The UK’s data protection watchdog is to audit a University of Cambridge research centre that became linked to the Cambridge Analytica scandal, and it has called for a broader review of academics’ use of personal data.
The moves came as the Information Commissioner’s Office announced that it plans to fine Facebook the maximum £500,000 over lack of transparency and security issues relating to the harvesting of data. The data of an estimated 87 million users of the social network was harvested in an app created by a Cambridge researcher, Aleksandr Kogan.
These data were shared with SCL Elections, the parent company of Cambridge Analytica, and an ICO report says that it is believed that this information was combined with other datasets to target voters in the 2016 US presidential election and, potentially, the UK’s Brexit referendum.
The ICO says that it is still investigating whether Dr Kogan, who has so far refused requests for an interview from the watchdog, has committed a criminal offence.
Times Higher Education has reported how the method used by Dr Kogan – using individuals’ Facebook likes to deduce their personality type – was originally developed by academics at Cambridge’s Psychometrics Centre, among them Michal Kosinski, who is now at Stanford University.
Dr Kogan’s app was “modelled” on the work of the centre. He says that it was originally intended for his academic research, but he was then introduced by a colleague to SCL Elections and subsequently repurposed the app for the use of his commercial venture, Global Science Research.
“The degree to which this was done alongside or separate to his academic work at Cambridge University forms part of our investigation,” the ICO says. The watchdog says that it has evidence that Dr Kogan was already in contact with SCL Elections when he contacted Facebook using his Cambridge credentials.
The ICO says that it is “clear that there is room for improvement in how higher education institutions overall handle data in the context of academic research”. “The portability of datasets, crossover in roles, sharing of premises and common use of students and postgraduates all serve to create a very complex picture for data protection,” the report says.
The ICO is considering whether Cambridge “more broadly has sufficient systems and processes in place to ensure that data collected by academics for research is appropriately safeguarded in its use and not re-used for commercial work”.
In the course of its investigation, the ICO has received a report of a breach in the security of Cambridge’s Psychometrics Centre and one of its apps, and it has launched a separate probe into this.
As a result, the ICO says that it will audit the centre for compliance with the Data Protection Act.
The watchdog also recommends that Universities UK work with the ICO to “consider the risks arising from use of personal data by academics in a university research capacity and where they work with their own private companies or other third parties”. UUK has committed to this work and will convene a working group “to consider the wider privacy and ethical implications of using social media data in research, both within universities and in a private capacity”, the report says.
In relation to its investigations that a company, Eldon Insurance Services, shared customer data obtained for insurance purposes with the pro-Brexit Leave.EU campaign, and that these data were “then used for political campaign purposes” during the European Union referendum campaign, the ICO says that it is “investigating allegations that insurance customer data was sent to the USA and in particular to the University of Mississippi, and whether that was a contravention” of data protection laws.
“We are in contact with the university and this line of enquiry is ongoing,” the ICO says.
A Cambridge spokesman said: "We will continue to cooperate fully with the commissioner and will work with Universities UK as it explores the issues within the higher education sector around the emerging field of research using social media data."
A UUK spokeswoman said: “Today’s report highlights a number of important privacy and ethical concerns around the use of personal data by academics within and outside of universities. We will be working closely with the Information Commissioner’s Office to fully consider these and whether current guidance for academics needs to be strengthened.”