The principal types of personal data
Directly identifiable data are data that have a name or personal identification number attached to them; de-identified data are data which enable indirect identification using a serial number or other information as an identifier.
Indirectly identifiable data are data that make it possible to identify otherwise anonymised data through a combination of the descriptive data provided in the data set. Indirect identification can occur randomly or systematically. If the data set makes it possible to systematically re-identify all or essential parts of the data, the data should be treated as identifiable personal data.
Indirectly identifiable data correspond to anonymised data, except that the data set either contains a key that points back to a personal identifier, or the data set is so comprehensive that the data as a whole enables the identification of individuals.
Despite this distinction, anonymised data are not personal data, strictly speaking, because it should not be possible to trace the data back to individuals.
De-identification removes directly identifiable data (name, personal identification number) and sufficient additional data to render the data set not re-identifiable. Be aware of 'small numbers': a combination of data can point back to such a small number of people that in practice they appear to be identifiable. For example, 'school+class+gender' might constitute a sufficiently low number. In this case, the parameters must be changed to increase the number. A group of this type should not normally contain fewer than five persons.
Anonymised data may contain enough information for the data to be indirectly identifiable nevertheless. For example, the birth dates of a mother, father and child may together be enough to identify the family if one has access to either the Norwegian Central Population Register or the Medical Birth Registry of Norway. The reason for this is that the combination of these birth dates will in all likelihood be unique to this family.
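The 'small numbers' check on 'school+class+gender' can be automated before a data set is released. The following is an added example, not part of the original article: the records are constructed, the function names are hypothetical, and dropping a variable is only one assumed way of "changing the parameters" to enlarge the groups.

```python
from collections import Counter

K_MIN = 5  # the article's guidance: a group should not normally be fewer than five persons

def small_groups(records, quasi_ids, k=K_MIN):
    """Return {combination: count} for every combination of the given
    descriptive variables that is shared by fewer than k records."""
    counts = Counter(tuple(r[q] for q in quasi_ids) for r in records)
    return {combo: n for combo, n in counts.items() if n < k}

def coarsen(records, quasi_ids, drop_order, k=K_MIN):
    """Drop descriptive variables one at a time (in drop_order) until no
    group is smaller than k. Returns (remaining_variables, remaining_small_groups).
    Assumption: removing a variable is the chosen way to enlarge the groups;
    banding values (e.g. class -> year level) would be an alternative."""
    remaining = list(quasi_ids)
    pending = list(drop_order)
    risky = small_groups(records, remaining, k)
    while risky and pending:
        remaining.remove(pending.pop(0))
        risky = small_groups(records, remaining, k)
    return remaining, risky

def _make(school, cls, gender, n):
    # Helper that builds n identical constructed records.
    return [{"school": school, "class": cls, "gender": gender} for _ in range(n)]

# Constructed sample data: 31 pupils with names and ID numbers already removed.
SAMPLE = (_make("A", "7a", "F", 6) + _make("A", "7a", "M", 6) +
          _make("A", "7b", "F", 7) + _make("A", "7b", "M", 2) +
          _make("B", "7a", "F", 5) + _make("B", "7a", "M", 5))

QUASI = ["school", "class", "gender"]

if __name__ == "__main__":
    # The two boys in class 7b at school A form a group smaller than five.
    print("small groups:", small_groups(SAMPLE, QUASI))
    kept, risky = coarsen(SAMPLE, QUASI, drop_order=["class"])
    print("variables kept:", kept, "| remaining small groups:", risky)
```

If `coarsen` still returns a non-empty second value, the remaining variables are not enough to reach the minimum group size and the data set should be treated as indirectly identifiable.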
Further legal aspects
Anonymised data are not covered by laws governing personal data. However, because the process leading to anonymised data often requires personally identifiable data, the process itself is covered by the regulations (for example on approval and exemption from the duty of confidentiality), even though the result is not. If you wish to establish an anonymised research registry, you must therefore consider whether personal data are included at any stage of the process.
If the totality of otherwise anonymised data still renders the person indirectly identifiable, then the data are not anonymous in legal terms, but must be treated as identifiable data.
If you intend to conduct research on directly or indirectly personally identifiable information, you require approval from the Norwegian National Research Ethics Committees (REK). If you intend to conduct research on anonymised data, permission from REK is not necessary unless you need personally identifiable data in the process of producing an anonymised registry.
Research should be conducted on data sets from which personally identifiable data has been removed or replaced by a key figure that can be retrieved from a key registry, so that identifiable and descriptive data are separated. If your research involves directly or indirectly identifiable information, you must implement measures to protect the data (cf. Norwegian Directorate of Health 2008).
Personal data may be sensitive in a number of contexts in which the data are worthy of protection. We normally refer to sensitivity in relation to the harm or inconvenience that can arise for the person that the data concerns ‒ as a variant of confidentiality: the data must be protected because there is a potential for harm if they fall into the hands of unauthorised persons. (See also Protection of privacy and Confidentiality.)
It is descriptive data that have the potential to render data 'sensitive', see Personal Data Act, Section 2, No. 8.
Sensitive data entail particular rules with regard to their handling:
- The data are subject to the duty of confidentiality
- The storage medium must be protected (information security)
- Handling of data must normally receive prior approval by the Norwegian National Research Ethics Committees or the Norwegian Data Protection Authority/Data Protection Official for Research.
This article has been translated from Norwegian by Jane Thompson, Akasie språktjenester AS.