Data & Personal Data

concepts in Data Privacy Vocabulary (DPV)

Final Community Group Report

This version:
https://www.w3.org/community/reports/dpvcg/CG-FINAL-dpv-20240128/
Latest published version:
https://w3id.org/dpv/dpv/modules/personal_data
Latest editor's draft:
https://dev.dpvcg.org/dpv/modules/personal_data
Editor:
Harshvardhan J. Pandit (ADAPT Centre, Dublin City University)
Feedback:
GitHub w3c/dpv (pull requests, new issue, open issues)
This Release
https://w3id.org/dpv/2.0
Previous Release
https://w3id.org/dpv/1.0
Key Publications
Data Privacy Vocabulary (DPV) -- Version 2 (2024)

Abstract

This document provides additional details and examples for data and personal data concepts in the Data Privacy Vocabulary [DPV], and is a companion to the [DPV] specification.

Status of This Document

This specification was published by the Data Privacy Vocabularies and Controls Community Group. It is not a W3C Standard nor is it on the W3C Standards Track. Please note that under the W3C Community Final Specification Agreement (FSA) other conditions apply. Learn more about W3C Community and Business Groups.

Contributing: The DPVCG welcomes participation to improve the DPV and associated resources, including expansion or refinement of concepts, requesting information and applications, and addressing open issues. See contributing guide for further information.

GitHub Issues are preferred for discussion of this specification.

Data Privacy Vocabulary (DPV) Specification: is the base/core specification for the 'Data Privacy Vocabulary', which is extended for Personal Data [PD], Locations [LOC], Risk Management [RISK], Technology [TECH], and [AI]. Specific [LEGAL] extensions are also provided which model jurisdiction specific regulations and concepts - see the complete list of extensions. To support understanding and applications of [DPV], various guides and resources [GUIDES] are provided, including a [PRIMER]. A Search Index of all concepts from DPV and extensions is available.

[DPV] and related resources are published on GitHub. For a general overview of the Data Protection Vocabularies and Controls Community Group [DPVCG], its history, deliverables, and activities - refer to DPVCG Website. For meetings, see the DPVCG calendar.

The peer-reviewed article “Creating A Vocabulary for Data Privacy” presents a historical overview of the DPVCG, and describes the methodology and structure of the DPV along with describing its creation. An open-access version can be accessed here, here, and here. The article Data Privacy Vocabulary (DPV) - Version 2, accepted for presentation at the 23rd International Semantic Web Conference (ISWC 2024), describes the changes made in DPV v2.

2. Introduction

Figure 1 Indicating Data and Personal Data using DPV
Figure 2 Indicating Data and Personal Data using DPV

DPV provides the concept Data and relation hasData to indicate involvement or association of any data. The concept PersonalData and the relation hasPersonalData are provided to indicate what categories or instances of personal data are being processed. The DPV specification only provides a structure for describing personal data, e.g. as being sensitive. For specific categories of personal data for use-cases, Personal Data categories for DPV provides additional concepts that extend the DPV's personal data taxonomy. This separation is to enable adopters to decide whether the extension's concepts are useful to them, or to use other external vocabularies, or define their own.

In addition to Personal Data, there may be a need to represent Non-Personal Data within the same contextual use-cases. For this, DPV provides the concepts NonPersonalData and SyntheticData.

To indicate data categorised based on DataSource, e.g. as "collected personal data", DPV provides: CollectedPersonalData, DerivedPersonalData, InferredPersonalData, GeneratedPersonalData, and ObservedPersonalData.

For indicating personal data which is sensitive, the concept SensitivePersonalData is provided. For indicating special categories of data, the concept SpecialCategoryPersonalData is provided. In this, the concept sensitive indicates that the data needs additional considerations (and perhaps caution) when processing, such as by increasing its security, reducing usage, or performing impact assessments. Special categories, by contrast, are a 'special' type of sensitive personal data requiring additional considerations or obligations defined in laws (or through other forms) that regulate how they should be used or prohibit their use until specific obligations are met.

