Open personal data: how to work with it

What open data is about

Let’s start from the reverse. The idea of open data is not to publish something somewhere and make it open forever, so that anyone can use it as they wish. And it`s not even about posting on Facebook or X to a public audience. 

Open data is when the government has a lot of public data about its processes and projects and decides to make it available for free. It is about data that is disclosed to civil society to promote innovation, anti-corruption, and to engage society in governance and awareness of the problems that exist in the state. 

There is even the International Open Data Charter, an optional document that is joined by states that are ready to disclose data in a certain way and maintain it in a high-quality manner. Since 2015, 96 governments have joined the International Charter, and Ukraine has been among them since 2016.

What has evolved from this? The Ukrainian Open Data Portal https://data.gov.ua/ with a bunch of open registries, which have been the basis for hundreds of journalistic investigations and dozens of cool products, such as OpenDataBot or Vkursi. Thanks to open data, we have new administrative services that can be accessed online, and we can protect ourselves from fraud in business or when buying real estate. Open registers contain data on legal entities and individual entrepreneurs, notaries and lawyers, real estate and municipal property, vehicles and their owners, lost passports, and debtors. The data is presented in a form that can be used for business or personal use, processed manually or automatically. Imagine, for example, what a high-quality product based on artificial intelligence could do with open data!

But the openness of data in registries has also given rise to side effects, such as an unexpected brochure about a legal tech product for lawyers in my personal mailbox. Open data collided with personal data, and the businesses that worked with it did not realize it.

What personal data is about

There is an opinion that if the data is personal, it is secret. But this is a logical fallacy.

Personal data is data about a person who is identified or can be specifically identified. It does not matter whether it is oral or written (electronic) information, whether a person keeps it to themself or tells everyone. This does not make the information personal data.

This is information of any kind about a person: their personal life, work, hobbies, marital status, health status, where they live, what they like, with whom they spend time and when, information about their device, when this data can be linked to a specific person. We’re talking about a photo, email address, phone number. And the list goes on. The EU, for example, explicitly recognizes IP addresses and cookie identifiers as personal data, which help analyze the behavior of a particular product user (where they clicked, what they sat on for a long time, what language they browse in, where they came from). The more advanced the technology, the easier it is to connect some seemingly trivial detail from Oksana’s life with a specific person, Oksana Zadniprovska, partner at Axon Partners.

Thus, open data can easily contain information about a person, such as their full name, phone number, address, position, and the city where they work. Sometimes this information is cleaned up by the open data manager (the person who uploads and keeps the open data base up to date). But in most situations, if it is information about entrepreneurs or people with a special status (civil servants, lawyers, notaries), it still ends up in the registers.

So, open data may or may not be personal data. What to do if it is personal?

The Law of Ukraine “On Access to Public Information” defines the rules for personal data processing for processors. There is a rule that personal data must:

1. either be removed from open data,
2. or obtain consent from people to publish it,

or there may be exceptions when consent is not required because

1. publication is required by law,
2. or the law explicitly prohibits concealing the data.

The Law on Access to Public Information does not define how organizations that decide to use public data should handle disclosed personal data. To understand this, we turn to the Law of Ukraine “On Personal Data Protection”. Below are the main requirements and concepts with examples.

Data controller. If an organization decides to use data from open registries, and it contains personal data, then that organization becomes the “controller” – the person who determines the purposes and means of processing personal data. This means that the organization is obliged to protect this data.

For example, the state, as the data controller, has published the registration addresses of private entrepreneurs (PEs). Next, Sweet Tangerine LLC comes along and decides to gather a statistical picture of how many PEs would be interested in distributing tangerines in the city of Kyiv from the names, types of activities, and addresses of these PEs. Since a PE is a person, the name and address of a PE is personal data. This means that Sweet Tangerine LLC becomes the controller of data on PEs.

Data processing. But you may say that Sweet Tangerine LLC takes data about a person as an entrepreneur, not a person in their personal or family life. It also does not store databases for itself, but analyzes them using artificial intelligence and, having received statistics (the number of PEs in different districts of Kyiv), immediately deletes unnecessary data. So maybe it doesn’t process them at all?

Any analysis of data is its use, so it is already “processing” according to our legislation. So, if you want to do something with open personal data, you will most likely be “processing” it. And this is where your responsibilities as a data controller come in, for example:

• The data must be processed lawfully. The controller must use at least 1 of the 6 legal grounds for processing. Consent is a favorite ground for all Ukrainian organizations. But you should not limit yourself to it, because it is very complicated. Consent must be voluntary, informed, and a person must be able to easily withdraw it and disagree without negative consequences. In addition to consent, there is also such a ground as legitimate interest, which is the interest of the business, which must be weighed against the level of interference with a person’s privacy. 

For example, Sweet Tangerine LLC should estimate whether the PEs expect that their data from the register will be used for the statistics of a company, whether the PEs have sufficient information about the processing of data by Sweet Tangerine LLC, or whether they can protect their rights and refuse to process it. If the answer to all of these is “yes,” then you can most likely use legitimate interest.

