An Introduction to Privacy #3: Let the Fun Begin

You've all been incredibly patient, and here's where it starts to pay off. We can leave the pure theory aside (as long as you remember it) and have some fun playing with the rules by applying them in practice. The first things we'll look at, and have a tinker with, are those troubling terms in the extremely loose definition of Personal Data.

Context is King

The reason these things have to be applied to be understood is that they're all context dependent. I mentioned that things phase in and out of being Personal Data all the time, and that can change between one process and another, and one department and another. That's because the context surrounding the processing changes.

You'll hear people saying things like "Context is key" or "Context is king", and you're bound to have already heard the famous answer given by DPOs everywhere: "it depends...". The reason for "it depends" isn't that we like playing coy; it's that you asked what seemed a simple question, but the DPO hasn't yet spent an hour grilling you about the smallest details of the processing, so everything is still up in the air.

To explore how all of this works when you put it into practice, let's start with a simple scenario:

[Image: the scenario, a room of people who all have blonde hair, one of them wearing a Hawaiian shirt, with a large portrait of a man on the wall]

Examples


If I say to you "the person with blonde hair", that could describe anyone in the room, so hair colour is not Personal Data here as it doesn't single out one individual.

If I say to you "the person with the Hawaiian shirt" (assuming there is only one), then that is Personal Data, because you can single out one person.

If a person with black hair walks into the room, then "the person with black hair" or "the person who doesn't have blonde hair" is Personal Data, because one person is easily identified. The description "blonde hair" is still not Personal Data though, so hair colour simultaneously is and is not Personal Data depending on what colour it is.

If another person, this time with red hair, joins the room, neither of the phrases "blonde hair" or "not blonde hair" is Personal Data any more, but the phrases "black hair" and "red hair" are both Personal Data.

Are you still with me? Hopefully you can see how the context of who is in the room, something you probably can't control, is changing not only what is and isn't Personal Data, but also the level of risk and the required controls over time.

The results could also phase in and out of being Personal Data if we changed the scope of the question, for example asking about the whole building rather than one room. Would you know the hair colour of everyone in the building? What if there was one person with pink hair? Now you're processing Personal Data about them, but potentially about nobody else. Does the fact that it's only a single case of Personal Data amongst hundreds of non-Personal Data records change what you need to do to comply? How could you handle situations where you have data but don't know whether any of it singles out one person?

If you've got any thoughts, share them in the comments. If you'd like some feedback on your thoughts and you prefer not to do it in the comments, then you can direct message me as well. I promise to be supportive and positive, there's no reason to feel nervous. I always say that play is the best form of learning, so take a crack at it.


Direct and Indirect Identifiers

Direct Identifiers

This seems a good place to talk about direct and indirect identifiers, because they're very much tied to context. Indirect identifiers share the ability to both be and not be Personal Data simultaneously, depending on how you look at them.

A direct identifier is something that can cleanly and definitively identify a Data Subject by itself, without anything else. It doesn't have to be physical or exist in the real world (like an address); it could be your passport number or your driver's licence number. Both of those numbers are unique within the system that issued them: only one person has each of them. Fingerprints and retinal scans are other examples. In many cases direct identifiers are more risky than their indirect cousins, because you only need that single piece of Personal Data to begin digging for other information that's linked to it and perhaps not as well protected. These are the types of identifiers identity thieves want; they're a powerful first step in pretending to be you.

Indirect Identifiers

Indirect identifiers are less risky, at least until you start combining them. An indirect identifier is something that can't identify a unique individual by itself; it needs more information to do that. The more indirect identifiers you stack together, and the more of that all-important context you add into the equation, the more precise the identification becomes, and you start to head towards a full identification. Remember in the previous episode where a team had figured out how to identify someone to 90% accuracy with only four pieces of information?

Examples of indirect identifiers include your race, place of birth, eye colour, hair colour, even your date of birth. They're not unique to you; many other people share one or more of the same characteristics. However, if someone knows your race, your place of birth and your date of birth, they might be able to figure out who you are, because not many people share that combination of all three.

The difference between a direct identifier and an indirect identifier is important for risk assessments and for choosing the most appropriate, cost-effective controls where they're required. A direct identifier is more risky than an indirect identifier, so you need stronger controls for your direct identifiers, such as encryption and a strictly applied retention policy.

An indirect identifier is, in isolation, less risky than a direct identifier, because it can only reveal your identity when combined with other information. Therefore, you may not require the same level of controls over the storage and use of indirect identifiers. Common controls for indirect identifiers include aggregation and limiting who can access them.


Alone or In Combination

Another part of the definition of Personal Data says that Personal Data may identify a person 'alone or in combination' with other information. We've actually already discussed this above: direct identifiers and indirect identifiers are perfect examples of what these terms mean and how to apply them.

That one was easy.

Identified or Identifiable

It's the same story here; direct and indirect identifiers are great examples.

A direct identifier categorically identifies a unique individual, and at that point they've been 'identified'. Indirect identifiers make it possible to identify someone if enough of the right ones are combined. Even if you don't plan to combine information in a way that results in an identification, it may be possible to do so with the information you have, and in this situation the Data Subject is 'identifiable'.

Having information that makes Data Subjects 'identifiable' is less risky than having direct identifiers, but it still requires controls around it to ensure it is accessed and used appropriately.

The Joys of Aggregation

Using the same situation as above, let's imagine I'm now a door-to-door shampoo salesman (always my secret dream job). My shampoo is great for blonde hair, but absolutely awful for any other colour; it just makes it fall out.


I'm tired, it's been a long day, and I'm trying to decide whether it's worth knocking on the door to that room or whether I'll just go home. To make that evaluation, do I really need to know that there is one person in the room with black hair and one with red? Or do I just care whether there are blonde people in the room? Just talking about blonde hair wouldn't require Personal Data.

I could go more detailed and ask what percentage of people in the room have blonde hair, and as long as I didn't also know how many people were in the room (a percentage of a known total is just a count) that stands no chance of processing Personal Data either.

What we've just done is "aggregate" the data: rounded it up into groups to the point where it no longer identifies individuals. Aggregated data is wonderful for businesses and analytics, because as long as you're careful with the questions you ask, and especially careful if you start cross-referencing data sets (two safe-looking totals can be subtracted to reveal a group of one), there is still a broad range of analytics you can get done without ever processing Personal Data.

That's the beauty of aggregated data. Its usefulness shouldn't be underestimated.
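To turn the room examples, the direct/indirect identifier distinction and the aggregation idea into something you can run, here is an added Python example. It is mine, not code from the original post, and the room population is constructed. It treats "singles someone out" as a group-of-size-one check over whatever population is in scope, so the same description flips between Personal Data and not as people walk in; `risky_combinations` finds the smallest set of indirect identifiers that becomes identifying; and `aggregate` merges small cells so a shared count can't single anyone out. The `min_cell=2` threshold is my assumption, not something the post prescribes.

```python
from collections import Counter
from itertools import combinations

# Constructed sample population for the room in the scenario above: four
# blonde-haired people, one of them in a Hawaiian shirt. Made-up records,
# not data from the original post.
ROOM = [
    {"id": 1, "hair": "blonde", "shirt": "plain", "eyes": "blue"},
    {"id": 2, "hair": "blonde", "shirt": "hawaiian", "eyes": "brown"},
    {"id": 3, "hair": "blonde", "shirt": "plain", "eyes": "brown"},
    {"id": 4, "hair": "blonde", "shirt": "plain", "eyes": "blue"},
]


def group_sizes(people, attrs):
    """How many people share each combination of values of `attrs`."""
    return Counter(tuple(p[a] for a in attrs) for p in people)


def singled_out(people, attrs):
    """Value combinations of `attrs` that match exactly one person.

    In this population those descriptions are Personal Data; combinations
    shared by two or more people are not. The same attribute can land on
    either side depending on who is in the room, which is the context point.
    """
    return {combo for combo, n in group_sizes(people, attrs).items() if n == 1}


def k_anonymity(people, attrs):
    """Smallest group size for `attrs`; k == 1 means someone is identifiable."""
    return min(group_sizes(people, attrs).values())


def is_direct_identifier(people, attr):
    """An attribute whose every value singles out exactly one person."""
    return len(singled_out(people, (attr,))) == len(people)


def risky_combinations(people, attrs, max_size=None):
    """Minimal subsets of indirect identifiers that, combined, single someone out.

    If ('shirt',) alone singles someone out, ('hair', 'shirt') is not listed
    again: the point is the smallest combination that becomes Personal Data.
    """
    max_size = max_size or len(attrs)
    found = []
    for size in range(1, max_size + 1):
        for combo in combinations(attrs, size):
            if any(set(f) <= set(combo) for f in found):
                continue
            if singled_out(people, combo):
                found.append(combo)
    return found


def aggregate(people, attr, min_cell=2):
    """Counts per value of `attr`, safe to share under a small-cell rule.

    The smallest cells are merged into "other" until every remaining cell,
    and "other" itself, holds at least `min_cell` people (min_cell=2 is an
    assumed threshold; pick your own). Merging rather than blanking matters:
    with four blondes and one black-haired person, "blonde: 4" plus a known
    room size of 5 still singles out "the one who isn't blonde".
    """
    table = dict(Counter(p[attr] for p in people))
    other = 0
    while table and (min(table.values()) < min_cell or 0 < other < min_cell):
        smallest = min(table, key=table.get)
        other += table.pop(smallest)
    if other:
        table["other"] = other
    return table


if __name__ == "__main__":
    black = {"id": 5, "hair": "black", "shirt": "plain", "eyes": "brown"}
    red = {"id": 6, "hair": "red", "shirt": "plain", "eyes": "blue"}
    print(singled_out(ROOM, ("hair",)))                 # set()
    print(singled_out(ROOM, ("shirt",)))                # {('hawaiian',)}
    print(singled_out(ROOM + [black], ("hair",)))       # {('black',)}
    print(singled_out(ROOM + [black, red], ("hair",)))  # {('black',), ('red',)}
    print(k_anonymity(ROOM + [black], ("hair",)))       # 1
    print(is_direct_identifier(ROOM, "id"))             # True
    print(risky_combinations(ROOM, ("hair", "eyes", "shirt")))  # [('shirt',)]
    print(aggregate(ROOM + [black, red], "hair"))       # {'blonde': 4, 'other': 2}
    print(aggregate(ROOM + [black], "hair"))            # {'other': 5}
```

Widening the scope from the room to the building is just passing a longer list; the functions don't care where the population boundary is, which is exactly why the answer changes when it moves. Note what `aggregate` does for the five-person room: it collapses everything to `{'other': 5}`, because "4 of 5 are blonde" already describes the one person who isn't. That is the code's version of the post's point that "not blonde" is Personal Data until a second non-blonde person arrives.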


Living People Only?

And to end our discussion today, a bit of a curveball.

If you remember the details of our scenario, you'll remember that there was a large portrait of a man in the room. We don't know whether the man is still living, but for the sake of this let's say it's a very old portrait, so that's unlikely. The portrait is well done and quite capable of singling the person out in a crowd, just like a photograph or CCTV footage.

Under the GDPR it's clear: Recital 27 says the Regulation does not apply to the personal data of deceased persons (Member States may make their own rules for it), so something can only be Personal Data if the Data Subject it relates to is alive. That's not the end of it though; wouldn't it be lovely if it was?

Other privacy laws, like the CCPA in California, don't have that limitation captured in the text of the law. So a lot might depend here on what jurisdiction we're in. That's a little bit of context creeping in again.

The CCPA protects anyone that meets the definition of a "consumer" under the act, and a consumer is defined as "a natural person who is a California resident". The California Code of Regulations steps in and defines a resident as

  1. every individual who is in the State for other than a temporary or transitory purpose, and
  2. every individual who is domiciled in the State who is outside the State for a temporary or transitory purpose.

It fails to mention whether they need to be alive. Point 1 above doesn't say "living in the State", only that they must be present in the State.

There are no known cases where the CCPA has been cited where a Data Subject is not alive, so it's mostly a thought experiment, but the black letter of the law does remain unclear. We're left asking whether a deceased person can be a "resident" of California. Does it matter whether the individual is buried or cremated?

Feel free to leave your thoughts on this one in the comments as well, or direct message me. I want to be clear though, I'm not telling you that the CCPA does or doesn't apply to a deceased person, I don't know the answer for sure, I'm just raising questions.

This is only one example of where the various laws have grey areas, and sometimes open conflict between parts of themselves, with no guidance given. As privacy professionals we're left to interpret and apply the principles on our own, with the company ultimately answering to the regulators for our decisions. It can be nerve-wracking.

See You Next Time

We've covered a lot in this instalment, and I hope I managed to bring everyone through it together. Your head may be swimming, and that's fine; if you're completely new to Privacy then it should be at this stage. You don't have to understand everything right now; that will come with time and conversations with your mentor.

If I've helped you to build a basic frame around what Personal Data is and isn't, how it's affected by context, and how all of that begins to affect risk, then I've achieved what I hoped to today. As we move forward together, we'll hang more and more on this framework, filling it out until you have the understanding as well as the tools needed to apply it.

Next time we'll cover topics including what 'reasonable', 'fair' and 'accountable' might mean in practice, and how to actively demonstrate you're considering them in everything you do. It's all real-world application from here on out!

#theaccidentaldpo

Gabriela McGavock

Privacy Program Manager | CIPM | CIPP/US | CIPP/E

1 year ago

Again, a great post! I really like the use of real examples, it makes it so much easier to understand! Can't wait for the next one!

Facu A. Reyna, Biologist

People Connector | Team Builder Extraordinaire | Referrals Only | Nerd Enthusiast

1 year ago

And the fun continues! This is a great 3rd chapter of the series. Easy to read, easy to understand, great facts and explanations.

Nice highlight of the right partnership between Privacy, Data Protection and Legal stakeholders in helping navigate through this foggy area of regulation.

Cheryl Dean

Global AI & ML Talent Specialist | Tech Community Builder | AI for Good Advocate | Market Insights & Career Navigation | Re-humanising Hiring | Let's set up a call 07542030405

1 year ago

As ever Dan C., what an exhilarating journey through the vast world of privacy! I love how your use of scenarios really helps to open up the endless possibilities to us mere mortals!! Never again will I frown when a DPO says "it depends" #respect

Jaroslaw R.

Entrepreneur | Engineer | Geek | Father | Husband | Dog owner (order: random)

1 year ago

This is a great, approachable write-up. Cheers, Dan.
