An Introduction to Privacy #3:        Let the Fun Begin ????

An Introduction to Privacy #3: Let the Fun Begin ????

You've all been incredibly patient, and here's where it starts to pay off. We can leave that pure theory aside (well, as long as you remember it) and have some fun playing with the rules by practically applying them. The first thing we'll look at, and have a tinker with, are those troubling terms in the extremely loose definition of Personal Data.

Context is King

The reason these things have to be applied to be understood is that they're all context dependent. I mentioned that things phase in and out of being personal data all the time, and that can change between one process and another and one department and another. That's because the context surrounding the processing changes.

You'll hear people saying things like "Context is key" or "Context is king", and you're bound to have already heard the famous answer given by DPOs everywhere "it depends...". The reason "it depends" isn’t because we like playing coy, it’s because you asked what seemed a simple question, but the DPO hasn't spent an hour grilling you about the smallest details of the processing yet, so everything is still up in the air.

To explore how all of this works when you put it into in practice let's start with a simple scenario:

No alt text provided for this image

Examples

No alt text provided for this image

If I say to you "the person with blonde hair" that could identify anyone in the room, so hair colour is not Personal Data as it doesn't identify one individual.

If I say to you "the person with the Hawaiian shirt" (assuming there is only 1) then that is Personal Data as you can single out one person.

If a person with black hair walks into the room, then "the person with black hair" or "the person who doesn't have blonde hair" is Personal Data, because one person is easily identified. The description "blonde hair" is still not Personal Data though, so hair colour simultaneously is and is not Personal Data depending on what colour it is.

If another person, this time with red hair, joins the room neither of the phrases "blonde hair" or "not blonde hair" are Personal Data, but the phrase "black hair" or "red hair" are both Personal Data.

Are you still with me? Hopefully you can see how the context of who is in the room, something you probably can't control, is changing not only what is and isn’t personal data, but also the level of risk and required controls over time.

The results could also phase in and out of being Personal Data if we changed the scope of the question, for example asking about the whole building rather than one room. Would you know the hair colour of everyone in the building? What if there was 1 person with pink hair? Now you're processing Personal Data on them but potentially nobody else. Does the fact that it's only a single case of Personal Data amongst hundreds of non-Personal Data change what you need to do to comply? How could you handle situations where you have data, but you don't know whether or not any of it singles out one person?

If you've got any thoughts share them in the comments ? If you'd like some feedback on your thoughts and you prefer not to do it in the comments, then you can direct message to me as well. I promise to be supportive and positive, there's no reason to feel nervous ?? I always say that play is the best form of learning, so take a crack at it.

No alt text provided for this image

Direct and Indirect Identifiers

Direct Identifiers

This seems a good place to talk about direct and indirect identifiers, because they're very much tied to context. Indirect identifiers share the ability to both be and not be Personal Data simultaneously depending on how you look at it them.

A direct identifier is something that can cleanly and definitively identify a Data Subject by itself, without anything else. It doesn't have to be physical or exist in the real world (like an address), it could be your passport number or your driver’s license number. Both of those numbers are unique, only one person has them. Fingerprints and retinal scans are other examples. In many cases direct identifiers are more risky than their indirect cousins, you only need that single piece of Personal Data to begin digging for other information that's linked to it and perhaps not as well protected. These are the types of identifiers identity thieves want, they're a first powerful step in pretending to be you.

Indirect Identifiers

Indirect identifiers are less risky, at least they are until you start combining them. An indirect identifier is something that can’t identify a unique individual by itself, they need more information to do that. The more indirect identifiers you stack together, and the more of that all-important context you add into the equation, the more precise the identification becomes though, and you start to head towards a full identification. Remember in the previous episode where a team had figured out how to identify someone to 90% accuracy with only 4 pieces of information?

Examples of indirect identifiers include your race, place of birth, eye colour, hair colour, even your date of birth. They're not unique to you, many other people share one or more of the same characteristics. However, if someone knows your race, your place of birth, and your date of birth, they might be able to figure out who you are, because not many people have the same combination of these three things.

The difference between a direct identifier and an indirect identifier is important for risk assessments and choosing the most appropriate, cost effective, controls where required. A direct identifier is more risky than an indirect identifier, so you need more controls for your direct identifiers, such as encryption and a strictly applied retention policy.

