciences, computer science, engineering and mathematics need to collaborate to counter these challenges, he said. 

Despite the obvious benefits, there are significant privacy and security issues surrounding big data analytics and the cloud.  

“Big data provides immense benefits ranging from innovative business models to new ways of treating deadly diseases,” said Rajarajan.

“However, challenges to privacy arise because technologies collect a lot of data from embedded sensors available in devices and analyse them so efficiently that it is possible to infer new knowledge without the user being aware of it.”

Rajarajan said existing privacy-preserving techniques do not provide the necessary data controls to safeguard the individual’s privacy.

While large organisations have the financial resources to invest in powerful private computers and servers to process data, the reality is most companies lack such capabilities and need infrastructure such as the cloud to process big data, said Lu Rongxing, assistant professor, School of Electrical and Electronic Engineering at Nanyang Technological University in Singapore.

Technology to anonymise data may work well for plain text, but it is not sufficient to de-personalise data that comes in a variety of formats.

“If the data is not authentic, newly mined knowledge will be unconvincing; while if privacy is not well addressed, people may be reluctant to share their data,” said Lu.

The team at Nanyang Technological University has been working on efficient and privacy-preserving computing for big data.

Rajarajan gave an example of a challenge that privacy-preserving data analytics can help resolve. He said it could pick up suspicious discussions about fluctuating trading prices among traders without knowing the identity of the individuals involved in these discussions. Then the bank could be alerted to take action.

What is personal data?

An example of multi-disciplinary collaboration was the International Workshop on Cloud and Big Data Security, sponsored by the US Office of Naval Research, UK Engineering and Physical Sciences Research Council, Nanyang Technological University and City University London.

The workshop took place in September 2015 at Nanyang Technological University, with participants from Asia, Europe and the US.

The speakers represented many disciplines and countries, mirroring the multi-disciplinary approach Rajarajan said is needed to solve the challenges thrown up by big data analytics and the cloud.

This includes understanding what constitutes personal data, said Alison Knight, senior researcher at the Law School of the University of Southampton.

Data that is not personal data may be processed in the cloud free of data protection law requirements. However, the question is whether commonly encountered data in the cloud is personal data. This includes fragmented data, as well as data that has been through an anonymisation process prior to its use in the cloud, such as key-coded or pseudonymised data, as well as encrypted data.

Another challenge for cloud organisations and customers is that it is very hard to guarantee data that has been through an anonymisation process is sufficiently de-personalised to ensure its processing would not attract legal obligations under data protection law. This is because there is always the residual risk of re-identification of the subjects from data where it is analysed in combination with other information that may be available.

Other challenges include determining which laws apply to data processed in the cloud, which partly depends on determining the location of personal data processing and its storage and deciding who is responsible for personal data in the cloud.

“Addressing privacy issues in cloud computing is not a straightforward issue and legal rules change over time worldwide,” said Knight.

“Now, policymakers are pushing for major change – fast-tracking concepts of fairness of personal data processing, placing more emphasis on organisation accountability and driving increased awareness and enforcement of data protection.”

Individuals not protected by Singapore PDPA

Europe is regarded as having the pre-eminent data privacy legal model, while countries in the Asia-Pacific are grappling with data privacy issues, having recently seen the most rapid development in privacy laws.

Even though Singapore has enacted its data privacy regulations with the Singapore Personal Data Protection Act 2012 (PDPA), which became effective as of 2 July 2014, it remains to be seen if it will be strongly enforced, said Knight.

The data privacy rules in Singapore and the Asia-Pacific are generally less stringent than European Union (EU) standards. Singapore’s PDPA does not link data protection with a fundamental right to privacy, as the laws in the EU do. Singapore has made it clear the PDPA applies to businesses, not private individuals.

The UK’s Data Protection Act has forged ahead in some areas, said Rajarajan. For instance, it has differentiated between different variants of personal data – so-called personally identifiable information (PII) – to encompass any data from which an individual can be identified.

The UK is also working on big data analytics by bringing different languages together to enable data mining on multiple languages, suitable for the government in terms of intelligence and defence. This technology could be highly relevant for a multi-lingual society such as Singapore, said Rajarajan.

In the area of data privacy, the UK has set up 14 controls or principles for data protection in the cloud.  

“Anyone who wants to be a cloud provider in the UK has to comply with these controls from UK government,” said Rajarajan.

However, it is not all one way, with Rajarajan saying Singapore has made some new ground. For example, consent is required before organisations can process personal data and it is mandatory for every organisation that collects personal data to have a data protection officer, but this is not yet the case in Europe.

Read more about privacy in the cloud

  • Big data can improve decision making, reduce time to market and increase profits, but it can also raise privacy and compliance concerns.
  • Businesses that overlook privacy in the age of big data do so at their own peril.
  • When Facebook bought online messaging service WhatsApp, it raised some unexpected concerns about big data and privacy.

Read more on Privacy and data protection