To specify data is anonymised, DPV provides two concepts. AnonymisedData for when data is completely anonymised and cannot be de-anonymised, which is a subtype of NonPersonalData. And, PseudonymisedData for when data has only been partially anonymised or de-anonymisation is possible, which is a subtype of PersonalData.

DPV defines the following concepts for expressing information about data:

3. Personal Data

The Personal Data categories for DPV extension provides a taxonomy of personal data categories to represent commonly used categories such as 'Email Address' and 'Birth Date'. These concepts are organised in a hierarchical taxonomy where the super/parent concept is a broader form of the sub/child concept, and where these concepts act as sets i.e. everything in the sub/child concept is present in the super/parent concept. For example, consider the concept 'Email' - it can refer to email addresses, actual emails, metadata or attachments associated with emails, and so on. To distinguish between these, the 'Email' concept must be further 'extended' or 'refined' with subclasses or child concepts such as 'Email Address', 'Email Contents', etc. The [PD] taxonomy categories are modelled with such interpretations in mind. This helps align the use of DPV with practical use-cases where such ambiguous use of terms can be identified and rectified by choosing a more specific concept from the taxonomy (e.g. Email Address instead of Email above).

The relation hasPersonalData can be used to indicate both the category and instance of personal data. For example, to indicate the personal data being collected is of category 'Email Address', or to specify a particular email address. We recommend using rdf:value to represent such 'values' of personal data associated with a category. Alternatively, other vocabularies such as [FOAF] or [schema-org] can also be used to further specify the contents of personal data. Through we strongly recommend always using a DPV concept and a [PD] taxonomy concept for interoperability.

Note: Clarity on Personal Data concepts being Categories and Instances

Real-world and common usage of personal data is at both an abstract level as well as specific level. For example, consider the sentence "We use your Email information...", which uses "Email" to represent a reference to what personal data is involved. Here, one may interpret Email as representing only the email address, or as a broad set of possible information related to emails, such as email address, email senders and recipients list, email service provider, email usage statistics and so on.

For ensuring clarity and resolving any potential ambiguity, DPV recommends being as specific as possible. This means where there is ambiguity as to what the information may be associated with or within a concept, it is advisable to resolve that ambiguity - either by choosing a more accurate concept from the taxonomy and/or by creating one through extension of an existing concept.

Note: Challenges in representing Personal Data concepts accurately

In addition to above, it is also challenging to accurately represent how concepts function within real-world use in terms of their encapsulation within one another. For example, when establishing the DPV, we discussed the modelling of personal data categories based on the scenario where a picture of passport is initially collected, and from it various categories are extracted, such as - name, address, and photo. For representing this, merely stating the personal data as ‘passport photograph’ would not be entirely accurate as there is additional information within the photograph.

A solution was established whereby the use-case is expected to declare explicitly what information it intends to collect or use with sufficient details and clarity. For the passport photograph scenario, the use-case would use the concept PassportPhoto as the data it collects, and indicate that it extracts or derives Name and Age from it. Or, it directly declares that it collects all three concepts. This is necessary to ensure the interpretation that using PassportPhoto means having access to and using all of its subsequent personal data categories.

While this is one possible solution, other methods exist, such as explicitly declaring the data categories and their encapsulation within one another, such as by reusing hasPersonalData or creating additional properties (e.g. containsData) to indicate a personal data concept, i.e. the passport photo, contains information associated through the relation, i.e. name, age, etc. We welcome discussions regarding both these methods.

4. Sensitive & Special Data

Some personal data categories are sensitive. To indicate this, the concept SensitivePersonalData is used. It is important to recognise and document data when it is sensitive as it can require additional considerations such as enhanced technical and organisational measures, and appropriate privacy and data protection impact assessments.

Note

DPV currently categorises personal data as sensitive based on existing research and literature, and as special categories based on [GDPR] Article 9. Both are subject to expansion in the future based on requirements and technological progress, and we welcome well-formed proposals for the same.

SpecialCategoryPersonalData represents those sensitive categories which are regulated by law i.e. their use is regulated and requires additional considerations and obligations, such as under [GDPR] Article 9 which prohibits their use unless specific conditions are met, and also requires conducting a data protection impact assessment (DPIA) for certain cases where they are involved.