An indirect identifier is, in isolation, less risky than a direct identifier, because it can only reveal your identity when combined with other information. Therefore, you may not require the same level of controls over the storage and use of indirect identifiers. Common controls for indirect identifiers include aggregation and limiting who can access them.

No alt text provided for this image

Alone or In Combination

Another part of the definition of personal data says that Personal Data may identify a person 'alone or in combination' with other information. We've actually already discussed this above, direct identifiers and indirect identifiers are perfect examples of what these terms mean and how to apply them.

That one was easy ????

Identified or Identifiable

It's the same story here, direct and indirect identifiers are great examples.

A direct identifier categorically identifies a unique individual, and at that point they've been 'identified'. Indirect identifiers make it possible to identify someone if enough of the rights ones are combined. Even if you don't plan to combine information in a way that results in an identification it may be possible to do it with the information you have, in this situation the Data Subject is 'identifiable'.

Having information that makes Data Subjects 'identifiable' is less risky than having direct identifiers, but they still require controls around them to ensure they are accessed and used appropriately.

The Joys of Aggregation

Using the same situation above let's imagine I'm now a door-to-door shampoo salesman (always my secret dream job). My shampoo is great for blonde hair, but absolutely awful for any other colour, it just makes it fall out.

No alt text provided for this image

I'm tired, it's been a long day, and I'm trying to determine whether it's worth knocking on the door to that room or whether I'll just go home. To make that evaluation do I really need to know that there is one person in the room with black hair,and one with red? Or do I just care about whether there are blonde people in the room? Just talking about blonde hair wouldn't require Personal Data.

I could go more detailed and ask what percentage of people in the room have blonde hair, and if I didn't know how many people were in the room then that stands no chance of processing Personal Data either.

What we've just done is "aggregate" the data, rounded it up into groups to the point where it no longer identifies individuals. Aggregated data is wonderful for businesses and analytics, because as long as you're careful with the questions you ask, and especially so if you start cross-referencing data sets, there is still a broad range of analytics you can get done without ever processing Personal Data.

That's the beauty of aggregated data. Its usefulness shouldn't be underestimated.

No alt text provided for this image

Living People Only?

And to end our discussion today, a bit of a curveball.

If you remember the details of our scenario, you'll remember that there was a large portrait of a man in the room. We don't know whether the man is still living or not, but for the sake of this let's say it's a very old portrait so that's unlikely. The portrait is well done and quite capable of singling the person out in a crowd, just like a photograph or CCTV footage.

Under the GDPR it's clear, something can only be Personal Data if the Data Subject it relates to is alive. That's not the end of it though, wouldn't it be lovely if it was?

Other privacy laws like the CCPA in California don't have that limitation captured in the text of the law. So, a lot might depend here on what jurisdiction we're in. That's a little bit of context creeping in again ????

The CCPA protects anyone that meets the definition of a "consumer" under the act, and a consumer is defined as "a natural person who is a California resident". The California Code of Regulations steps in and defines a resident as

  1. every individual who is in the State for other than a temporary or transitory purpose, and
  2. every individual who is domiciled in the State who is outside the State for a temporary or transitory purpose.

It fails to mention whether they need to be alive. Point 1 above doesn't say "living in the State", only that they must be present in the State.

There are no known cases where the CCPA has been cited where a Data Subject is not alive, it’s mostly a thought experiment, but the black letter of the law does remain unclear. We're left asking whether a deceased person can be a “resident” of California? Does it matter whether the individual is buried or cremated?

Feel free to leave your thoughts on this one in the comments as well, or direct message me. I want to be clear though, I'm not telling you that the CCPA does or doesn't apply to a deceased person, I don't know the answer for sure, I'm just raising questions.

This is only one example of where the various laws have grey areas, and sometimes open conflict between parts of themselves, and no guidance has been given. As privacy professionals we’re left to interpret and apply the principles on our own, with the company ultimately answering to the regulators for our decisions. It can be nerve-wracking.

