55/72 111972/2020/CL&ES
Appendix 2: Examples of Non-Personal Data 1. Data can be categorised in many ways; the subject of data (e.g. personal data); in relation to its purpose (e.g. AI training data, e-Commerce data); the sector to which it belongs (e.g. health data); the source of data (e.g. soil data); level of processing (raw / factual versus derived data); or the collector of data (e.g. public / Government or private data); or based the extent of involvement of stakeholders in the creation of data (provided, observed, derived, or inferred). 2. A mixed dataset, which represent a majority of datasets used in the data economy, consists of both personal and Non-Personal Data.
i. In the European Union context, the Non-Personal Data Regulation applies to the Non-Personal Data of mixed datasets; if the Non-Personal Data part and the personal data parts are ‘inextricably linked’, General Data Protection Regulation apply to the whole mixed dataset. 3. Categorisation of data based on its creation35 – A categorisation of data can help assess the extent to which different stakeholders are involved in the creation of data, including cases where users (consumers and businesses) interact with a data product (good or service) such as an e-government service, a social networking service, etc.
i. One approach includes four categories of data: i) provided (applications registrations, survey responses, social network postings etc.); ii) observed (cookies on a website, data from sensors etc.); iii) derived (computational scores, classification based on common attributes etc.); and iv) inferred data (scores developed using statistical, advanced analytical techniques, or AI/ML).
i. Such a categorization helps in framing regulation & policy. For example, in the European Union, the right to data portability under the GDPR would include ‘provided’ as well as ‘observed’ data. It would however exclude data ‘derived’ (& ‘inferred’) from additional processing – data that are often considered proprietary. 4. Anonymised Data
i. Anonymisation allows data to be shared, whilst preserving privacy. The process of anonymising data requires that identifiers (both direct identifiers like names and indirect identifiers like age or occupation) are changed in some way such as being removed, substituted, distorted, generalised or aggregated36. 35 OECD, “Enhancing Access to and Sharing of Data : Reconciling Risks and Benefits for Data Re-use across Societies”, 2019, https://www.oecd-ilibrary.org/science-and-technology/enhancing-access-to-and-sharing-of-data_276aaca8-en 36 https://www.ukdataservice.ac.uk/manage-data/legal-ethical/anonymisation.aspx
55
