Data Sensitivity: Proposals for Resolving the Conundrum
| Author | Karen McCullagh |
| Pages | 190-201 |
The concept of 'sensitive' data was first considered for introduction into international law by the expert group drafting the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (1980).2 Sweden and the German state of Hesse had already incorporated the concept into national and state law.3 Ultimately the drafters of the Guidelines decided not to include extra safeguards for designated categories of sensitive data. The absence of safeguards seems to be partly due to a failure to achieve consensus on which categories of data deserve special protection, as the guidelines state:
...it is probably not possible to define a set of data which are universally regarded as being sensitive.
(para 19 (a)).
Moreover, this approach may also reflect the belief that personal data is not categorically deserving of protection, but instead that appropriate protection is dependent upon the context in which the data are used.
Although the Guidelines are not binding on OECD Member States, they have influenced the enactment of data protection legislation in both EU and non-EU member countries, such as Australia, New Zealand and Hong Kong. Recently, the twenty-one Asia-Pacific Economic Cooperation (APEC) member economies4 adopted the APEC Privacy Framework, which claims that its Framework is 'consistent with the core values' of the Guidelines.5 However, since the guidelines were not legally binding on any of the member countries, they did not serve as the international data protection law that they were intended to be (Walczuch & Steeghs, 2001). Indeed, experts opined that the guidelines overemphasised the principle of unrestricted trans-border data flows at the expense of the privacy interest of the data subjects (Ellger, 1987).6 Furthermore, Kirby7 conducted a review of the Guidelines and suggested that they need to be updated to include new privacy principles appropriate for contemporary technology, such as internet-based automatic profiling.
Thereafter the concept of sensitive data was introduced into international law through the Council of Europe Convention For The Protection of Individuals With Regard To Automatic Processing Of Personal Data (1981).8 Although the Explanatory Report9 advocates a context-based approach to determining risk of harm from personal data processing, it recognises exceptional cases where the processing of certain categories of data may encroach on individual rights and privacy interests.10 These 'sensitive' categories are listed in Article 6 as:
Personal data revealing racial origin, political opinions or religious or other beliefs, as well as personal data concerning health or sexual life, may not be processed automatically unless domestic law provides appropriate safeguards. The same shall apply to personal data relating to criminal convictions.
Paragraph 44 of the Explanatory Report states that "revealing ... political opinions, religious or other beliefs" also covers activities resulting from such opinions or beliefs. Paragraph 45 indicates that "personal data concerning health" includes information concerning the past, present and future, physical or mental health of an individual. The information may refer to a person who is sick, healthy or deceased. This category of data also covers those relating to abuse of alcohol or the taking of drugs.
The categories listed in Article 6 are not meant to be exhaustive. Rather, the Convention provides that a Contracting State should be free to include other categories of sensitive data. Data sensitivity depends on the legal and sociological context of the country concerned:
Information on trade union membership for example may be considered to entail as such a privacy risk in one country, whereas in other countries it is considered sensitive only in so far as it is closely connected with political or religious views. (para 48)
The Council of Europe Convention, in contrast with the OECD guidelines, had to be incorporated into domestic law by the countries that acceded to it. However, not all the Member States passed data protection laws and in those which did, the laws were not all consistent with one another. For instance, the UK law did not cover any manual data, whereas the Hesse data protection law did. The UK had a detailed system of registration, whereas others did not.11 Hence, the Convention did not succeed in bringing about the full harmonization of data protection laws.
Subsequently, the United Nations issued Guidelines for the Regulation of Computerized Personal Data Files (1990),12 which addressed the issue of sensitive data under a Principle of non-discrimination. The Guidelines defined such data as:
...data likely to give rise to unlawful or arbitrary discrimination, including information on racial or ethnic origin, colour, sex life, political opinions, religious, philosophical and other beliefs as well as membership of an association or trade union, should not be compiled.13
This international treaty is broader than the Council of Europe convention (discussed above), as it includes the categories ethnic origin and colour. In addition, it includes membership of trade unions or other associations. However, it does not include criminal convictions or health data. Both the convention and the guidelines provided States with opportunities to regulate risks stemming from the processing of personal data by applying an internationally approved regulatory model. Indeed, they remained free to enact rules that better fulfilled their requirements, or even to abstain from any legislative action. Table 1 displays the categories of data listed as sensitive in the three pieces of international legislation discussed in the preceding section.
[TABLE NOT INCLUDED]
As time passed, an increasing number of countries introduced data protection laws, and tighter restrictions on trans-border data flows were implemented. Many countries with strong data protection interdicted the transfer of protected data to countries with less strong or no data protection measures. This severely impeded the business of some multinational companies. An example of this occurred in 1989, when French authorities halted the transfer of personnel records from Fiat's French office to the Italian base office because Italy had no data protection legislation at that time, while France had high levels of protection (Mei, 1993).14
In order to remove obstacles to the free movement of data without diminishing the protection of personal data, the European Commission decided to harmonize data protection and proposed Directive 95/46/EC (the Directive).15 The Directive includes a provision that sensitive data must be more stringently protected.16 Such data is defined in Article 8 (1) as:
Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and ... data concerning health or sex life.
Article 8(5) also makes special provision for criminal records and the like:
Processing of data relating to offences, criminal convictions or security measures may be carried out only under the control of official authority, or if suitable specific safeguards are provided under national law, subject to derogations which may be granted by the Member State under national provisions providing suitable safeguards...
Thus, the principle of sensitivity holds that the processing of eight types of data should be subject to stricter controls than other types of personal data. The Directive differs from the Council of Europe's approach in two main respects: 1) it includes trade union membership as a specific category of sensitive data; 2) the list is considered exhaustive, whereas the Council of Europe list is merely indicative. The Directive differs from the UN Guidelines as it lacks a category of data on colour or membership of association, but includes a category of criminal convictions. A more radical difference exists between the Directive and the OECD guidelines, in which drafters adopt a contextual approach and do not specifically enumerate special categories of sensitive data.
It is important to review the continuing relevance of existing categories of sensitive data in the Directive in the light of changes in societal structures and advances in technology. In the pre-computer era, data processing was not automatic and large-scale, uncontrolled surveillance was costly, thus providing natural barriers for privacy protection. These natural barriers disappeared gradually in the mid 1960s because computerized technology for processing an increasing amount of information needed to develop social welfare-states was available at faster speeds and lower costs.17 Also, business organizations owning large amounts of records started to use computers. By the 21st century, businesses are such that customers expect them to operate at all times. It is not only the e-commerce world that experiences this situation. All types of organizations - including health care, financial, manufacturing, and services - operate around the clock, or at least their computer systems do. Even when no humans are around, computers are available to take and place orders, send orders to the warehouse, and manage financial...