See You Next Time

We've covered a lot in this instalment, and I hope I managed to bring everyone through it together. Your head may be swimming but that's fine if it is, if you're completely new to Privacy then it should be at this stage. You don’t have to understand everything right now, that will come with time and conversations with your mentor.

If I’ve helped you to build a basic frame around what Personal Data is and isn’t, how it’s impacted by context, and how all of that begins to affect risk then I’ve achieved what I hoped too today. As we move forward together, we’ll hang more and more on this framework, filling it out until you have the understanding as well as the tools needed to apply it.

Next time we'll cover topics including what 'reasonable', 'fair', and 'accountable' might mean in practice, and how to actively demonstrate you're considering them in everything you do. It’s all real world application from here on out!

??

#theaccidentaldpo

Gabriela McGavock

Privacy Program Manager | CIPM | CIPP/US | CIPP/E

1 年

Again, a great post! I really like the use of real examples, it makes it so much easier to understand! Can't wait for the next one!

Facu A. Reyna, Biologist ?? ?????

People Connector ?? | Team Builder Extraordinaire ?? | Referrals Only ???????? | Nerd Enthusiast ??

1 年

And the fun continues! This is a great 3rd chapter of the series. Easy to read, easy to understand, great facts and explanations.

Nice highlight of the right partnership between Privacy, Data Protection and Legal stakeholders in helping navigate through this foggy area of regulation.

Cheryl Dean

?? Global AI & ML Talent Specialist | Tech Community Builder | AI for Good Advocate | Market Insights & Career Navigation | Re-humanising Hiring | Let's set up a call 07542030405

1 年

As ever Dan C. what an exhilarating journey through the vast world of privacy! I love how your use of scenarios really helps to open up the endless possibilities to us mere mortals!! Never again will I frown when I DPO says "it depends" #respect

Jaroslaw R.

?? Entrepreneur ???? Engineer ?? Geek ???? Father ??♀? Husband ?? Dog owner (order: random)

1 年

This is a great, approachable write-up. Cheers, Dan.

要查看或添加评论,请登录

Dan C.的更多文章

  • What Is Personal Data?

    What Is Personal Data?

    Everything Well, more or less. A touch flippant perhaps, probably not what you expected, and I’m pretty sure it wasn’t…

    17 条评论
  • Introduction To Privacy #1

    Introduction To Privacy #1

    Module 1: Foundations Lesson: Thinking Styles and What is a Data Subject? Introduction Now Introductions are out of the…

    17 条评论
  • Compliance 3.0: Taking Care of Business

    Compliance 3.0: Taking Care of Business

    Well, here we are at the final part of my introduction to Compliance 3.0, just takin' care of business ?? The previous…

    2 条评论
  • Cooking Up Compliance 3.0: The Cost/Benefit

    Cooking Up Compliance 3.0: The Cost/Benefit

    As my dad always says, “cooking is an art, baking is a science” and Compliance 3.0 is most definitely cooking ????…

    11 条评论
  • Mastering Compliance 3.0 to Achieve Business Goals

    Mastering Compliance 3.0 to Achieve Business Goals

    Compliance is often seen as a restrictive, thankless function that at best adds no business value, and at worst…

    7 条评论
  • Huzzah for Pack Rats!

    Huzzah for Pack Rats!

    I'm a pack rat, mostly of nuts and bolts, but also data. You heard me, also data! There's nothing wrong at all with…

    1 条评论
  • Ransomware Pirates Want Your Data!

    Ransomware Pirates Want Your Data!

    Ransomware attacks are a sad reality of life these days, they can strike out of the (deep) blue (sea) and affect your…

  • Ripping out ROT: Improving Your Privacy Governance

    Ripping out ROT: Improving Your Privacy Governance

    Data ROT removal is a skill that we can master. It can help us protect our data privacy, comply with regulations, and…

  • Why DPO's Make Good Beer

    Why DPO's Make Good Beer

    How being a DPO makes me a better brewer (and vice versa) ?? #theaccidentaldpo ?? Do you know what I love to do in my…

    5 条评论
  • The Impact in Impact Assessments

    The Impact in Impact Assessments

    'Impact' isn't a new term as far as business risk assessments go, it's central to the whole thing, everyone knows what…

    3 条评论

社区洞察

其他会员也浏览了