• The purpose of processing is limited to consent. Here, the lawyer of Sweet Tangerine LLC will ask: why do we need consent or legitimate interest if a person has agreed to have their data published in the registry? They realize that this is open data! 

This is true, but the person did not agree to the following:

1. the data will be processed by Sweet Tangerine LLC,
2. the purposes would go beyond the goals of the state (to support the publicity of data under open data legislation).

Our legislation has a rule on limiting the purpose of processing. If the data was collected for one purpose, it can only be processed for the purpose that the person was informed about or agreed to. Other purposes require a different basis (consent for each purpose separately, consent to transfer data to third parties).

• Data should be processed transparently. When Sweet Tangerine LLC received data about PEs not directly from these PEs, it must inform people about its intentions: who will process the data, what data, why, to whom the data will be transferred, and what rights the person has. If the data was not collected directly from a person, there is an obligation to notify people within 30 days of receiving the data.

In the case of open data, this is a difficult task if you don’t have contact information for each person – you have to look for creative approaches, such as publishing your policies in obvious places, disseminating information about your practices in the media. Or accept the risk that you will not be able to inform people about the processing of their data objectively.

• Minimization of processing. Data must be relevant, adequate and not excessive in relation to the purpose for which it is used. Sweet Tangerine LLC will do the right thing if it deletes all the data it does not need as soon as it receives the statistics.
• Data protection. The controller must protect data from errors and interference. While performing its statistical things, Sweet Tangerine LLC cannot allow anyone to interfere with its processes, which would lead to data loss or illegal access. Pseudonymization, encryption, and limited access to data and algorithms that analyze it for only a limited number of people from the LLC will help here.
• Human rights. If you have already started using personal data, you must ensure that every individual entrepreneur whose data you work with for your own purposes can access their data, correct it, and refuse to process it. A person should be notified about these rights from Sweet Tangerine LLC within 30 days of receiving the data. At the very least, it should be written in the privacy policy on the company’s website.

How businesses should NOT use open personal data

Here are a few examples of what organizations should not do with open personal data:

• Illegitimate sale of databases. Building your own databases on the basis of personal data from open registers and sell these databases to other companies without consent or other grounds. Similarly, companies that have bought databases will not be able to legally use them if they do not have a legal ground for processing, have not informed people that they have their data, and do not have policies on processing such data.
• Illegitimate mailing. Sending promotional brochures to personal addresses of attorneys without the consent of these attorneys, without additional explanations of who the organization is, where the data was obtained, and how the attorney can easily refuse.
• Illegitimate marketing calls. Calling PEs who have just registered and whom these banks have never seen before without consent with a proposal to open a bank account in their bank. Especially if this happens without additional explanations of who the organization is, where it got the data, and how to refuse these calls.
• Artificial intelligence in action without risk analysis. Processing data from registries using artificial intelligence without first analyzing the risks of how this processing will affect the rights of people whose data will be processed and without implementing good practices, such as

1. privacy policy,
2. a way to inform people about the processing of their data,
3. determining the ground for data processing,
4. how you will exercise the rights of people whose data you process,
5.  how you will protect people’s data from errors and inaccuracies, unauthorized access or loss.

And how businesses should do it

To put it simple, by researching the legal requirements and their application to your specific processing. There are common practices in Ukraine that can be set up correctly in accordance with personal data protection legislation:

• KYC and background checks on businesses. Background checks on employees in Ukraine are risky. It is illegal to refuse to hire a person on the grounds that they have a criminal record or other black marks on their reputation, as this is a sign of discrimination. But it’s okay to check companies and their beneficiaries in terms of their ability to pay bills or their non-involvement with the aggressor country. 
• Marketing mailings and calls. It is possible to collect data from open databases for marketing purposes. You just need to investigate each specific case. The biggest problem is to find the right legal ground, because legitimate interest is not suitable for every marketing activity. It is also necessary to work out a mechanism for working with people whose data will be included in the databases for marketing activities – what to inform them and how, what to document within the company.
• Selling access to a product that may contain databases with personal data. In addition to investigating whether the owner of the product has a legal ground and can exercise people’s rights regarding personal data, you need to inform your customers about the nature of the product. 

For example, a product offers organizations to request certain information for KYC through a user-friendly interface based on data from the Ukrainian Open Data Portal. If the organization uses open data databases that include personal data in this product, the product owner should inform its customers that the product contains databases with personal data. Customers should be made aware that they become independent data controllers under the personal data protection law, with certain responsibilities.

Why bother?

“Why do all this,” you might ask, organizations that know that in Ukraine the maximum fine for violating personal data protection laws is less than $1,000.

To be better than others. To be guided by European quality standards. And to prepare for the adoption of the draft law on personal data protection, which the Verkhovna Rada of Ukraine is actively working on. And to avoid doing everything at the last minute.