The PD taxonomy uses the GDPR Article 9 definition to denote specific concepts as belonging to special categories of personal data, and due to the way the taxonomy is hierarchical in nature, all concepts extending such concepts are also considered (sensitive and) special categories. For example, Biometric is a special category, which is further extended as FacialPrint - which is also considered as a special category due to being biometric data.

Note: PII and Sensitivity of Data

PII (Personally Identifiable Information) and Sensitivity of data are common concepts in relation to use of personal data. PII is a term with variable definitions depending on the particular interpretation of personal and identifiable. While ISO standards define PII as a concept closer to the personal data definition within DPV, this term can still result in confusion and ambiguity. DPV therefore defines IdentifyingPersonalData

to explicitly denote that some data 'identifies' a person.

DPV provides the SensitivePersonalData concept, and to indicate the degree of sensitivity, we recommend using the SensitivityLevel concept and associate it with hasSensitivityLevel.

The sensitivity of personal data can be universal, where that data is always sensitive, or contextual, which means a use-case needs to declare it as such. For indicating personal data is sensitive (or special), it is sub-typed or declared as an instance of SensitivePersonalData, as shown in the example below.

In using these concepts, it is important to note that DPV's modelling of sensitive and special categories is non-exhaustive and as such should not be taken as an authoritative fact or a 'source of truth'. To assist with better identifying sensitive concepts, work is ongoing within DPV to identify and provide a reference list of (potentially) sensitive and special categories, and we welcome contributions for the same.

Note: Enhancing the sensitive & special data taxonomies in PD

5. Anonymised Data

AnonymisedData refers to anonymisation, which is a data de-identification technique whereby any information which can be used to identify the individual, either by itself or in combination with other information - which may be present in the same dataset or outside it, is removed to prevent any possibility of attributing the data to the person it is about. From this, it is clear that the bar for 'true' or 'effective' anonymisation is very high. Anonymised data is no longer considered personal data, and is therefore non-personal data.

To specify data is anonymised, DPV provides two concepts. AnonymisedData for when data is completely anonymised and cannot be de-anonymised, which is a subtype of NonPersonalData. And, PseudonymisedData for when data has only been partially anonymised or de-anonymisation is possible, which is a subtype of PersonalData.

When data undergoes a partial anonymisation process i.e. it is not completely anonymised, and there is a possibility of re-identification, but it is unlikely for this to happen within the use-case, and where the use-case wishes to treat such data as 'contextually anonymised', the concept ContextuallyAnonymisedData is provided. Transferring such data outside the context results in the data no longer being anonymous, and it must be treated as personal data.

PseudonymisedData is data that has gone a partial or incomplete anonymisation process by replacing the identifiable information with artificial identifiers or 'pseudonyms'. Using such pseudonyms (e.g. IP addresses or fingerprinting techniques) does not render the data anonymous, and it still remains personal data as long as re-identification or association with an individual is possible.

Note: Caution when using anonymisation concepts

It is important to note that these definitions can be contextually difficult to apply or interpret. For example, consider the case where some data is indicated as being anonymised by itself without any available information to de-anonymise it. Though this can be considered as anonymised data, if there were to exist an external method or dataset that when combined with the anonymised dataset provides de-anonymised information - then this does not fit the definition of anonymised data.

Therefore, when indicating AnonymisedData, the understanding is that it is completely anonymised. Otherwise, given that regulations targeting PersonalData do not apply over anonymised data, the labelling of anonymised or contextually anonymised data may lead to misleading representation and violating obligations.

5.1 Non-Personal and Synthetic Data

While the focus of DPV is on Personal Data, there may be a need to represent Non-Personal Data within the same contextual use-cases. For example, if the personal data has been fully, completely, and irreversibly anonymised, then it can no longer be said to be personal data. To enable this, and other representations, DPV provides the concept Data to represent any data, with subtypes PersonalData and NonPersonalData. Using these as annotations can assist in clearly indicating which data should be protected, or protected with more severe measures, or to determine the scope of regulations which only apply over operations involving personal data.

