Is it helpful to differentiate between Personal Data and Data of Persons?
Introduction
According the the GDPR Art. 4 (1). Personal data are any information which are related to an identified or identifiable natural person. When dealing with personal data, measurements must be in-place that comply to Confidentiality = High.
If you care about your data and don't want to find yourself in the position that a non-authorized person or process tampered with it, the access measurements you want to have in-place are similar to what is required for Confidentiality High; regardless if it is personal data or not.
However, when dealing with personal data, there is the obligation of the controller to conduct an impact assessment and to document it before starting the intended data processing. Basically, a data protection impact assessment must always be conducted when the processing could result in a high risk to the rights and freedoms of natural persons.
There are several risks that must be addressed, the one discussed in this article is 'personal data breach' and the implications this has.
The argument made in the remainder of this article is:
In relation to
- unauthorised disclosure there is no difference between personal data and data of persons
- the accidental or unlawful destruction, loss, alteration there is a case to be made to differentiate between personal data and data of persons, impacting:
- the measurements required, restrictions on data processing, and costs incurred
- the number of data breaches that must be reported to DPO
- When you do your DPIA and if applicable add:
- The accidental or unlawful destruction, loss, or alternation of the data during the processing and/or analysis does not impact the privacy of people involved.
Personal Data Breach
This is defined in article 4 (12) ‘personal data breach’ means a breach of security leading to
- the accidental or unlawful destruction,
- loss,
- alteration,
- unauthorised disclosure of,
- or access to,
- personal data transmitted,
- stored or otherwise processed;
There is a strong link with Integrity of the Data and the above. (see also: anDREa's CIA (BIV) Classification)
The GDPR is all about respecting and protecting the rights and freedoms of natural persons. To safeguards against the risk to these rights. With this in mind, the measurements needed for #4, #5, #6 are the same for personal data and data of persons. However, the case can be made that for #1 the accidental or unlawful destruction, #2 loss, and #3 alteration it makes a difference if the data is personal data or data of persons.
Let's illustrate this by substituting the word 'personal' with 'patient'. If patient data is compromised this can directly impact the treatment and thus the wellbeing of that patient. However, if the same data is used in a research setting where results do not impact the individual patient, compromising the data of the patient while it may impact the study, will not impact the wellbeing of that patient and thus has no impact on the privacy of that person.
The distinction is important for unlike in the care/cure setting, it is not uncommon in a research setting that data is being processed in all forms and manners.
If the same requirements would apply for personal data and data of persons, this means that every change not only must be documented and verified, but safeguards must be put in place that prevent this. Data storage costs easily double due to backups, significant restriction on what tooling for processing and analysis can be used, and 4-eye audit. While some studies may require this, most do not.
Apart from the above impact, if the distinction between personal data and data of persons cannot be made, any accidental or unauthorized change, according to the GDPR Personal Data Breach definition, must be reported to the DPO (Data Protection Officer) as a data breach. Failure to do so, can result in penalties and legal actions against natural persons or corporate entities.
Topic Participants
Stefan van Aalst