Feeds

ICO: How 'sensitive' is personal data? Depends what it's used for...

It's all about context, says the data protection watchdog

Security for virtualized datacentres

The sensitivity of personal information should be determined by the reasons behind why the information is to be processed, the UK's data protection watchdog has said.

The Information Commissioner's Office (ICO) outlined its view in a new paper in which it analysed the European Commission's proposed new EU Data Protection Regulation "article-by-article".

Under the Commission's proposed new regime the processing of sensitive personal data, that reveals individuals' "race or ethnic origin, political opinions, religion or beliefs, trade-union membership, and the processing of genetic data or data concerning health or sex life or criminal convictions or related security measures" would generally be prohibited wherever the individual had not consented to processing or where one of three specifically listed circumstances allowing processing relating to employment, protecting the "vital interests" of individuals and the activities of non-profit seeking bodies, had not been met.

The ICO said that it has "reservations" about categorising data as 'sensitive' by default, and said that a new reformed data protection law framework should account for the "purpose" of processing instead.

"We believe that the wording should be narrower than [proposed] so that the processing would only be caught if its purpose was to reveal, analyse etc. a person’s ethnic origin, race and the like," the ICO said in its analysis paper. (82-page / 495KB PDF) "It is also very difficult to define political opinions, religion or beliefs."

"We have always had reservations about the general concept of non-contextual sensitive data categories. However, this approach is a part of the European mainstream and is unlikely to be dropped. We do think though that sensitivity ought to reflect as far as possible the ‘average citizen’s’ conception of what is sensitive – it is odd therefore that financial details are excluded from the definition. However, a record of trade union membership or a note in an HR file saying that an individual has been ill with a cold is sensitive. One possibility would be for the category to be narrowed to include only genuinely sensitive personal data, such as health records, and combine this with some notion of context and risk posed to individuals," it said.

In its paper the ICO called for 'pseudonymised' data to be considered to be personal data, but it said that organisations should not be required to adhere to all the rules set out in the draft reforms in relation to the treatment of every piece of information that can be labelled as identifiable data.

"There is clearly considerable debate about whether certain forms of information are personal data or not," the ICO said. "This is particularly the case with individual-level but non-identifiable - or not obviously identifiable data - such as is found in a pseudonymised database. We prefer a wide definition of personal data, including pseudonymised data, provided the rules of data protection are applied realistically, for example security requirements but not subject access."

"If there is to be a narrower definition it is important that it does not exclude information from which an individual can be identified from its scope. However, it is important to be clear that a wide definition plus all the associated rules in full would not work in practice. This is a real issue in contexts as diverse as medical research and online content delivery," the watchdog said.

The paper also detailed the watchdog's concerns that the Commission's proposed data protection regime could present organisations with "onerous" and "pointless" barriers to processing personal data. This is because the rules requiring organisations to obtain individuals' consent to that processing could be construed as too strict in some cases, it said.

"While we welcome the high standard of consent ... it is important that the strengthening of consent does not leave data controllers without a lawful basis for processing which is either necessary or unobjectionable," it said. "Usually, there need to be alternatives to consent."

Organisations operating in the EU would generally have to obtain explicit, freely given, specific and informed consent from individuals in order to be able to lawfully process their personal data under the European Commission's draft data protection framework. Consent would not be able to be gleaned through silence or inactivity on the part of individuals and instead must be obtained through a statement or "clear affirmative action" before it can be said to have been given.

However, the Commission's plans state that organisations could not claim to have obtained individuals' consent to personal data processing in cases where "there is a significant imbalance between the position of the data subject and the controller".

The ICO said that organisations should still be able to process the personal data of individuals in some cases where there is an "imbalanced relationship" between data subjects and controllers.

"Determining whether there is a ‘significant imbalance’ between an individual and a data controller is difficult to do in practice," the ICO said. "Whilst we fully accept that genuine consent depends on freedom of choice, it is still possible to have genuine consent within a basically ‘imbalanced’ relationship – for example in respect of certain aspects of employer – employee data processing."

The watchdog also raised concerns about the Commission's proposals which would put in place rules whereby organisations would have to notify data protection authorities and the public when they experience personal data breaches. If encrypted data is lost but where the "decryption key remains safe", organisations should not be said to have suffered a 'personal data breach', it said.

In an initial analysis of the Commission's draft Regulation last year, the ICO warned that EU data protection authorities would not be able to hold companies based outside the EU accountable to the proposed regime. It repeated those concerns in its latest publication on the reforms.

Copyright © 2012, Out-Law.com

Out-Law.com is part of international law firm Pinsent Masons.

Intelligent flash storage arrays

More from The Register

next story
Scrapping the Human Rights Act: What about privacy and freedom of expression?
Justice minister's attack to destroy ability to challenge state
WHY did Sunday Mirror stoop to slurping selfies for smut sting?
Tabloid splashes, MP resigns - but there's a BIG copyright issue here
Hey Brit taxpayers. You just spent £4m on Central London ‘innovation playground’
Catapult me a Mojito, I feel an Digital Innovation coming on
Google hits back at 'Dear Rupert' over search dominance claims
Choc Factory sniffs: 'We're not pirate-lovers - also, you publish The Sun'
EU to accuse Ireland of giving Apple an overly peachy tax deal – report
Probe expected to say single-digit rate was unlawful
Inequality increasing? BOLLOCKS! You heard me: 'Screw the 1%'
There's morality and then there's economics ...
While you queued for an iPhone 6, Apple's Cook sold shares worth $35m
Right before the stock took a 3.8% dive amid bent and broken mobe drama
EU probes Google’s Android omerta again: Talk now, or else
Spill those Android secrets, or we’ll fine you
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
The next step in data security
With recent increased privacy concerns and computers becoming more powerful, the chance of hackers being able to crack smaller-sized RSA keys increases.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.