Data is further subtyped as SyntheticData - a new concept that represents generated data intended to mimic personal data within a system so as to aid in development and testing without using actual or real personal data. Since such synthetic data may be used in systems that assume it is personal data, it has not been declared as a specific category of personal or non-personal data to permit its use as either.

6. Data Categorised by Source

To specify data in terms of how it was sourced or generated, various concepts are provided that correspond to the processing operations such as collect, derive, infer, observe, generate, and so on. This allows annotating data or indicating how the data was obtained.

CollectedPersonalData denotes the data was collected (from another entity), and ProvidedPersonalData indicates the data was provided by another entity i.e. the other entity knowingly provided this data for collection. For example, a data subject filling out a form to provide data is an example of provided personal data, whereas observation of individuals via CCTV is collected but not provided personal data.

DerivedPersonalData refers to data being derived from another (existing) data - where such data was already present in some form. For example, taking a photograph of a passport and extracting the relevant names and dates from it is considered 'derived data' as the data was already present in the photograph. Where data being derived does not exist i.e. it is 'inferred', the concept InferredPersonalData should be used. For example, if the passport photograph was used in some way to create a risk score for the individual by the immigration office, then such data is considered to be an 'inference' as it was not already present and has been inferred through some algorithmic process.

Note: Caution when using Derivation and Inference concepts

These concepts are analogous to their processing counterparts, as well as helpful in indicating the source of data i.e. the data source concepts. They are helpful to 'tag' or 'annotate' data, such as in databases or other systems, to indicate or categorise which data has been collected, or derived, or inferred. They can also be used to check or verify the information documented about processing and data sources is accurate and up to date.

7. Vocabulary Index

7.1 Classes

7.1.1 Anonymised Data

Term AnonymisedData Prefix dpv
Label Anonymised Data
IRI https://w3id.org/dpv#AnonymisedData
Type rdfs:Class, skos:Concept
Broader/Parent types dpv:NonPersonalDatadpv:Data
Object of relation dpv:hasData
Definition Personal Data that has been (fully and completely) anonymised so that it is no longer considered Personal Data
Usage Note It is advised to carefully consider indicating data is fully or completely anonymised by determining whether the data by itself or in combination with other data can identify a person. Failing this condition, the data should be denoted as PseudonymisedData. To indicate data is anonymised only for a specified entity (e.g. within an organisation), the concept ContextuallyAnonymisedData (as subclass of PseudonymisedData) should be used instead of AnonymisedData.
Date Created 2022-01-19
Contributors Piero Bonatti
See More: section PERSONAL-DATA in DPV

7.1.2 Collected Data

Term CollectedData Prefix dpv
Label Collected Data
IRI https://w3id.org/dpv#CollectedData
Type rdfs:Class, skos:Concept
Broader/Parent types dpv:Data
Object of relation dpv:hasData
Definition Data that has been obtained by collecting it from a source
Date Created 2023-12-10
See More: section PERSONAL-DATA in DPV

7.1.3 Collected Personal Data

Term CollectedPersonalData Prefix dpv
Label Collected Personal Data
IRI https://w3id.org/dpv#CollectedPersonalData
Type rdfs:Class, skos:Concept
Broader/Parent types dpv:CollectedDatadpv:Data
Broader/Parent types dpv:PersonalDatadpv:Data
Object of relation dpv:hasData, dpv:hasPersonalData
Definition Personal Data that has been collected from another source such as the Data Subject
Usage Note To indicate the source of data, use the DataSource concept with the hasDataSource relation
Examples dex:E0046 :: Indicating data being collected and derived
Date Created 2022-03-30
Date Modified 2023-12-10
Contributors Harshvardhan J. Pandit
See More: section PERSONAL-DATA in DEX

7.1.4 Commercially Confidential Data

Term CommerciallyConfidentialData Prefix dpv
Label Commercially Confidential Data
IRI https://w3id.org/dpv#CommerciallyConfidentialData
Type rdfs:Class, skos:Concept
Broader/Parent types dpv:Data
Object of relation dpv:hasData
Definition Data protected through Commercial Confidentiality Agreements
Source
Date Created 2024-02-14
See More: section PERSONAL-DATA in DPV

