Module 4 Handbook

Site:	CABI Academy
Course:	Data Sharing Toolkit Learning Materials
Book:	Module 4 Handbook

Printed by:	Guest user
Date:	Friday, 19 April 2024, 9:48 PM

Introduction
Definitions
Who owns personal data?
The rights of individuals over personal data
The role of data protection regulations
Techniques to reduce risk
Tools, checklists and case studies
Summary

Introduction

This handbook is designed to help you to answer the Module 4 activity questions.

You may find data is unable to reach those who need it because of fears over collecting, using and sharing personal data.

This module will enable you to:

identify personal, sensitive personal and sensitive commercial data
understand ownership and rights relating to personal data
understand the role of data protection regulations
master techniques to reduce the risks of handling personal data

Definitions

Personal data

Information relating to an identified or identifiable natural person.

Sensitive personal data

Personal data that affords extra protection due to its nature.

For example:

genetic data
health records
data that can potentially be used to discriminate

Sensitive commercial data

Non-personal data. It may be deemed sensitive as use and sharing may result in harmful impacts.

For example:

business income
locations of things

It is your responsibility as a data handler to:

minimise hamrful impacts of data use and sharing
investigate country-specific definitions and categories of data type and sensitivity according to data protection regulations

Graphic indicating personal, sensitive personal and sensitive commercial data

Who owns personal data?

3 key points you should remember:

1: You own work and have certain intellectual property rights when you put intellectual effort (thought) into its creation

2: Not all data about you is your data. But because it is about you, you have rights over it.

3: You must engage with data protection regulations to protect the rights of individuals.

The importance of understanding who owns personal data

You will need to engage with in-country and international data protection regulations.

This is guidance that:

accounts for significant growth in online interaction
identifies what individuals' rights are over data about them
makes clear the lawful basis for using, storing and retaining personal data
protects the privacy and rights of the people the data is about

Graphic representing personal, sensitive personal and sensitive commercial data with key image to show ownership

The rights of individuals over personal data

As a data handler, you should be able to engage with the following rights, which are emerging globally. Some are based in data protection regulations, other are best practice.

Right to be informed

Individuals have the right to be informed about how personal data about them is collected and used.

This information should be

presented in a privacy notice
presented to the individual when data is collected
specific
written in clear, concise language and easily accessible

Right to access (subject access requests)

People have the right to request a copy of the personal information about them.

Exceptions include:

information used for criminal proceedings
other sensitive legal obligations

Right to rectification

Individuals have the right to have personal data corrected if it is inaccurate or incomplete.

The data controller also has responsibilities to ensure the data is corrected if it is shared with others.

Right to be forgotten

The right to be forgotten (or the right to data erasure) entitles an individual to direct the controller to:

erase personal data about them
cease further sharing of the data
potentially halt processing of the data by third parties

Right to restrict processing

Individuals have a right to ‘block’ or suppress processing of personal data.

Such rights can be exercised when the:

accuracy of the personal data is contested
individual has objected to the processing (only in the case of performance of a public task or legitimate interest)
processing is unlawful
data is needed for future reference but should no longer be processed

Right to data portability

Individuals can request that personal data about them be transferred directly to another controller.

For example, the global open banking initiative allows customers to directly transfer personal data between financial service providers, meaning you can change bank without having to fill in endless forms.

Right to object or withdraw consent

If the lawful basis for processing is based on having consent, the individual has the right to withdraw that consent at any time.

The process of withdrawing consent must be as easy as giving consent in the first place.

If a different lawful basis - other than consent - is being used as the basis for processing personal data, individuals may have the right to object to that processing.

Right to not be subject solely to automated decision making

Individuals have the right to not be subject to a decision based solely on automated processing, including profiling. Individuals must be:

informed about the automated processing
able to request human intervention or challenge a decision

Graphic with representative images of rights and ownership

The role of data protection regulations

You will need to take guidance on the following areas from in-country data protection regulations:

Definitions of personal and sensitive personal data
Geographic restrictions relating specifically to personal data
The lawful basis under which personal data can be processed
The rights of individuals over personal data about them
The responsibilities of data controllers in relation to personal data

You must remember that:

personal data cannot be collected, held or processed without a lawful basis
data protection laws apply where an organisation has its principal place of business, regardless of where data is stored

You should:

detail the lawful basis as part of the data governance and privacy impact assessments
make it clear to individuals as part of the privacy notice

Techniques to reduce risk

If you don’t need it, don’t collect it!

You should only collect and store personal data if it is absolutely necessary.

If it is necessary, consider these techniques to reduce risk of re-identification when handling:

Anonymisation

You can remove or alter any data that can identify a specific individual.

Create a synthetic dataset

You can create a synthetic dataset which contains many of the statistical patterns of an original dataset, but does not refer to identifiable individuals.

What regulations apply to anonymised or synthetic data?

Data protection regulations no longer apply and data can be shared with others safely, even outside of geographical boundaries that may be imposed by data protection regulations.

Graphic with three individuals outlined and connections between them

Tools, checklists and case studies

You may find the following supporting tools and resources useful in your next steps working with personal data:

Tools and checklists

Guide: Managing risk with personal data
Guide: Anonymising data in agriculture
Guide: Agricultural data country briefing on data policy, legal and regulatory context
The Data Ethics Canvas

Case studies

You can see how others have navigated the collection, use and sharing of personal data in the Worldwide Antimalarial Resistance Network (WWARN) case study.

Specialist support

You can find a list of external support organisations and individuals that can help with protecting the rights of individuals and all aspects of delivering data transformative investments in the Toolkit.

Summary

You can find all the key points from this Module in the Cheat Sheet: Protecting individual's rights when sharing data

Don't forget to complete Module 4 activity questions to review your knowledge of this topic.