Cambridge University’s Psychometrics Centre will become one of the first British organisations to be audited by the Information Commissioner’s Office following the introduction of GDPR.
The ICO unveiled plans on Wednesday (11 July 2018) for a consensual audit of the centre in the wake of revelations about its role in the Facebook privacy scandal.
The Psychometrics Centre came under the spotlight earlier this year after it was revealed that Dr Aleksandr Kogan, a researcher in a different department, had developed an app modelled on work at the centre, to harvest up to 87 million Facebook users’ data before allegedly passing it on to the political consultancy Cambridge Analytica.
It was thrust into the limelight again in May when the New Scientist published an investigation claiming researchers at the centre had failed to properly secure data harvested by an online personality quiz that had inspired Kogan.
On a call with reporters yesterday, Elizabeth Denham, the Information Commissioner, raised concerns about the work carried out at the centre and other universities. “We are concerned about data negligence at the Psychometrics Centre,” she said. “But we’re also concerned about the lack of boundaries and the lack of due diligence and accountability around the use of data for research.”
The ICO’s report, which provides an update on its investigation into digital political advertising, suggests the regulator has concerns about the ongoing use of data at the centre.
“The evidence we have gathered alongside the further [New Scientist] breach report identifies a need to look carefully at the Psychometrics Centre at the University and we will audit the Centre for this, so we can audit their compliance with the DPA 2018,” the report states.
“Following [the audit] we will then make any specific recommendations required to address any data protection issues in the context of the new Data Protection legislation, based, as it is, on the GDPR.”
Under the the General Data Protection Regulations, which came into effect in May, the ICO has the power to fine organisations up to four per cent of their annual turnover for breaching the law.
The ICO is now urging Universities UK to draw up guidance for research centres across the UK to ensure proper governance rules are put in place, amid concerns the issue is not confined to Cambridge.
A spokesperson for the university told NS Tech: “We acknowledge the interim report from the Information Commissioner’s Office. We will continue to cooperate fully with the Commissioner and will work with Universities UK as it explores the issues within the Higher Education sector around the emerging field of research using social media data.”
The ICO’s report also proposes a £500,000 fine for Facebook over its handling of the Cambridge Analytica scandal. The ICO claims that Facebook failed to safeguard people’s personal information and disclose how it had been harvested. Facebook has been invited to respond to the report before the ICO finalises it decision.
Detailed findings of the next stage of the ICO’s investigation are expected to be published in October.
This article was updated shortly after publication to clarify that Dr Aleksandr Kogan did not work at the Psychometrics Centre. It was updated again in February 2019 to acknowledge that the ICO’s audit was consensual.