The Low-Down On The Concept Of Personal Data

Published on January 20th, 2023


Most people think of personal data as a self-explanatory term denoting any information that allows you to identify a specific individual. This couldn’t be truer, but with the caveat that numerous subtleties of this concept may complicate the categorization.

For instance, a combination of a full name, date of birth, and gender may provide sufficient context to attribute an action to a particular person. Still, in some scenarios, it’s a far cry from being enough for sure-shot identification. To get the bigger picture, let’s zoom into what pieces of information can be labeled as personal data and under what circumstances.

Mixing things up makes a difference

There is a cluster of fundamental “raw” information that gives you unambiguous clues for identifying a person. This data may include passport details, a Social Security number (SSN), a fingerprint, or in some cases, the above-mentioned mixture of a name, date of birth, and gender.

Another type of “raw” data comprises fragments of information that don’t clearly point to an individual when analyzed in isolation from other details. The typical examples include a place of work, a favorite meal, the number of kids, and personal qualities. None of these is personal data per se.

However, if you combine some info from the first and the second group, those “breadcrumbs” will lead to a specific person with close to 100% accuracy. That’s personal data in its purest form. A few examples of such a verbose fusion are as follows:

● Medical diagnosis + favorite meal + photo

● SSN + place of work

● Name + date of birth + gender + ZIP code

The degree of exposure stemming from different types of information may depend on who is in charge of the analysis. Some chunks of data don’t allow the average layman to determine someone else’s identity, but a law enforcement agency may be able to do it in a snap.

The precision of the identification process is also a matter of who the data carrier is. In the case of an individual, for example, a phone number is often tied to their name and ID. When combined with virtually any other facts about the person, it is a classic instance of personal data. The same goes for insurance numbers, credit card details, and many other types of information.

However, a phone number used by an enterprise entity doesn’t fit the mold of personal data. The reason is that it doesn’t allow a third party to identify a particular employee of the organization that uses this phone number.

An equation with multiple variables

The fact that a dataset incorporates several different types of information doesn’t necessarily make it a meaningful source of identification. Sometimes an extra piece is required to complete the puzzle. If a set contains, among other things, a medical diagnosis but doesn’t include a name, it can’t be linked to a particular individual.

Race, gender, and place of work, when stripped of additional context, aren’t personally identifiable information either. But a fusion of a medical diagnosis, race, gender, and place of work becomes personal data when, for example, it’s known that only one Thai woman with physical disabilities works at a library. Interestingly, in this hypothetical situation, if two disabled Thai residents used to work at the library and one of them retired, then this array of data originally wasn’t personal but became such later on.
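The library scenario can be checked mechanically by counting how many records share each combination of attributes; a combination held by exactly one record singles that person out (the smallest group size is the "k" in k-anonymity). The following is an added example, not part of the original article, and the records, field names, and function names are constructed for illustration.

```python
from collections import Counter

# Constructed sample records (not real data). No names or ID numbers are present.
STAFF_BEFORE = [
    {"workplace": "library", "gender": "F", "race": "Thai", "diagnosis": "physical disability"},
    {"workplace": "library", "gender": "F", "race": "Thai", "diagnosis": "physical disability"},
    {"workplace": "library", "gender": "F", "race": "Thai", "diagnosis": "none"},
    {"workplace": "library", "gender": "F", "race": "Thai", "diagnosis": "none"},
    {"workplace": "library", "gender": "M", "race": "Thai", "diagnosis": "none"},
    {"workplace": "library", "gender": "M", "race": "Thai", "diagnosis": "none"},
]
# Same staff list after one of the two matching employees retires.
STAFF_AFTER = STAFF_BEFORE[1:]

PARTIAL = ["workplace", "gender", "race"]   # attributes without the diagnosis
FULL = PARTIAL + ["diagnosis"]              # the fused set from the article


def group_sizes(records, attributes):
    """Count how many records share each combination of the given attributes."""
    return Counter(tuple(r[a] for a in attributes) for r in records)


def singled_out(records, attributes):
    """Return the records whose attribute combination matches exactly one person."""
    sizes = group_sizes(records, attributes)
    return [r for r in records if sizes[tuple(r[a] for a in attributes)] == 1]


def smallest_group(records, attributes):
    """Size of the smallest group sharing one combination (the k in k-anonymity)."""
    return min(group_sizes(records, attributes).values())


if __name__ == "__main__":
    for label, data in (("before retirement", STAFF_BEFORE),
                        ("after retirement", STAFF_AFTER)):
        print(label,
              "| k without diagnosis:", smallest_group(data, PARTIAL),
              "| k with diagnosis:", smallest_group(data, FULL),
              "| records singled out:", len(singled_out(data, FULL)))
```

The same dataset, with the same columns, moves from k = 2 to k = 1 purely because the population changed, so a classification of "not personal data" needs to be re-evaluated whenever the underlying records change.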





Case law can also help you figure out whether or not an assembly of information pieces is personal data. If there have been precedents in which court decisions interpreted a dataset that way, then you can refer to such rulings for clear-cut categorization.

In many jurisdictions, you have a minuscule chance of obtaining an official expert verdict that specifies whether a collection of details about an individual is considered personal data or not. You can, of course, contact authorities with a request like that, but the answer will be along the lines of “it all depends on whether the dataset allows you to identify a person.” Well, duh! Again, the ultimate truth is a court decision, but you are always better off sifting through all the facts on your own.

In routine scenarios, you don’t have to immerse yourself in the murky waters of legal procedures to understand how to categorize a specific set of data. However, things may get entangled in unorthodox instances that involve biometrics and some marginal types of data about individuals. Let’s illustrate this based on several offbeat situations.

Unusual cases

There is no denying that a photocopy of a person’s passport is a piece of personal data since it contains a headshot, full name, date of birth, and other sensitive information. Ambiguity arises when you separately analyze a passport photo and, say, an image or video that was taken by a CCTV camera.

The controversy relates to whether the resolution of a specific photograph is enough to identify someone. It’s hard to define the criteria regarding the quality of a graphical object. If it’s a standardized 600x600-pixel image in a passport, then it’s undoubtedly personal data. If you have a fuzzy photo with a lower resolution, however, it may be problematic to discern its elements, even more so if it was taken outdoors from a relatively large distance.

By the way, security systems at stadiums and in some other public places frequented by lots of people come with face recognition features that can automatically identify a previously blacklisted visitor based on images of moderate quality. In most real-life situations, though, things are usually more opaque.

When crossing a border, the standard procedure is as follows: an officer looks at your face and decides whether what they see matches the photo in your passport or visa. If they conclude that there are plenty of similar traits, then you get the green light to cross the border. The identification workflow in court follows the same logic: the judge engages an unbiased expert who is supposed to deduce if it’s possible to identify a person using a specific photo.

In most countries, citizens have the right to file official requests so that their data isn’t collected and processed without their consent. Theoretically, you can go the extra mile and use publicly available online sources to try and extract photos of you taken by surveillance systems outdoors. The next move is to insist that this is an act of unauthorized data storage and analysis. Yet, such a request may be declined in quite a few situations – for instance, when the photo is used for national security purposes. The same goes for scenarios where the image was taken during public events, such as concerts, conferences, and sports contests.

Is an email address an example of personal data? It depends. A string like info@domain.com conveys no sensitive information as long as it doesn’t include a person’s name. Its owner can be anyone, even a bot. Does anything change if it’s RobertSmith@gmail.com or WillGartner@microsoft.com? As a rule, none of these is personal data unless combined with additional identifiers that enrich it with context and eliminate ambiguity.

Furthermore, as with a phone number, the classification depends on who owns the email account: an individual or an organization. Another thing to consider is that the process of signing up for a service like that doesn’t require passport information.

IP addresses might give away your identity under certain circumstances, too. This is especially likely if you use a dedicated IP address. The silver lining is that you can leverage a reliable VPN service to surf the web anonymously and thereby steer clear of unwanted surveillance.

Most biometric characteristics can be considered personal data for a good reason. The patterns of one’s iris, the shape of the skull and ears, as well as a handful of other traits, are just as unique as fingerprints. On a side note, this fact imposes major limitations on face recognition systems from an ethical perspective. Even storing a hash of someone’s biometric data may require the person’s approval.

Final thoughts

Since privacy laws are increasingly stringent, handling personal data properly should be top of mind for enterprises. Every company’s best interest is to understand whether it stores and processes such information. If it does, the next step is to categorize that data. This will help IT professionals prioritize the protection of specific assets while providing actionable insights into the particular cyber threats those records are susceptible to. From there, the appropriate security controls need to be implemented across the network infrastructure. Compliance with local privacy-related legislation is an essential part of this workflow.

At the end of the day, it all boils down to knowing if particular bits and pieces of information are personal. The considerations above should point you in the right direction. If you are in doubt, resort to the assistance of lawyers who can perform an audit of your data and send requests to authorities for clarification if necessary.
