Data Protection Principles and Sensitive Information

When you process personal data, there are some fundamental principles that must always be considered. Sometimes these principles need to be balanced against each other: what matters most in the specific situation?
Let's quickly go through these data protection principles.

Data protection principles

Legality

The processing must comply with the law, i.e. the Constitution, the GDPR and other relevant laws, and a basis for processing must be in place.

Fairness

The processing must be predictable and expected; it cannot be unreasonable or pose a significant risk to the data subject. You would expect medical information from your doctor to be shared with a hospital, but you should not find it being handed over to commercial entities that then send you medication advertisements or try to sell you insurance.

Transparency

We should always be informed about what personal data is being processed, why, by whom, for how long, who has access and on what basis for processing.

Purpose limitation

The purpose of processing must be clearly defined before the processing begins. You cannot simply collect personal data and decide later what you will use it for. Once you define a purpose, you know what personal data you need to achieve this purpose.

Data minimisation

Data minimisation means that we are not allowed to process more data than what is necessary to achieve the specified purpose.

Accuracy

Accuracy simply means that the personal data must be correct. If applicable, it must be kept up-to-date, and if there are errors, these must be corrected.

Storage limitation

You are not allowed to store the information longer than necessary to achieve the purpose. The purpose, however, may last longer than it first appears. For instance, if you buy a pair of shoes online, the company selling the shoes must collect your address and phone number to send you the goods. Once the purchase has been completed, one might think that the purpose has been achieved and the personal data should be deleted. However, there is still a possibility that you might want to make a complaint or return the goods. This means that the store may retain the data until the complaint period and return rights have expired, and must delete it once they have.
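The three principles above (purpose limitation, data minimisation and storage limitation) translate directly into how a system should store personal data: every field is tied to a registered purpose, only the fields that purpose needs are kept, and each purpose carries a retention rule that decides when the data is deleted. The following Python is an added illustration, not code from the original page; the shop, the purpose register, the 30-day return window and the five-year invoicing period are all constructed assumptions (real retention periods depend on the applicable law).

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Hypothetical purpose register for an online shoe shop (constructed for this
# example). Each purpose lists the personal-data fields it actually needs
# (data minimisation) and how long they may be kept after the purpose has been
# fulfilled (storage limitation).
PURPOSES = {
    "delivery": {
        "fields": {"name", "address", "phone"},
        # Assumed 30-day return/complaint window keeps the purpose alive past shipment.
        "retain_days_after_fulfilment": 30,
    },
    "invoicing": {
        "fields": {"name", "address", "email"},
        # Assumed bookkeeping retention; the real period is set by national law.
        "retain_days_after_fulfilment": 365 * 5,
    },
}


class PurposeError(ValueError):
    """Raised when data is processed without a registered purpose (purpose limitation)."""


def minimise(record: dict, purpose: str) -> dict:
    """Keep only the fields the named purpose is registered to need.

    An unknown purpose is rejected rather than defaulting to 'keep everything':
    you cannot collect first and decide what the data is for later.
    """
    if purpose not in PURPOSES:
        raise PurposeError(f"no registered purpose: {purpose!r}")
    allowed = PURPOSES[purpose]["fields"]
    return {k: v for k, v in record.items() if k in allowed}


def retention_expiry(purpose: str, fulfilled_on: date) -> date:
    """Last day on which data held for this purpose may still be stored."""
    return fulfilled_on + timedelta(days=PURPOSES[purpose]["retain_days_after_fulfilment"])


@dataclass
class Holding:
    """Personal data held for one purpose, with the date that purpose was fulfilled."""
    purpose: str
    data: dict
    fulfilled_on: date


def purge_expired(holdings: list, today: date) -> tuple:
    """Split holdings into (kept, deleted) according to each purpose's retention rule."""
    kept, deleted = [], []
    for h in holdings:
        (deleted if today > retention_expiry(h.purpose, h.fulfilled_on) else kept).append(h)
    return kept, deleted


def demo() -> dict:
    """Run the shoe-shop scenario on a constructed order and return what happened."""
    # Constructed sample order carrying more fields than any purpose needs.
    order = {"name": "A. Customer", "address": "1 Example St", "phone": "+4700000000",
             "email": "a@example.invalid", "shoe_size": 42, "date_of_birth": "1990-01-01"}
    shipped = date(2024, 3, 1)
    holdings = [Holding(p, minimise(order, p), shipped) for p in ("delivery", "invoicing")]
    try:
        minimise(order, "marketing")  # never registered as a purpose
        rejected = False
    except PurposeError:
        rejected = True
    kept, deleted = purge_expired(holdings, date(2024, 4, 15))
    return {
        "delivery_fields": sorted(holdings[0].data),
        "delivery_expiry": retention_expiry("delivery", shipped).isoformat(),
        "deleted": [h.purpose for h in deleted],
        "kept": [h.purpose for h in kept],
        "unregistered_rejected": rejected,
    }


if __name__ == "__main__":
    print(demo())
```

Six weeks after shipment the delivery copy (name, address, phone) is past its return window and is purged, while the invoicing copy is kept under its own, longer rule; the shoe size and date of birth were never stored for either purpose, because no registered purpose needed them.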

Integrity and confidentiality

The final principle is that the data controller must ensure adequate information security. This means taking the measures necessary to minimise the risk of unauthorised alteration, loss, or unauthorised access to personal data.

Sensitive data

It is never open season for processing personal data, but some personal data enjoy special protection. The following categories apply:
  • information about racial or ethnic origin
  • information about political beliefs
  • information about religion
  • information about philosophical beliefs
  • information about trade union membership
  • genetic data
  • biometric data (when the purpose of processing is to uniquely identify someone)
  • health information
  • information about a person's sex life
  • information about sexual orientation
This is what we informally call sensitive information. In the law, it is called "special categories of personal data", or special category data. As a rule, such data should not be processed at all. However, there are several exceptions, such as when you have explicit and valid consent, or when the law states that the processing is necessary.
There are also other exceptions, ranging from the data subject having manifestly made the data public themselves, to the processing being in the public interest, for example political viewpoints in connection with elections.
If your business is in a situation where you need to process sensitive data, it is important to study the regulations in detail and establish which exception, if any, makes the processing lawful.

Take information security seriously!

Remember that security, and particularly information security, is also very important in the context of the GDPR.
If personal data (and in the worst case sensitive data) is lost or exposed, for instance through a data breach, a lack of encryption or failing procedures, this affects not only the data subjects but also the data controller, who in the worst case risks large fines.

What is legal—and what is acceptable

In addition to following laws and regulations, you can and should also make ethical assessments of the services and technology you are considering using. What is legal and what is ethical are not always the same thing.
A specific way to ethically assess a service is to ask three questions:
  • What type of technology is used, and how? This question does not require you to be a technology expert, but it does require you to question the service: how is data collected, when, and so on.
  • What are the potential consequences of using the technology? This question is about identifying the values at stake, for example surveillance versus privacy, which in turn involves weighing safety against freedom. To identify the values you have to choose between, look at the possible consequences. What can the service do for individuals and for society? What could the effect be over time? Remember to assess environmental consequences as well. It is important to identify both positive and negative effects.
  • Would I use this service, and if so, how? Only after you have answered the first two questions can you truly assess whether the service seems ethically justifiable.
You can ask yourself these three questions, but they are also well suited for discussion, whether with colleagues, with your boss, or, of course, with the users of the solution.
It is beneficial that these conversations involve people whose knowledge and experience differ from yours. Digital technology is complex, and its impacts are difficult to survey. We cannot make completely accurate predictions, but the more angles we consider and the more perspectives we discuss, the greater the chance of making sound and well-founded decisions.