7.1.5 Confidential Data

Term ConfidentialData Prefix dpv
Label Confidential Data
IRI https://w3id.org/dpv#ConfidentialData
Type rdfs:Class, skos:Concept
Broader/Parent types dpv:Data
Object of relation dpv:hasData
Definition Data deemed confidential
Source
Date Created 2024-02-14
See More: section PERSONAL-DATA in DPV

7.1.6 Contextually Anonymised Data

Term ContextuallyAnonymisedData Prefix dpv
Label Contextually Anonymised Data
IRI https://w3id.org/dpv#ContextuallyAnonymisedData
Type rdfs:Class, skos:Concept
Broader/Parent types dpv:PseudonymisedDatadpv:PersonalDatadpv:Data
Object of relation dpv:hasData, dpv:hasPersonalData
Definition Data that can be considered as being fully anonymised within the context but in actuality is not fully anonymised and is still personal data as it can be de-anonymised outside that context
Usage Note To distinguish between partially anonymised data that can be effectively treated as anonymised data (e.g. in processing) within a context (e.g. an organisation), the concept ContextuallyAnonymisedData should be used instead of AnonymisedData. Transfer of this data outside of the context should consider that it is not fully anonymised and that it is still personal data
Date Created 2024-06-11
Contributors Harshvardhan J. Pandit
See More: section PERSONAL-DATA in DPV

7.1.7 Data

Term Data Prefix dpv
Label Data
IRI https://w3id.org/dpv#Data
Type rdfs:Class, skos:Concept
Object of relation dpv:hasData
Definition A broad concept representing 'data' or 'information'
Date Created 2022-01-19
Contributors Harshvardhan J. Pandit
See More: section PERSONAL-DATA in DPV

7.1.8 Derived Data

Term DerivedData Prefix dpv
Label Derived Data
IRI https://w3id.org/dpv#DerivedData
Type rdfs:Class, skos:Concept
Broader/Parent types dpv:Data
Object of relation dpv:hasData
Definition Data that has been obtained through derivations of other data
Date Created 2023-12-10
See More: section PERSONAL-DATA in DPV

7.1.9 Derived Personal Data

Term DerivedPersonalData Prefix dpv
Label Derived Personal Data
IRI https://w3id.org/dpv#DerivedPersonalData
Type rdfs:Class, skos:Concept
Broader/Parent types dpv:DerivedDatadpv:Data
Broader/Parent types dpv:PersonalDatadpv:Data
Object of relation dpv:hasData, dpv:hasPersonalData
Definition Personal Data that is obtained or derived from other data
Usage Note Derived Data is data that is obtained through processing of existing data, e.g. deriving first name from full name. To indicate data that is derived but which was not present or evident within the source data, InferredPersonalData should be used.
Examples dex:E0009 :: Derivation and inference of personal data
dex:E0046 :: Indicating data being collected and derived
Source DPVCG
Related svd:Derived
Date Created 2019-05-07
Date Modified 2023-12-10
Contributors Elmar Kiesling; Harshvardhan J. Pandit, Fajar Ekaputra
See More: section PERSONAL-DATA in DEX

7.1.10 Generated Data

Term GeneratedData Prefix dpv
Label Generated Data
IRI https://w3id.org/dpv#GeneratedData
Type rdfs:Class, skos:Concept
Broader/Parent types dpv:Data
Object of relation dpv:hasData
Definition Data that is generated or brought into existence without relation to existing data i.e. it is not derived or inferred from other data
Date Created 2023-12-10
See More: section PERSONAL-DATA in DPV

7.1.11 Generated Personal Data

Term GeneratedPersonalData Prefix dpv
Label Generated Personal Data
IRI https://w3id.org/dpv#GeneratedPersonalData
Type rdfs:Class, skos:Concept
Broader/Parent types dpv:PersonalDatadpv:Data
Object of relation dpv:hasData, dpv:hasPersonalData
Definition Personal Data that is generated or brought into existence without relation to existing data i.e. it is not derived or inferred from other data
Usage Note Generated Data is used to indicate data that is produced and is not derived or inferred from other data
Date Created 2022-03-30
Date Modified 2023-12-10
Contributors Harshvardhan J. Pandit
See More: section PERSONAL-DATA in DPV

