Today we are going to take a short interlude before we go back to the story of Jeff and how he almost wandered into very unsure waters in regards to “Data Flow” and “Special Category Data”. Before we go on I want to briefly discuss identifiable data so that we have a better understanding of what it is.

What do we mean by identifiable data, and what the legislation says is identifiable is something that confuses a lot of people(1) because there are different definitions, and terminology, for data types that vary across regions. In terms of legislation we are going to use as an example some of those that are commonly prevalent: UK’s GDPR, EU’s GDPR, US’s NIST/OBR, Switzerland’s Federal Act and Australia’s Privacy Act.

Digital Breadcrumbs and the “Us-Shaped” Jigsaw

A digital existence, often related to the digital footprint people leave as they navigate our heavily inter-connected existence, is like a trail left by a modern day net-running Hansel and Gretel in the cyber forests. When we click “accept” or “submit” or other interactive elements; scroll through a feed filled with adverts and hyperlinks with their insistent calls to like and dislike; buy a quirky object online; save a link to a note-app or repost to our own feeds; we drop a digital breadcrumb to say where we have been and what we did there.

On their own a single crumb, like a preference for spicy sausages, is just an ambivalent data point. A flotsam of information with no relative value or indication. But like a woodcutter searching for his missing children, or more like the wolf filling up on breadsticks before the main meal of the same tasty children, organisations gather all of these crumbs. The crumbs are like jigsaw pieces that build a picture, a startling recreation of pieces each on their own nonsensical but together they make an image that is us.

We are assembled as a “me-shaped”, “you-shaped” or “us-shaped” puzzle. This is the amalgam, the construct from all the personal data that is available. In some regions each individual piece of this puzzle is controlled, or legislated, and considered personal; in others it is only when you have enough of the jigsaw to identify the final image, or a very distinct bit of edge, that it is personal. Broadly speaking we can say that this is the difference between an item of personally related information and the data that is personally identifiable information. For example, in the case of your name and date of birth the individual datum can be enough to recognise you, even more so if it is biometric data; in the case of your preference for ketchup over brown sauce you would need several other pieces of data to identify you. Like a game of Guess Who there could be lots of people with glasses but only one of them may wear a pink shirt.

In legislation such as the UK GDPR’s Article 4(1) this jigsaw piece is defined as any information relating to an “identified or identifiable natural person” who is also known as the “data subject.” If the information can be used to pluck you out of a crowd, either directly by your name or indirectly by combining crumbs/jigsaw pieces, it counts as personal data.

The puzzle that is us comes together quickly. Research states that 87% of the US population can be identified by knowing just three simple things. Children in a school in the UK could be identified by hair colour, month of birth and the initial of their last name, if they are red heads you don’t even need the initial from their last name. Identifiable data is affected by the statistical likelihood of a biological feature. For instance, people with orange/red hair and blue eyes in the UK occur in fewer than 1 in a thousand, so those two data points can be used to identify them easily from their peers even in large gatherings.

Alphabet Soup

Personally Identifiable Information (PII), Personal Information (PI) and Personal Data are used as if they are interchangeable but often they are not. The legislative impact differs depending on which passport control you walk through, or which region you call home.

In the United States the acronym of choice is PII, championed by NIST and the OMB. It is typically split into two flavours: Linked, which is direct identifiers such as a Social Security Number; Linkable, which are indirect identifiers like your job title or geographic area that can identify you when paired with other data.

Personal Data reigns supreme under the EU and UK legislation, and it is a much broader net. It doesn’t just look for your name as it covers “online identifiers” such as cookies and IP addresses. The Australian laws prefer to use the term Personal Information which covers any data where you are “reasonably identifiable”.

A Legal Safari

Laws governing data are strengthening in many regions. Some countries are way ahead of others, some are more permissive, but it is a landscape that every business that has a globally accessible service needs to be aware about. Here’s a quick safari through the current regional highlights we already mentioned:

  • In the European Union the GDPR (General Data Protection Regulation) is considered the “Gold Standard” for privacy. It evolved from a previous directive 95/46/EC (Data Protection Directive). It ensures that the definition of personal data(2) remains expansive and protective. They also use the PECR which is being revised.
  • The UK operates under the Data Protection Act 2018 and the UKGDPR. They UK also uses the Privacy and Electronic Communications Regulations (PECR) the (in)famous “Cookie Law” and is currently implementing the revision for the UKGDPR which is the Data Use and Access Act (DUAA).
  • While there is no single federal “umbrella” law in the US, the Privacy Act of 1974 governs federal agencies. Specific sectors have their own rules, like HIPAA for health data, or State Law such as California’s SB1386.
  • Switzerland takes a firm stance via the Federal Act on Data Protection, which prohibits processing your data without explicit authorization. This matches, and maps, to the EU’s GDPR.
  • In Australia the Privacy Act sets out a principles-based model to protect anyone who is “reasonably identifiable.”

Many Degrees of “Ouch”

As shown above not all data is equal; some info is louder, or “noisier”, than others. Protecting, or exposing, it causes a much bigger pain point. Also data is not always automatically classifiable just by a single type as context and relationships are relevant and we will cover that below. Hair colour and eye colour might be innocuous until statistics lends a hand in making it a needle jab.

