Data Collection
What data is collected about you? And how is it collected?
The data collection
This category is where it all starts: what data is collected about you? We distinguish four different types of data that an organisation can collect about you: aggregated data, personal data, sensitive personal data and special categories of personal data.
This category of the label also describes how the different types of data are being collected.
How data is collected
In the label we distinguish five ways of data collection.
- ‘We receive from you’: This is data an organisation receives directly from the user or customer.
- ‘We receive from others’: This is data an organisation receives from another organisation.
- ‘We observe’: This is personal data an organisation observes, for instance by surveillance or tracking.
- ‘We created’: This is data an organisation creates, for instance by scoring someone or gaining new insights by combining information.
- ‘We purchase’: This is data an organisation purchases or ‘rents’ from another organisation. For instance, when a dataset is purchased or when the organisation pays for access to personal data.
Four different types of data
In the Privacy Label we distinguish four different sorts of data.
Aggregated Data
This is non-personal data or pseudonymised personal data that is derived from personal data, or that could become personal data when combined with more information.
Personal Data
This is any and all information relating to an identified or identifiable natural person.
Sensitive Personal Data
Some personal data is more sensitive than others. Sensitive data could lead to stigmatisation or exclusion of the data subject.
Special Categories of Personal Data
Special categories of personal data have a separate status within the GDPR. There are strict rules attached to processing these kinds of personal data.
Aggregated Data
Aggregated data is generalised or pseudonymised data which does not connect directly to you but does describe you in some manner. For example: the first two digits of your area code, the general level of education within your company or a chart of spending patterns in your supermarket.
Personal data is usually aggregated in order to protect your privacy. The first two digits of your area code are less likely to invade your privacy than your whole address. However, by combining different sorts of aggregated personal information, someone might still identify you.
Examples:
- Pseudonymised medicine usage of patients - A table with information on when patients took certain medicine, however the patient's name is changed to a random number.
- Crime statistics per neighborhood - A map which tells you where most crimes are committed and by what group of people.
Personal Data
In the General Data Protection Regulation (GDPR), personal data is described as any information (1), relating or related to (2), an identified or identifiable (3) natural person (4). But what does this mean?
1 - Any information: not only written down or digital, but anything that provides information.
2 - Relating or related to: which tells you something about someone.
3 - An identified or identifiable: someone who can be pointed out in any way.
4 - Natural person: a living human being.
In conclusion, personal data is all information that makes you, you.
In the Privacy Label we call all non-sensitive information about you (normal) personal data. Non-sensitive personal data is data which is not likely to harm or embarrass you when it is out in the open. For instance, information about who you are, where you live, your (online) behaviour or what you like and don’t like.
Examples:
- Who you are - For instance, your name, information about where you live, where you work or your favourite colour.
- Things you like - Think of your hobbies, who your friends are, which websites you like to visit or if you like to be in nature or in a more urban area.
Sensitive Personal Data
Some personal data is more sensitive than others. Sensitive data could lead to stigmatisation or exclusion of the data subject.
Examples of sensitive data:
- usernames, passwords and other login details
- data concerning a financial or economic situation, relationship problems, school performance of children
- data which can be used for (identity) fraud
How the information can be misused:
- Your income - You might not want others to know if you have a high or low income, since that might lead to embarrassing or awkward situations.
- Relationship problems - You might not want to air your dirty laundry in public or have others know you have relationship problems.
Special categories of personal data
Special categories of personal data have a separate status within the GDPR. There are strict rules attached to processing these kinds of personal data.
A hack or a data breach of this data can pose a major risk to the person(s) involved. This is why, in principle, there is a general prohibition on the processing of these data. The data may only be processed if there is a specific exception in the law. One of these exceptions is when someone has given his or her explicit consent.
The GDPR specifies a strict list of what are special categories of personal data.
These special categories of personal data are: Racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, medical data, data concerning someone’s sex life or sexual orientation and criminal records.
Examples:
- Your fingerprint - Maybe you can unlock your smartphone with your fingerprint. Your fingerprint is unique and is a form of biometric personal data.
- An x-ray of a broken bone - An x-ray scan tells something about your health and is therefore a form of medical personal data.