7.1.12 Identifying Personal Data

Term IdentifyingPersonalData Prefix dpv
Label Identifying Personal Data
IRI https://w3id.org/dpv#IdentifyingPersonalData
Type rdfs:Class, skos:Concept
Broader/Parent types dpv:PersonalDatadpv:Data
Object of relation dpv:hasData, dpv:hasPersonalData
Definition Personal Data that explicitly and by itself is sufficient to identify a person
Usage Note DPV does not use PII ('Personally Identifiable Information') as it has varying and conflicting definitions across sources. Instead the concept 'identifying personal data' is intended to provide a clear categorisation of its interpretation. Where multiple data categories can be combined to create an 'identifying' category e.g. fingerprinting, this concept represents the combined category.
Date Created 2024-02-14
See More: section PERSONAL-DATA in DPV

7.1.13 Incorrect Data

Term IncorrectData Prefix dpv
Label Incorrect Data
IRI https://w3id.org/dpv#IncorrectData
Type rdfs:Class, skos:Concept
Broader/Parent types dpv:Data
Object of relation dpv:hasData
Definition Data that is known to be incorrect or inconsistent with some requirements
Date Created 2022-11-02
Contributors Harshvardhan J. Pandit
See More: section PERSONAL-DATA in DPV

7.1.14 Inferred Data

Term InferredData Prefix dpv
Label Inferred Data
IRI https://w3id.org/dpv#InferredData
Type rdfs:Class, skos:Concept
Broader/Parent types dpv:DerivedDatadpv:Data
Object of relation dpv:hasData
Definition Data that has been obtained through inferences of other data
Date Created 2023-12-10
See More: section PERSONAL-DATA in DPV

7.1.15 Inferred Personal Data

Term InferredPersonalData Prefix dpv
Label Inferred Personal Data
IRI https://w3id.org/dpv#InferredPersonalData
Type rdfs:Class, skos:Concept
Broader/Parent types dpv:DerivedPersonalDatadpv:DerivedDatadpv:Data
Broader/Parent types dpv:DerivedPersonalDatadpv:PersonalDatadpv:Data
Broader/Parent types dpv:InferredDatadpv:DerivedDatadpv:Data
Object of relation dpv:hasData, dpv:hasPersonalData
Definition Personal Data that is obtained through inference from other data
Usage Note Inferred Data is derived data generated from existing data, but which did not originally exist within it, e.g. inferring demographics from browsing history.
Examples dex:E0009 :: Derivation and inference of personal data
Date Created 2022-01-19
Date Modified 2023-12-10
Contributors Harshvardhan J. Pandit
See More: section PERSONAL-DATA in DEX

7.1.16 Intellectual Property Data

Term IntellectualPropertyData Prefix dpv
Label Intellectual Property Data
IRI https://w3id.org/dpv#IntellectualPropertyData
Type rdfs:Class, skos:Concept
Broader/Parent types dpv:ConfidentialDatadpv:Data
Object of relation dpv:hasData
Definition Data protected by Intellectual Property rights and regulations
Source
Date Created 2024-02-14
See More: section PERSONAL-DATA in DPV

7.1.17 Non-Personal Data

Term NonPersonalData Prefix dpv
Label Non-Personal Data
IRI https://w3id.org/dpv#NonPersonalData
Type rdfs:Class, skos:Concept
Broader/Parent types dpv:Data
Object of relation dpv:hasData
Definition Data that is not Personal Data
Usage Note The term NonPersonalData is provided to distinguish between PersonalData and other data, e.g. for indicating which data is regulated by privacy laws. To specify personal data that has been anonymised, the concept AnonymisedData should be used as the anonymisation process has a risk of not being fully effective and such anonymous data may be found to be personal data depending on circumstances.
Date Created 2022-01-19
Contributors Harshvardhan J. Pandit
See More: section PERSONAL-DATA in DPV

