Tuesday, May 17, 2011

Trying to define “sensitive” data

Privacy laws need to ensure that there is a higher level of privacy protection for everyone’s sensitive personal data. There's universal consensus on that. So, it’s very important for laws to do a good job defining what should be considered “sensitive personal data”. It’s quite instructive to compare Europe’s definition (from 1995) with India’s (from 2011).

The European Data Protection Directive defines them as:

“personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of data concerning health or sex life.”

As I read this list, and having worked with its concepts for years, I find it quite unsatisfying. It is both far too broad, and far too narrow, at the same time. It’s far too broad, because it seems to extend exceptional privacy legal protection to banal and often public things, like “political opinions”, or “racial origin” when any photo of me will show I’m a white dude. And things like “trade union membership” or “racial origins” probably should not be protected by privacy laws, but rather by labor laws or anti-discrimination laws, as they generally already are. But it’s also far too narrow, because the European definition of sensitive personal data fails to include something as strikingly sensitive as, say, genetic data, or biometrics. Granted, the laws in some individual European countries got this right, like France, which already treats biometrics as sensitive. In my opinion, in the future, genetic/biometric data will become the most important category of what should be treated as sensitive, so laws that don’t include biometrics in the category of sensitive data have a big gap. Strangely, European law also does not include sensitive personal financial information in its list of “sensitive” categories.

Now, for comparison, here is India’s just revised categories of “sensitive” data:

unless freely available in the public domain or otherwise available under law, SPDI under the Rules is personal information which consists of information relating to:


financial information such as bank account, credit or debit card details as well as other payment instrument details,

physical, physiological and mental health condition,

sexual orientation,

medical records and history,

Biometric information (a defined term including fingerprints, eye retinas and irises, voice and facial patterns, hand measurements and DNA),

Any detail relating to the above when supplied for providing service, and

Any of the information described above received by an organization for processing, stored or processed under lawful contract or otherwise. “

When India drafted its privacy laws, it looked to Europe’s Directive, both for inspiration and to protect its out-sourcing industry. But Europe would do well to look to India for inspiration about how to modernize our data protection concepts. India's list of "sensitive personal data" strikes me as much more modern and relevant to privacy than the legacy of what we have in Europe.

1 comment:

gus said...


Thanks for digging up a useful comparison of the EU and Indian laws. We are doing what we can to draw attention to the developments in law across Asia (at least industry types are no longer arguing that Asians don't care about privacy because it isn't within their so-called culture).

But of course I have to disagree with you, just a little bit. Your own analysis is overly broad and too narrow.

Why claim 'racial origin' belongs only in discrimination law and not sexual orientation? As ever, corporate privacy folks seem to forget that we are using these same laws to fight against government surveillance which over the years, has made use of this type of information for data mining, even as they claim it is not discriminatory.

I agree entirely with your assessment of biometrics, and yet I think it is too narrow: any unique identifier that is able to bring together various characteristics of an individual is hazardous. And in a modern society and setting, as the Information Commissioner's Office noted in their response to the EC consultation, it is almost impossible to separate personal and non-personal information because of linkability. So if you extend your argument regarding biometrics, then nearly every form of personal information is linkable to another form of information, and thus deserves greater protection.