On a privacy course I teach for system and network managers I suggest a scale of “privacy riskiness”, the idea there being that if you can achieve an objective using information from lower down the scale then you run less risk of upsetting your users and/or being challenged under privacy law. That scale is very much a rule of thumb, derived by a kind of reverse engineering from various bits of European and UK telecommunications law by assuming that the more conditions a law places on a particular type of information, the more privacy invasive it is.
A recent discussion on access management suggested that a similar rule of thumb for that application might be useful, so here it is, with very much the same caveat that it is derived by reverse engineering from multiple sources of varying authority. Those sources, and the reason I have interpreted them as I have, are in the notes below the table:
| Type | Description | Example | Notes | Legally |
|------|-------------|---------|-------|---------|
| 0 | Attributes that do not identify a unique user | eduPersonScopedAffiliation | 1 | Non-Personal Data |
| 1 | Indirect identifiers designed for privacy | eduPersonTargetedID | 1,2,3 | Personal Data |
| 2 | Indirect identifiers not designed for privacy | IP Address | 1,2,3 | Personal Data |
| 3 | Direct identifiers | Name, Address | 1,2 | Personal Data |
| 4 | E-mail address & fax number | | 1,2,4 | Personal Data |
| 5 | Location information | Mobile phone cell | 1,5 | Personal Data |
| 6 | Sensitive personal data | Health, race, religion, etc. | 1 | Sensitive Personal Data |
Notes
1. The European Data Protection Directive (DPD) only defines personal data (classes 1-5, DPD Article 2) and sensitive personal data (class 6, Article 8); since it doesn’t mention non-personal data I have put that in class 0.
2. The DPD (Article 2) mentions both information that can itself identify an individual (classes 3&4, sometimes referred to as “direct identifiers”) and information that is unique to an individual but where additional information is required to actually identify the individual (classes 1&2, sometimes called “indirect identifiers”). The DPD doesn’t distinguish between those types, but the Article 29 Working Party’s Opinion on the Concept of Personal Data does, and suggests that in some cases (e.g. Example 17) indirect identifiers may represent less of a privacy risk than direct identifiers. Case law across Europe differs on whether IP addresses (the only indirect identifier to be mentioned in court cases, as far as I know) are personal data or not, but this does not affect their position in the riskiness scale.
3. The Article 29 Working Party Opinion also recognises the difference between indirect identifiers that deliberately make it hard to make the link (e.g. using “cryptographic, irreversible hashing”, p.20) and those that do not.
4. The e-Privacy Directive (Article 13) awards additional protection to e-mail and fax addresses by requiring that consent be obtained before these can be used for direct marketing; for postal addresses the law allows an opt-out regime where marketing can be sent until the recipient objects.
5. The e-Privacy Directive (Article 9) requires prior consent to the processing of location data, together with the ability to temporarily opt out of it. Since these requirements are specified in greater detail than for e-mail addresses, I have put location information in a (slightly) more privacy-invasive class.
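To make concrete why a class 1 identifier such as eduPersonTargetedID sits below a class 2 identifier such as an IP address, here is an added illustration (not code from the original post or from any identity-provider product) of the “cryptographic, irreversible hashing” referred to in note 3: a per-service pseudonym derived with a keyed hash. The secret, the scope `example.ac.uk`, the principal names and the SP entityIDs are all constructed for the example, and the exact message layout is an assumption rather than any product’s algorithm.

```python
import base64
import hashlib
import hmac

# Constructed example values. In a real deployment the secret is a long random
# value held only by the identity provider and never released to any service.
IDP_SECRET = b"constructed-example-secret-do-not-reuse"
IDP_SCOPE = "example.ac.uk"  # hypothetical home-organisation scope


def targeted_id(principal: str, sp_entity_id: str, secret: bytes = IDP_SECRET) -> str:
    """Derive a per-service pseudonym in the style of eduPersonTargetedID.

    The value is an HMAC over (principal, SP entityID) keyed with an IdP-only
    secret, so linking the value back to the person needs that secret: the
    identifier is unique to the user (hence still personal data) but is
    designed so the service cannot reverse it or join it with other services.
    """
    message = f"{principal}!{sp_entity_id}".encode("utf-8")
    digest = hmac.new(secret, message, hashlib.sha256).digest()
    # Shorten to a URL-safe token and attach the IdP scope, as a scoped attribute would.
    token = base64.urlsafe_b64encode(digest).decode("ascii").rstrip("=")
    return f"{token}@{IDP_SCOPE}"


def linkable_across_services(principal: str, sp_a: str, sp_b: str) -> bool:
    """True if two services receive the same value for this user and could
    therefore join their records, as they could with a shared IP address
    (class 2). A correctly derived targeted ID returns False here."""
    return targeted_id(principal, sp_a) == targeted_id(principal, sp_b)


def reidentifies_without_secret(guess: str, sp_entity_id: str, observed: str) -> bool:
    """A service that knows the derivation and guesses the principal still
    cannot confirm the guess without the IdP secret: a different secret
    yields a different token, so the guess does not match the observed value."""
    attacker_secret = b"attacker-does-not-know-the-real-secret"  # constructed
    return targeted_id(guess, sp_entity_id, attacker_secret) == observed


if __name__ == "__main__":
    sp_a = "https://sp-a.example.org/shibboleth"  # constructed entityID
    sp_b = "https://sp-b.example.org/shibboleth"  # constructed entityID
    print("SP A sees:", targeted_id("alice", sp_a))
    print("SP B sees:", targeted_id("alice", sp_b))
    print("Linkable across SPs:", linkable_across_services("alice", sp_a, sp_b))
```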