NATIONAL ACADEMY OF SCIENCES OF UKRAINE KYIV UNIVERSITY OF LAW ILONA GAVRONSKA GROUP IL-41 INTERNATIONAL LAW DEPARTMENT KYIV - 2011 Everyone has the right to the protection of personal data concerning him or her. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified. Compliance with these rules shall be subject to control by an independent authority. (Charter of Fundamental Rights of the European Union 2007/C 303/01) According to the Directive on the protection of personal data 1995 the data must be: Fairly and lawfully processed; Processed for limited purposes; Adequate, relevant and not excessive; Accurate; Kept no longer than necessary; Processed in accordance with the data subject's rights; Secure; Transferred only to countries with adequate protection. According to the Data Protection Act 1998 data means information which – (a) is being processed by means of equipment operating automatically in response to instructions given for that purpose, (b) is recorded with the intention that it should be processed by means of such equipment, (c) is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system, (d) does not fall within paragraph (a), (b) or (c) but forms part of an accessible record, or (e) is recorded information held by a public authority and does not fall within any of paragraphs (a) to (d). Personal data means data which relate to a living individual who can be identified– (a) from those data, or (b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller, and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual. It is important to note that, where the ability to identify an individual depends partly on the data held and partly on other information (not necessarily data), the data held will still be “personal data”. Sensitive personal data means personal data consisting of information as to – (a) the racial or ethnic origin of the data subject, (b) his political opinions, (c ) his religious beliefs or other beliefs of a similar nature, (d) whether he is a member of a trade union (within the meaning of the Trade Union and Labour Relations (Consolidation) Act 1992), (e) his physical or mental health or condition, (f) his sexual life, (g) the commission or alleged commission by him of any offence, or (h) any proceedings for any offence committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any court in such proceedings. DATA PERSONAL DATA SENSITIVE PERSONAL DATA Inaccurate data. Data are inaccurate if they are incorrect or misleading as to any matter of fact. Recipient means any person to whom the data are disclosed, including any person to whom they are disclosed in the course of processing the data for the data controller, but does not include any person to whom disclosure is or may be made as a result of, or with a view to, a particular inquiry by or on behalf of that person made in the exercise of any power conferred by law. Third party means any person other than – (a) the data subject, (b) the data controller, or (c) any data processor or other person authorized to process data for the data controller or processor. Data Controller is a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed. The U.S. government used the term "personally identifiable" in 2007 in a memorandum from the Executive Office of the President, Office of Management and Budget (OMB), which defines PII as follows: Information which can be used to distinguish or trace an individual's identity, such as their name, social security number, biometric records, etc. alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother’s maiden name, etc. According to the OMB, it is not always the case that PII is "sensitive", and context may be taken into account in deciding whether certain PII is or is not sensitive. THE FOLLOWING DATA, OFTEN USED FOR THE EXPRESS PURPOSE OF DISTINGUISHING INDIVIDUAL IDENTITY, CLEARLY CLASS AS PII UNDER THE DEFINITION USED BY THE OMB: Full name (if not common); National identification number; IP address (in some cases); Vehicle registration plate number; Driver's license number; Face, fingerprints, or handwriting; Credit card numbers; Digital identity; Birthday; Birthplace; Genetic information. THE FOLLOWING ARE LESS OFTEN USED TO DISTINGUISH INDIVIDUAL IDENTITY, BECAUSE THEY ARE TRAITS SHARED BY MANY PEOPLE. HOWEVER, THEY ARE POTENTIALLY PII, BECAUSE THEY MAY BE COMBINED WITH OTHER PERSONAL INFORMATION TO IDENTIFY AN INDIVIDUAL: First or last name, if common; Country, state, or city of residence; Age, especially if nonspecific; Gender or race; Name of the school they attend or workplace; Grades, salary, or job position; Criminal record. 19-year-old + female + who studies at KUL (private information which is not PII) + first name (information becomes PII) Another term similar to PII, "personal information" is defined in a section of the California data breach notification law, SB1386 as an individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted: social security number, driver's license number, etc. “Personal information" does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records. (1) Social security number (2) Driver's license number or California Identification Card number Individual's first name or first initial and last name (3) Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account. PERSONAL INFORMATION PERSONALLY IDENTIFIABLE INFORMATION John Smith Social Security Number 078-05-1120 The Constitution of Ukraine guarantees the right of privacy and data protection. Article 32 states: No one shall be subject to interference in his or her personal and family life, except in cases envisaged by the Constitution of Ukraine. The collection, storage, use and dissemination of confidential information about a person without his or her consent shall not be permitted, except in cases determined by law, and only in the interests of national security, economic welfare and human rights. The Personal Data Protection Act of Ukraine 2011: Personal data - information or complex information about the individual who is identified or can be specifically identified. Under Article 6 of the Personal Data Protection Act of Ukraine only data processed in personal databases shall be protected. The primary sources of information about an individual are: - documents issued to individual’s name; - documents signed by individual ; -data provided by individual about him/herself. Furthermore Article 1 eliminates from the scope of protection personal data processed by following categories: individual - only for personal unprofessional or household purposes; journalist - in connection with his business or profession; professional creative workers - for creative activity. The challenge is to find a way of putting people in control of their own data. The boundaries between what we’re prepared to share and what we want to keep private are ones we should be able to draw for ourselves, not ones that should be drawn for us by a government.