As you can see, there are many types of personal data. In the case of certain types of personal data, there seems to be little risk when these are shared within a particular context, such as your name and address when ordering on the internet. Other types of personal data are, by definition, far more sensitive, such as your sexual orientation, membership of a political party, or religious affiliation. The disclosure of such sensitive personal data can lead to undesirable or even dangerous situations in several contexts.

What are personal data?

 In other words, your personal data deserve proper protection. The protection of these personal data has been laid down in the General Data Protection Regulation (GDPR). The GDPR is a European regulation that standardises the rules for the processing of personal data by private companies and public authorities across the European Union.

In addition to this protection, the GDPR also serves a second purpose, namely to promote the exchange of personal data within the EU. Both purposes are relevant for researchers: in research involving personal data, they want to be able to collect, process, and publish the data in the best possible way, but they must also take appropriate measures to protect the collected personal data as well as possible. This is something we will explore in more detail in Module 2.

 

To understand whether it is necessary to take certain measures for the protection of personal data in research, it is first important to have a proper understanding of what personal data actually are. The definition used by the GDPR (Article 4.1 Definitions) is as follows:

Personal data: any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.


Indirect and direct

There are many types of personal data. An important distinction can be made between directly and indirectly traceable personal data. But what exactly are directly and indirectly traceable personal data? Why is it also relevant to properly protect indirectly traceable personal data? And how can you identify unique individuals by linking datasets consisting of indirectly traceable personal data?

 

The GDPR itself does not distinguish between directly and indirectly traceable personal data; both are regarded as personal data. As soon as someone can be identified as a unique individual in any way via directly or indirectly traceable data, these data are regarded as personal data. As research support staff, it is therefore very important to be aware that the scope of personal data is broader than just a first and last name or a BSN (Dutch citizen service number).

 

Indirectly traceable personal data can therefore be almost anything. As long as links can be established between databases, so that a unique individual can be identified by combining indirectly traceable personal data with other traceable personal data, such data must be protected under the GDPR to the same extent as directly identifiable personal data, which are more quickly recognised as personal data. For researchers, this is all the more relevant since many research projects are set up precisely with the objective of collecting ‘quasi-identifiers’, such as emotions, opinions, disorders, etc. These too are personal data, albeit indirectly traceable.
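The point above about combining indirectly traceable data, as an added example that is not part of the original course text: a check a data steward could run before a dataset is shared, counting how many records become unique once several quasi-identifiers are combined. The records, column names and function names are constructed for illustration.

```python
from collections import Counter
from itertools import combinations

# Constructed sample: no names or ID numbers, only indirectly traceable attributes.
RECORDS = [
    {"postcode": "1011", "birth_year": 1984, "gender": "F"},
    {"postcode": "1011", "birth_year": 1984, "gender": "M"},
    {"postcode": "1011", "birth_year": 1990, "gender": "F"},
    {"postcode": "1012", "birth_year": 1990, "gender": "M"},
    {"postcode": "1012", "birth_year": 1984, "gender": "F"},
    {"postcode": "1012", "birth_year": 1990, "gender": "M"},
]
QUASI_IDENTIFIERS = ("postcode", "birth_year", "gender")  # assumed column names


def group_sizes(records, columns):
    """Count how many records share each combination of values in `columns`."""
    return Counter(tuple(r[c] for c in columns) for r in records)


def unique_records(records, columns):
    """Return the records that are the only one with their value combination."""
    sizes = group_sizes(records, columns)
    return [r for r in records if sizes[tuple(r[c] for c in columns)] == 1]


def audit(records, quasi_identifiers):
    """For every subset of quasi-identifiers, return (smallest group size,
    number of records that are unique on that subset)."""
    report = {}
    for n in range(1, len(quasi_identifiers) + 1):
        for cols in combinations(quasi_identifiers, n):
            sizes = group_sizes(records, cols)
            singles = sum(1 for size in sizes.values() if size == 1)
            report[cols] = (min(sizes.values()), singles)
    return report


if __name__ == "__main__":
    for cols, (smallest, singles) in audit(RECORDS, QUASI_IDENTIFIERS).items():
        flag = "REVIEW" if smallest == 1 else "ok"
        print(f"{' + '.join(cols):35} smallest group={smallest} unique={singles} {flag}")
```

In this sample no single column singles anyone out, yet every pair of columns does, which is why each combination is checked rather than each column on its own.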

 

Identifiable

In the parliamentary history of the Dutch Personal Data Protection Act (Wet bescherming persoonsgegevens, WBP; in Dutch only), the provision containing the same definition explains that directly identifiable data are those that can be used to unequivocally establish the identity of an individual in a straightforward manner. These include data such as name, address, and date of birth which, when combined, are so unique and therefore specific to a particular individual that this individual can be broadly identified with certainty or with a high degree of probability.

Such data are also used in social and economic life to distinguish individuals from one another. It is different when the data cannot be used to identify a particular individual directly but can be linked to a particular individual by taking a few further steps. This type of data is called indirectly identifiable data. Even if the name of the individual is removed from this type of data, a particular individual’s identity can still be derived under certain circumstances by combining these data with other data. See Parliamentary Papers II 1997/98, 25892, 3, p. 14-15 (in Dutch only); see also WP29, Opinion 4/2007 on the concept of personal data (WP136), 20 June 2007, p. 13-14.

 Source: Text & Commentary Privacy and Data Protection Law, Definitions in: Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, Article 4, Definitions.



In the Spotlight