One of Jisc’s activities is to monitor and, where possible, influence regulatory developments that affect us and our customer universities, colleges and schools as operators of large computer networks. Since Janet and its customer networks are classified by Ofcom as private networks, postings here are likely to concentrate on the regulation of those networks. Postings here are, to the best of our knowledge, accurate on the date they are made, but may well become out of date or unreliable at unpredictable times thereafter. Before taking action that may have legal consequences, you should talk to your own lawyers. NEW: To help navigate the many posts on the General Data Protection Regulation, I've classified them as most relevant to developing a GDPR compliance process, GDPR's effect on specific topics, or how the GDPR is being developed. Or you can just use my free GDPR project plan.

Privacy Riskiness for Access Management

Wednesday, June 6, 2012 - 13:45

On a privacy course I teach for system and network managers I suggest a scale of "privacy riskiness", the idea being that if you can achieve an objective using information from lower down the scale then you run less risk of upsetting your users and/or being challenged under privacy law. That scale is very much a rule of thumb, derived by a kind of reverse engineering from various bits of European and UK telecommunications law on the assumption that the more conditions a law places on a particular type of information, the more privacy-invasive that information is.

A recent discussion on access management suggested that a similar rule of thumb for that application might be useful, so here it is, with very much the same caveat that it is derived by reverse engineering from multiple sources of varying authority. Those sources, and the reason I have interpreted them as I have, are in the notes below the table:

| Class | Type | Example | Notes | Legally |
|---|---|---|---|---|
| 0 | Attributes that do not identify a unique user | eduPersonScopedAffiliation | 1 | Non-Personal Data |
| 1 | Indirect identifiers designed for privacy | eduPersonTargetedID | 1, 2, 3 | Personal Data |
| 2 | Indirect identifiers not designed for privacy | IP address | 1, 2, 3 | Personal Data |
| 3 | Direct identifiers | Name, address | 1, 2 | Personal Data |
| 4 | E-mail address & fax number | | 1, 2, 4 | Personal Data |
| 5 | Location information | Mobile phone cell | 1, 5 | Personal Data |
| 6 | Sensitive personal data | Health, race, religion, etc. | 1 | Sensitive Personal Data |

Notes

  1. The European Data Protection Directive (DPD) only defines personal data (classes 1-5, DPD Article 2) and sensitive personal data (class 6, Article 8); since it doesn't mention non-personal data I have put that in class 0.
  2. The DPD (Article 2) mentions both information that can itself identify an individual (classes 3 & 4, sometimes referred to as "direct identifiers") and information that is unique to an individual but where additional information is required to actually identify the individual (classes 1 & 2, sometimes called "indirect identifiers"). The DPD doesn't distinguish between those types, but the Article 29 Working Party's Opinion on the Concept of Personal Data does, and suggests that in some cases (e.g. Example 17) indirect identifiers may represent less of a privacy risk than direct identifiers. Case law across Europe differs on whether IP addresses (the only indirect identifier to be mentioned in court cases, as far as I know) are personal data or not, but this does not affect their position in the riskiness scale.
  3. The Article 29 Working Party Opinion also recognises the difference between indirect identifiers that deliberately make it hard to make the link (e.g. using "cryptographic, irreversible hashing", p.20) and those that do not.
  4. The e-Privacy Directive (Article 13) awards additional protection to e-mail and fax addresses by requiring that consent be obtained before these can be used for direct marketing; for postal addresses the law allows an opt-out regime where marketing can be sent until the recipient objects.
  5. The e-Privacy Directive (Article 9) requires prior consent, and the ability to temporarily opt out, for processing of location data. Since these requirements are specified in greater detail than those for e-mail addresses, I have put location information in a (slightly) more privacy-invasive class.