The 13th World Congress of Bioethics this year was held, from 14 to 17 June, in Edinburg and various ethical topics were debated during conferences days. I would like to write about a lecture given by Professor Onora O’Neill entitled “Public Goods and Private Data”. This lecture discussed whether the European Union (EU) directive’s regarding data protection requirements is sufficient to protect the rights of privacy when performing research involving data that can be linked to research participants.
The regulation was enacted in April 2016 and will be implemented in May 2018. It introduces some changes in order to improve individuals’ control of data classified as personal. However, this regulation appears to use a data protection approach that doesn’t address the persistent difficulties of data protection. Hence, the question remains: does the data protection plan in the EU directive offers an adequate means of protecting privacy?
Professor O’Neill specified that the regulations are confusing and may be difficult or impossible to implement. The weakness of the new regulation, similar to its predecessor, seeks to regulate and control all nuances of personal data. Its definition of personal data unfortunately is still ambiguous and the regulation omits to draw a distinction between personal data (that need to be regulated) and non-personal data (that does not need to be regulated). The new regulations define personal data as:
« any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person; ».
So, I agree that distinction between personal and non-personal data must be resolved, but my questions are: can we effectively, specify what is personal and what is non-personal? Will not “personal data” definition be influenced by the context, religion, conditions…..?
According to the new regulation data processing in defined as
« data processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction; ».
However, and according to the lecturer, new technologies make it easier not to “snoop” or “spy”, but to assemble and connect content (personal and no-personal data) and to draw inferences including inferences about matters that people want to keep private or confidential and those that will not be easily discovered. The real question is how to regulate the collection, processing, control and conception of all data not just of utterly personal data? Hence, in order to protect the privacy, more specific control over action on data (personal or non personal) is needed.
Finally, the lecturer recommended that confidentiality offers a better way to protect privacy, since it demands the information of every sort, be it personal or non personal, as it’s received or held. I still wonder if, in practice, this can be a good approach to protect privacy? This requires a broad reflection.