Module 4 Handbook
Site: CABI Academy
Course: Data Sharing Toolkit Learning Materials
Introduction
This handbook is designed to help you to answer the Module 4 activity questions.
You may find data is unable to reach those who need it because of fears over collecting, using and sharing personal data.
This module will enable you to:
- identify personal, sensitive personal and sensitive commercial data
- understand ownership and rights relating to personal data
- understand the role of data protection regulations
- master techniques to reduce the risks of handling personal data
Definitions
Personal data
Information relating to an identified or identifiable natural person.
Sensitive personal data
Personal data that is afforded extra protection due to its nature.
For example:
- genetic data
- health records
- data that can potentially be used to discriminate
Sensitive commercial data
Non-personal data that may be deemed sensitive because its use and sharing may result in harmful impacts.
For example:
- business income
- locations of things
It is your responsibility as a data handler to:
- minimise harmful impacts of data use and sharing
- investigate country-specific definitions and categories of data type and sensitivity according to data protection regulations
Who owns personal data?
3 key points you should remember:
1: You own work and have certain intellectual property rights when you put intellectual effort (thought) into its creation
2: Not all data about you is your data. But because it is about you, you have rights over it.
3: You must engage with data protection regulations to protect the rights of individuals.
The importance of understanding who owns personal data
You will need to engage with in-country and international data protection regulations.
This is guidance that:
- accounts for significant growth in online interaction
- identifies what individuals' rights are over data about them
- makes clear the lawful basis for using, storing and retaining personal data
- protects the privacy and rights of the people the data is about
The rights of individuals over personal data
As a data handler, you should be able to engage with the following rights, which are emerging globally. Some are based in data protection regulations, others are best practice.
Right to be informed
Individuals have the right to be informed about how personal data about them is collected and used.
This information should be:
- presented in a privacy notice
- presented to the individual when data is collected
- specific
- written in clear, concise language and easily accessible
Right to access (subject access requests)
People have the right to request a copy of the personal information about them.
Exceptions include:
- information used for criminal proceedings
- other sensitive legal obligations
Right to rectification
Individuals have the right to have personal data corrected if it is inaccurate or incomplete.
The data controller also has responsibilities to ensure the data is corrected if it is shared with others.
Right to be forgotten
The right to be forgotten (or the right to data erasure) entitles an individual to direct the controller to:
- erase personal data about them
- cease further sharing of the data
- potentially halt processing of the data by third parties
Right to restrict processing
Individuals have a right to ‘block’ or suppress processing of personal data.
Such rights can be exercised when the:
- accuracy of the personal data is contested
- individual has objected to the processing (only in the case of performance of a public task or legitimate interest)
- processing is unlawful
- data is needed for future reference but should no longer be processed
Right to data portability
Individuals can request that personal data about them be transferred directly to another controller.
For example, the global open banking initiative allows customers to directly transfer personal data between financial service providers, meaning you can change bank without having to fill in endless forms.
Right to object or withdraw consent
If the lawful basis for processing is based on having consent, the individual has the right to withdraw that consent at any time.
The process of withdrawing consent must be as easy as giving consent in the first place.
If a different lawful basis - other than consent - is being used as the basis for processing personal data, individuals may have the right to object to that processing.
Right to not be subject solely to automated decision making
Individuals have the right to not be subject to a decision based solely on automated processing, including profiling. Individuals must be:
- informed about the automated processing
- able to request human intervention or challenge a decision
The role of data protection regulations
You will need to take guidance on the following areas from in-country data protection regulations:
- Definitions of personal and sensitive personal data
- Geographic restrictions relating specifically to personal data
- The lawful basis under which personal data can be processed
- The rights of individuals over personal data about them
- The responsibilities of data controllers in relation to personal data
You must remember that:
- personal data cannot be collected, held or processed without a lawful basis
- data protection laws apply where an organisation has its principal place of business, regardless of where data is stored
You should:
- detail the lawful basis as part of the data governance and privacy impact assessments
- make it clear to individuals as part of the privacy notice
Techniques to reduce risk
If you don’t need it, don’t collect it!
You should only collect and store personal data if it is absolutely necessary.
If it is necessary, consider these techniques to reduce the risk of re-identification when handling it:
Anonymisation
You can remove or alter any data that can identify a specific individual.
Create a synthetic dataset
You can create a synthetic dataset which contains many of the statistical patterns of an original dataset, but does not refer to identifiable individuals.
What regulations apply to anonymised or synthetic data?
Data protection regulations no longer apply and data can be shared with others safely, even outside of geographical boundaries that may be imposed by data protection regulations.
Tools, checklists and case studies
You may find the following supporting tools and resources useful in your next steps working with personal data:
Tools and checklists
- Guide: Managing risk with personal data
- Guide: Anonymising data in agriculture
- Guide: Agricultural data country briefing on data policy, legal and regulatory context
- The Data Ethics Canvas
Case studies
You can see how others have navigated the collection, use and sharing of personal data in the Worldwide Antimalarial Resistance Network (WWARN) case study.
Specialist support
You can find a list of external support organisations and individuals that can help with protecting the rights of individuals and all aspects of delivering data transformative investments in the Toolkit.
Summary
You can find all the key points from this Module in the Cheat Sheet: Protecting individual's rights when sharing data
Don't forget to complete Module 4 activity questions to review your knowledge of this topic.