Feeds

ICO: How 'sensitive' is personal data? Depends what it's used for...

It's all about context, says the data protection watchdog

Reducing the cost and complexity of web vulnerability management

The sensitivity of personal information should be determined by the reasons behind why the information is to be processed, the UK's data protection watchdog has said.

The Information Commissioner's Office (ICO) outlined its view in a new paper in which it analysed the European Commission's proposed new EU Data Protection Regulation "article-by-article".

Under the Commission's proposed new regime the processing of sensitive personal data, that reveals individuals' "race or ethnic origin, political opinions, religion or beliefs, trade-union membership, and the processing of genetic data or data concerning health or sex life or criminal convictions or related security measures" would generally be prohibited wherever the individual had not consented to processing or where one of three specifically listed circumstances allowing processing relating to employment, protecting the "vital interests" of individuals and the activities of non-profit seeking bodies, had not been met.

The ICO said that it has "reservations" about categorising data as 'sensitive' by default, and said that a new reformed data protection law framework should account for the "purpose" of processing instead.

"We believe that the wording should be narrower than [proposed] so that the processing would only be caught if its purpose was to reveal, analyse etc. a person’s ethnic origin, race and the like," the ICO said in its analysis paper. (82-page / 495KB PDF) "It is also very difficult to define political opinions, religion or beliefs."

"We have always had reservations about the general concept of non-contextual sensitive data categories. However, this approach is a part of the European mainstream and is unlikely to be dropped. We do think though that sensitivity ought to reflect as far as possible the ‘average citizen’s’ conception of what is sensitive – it is odd therefore that financial details are excluded from the definition. However, a record of trade union membership or a note in an HR file saying that an individual has been ill with a cold is sensitive. One possibility would be for the category to be narrowed to include only genuinely sensitive personal data, such as health records, and combine this with some notion of context and risk posed to individuals," it said.

In its paper the ICO called for 'pseudonymised' data to be considered to be personal data, but it said that organisations should not be required to adhere to all the rules set out in the draft reforms in relation to the treatment of every piece of information that can be labelled as identifiable data.

"There is clearly considerable debate about whether certain forms of information are personal data or not," the ICO said. "This is particularly the case with individual-level but non-identifiable - or not obviously identifiable data - such as is found in a pseudonymised database. We prefer a wide definition of personal data, including pseudonymised data, provided the rules of data protection are applied realistically, for example security requirements but not subject access."

"If there is to be a narrower definition it is important that it does not exclude information from which an individual can be identified from its scope. However, it is important to be clear that a wide definition plus all the associated rules in full would not work in practice. This is a real issue in contexts as diverse as medical research and online content delivery," the watchdog said.

The paper also detailed the watchdog's concerns that the Commission's proposed data protection regime could present organisations with "onerous" and "pointless" barriers to processing personal data. This is because the rules requiring organisations to obtain individuals' consent to that processing could be construed as too strict in some cases, it said.

"While we welcome the high standard of consent ... it is important that the strengthening of consent does not leave data controllers without a lawful basis for processing which is either necessary or unobjectionable," it said. "Usually, there need to be alternatives to consent."

Organisations operating in the EU would generally have to obtain explicit, freely given, specific and informed consent from individuals in order to be able to lawfully process their personal data under the European Commission's draft data protection framework. Consent would not be able to be gleaned through silence or inactivity on the part of individuals and instead must be obtained through a statement or "clear affirmative action" before it can be said to have been given.

However, the Commission's plans state that organisations could not claim to have obtained individuals' consent to personal data processing in cases where "there is a significant imbalance between the position of the data subject and the controller".

The ICO said that organisations should still be able to process the personal data of individuals in some cases where there is an "imbalanced relationship" between data subjects and controllers.

"Determining whether there is a ‘significant imbalance’ between an individual and a data controller is difficult to do in practice," the ICO said. "Whilst we fully accept that genuine consent depends on freedom of choice, it is still possible to have genuine consent within a basically ‘imbalanced’ relationship – for example in respect of certain aspects of employer – employee data processing."

The watchdog also raised concerns about the Commission's proposals which would put in place rules whereby organisations would have to notify data protection authorities and the public when they experience personal data breaches. If encrypted data is lost but where the "decryption key remains safe", organisations should not be said to have suffered a 'personal data breach', it said.

In an initial analysis of the Commission's draft Regulation last year, the ICO warned that EU data protection authorities would not be able to hold companies based outside the EU accountable to the proposed regime. It repeated those concerns in its latest publication on the reforms.

Copyright © 2012, Out-Law.com

Out-Law.com is part of international law firm Pinsent Masons.

Security and trust: The backbone of doing business over the internet

More from The Register

next story
Phones 4u slips into administration after EE cuts ties with Brit mobe retailer
More than 5,500 jobs could be axed if rescue mission fails
JINGS! Microsoft Bing called Scots indyref RIGHT!
Redmond sporran metrics get one in the ten ring
Driving with an Apple Watch could land you with a £100 FINE
Bad news for tech-addicted fanbois behind the wheel
Murdoch to Europe: Inflict MORE PAIN on Google, please
'Platform for piracy' must be punished, or it'll kill us in FIVE YEARS
Phones 4u website DIES as wounded mobe retailer struggles to stay above water
Founder blames 'ruthless network partners' for implosion
Found inside ISIS terror chap's laptop: CELINE DION tunes
REPORT: Stash of terrorist material found in Syria Dell box
Sony says year's losses will be FOUR TIMES DEEPER than thought
Losses of more than $2 BILLION loom over troubled Japanese corp
Show us your Five-Eyes SECRETS says Privacy International
Refusal to disclose GCHQ canteen menus and prices triggers Euro Human Rights Court action
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.
Protecting users from Firesheep and other Sidejacking attacks with SSL
Discussing the vulnerabilities inherent in Wi-Fi networks, and how using TLS/SSL for your entire site will assure security.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.