DEFINITION OF PERSONAL DATA

NATIONAL ACADEMY OF SCIENCES OF UKRAINE
KYIV UNIVERSITY OF LAW
ILONA GAVRONSKA
GROUP IL-41
INTERNATIONAL LAW DEPARTMENT
KYIV - 2011
Everyone has the right to the protection of personal data
concerning him or her.
Such data must be processed fairly for specified purposes and
on the basis of the consent of the person concerned or some other
legitimate basis laid down by law. Everyone has the right of access to
data which has been collected concerning him or her, and the right to
have it rectified.
Compliance with these rules shall be subject to control by an
independent authority.
(Charter of Fundamental Rights of the European Union 2007/C 303/01)
According to the Directive on the protection of personal data 1995 the data must be:
- Fairly and lawfully processed;
- Processed for limited purposes;
- Adequate, relevant and not excessive;
- Accurate;
- Kept no longer than necessary;
- Processed in accordance with the data subject's rights;
- Secure;
- Transferred only to countries with adequate protection.
According to the Data Protection Act 1998 data means information which –
(a) is being processed by means of equipment operating
automatically in response to instructions given for that
purpose,
(b) is recorded with the intention that it should be
processed by means of such equipment,
(c) is recorded as part of a relevant filing system or with
the intention that it should form part of a relevant filing
system,
(d) does not fall within paragraph (a), (b) or (c) but forms
part of an accessible record, or
(e) is recorded information held by a public authority and
does not fall within any of paragraphs (a) to (d).
Personal data means data which relate to a living
individual who can be identified–
(a) from those data, or
(b) from those data and other information which
is in the possession of, or is likely to come into
the possession of, the data controller,
and includes any expression of opinion about the
individual and any indication of the intentions
of the data controller or any other person in
respect of the individual.
It is important to note that, where the ability to identify an individual depends partly on the data held and partly on other information (not necessarily data), the data held will still be "personal data".
Sensitive personal data means personal data consisting
of information as to –
(a) the racial or ethnic origin of the data subject,
(b) his political opinions,
(c) his religious beliefs or other beliefs of a similar nature,
(d) whether he is a member of a trade union (within the meaning
of the Trade Union and Labour Relations (Consolidation) Act
1992),
(e) his physical or mental health or condition,
(f) his sexual life,
(g) the commission or alleged commission by him of any offence,
or
(h) any proceedings for any offence committed or alleged to have
been committed by him, the disposal of such proceedings or
the sentence of any court in such proceedings.


[Diagram: DATA, PERSONAL DATA, SENSITIVE PERSONAL DATA]

Inaccurate data. Data are inaccurate if they are incorrect or misleading as to
any matter of fact.
Recipient means any person to whom the data are disclosed, including any
person to whom they are disclosed in the course of processing the data
for the data controller, but does not include any person to whom
disclosure is or may be made as a result of, or with a view to, a particular
inquiry by or on behalf of that person made in the exercise of any power
conferred by law.
Third party means any person other than –
(a) the data subject,
(b) the data controller, or
(c) any data processor or other person authorized to process data for the data
controller or processor.
Data Controller is a person who (either alone or jointly or in common with
other persons) determines the purposes for which and the manner in
which any personal data are, or are to be, processed.
The U.S. government used the term "personally
identifiable" in 2007 in a memorandum from the Executive
Office of the President, Office of Management and
Budget (OMB), which defines PII as follows:
Information which can be used to distinguish or trace an
individual's identity, such as their name, social security
number, biometric records, etc. alone, or when combined
with other personal or identifying information which is
linked or linkable to a specific individual, such as date
and place of birth, mother’s maiden name, etc.
According to the OMB, it is not always the case that PII is
"sensitive", and context may be taken into account in
deciding whether certain PII is or is not sensitive.
THE FOLLOWING DATA, OFTEN USED FOR THE EXPRESS PURPOSE OF DISTINGUISHING INDIVIDUAL IDENTITY, CLEARLY CLASS AS PII UNDER THE DEFINITION USED BY THE OMB:
- Full name (if not common);
- National identification number;
- IP address (in some cases);
- Vehicle registration plate number;
- Driver's license number;
- Face, fingerprints, or handwriting;
- Credit card numbers;
- Digital identity;
- Birthday;
- Birthplace;
- Genetic information.
THE FOLLOWING ARE LESS OFTEN USED TO DISTINGUISH INDIVIDUAL IDENTITY, BECAUSE THEY ARE TRAITS SHARED BY MANY PEOPLE. HOWEVER, THEY ARE POTENTIALLY PII, BECAUSE THEY MAY BE COMBINED WITH OTHER PERSONAL INFORMATION TO IDENTIFY AN INDIVIDUAL:
- First or last name, if common;
- Country, state, or city of residence;
- Age, especially if nonspecific;
- Gender or race;
- Name of the school they attend or workplace;
- Grades, salary, or job position;
- Criminal record.
19-year-old + female + who studies at KUL
(private information which is not PII)
+ first name
(information becomes PII)
Another term similar to PII, "personal information", is
defined in a section of the California data breach
notification law, SB1386, as an individual's first name or
first initial and last name in combination with any one
or more of the following data elements, when either the
name or the data elements are not encrypted: social
security number, driver's license number, etc.
"Personal information" does not include publicly
available information that is lawfully made available to
the general public from federal, state, or local
government records.
Individual's first name or first initial and last name
(1) Social security number
(2) Driver's license number or California Identification Card number
(3) Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account.
[Diagram: PERSONAL INFORMATION and PERSONALLY IDENTIFIABLE INFORMATION; example shown: John Smith, Social Security Number 078-05-1120]
The Constitution of Ukraine guarantees the right of
privacy and data protection.
Article 32 states: No one shall be subject to
interference in his or her personal and family life,
except in cases envisaged by the Constitution of
Ukraine.
The collection, storage, use and dissemination of
confidential information about a person without his
or her consent shall not be permitted, except in cases
determined by law, and only in the interests of
national security, economic welfare and human rights.
The Personal Data Protection Act of Ukraine 2011:
Personal data - information or complex information
about the individual who is identified or can be
specifically identified.
Under Article 6 of the Personal Data Protection Act
of Ukraine only data processed in personal
databases shall be protected.
The primary sources of information about an
individual are:
- documents issued in the individual's name;
- documents signed by the individual;
- data provided by the individual about him/herself.
Furthermore, Article 1 excludes from the scope of
protection personal data processed by the following categories:
- individual - only for personal unprofessional or
household purposes;
- journalist - in connection with his business or
profession;
- professional creative workers - for creative activity.

The challenge is to find a way of putting
people in control of their own data. The
boundaries between what we’re prepared to
share and what we want to keep private are
ones we should be able to draw for
ourselves, not ones that should be drawn for
us by a government.