The Information Commissioner's Office (ICO) outlined its view in a new paper in which it analysed the European Commission's proposed new EU Data Protection Regulation "article-by-article".
Under the Commission's proposed new regime, the processing of sensitive personal data that reveals individuals' "race or ethnic origin, political opinions, religion or beliefs, trade-union membership, and the processing of genetic data or data concerning health or sex life or criminal convictions or related security measures" would generally be prohibited wherever the individual had not consented to processing or where one of three specifically listed circumstances allowing processing, relating to employment, protecting the "vital interests" of individuals and the activities of non-profit seeking bodies, had not been met.
The ICO said that it has "reservations" about categorising data as 'sensitive' by default, and said that a new reformed data protection law framework should account for the "purpose" of processing instead.
"We believe that the wording should be narrower than [proposed] so that the processing would only be caught if its purpose was to reveal, analyse etc. a person’s ethnic origin, race and the like," the ICO said in its analysis paper. (82-page / 495KB PDF) "It is also very difficult to define political opinions, religion or beliefs."
"We have always had reservations about the general concept of non-contextual sensitive data categories. However, this approach is a part of the European mainstream and is unlikely to be dropped. We do think though that sensitivity ought to reflect as far as possible the ‘average citizen’s’ conception of what is sensitive – it is odd therefore that financial details are excluded from the definition. However, a record of trade union membership or a note in an HR file saying that an individual has been ill with a cold is sensitive. One possibility would be for the category to be narrowed to include only genuinely sensitive personal data, such as health records, and combine this with some notion of context and risk posed to individuals," it said.
In its paper the ICO called for 'pseudonymised' data to be considered to be personal data, but it said that organisations should not be required to adhere to all the rules set out in the draft reforms in relation to the treatment of every piece of information that can be labelled as identifiable data.
"There is clearly considerable debate about whether certain forms of information are personal data or not," the ICO said. "This is particularly the case with individual-level but non-identifiable - or not obviously identifiable data - such as is found in a pseudonymised database. We prefer a wide definition of personal data, including pseudonymised data, provided the rules of data protection are applied realistically, for example security requirements but not subject access."
"If there is to be a narrower definition it is important that it does not exclude information from which an individual can be identified from its scope. However, it is important to be clear that a wide definition plus all the associated rules in full would not work in practice. This is a real issue in contexts as diverse as medical research and online content delivery," the watchdog said.
The paper also detailed the watchdog's concerns that the Commission's proposed data protection regime could present organisations with "onerous" and "pointless" barriers to processing personal data. This is because the rules requiring organisations to obtain individuals' consent to that processing could be construed as too strict in some cases, it said.
"While we welcome the high standard of consent ... it is important that the strengthening of consent does not leave data controllers without a lawful basis for processing which is either necessary or unobjectionable," it said. "Usually, there need to be alternatives to consent."
Organisations operating in the EU would generally have to obtain explicit, freely given, specific and informed consent from individuals in order to be able to lawfully process their personal data under the European Commission's draft data protection framework. Consent would not be able to be gleaned through silence or inactivity on the part of individuals and instead must be obtained through a statement or "clear affirmative action" before it can be said to have been given.
However, the Commission's plans state that organisations could not claim to have obtained individuals' consent to personal data processing in cases where "there is a significant imbalance between the position of the data subject and the controller".
The ICO said that organisations should still be able to process the personal data of individuals in some cases where there is an "imbalanced relationship" between data subjects and controllers.
"Determining whether there is a ‘significant imbalance’ between an individual and a data controller is difficult to do in practice," the ICO said. "Whilst we fully accept that genuine consent depends on freedom of choice, it is still possible to have genuine consent within a basically ‘imbalanced’ relationship – for example in respect of certain aspects of employer – employee data processing."
The watchdog also raised concerns about the Commission's proposals which would put in place rules whereby organisations would have to notify data protection authorities and the public when they experience personal data breaches. Where encrypted data is lost but the "decryption key remains safe", organisations should not be said to have suffered a 'personal data breach', it said.
In an initial analysis of the Commission's draft Regulation last year the ICO warned that EU data protection authorities would not be able to hold companies based outside the EU accountable to the proposed regime. It repeated those concerns in its latest publication on the reforms.