Generally speaking we can categorize data using an “Information Sensitivity” framework as highlighted on a rather useful Wikipedia page.(3)

We start with the least sensitive which is Public Information or publicly available information. This is usually records held by government that might be released under specific formal request, these are items such as voting registration records. But it might also be census, criminal or sexual offender records that are released when needed for the public safety or trust. This type of information also includes data that the individual releases themselves, however that does not infer automatic consent to use it.

Then we have Routine Business Information, day-to-day data shared within companies that doesn’t need a secret decoder ring to access. This can be data that the subject has shared with a company. Businesses often share this information between each other and ask for consent to do so, it is important to know what you hold and who you share it with, and also to ensure that data in this category cannot be used for criminal or social manipulation.

Classified Information is usually identified by having a specific security restriction. This is legal, financial, and even medical information that is separate to, or beyond special category data (covered below) Generally this data is heavily restricted and should not be stored, or seen, by anyone without specific authorisation or permission.

Things are serious when we deal with Special Category Data, referred to this way by UK/EU GDPR or as Sensitive Data in other regions. This is information that requires stronger protection and has consequences for using it under the various legislations.

Special Category Data

  • Race or ethnic origin – this is a person’s heritage and may include birth or geographical affiliation.
  • Political opinions – this varies by country with the US having some permissive natures and some aggressively restrictive by State, but in most parts of the world voting intention/acts are private, privileged or secret.
  • Religious or philosophical beliefs – your worldview is protected and private unless you choose to share it.
  • Union or group membership and affiliation – your affiliations are strictly private and again cannot be held against you, or without your explicit consent.
  • Genetic data – your biological blueprint is reserved usually for government statistics and medical staff.
  • Biometric data – fingerprints or facial recognition used for ID. It may include your likeness recorded without your knowledge, the legislation regarding organisations keeping images recorded on CCTV is a hotly debated topic.
  • Health data – your medical history and records, and a political hot potato in the UK at this moment with the legality of a private organisation having full access to residents medical records.
  • Sexual life and/or sexual orientation – Considered an essential part of your private life and not to be used without specific consent.
  • Criminal offence data – convictions and allegations except where it is required under legislation concerning employment activities and social conditions (such as register information that has to be made known to protect others).
  • Confidential Business Information (CBI). Not usually a part of a specific piece of legislation, however is a special category data type. Businesses often treat this like a “trade secret”, it might be a sales plan or patent notes, where a leak could cause substantial financial injury or harm to private individuals.

When Colours Become Personal Data, Why Context and Relationships Reign Supreme

Here is a whimsical thought: is the name of a colour personal data? The obvious answer is absolutely not, and on its own that’s correct. It’s just a colour, or a type of wine if it is white, red or pink. But almost paradoxically context is a magic wand that can transform data. So if a database stores the colour with no relationship it’s just an iota of insignificance, a datum of no consequence. The moment that value is stored in a record with a relationship to a named individual such as: “Mark Keating’s favourite colour”(4) it instantly transforms into a piece of personal data. With that relationship it becomes a quasi-identifier, with two or three small pieces of data such as this we can identify an individual who hasn’t been named or is known to us.

Much like the percentage of people who can be identified by just a few non-unique facts, these “harmless” bits of data become powerful tools for identification when they are linked. This is why data protection is so tricky, almost any datum can become personal if it’s attached to your digital shadow.

Guarding the Shadow Self

Navigating the world of personal data can feel like trying to keep up in a race where the goal is forever changing. But you have more control than you think, careful planning, knowledge, and communication can help you tremendously.

Guarding a digital shadow is an active responsibility for both individuals and the organizations they interact with and the most important factor is trust. Having an understanding of what data is automatically personal, and how data can be linked to a person, the context and relationship, can help you devise appropriate safeguards and policies.

As always it helps to have people who have a love for both data and protection. But if you need to discuss this more then we at Shadowcat would be delighted to help. Want to talk to us? Drop us a comment or use the contact form on our website (https://www.shadowcat.co.uk/#contact) to get in touch.

(1) Including me, though a lot of things confuse me which is why always double check that my head’s on straight.
(2) https://gdpr-info.eu/issues/personal-data/
(3) https://en.wikipedia.org/wiki/Information_sensitivity
(4) It’s Fuchsia if you wanted to know.

Sources to Consider

(A) What is Personal Data from the ICO: https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/personal-information-what-is-it/what-is-personal-data/what-is-personal-data/
(B) What is PII: https://piwik.pro/blog/what-is-pii-personal-data/
(C) Tackling Misconceptions (ICO): https://ico.org.uk/about-the-ico/what-we-do/our-work-on-artificial-intelligence/response-to-the-consultation-series-on-generative-ai/tackling-misconceptions/
(D) Personal Data – Wikipedia: https://en.wikipedia.org/wiki/Personal_data
(E) Key Data Protection Concepts – ICO: https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/lawful-basis/biometric-data-guidance-biometric-recognition/key-data-protection-concepts/
(F) Data Protection and PECR Training Supporting Notes – ICO: https://ico.org.uk/media2/3ocphn2a/module-1-data-protection-definitions.pdf
(G) Information Sensitivity – Wikipedia: https://en.wikipedia.org/wiki/Information_sensitivity

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

No responses yet