7.1.18 Observed Data

Term ObservedData Prefix dpv
Label Observed Data
IRI https://w3id.org/dpv#ObservedData
Type rdfs:Class, skos:Concept
Broader/Parent types dpv:CollectedDatadpv:Data
Object of relation dpv:hasData
Definition Data that has been obtained through observations of a source
Date Created 2023-12-10
See More: section PERSONAL-DATA in DPV

7.1.19 Observed Personal Data

Term ObservedPersonalData Prefix dpv
Label Observed Personal Data
IRI https://w3id.org/dpv#ObservedPersonalData
Type rdfs:Class, skos:Concept
Broader/Parent types dpv:CollectedPersonalDatadpv:CollectedDatadpv:Data
Broader/Parent types dpv:CollectedPersonalDatadpv:PersonalDatadpv:Data
Broader/Parent types dpv:ObservedDatadpv:CollectedDatadpv:Data
Object of relation dpv:hasData, dpv:hasPersonalData
Definition Personal Data that has been collected through observation of the Data Subject(s)
Date Created 2022-08-24
Date Modified 2023-12-10
Contributors Georg P. Krog
See More: section PERSONAL-DATA in DPV

7.1.20 Personal Data

Term PersonalData Prefix dpv
Label Personal Data
IRI https://w3id.org/dpv#PersonalData
Type rdfs:Class, skos:Concept
Broader/Parent types dpv:Data
Object of relation dpv:hasData, dpv:hasPersonalData
Definition Data directly or indirectly associated or related to an individual.
Usage Note This definition of personal data encompasses the concepts used in GDPR Art.4-1 for 'personal data' and ISO/IEC 2700 for 'personally identifiable information (PII)'.
Examples dex:E0044 :: Specifying personal data
Source GDPR Art.4-1g
Related spl:AnyData
Date Created 2019-04-05
Date Modified 2022-01-19
Contributors Harshvardhan J. Pandit
See More: section PERSONAL-DATA in DEX

7.1.21 Provided Data

Term ProvidedData Prefix dpv
Label Provided Data
IRI https://w3id.org/dpv#ProvidedData
Type rdfs:Class, skos:Concept
Broader/Parent types dpv:CollectedDatadpv:Data
Object of relation dpv:hasData
Definition Data that has been provided by an entity
Usage Note Provided data involves one entity explicitly providing the data, which the other entity then collects
Date Created 2024-04-20
Contributors Harshvardhan J. Pandit, Paul Ryan
See More: section PERSONAL-DATA in DPV

7.1.22 Provided Personal Data

Term ProvidedPersonalData Prefix dpv
Label Provided Personal Data
IRI https://w3id.org/dpv#ProvidedPersonalData
Type rdfs:Class, skos:Concept
Broader/Parent types dpv:CollectedPersonalDatadpv:CollectedDatadpv:Data
Broader/Parent types dpv:CollectedPersonalDatadpv:PersonalDatadpv:Data
Broader/Parent types dpv:ProvidedDatadpv:CollectedDatadpv:Data
Object of relation dpv:hasData, dpv:hasPersonalData
Definition Personal Data that has been provided by an entity such as the Data Subject
Usage Note Provided personal data involves one entity (e.g. data subject) explicitly providing the data, which the other entity (e.g. data controller) then collects
Examples dex:E0046 :: Indicating data being collected and derived
Date Created 2024-04-20
Contributors Harshvardhan J. Pandit, Paul Ryan
See More: section PERSONAL-DATA in DEX

7.1.23 Pseudonymised Data

Term PseudonymisedData Prefix dpv
Label Pseudonymised Data
IRI https://w3id.org/dpv#PseudonymisedData
Type rdfs:Class, skos:Concept
Broader/Parent types dpv:PersonalDatadpv:Data
Object of relation dpv:hasData, dpv:hasPersonalData
Definition Pseudonymised Data is data that has gone a partial or incomplete anonymisation process by replacing the identifiable information with artificial identifiers or 'pseudonyms', and is still considered as personal data
Date Created 2022-01-19
Contributors Harshvardhan J. Pandit
See More: section PERSONAL-DATA in DPV

