The Privacy Lawyer - What is Sensitive Data?
What is “Sensitive Data?”
“Sensitive Data” includes, but is not limited to, data related to an individual’s health or medical condition, sexual behavior or orientation, or detailed personal finances, information that appears to relate to children under 13, racial or ethnic origin, political opinions, religious or philosophical opinions or beliefs and trade union membership. What is considered "sensitive" in the US is different from that which is considered "sensitive" in Europe.
Differing Definitions of “Sensitive Data”
There has been a difference in what “sensitive data” means among marketers and privacy advocates in the current push to regulate online advertising. For the most part, the government has had a hands-off approach toward online marketing, giving companies relatively free rein in how they use tools that track what people do online and then use the data gathered to deliver tailored marketing messages.
On July 2, 2009, advertising/marketing industry groups proposed a set of guidelines for self-regulation (http://www.ana.net/news/content/1801) in which they proposed the following definition of “sensitive data”:
The Principle calls for entities not to collect financial account numbers, Social Security numbers, pharmaceutical prescriptions, or medical records about specific individuals for Online Behavioral Advertising purposes without Consent.
The government has not yet shaped any regulation but should it do so, it will likely turn to the FTC to negotiate a compromise definition. The FTC is currently engaging in a series of roundtables focusing on privacy and behavioral advertising.
At the FTC's December 2009 privacy roundtable, panelists raised concerns that collection and third party use of browsing data invades private space by:
- Revealing a user's innermost thoughts, such as a search history that reflect a user's explorations of his/her sexual identity;
- Taking away a user's control over his/her identity, such as by broadcasting compromising photos of a user at a Cancun Spring Break party to a potential employer;
- Revealing sensitive identity or financial information that can be misused by third parties to perpetrate fraud;
- Or intruding on a user's seclusion by serving targeted ads during a browsing session that reveal that outsiders are listening in.
These closely track the common law privacy rights available in several states. These include:
- Intrusion on seclusion;
- False light (true facts combined in such a way to lead other to a false conclusion);
- Public disclosure of private facts; and
- Right of publicity (or identity).
They were always recognized as the core privacy rights because of the likelihood of harm caused by their violation. They are a good place to start when considering sensitive data classifications and its treatment.
Parry Aftab identifies sensitive data in two different ways. She identifies sensitive data as “kids, cash and kidneys,” referring to the three categories of data regulated within the US – children’s data, financial data and health data – which are most commonly abused commercially.
She also identifies sensitive data as relating to vulnerable groups whose data is most commonly abused by individuals in harassment, reputational attacks and in provocation of physical harm. These include gays, lesbians, bi-sexuals and trans-sexuals, victims of crime, medical patients and those with special medical or addiction issues, mental health patients or those suffering from mental health issues, those with special needs such as the physically or mentally-challenged and disabled, children, religious and ethnic groups, racial and nationality classifications, litigants and those within the criminal justice system and, in certain cases, senior citizens.
In the former case, regulations already exist to handle the increased risk of disclosure of this information. However, individuals often carelessly or intentionally disclose this information about themselves and others. Once shared, that information is often gathered and used in social engineering, targeted marketing and in building dossiers for multiple purposes. The law typically only protects against the first disclosure and allows consensual disclosure that removes the information from special legal protection.
Vulnerable groups often do not understand their vulnerability online. They often seek support and help online in public forums, or forums that can be easily accessed by third parties. They tend to be less security savvy online and far more trusting of individuals and networks. They either do not use privacy settings or use them ineffectively. And their information can be gathered, combined with offline and other online data to create risk-profiles or used by stalkers, harassers and hate groups to provoke them online and offline. Physical assaults, crimes against their persons or property and reputational attacks are common.
Aftab’s Socially Safe Seal™, offered through her new risk-management consulting firm, WiredTrust, requires seal holders to create special processes and policies to handle both sensitive data and better protect the vulnerable groups. Her holistic approach includes education, user tutorials and help and specially trained moderators and customer service professionals, and involves the charity, the consulting firm and industry working together to create awareness and implement the best practice standards she has developed over the years.