The University of Southampton
University of Southampton Institutional Repository

A new approach to categorising personal data to increase transparency under the obligation to inform

A new approach to categorising personal data to increase transparency under the obligation to inform
A new approach to categorising personal data to increase transparency under the obligation to inform
This thesis contributes to the field of privacy and data protection law, within both Law and Computer Science, by helping to better understand how to increase the transparency of personal data processing and to categorise personal data. To counter the threat to the privacy of individuals which increasing advancements in Information Technology have created, Data Protection laws have been introduced, which include the key principle of transparency. However, as the de facto method of compliance with the obligation to inform (which mandates the provision of certain information about personal data processing to individuals), Privacy Policies have continuously been criticised in their ability to make processing transparent. This problem makes the study of how to increase the transparency of personal data in the context of providing information to individuals about the processing of their personal data a key research area in both Law and Computer Science. In researching this problem, this thesis begins by highlighting a gap in the current literature due to the assumption that the problem lies in how information about processing is presented, summarised or communicated, rather than questioning what information is required for processing to be transparent. The finding that Social Networking Sites provided information about the specific personal data they processed in their Privacy Policies, despite the UK data protection Regulator not making this a recommendation led to the next contribution, a critical analysis of the previous and current data protection law of the EU and the UK on when it is a requirement to inform individuals about the specific personal data being processed. This analysis highlighted that despite its benefits in increasing transparency, organisations are not always required to provide information about the specific personal data they process under the obligation to inform and where they are, the term ‘category’ is used to differentiate between personal data, without a complete categorisation or sufficient guidance on how to do this beyond the categorisation of ‘Special Categories’ of personal data. This gap has led to various parties inferring categorisations from the law, or creating their own, without following a categorisation methodology or taking a consistent approach. The result is inconsistent approaches to categorisation of personal data, which fail to achieve the aims of the principle of transparency. The final contribution of this thesis is a proposed categorisation of personal data, based on categorisation methodology and the Data Information Knowledge Wisdom model in Computer Science, which aims to support organisations in increasing the transparency of their personal data processing and can be built upon in the future to support compliance with the Framework’s wider compliance requirements.
University of Southampton
Cradock, Emma, Rebecca
e87236fe-f425-4162-977d-5a3f9065ea71
Cradock, Emma, Rebecca
e87236fe-f425-4162-977d-5a3f9065ea71
Millard, David
4f19bca5-80dc-4533-a101-89a5a0e3b372

Cradock, Emma, Rebecca (2022) A new approach to categorising personal data to increase transparency under the obligation to inform. University of Southampton, Doctoral Thesis, 242pp.

Record type: Thesis (Doctoral)

Abstract

This thesis contributes to the field of privacy and data protection law, within both Law and Computer Science, by helping to better understand how to increase the transparency of personal data processing and to categorise personal data. To counter the threat to the privacy of individuals which increasing advancements in Information Technology have created, Data Protection laws have been introduced, which include the key principle of transparency. However, as the de facto method of compliance with the obligation to inform (which mandates the provision of certain information about personal data processing to individuals), Privacy Policies have continuously been criticised in their ability to make processing transparent. This problem makes the study of how to increase the transparency of personal data in the context of providing information to individuals about the processing of their personal data a key research area in both Law and Computer Science. In researching this problem, this thesis begins by highlighting a gap in the current literature due to the assumption that the problem lies in how information about processing is presented, summarised or communicated, rather than questioning what information is required for processing to be transparent. The finding that Social Networking Sites provided information about the specific personal data they processed in their Privacy Policies, despite the UK data protection Regulator not making this a recommendation led to the next contribution, a critical analysis of the previous and current data protection law of the EU and the UK on when it is a requirement to inform individuals about the specific personal data being processed. This analysis highlighted that despite its benefits in increasing transparency, organisations are not always required to provide information about the specific personal data they process under the obligation to inform and where they are, the term ‘category’ is used to differentiate between personal data, without a complete categorisation or sufficient guidance on how to do this beyond the categorisation of ‘Special Categories’ of personal data. This gap has led to various parties inferring categorisations from the law, or creating their own, without following a categorisation methodology or taking a consistent approach. The result is inconsistent approaches to categorisation of personal data, which fail to achieve the aims of the principle of transparency. The final contribution of this thesis is a proposed categorisation of personal data, based on categorisation methodology and the Data Information Knowledge Wisdom model in Computer Science, which aims to support organisations in increasing the transparency of their personal data processing and can be built upon in the future to support compliance with the Framework’s wider compliance requirements.

Text
Final Thesis_Emma Cradock_2022a - Version of Record
Available under License University of Southampton Thesis Licence.
Download (4MB)
Text
Permission to deposit thesis - form copy
Restricted to Repository staff only
Available under License University of Southampton Thesis Licence.

More information

Submitted date: March 2022

Identifiers

Local EPrints ID: 457216
URI: http://eprints.soton.ac.uk/id/eprint/457216
PURE UUID: 747c122d-adda-4b11-b24b-78d9a5c4efeb
ORCID for David Millard: ORCID iD orcid.org/0000-0002-7512-2710

Catalogue record

Date deposited: 26 May 2022 16:50
Last modified: 27 May 2022 01:35

Export record

Contributors

Author: Emma, Rebecca Cradock
Thesis advisor: David Millard ORCID iD

Download statistics

Downloads from ePrints over the past year. Other digital versions may also be available to download e.g. from the publisher's website.

View more statistics

Atom RSS 1.0 RSS 2.0

Contact ePrints Soton: eprints@soton.ac.uk

ePrints Soton supports OAI 2.0 with a base URL of http://eprints.soton.ac.uk/cgi/oai2

This repository has been built using EPrints software, developed at the University of Southampton, but available to everyone to use.

We use cookies to ensure that we give you the best experience on our website. If you continue without changing your settings, we will assume that you are happy to receive cookies on the University of Southampton website.

×