In previous posts, Datonomy has suggested a definition of informational privacy based on autonomy, in other words, the ability to control who has access to personal information, and for what reasons. This approach does not tell us, though, how we distinguish between different kinds of personal data; this distinction will obviously play a big part in which data we worry about other people having access to. And presumably we do worry about access to sensitive personal data, as defined in Directive 95/46/EC.
But what are sensitive data? What does sensitivity amount to? And do we get a better sense of that if we think of it as Cultural Identity data?
Identity is a concept that goes well beyond the instrumental sense we are accustomed to in our field, as in the Identity Card. Today, Identity is the way to talk about the key cultural meanings in an individual’s life, which give that life significance and importance, perhaps of an absolute kind. It is a form of belonging. Hence ethnic or religious identity; or sexual orientation. Manuel Castells (see below) gives a strong reading of Identity, as a form of belonging to a community, and as resistance to the turbulent globalised and networked world that constantly threatens settled identities. Cultural identities are often contested sites of meaning.
Does the category of sensitive data in the Directive really mean Cultural Identity data of these kinds? The Directive states: “Article 8 The processing of special categories of data. Member States shall prohibit the processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of data concerning health or sex life.”
It does sounds like it, in the main. But it is silent on why sensitive data are sensitive
But sensitive data as Cultural Identity data, if you put it like that, are likely to be intrinsically sensitive, have significant political valencies, or (though not inevitably) relate to matters on moral boundaries; and thus for the data subject there are very urgent concerns about the terms on which the data can be processed.
Yet the terms set out in Article 8 permitting the processing of sensitive data & overriding the prohibition simply roll over on that point and provide no special protection , mainly by allowing Member States the discretion to add further exemptions from the Article 8 prohibition – for the result, see the wholly permissive Schedule 3 of the UK Data Protection Act 1998, which provides a very wide range of permissive conditions relevant to the fair and lawful processing requirement of the first data protection principle, and overiding the prohibition in the first principle.
Here we run into a contradiction, because informational privacy as autonomy must work in this category of Cultural Identity data because of the nature and qualities of these data.
But what we have at the moment, in the area of sensitive data, is autonomy for the data controller rather than the data subject; and an inadequate distinction between the conditions for processing this kind of personal data, and the conditions for processing any other kind.
Manuel Castells. The Information Age: Economy, Society and Culture (Three vols). Volume 2 “The Power of Identity”, Blackwell 2004.