7.1.24 Sensitive Data

Term SensitiveData Prefix dpv
Label Sensitive Data
IRI https://w3id.org/dpv#SensitiveData
Type rdfs:Class, skos:Concept
Broader/Parent types dpv:Data
Object of relation dpv:hasData
Definition Data deemed sensitive
Date Created 2024-02-14
See More: section PERSONAL-DATA in DPV

7.1.25 Sensitive Non Personal Data

Term SensitiveNonPersonalData Prefix dpv
Label Sensitive Non Personal Data
IRI https://w3id.org/dpv#SensitiveNonPersonalData
Type rdfs:Class, skos:Concept
Broader/Parent types dpv:SensitiveDatadpv:Data
Object of relation dpv:hasData
Definition Non-personal data deemed sensitive
Source
Date Created 2024-02-14
See More: section PERSONAL-DATA in DPV

7.1.26 Sensitive Personal Data

Term SensitivePersonalData Prefix dpv
Label Sensitive Personal Data
IRI https://w3id.org/dpv#SensitivePersonalData
Type rdfs:Class, skos:Concept
Broader/Parent types dpv:PersonalDatadpv:Data
Broader/Parent types dpv:SensitiveDatadpv:Data
Object of relation dpv:hasData, dpv:hasPersonalData
Definition Personal data that is considered 'sensitive' in terms of privacy and/or impact, and therefore requires additional considerations and/or protection
Usage Note Sensitivity' is a matter of context, and may be defined within legal frameworks. For GDPR, Special categories of personal data are considered a subset of sensitive data. To illustrate the difference between the two, consider the situation where Location data is collected, and which is considered 'sensitive' but not 'special'. As a probable rule, sensitive data require additional considerations whereas special category data requires additional legal basis / justifications.
Examples dex:E0010 :: Indicating personal data is sensitive or special category
dex:E0045 :: Indicating data belongs to sensitive or special category
Date Created 2022-01-19
Contributors Harshvardhan J. Pandit
See More: section PERSONAL-DATA in DEX

7.1.27 Special Category Personal Data

Term SpecialCategoryPersonalData Prefix dpv
Label Special Category Personal Data
IRI https://w3id.org/dpv#SpecialCategoryPersonalData
Type rdfs:Class, skos:Concept
Broader/Parent types dpv:SensitivePersonalDatadpv:PersonalDatadpv:Data
Broader/Parent types dpv:SensitivePersonalDatadpv:SensitiveDatadpv:Data
Object of relation dpv:hasData, dpv:hasPersonalData
Definition Sensitive Personal Data whose use requires specific additional legal permission or justification
Usage Note The term 'special category' is based on GDPR Art.9, but should not be considered as exclusive to it. DPV considers all Special Categories to also be Sensitive, but whose use is either prohibited or regulated and therefore requires additional legal basis for justification that is separate from that for general personal data.
Examples dex:E0010 :: Indicating personal data is sensitive or special category
dex:E0045 :: Indicating data belongs to sensitive or special category
Source GDPR Art.9-1
Date Created 2019-05-07
Date Modified 2022-01-19
Contributors Elmar Kiesling; Harshvardhan J. Pandit, Fajar Ekaputra
See More: section PERSONAL-DATA in DEX

7.1.28 Statistically Confidential Data

Term StatisticallyConfidentialData Prefix dpv
Label Statistically Confidential Data
IRI https://w3id.org/dpv#StatisticallyConfidentialData
Type rdfs:Class, skos:Concept
Broader/Parent types dpv:ConfidentialDatadpv:Data
Object of relation dpv:hasData
Definition Data protected through Statistical Confidentiality regulations and agreements
Source
Date Created 2024-02-14
See More: section PERSONAL-DATA in DPV

7.1.29 Synthetic Data

Term SyntheticData Prefix dpv
Label Synthetic Data
IRI https://w3id.org/dpv#SyntheticData
Type rdfs:Class, skos:Concept
Broader/Parent types dpv:GeneratedDatadpv:Data
Object of relation dpv:hasData
Definition Synthetic data refers to artificially created data such that it is intended to resemble real data (personal or non-personal), but does not refer to any specific identified or identifiable individual, or to the real measure of an observable parameter in the case of non-personal data
Source ENISA Data Protection Engineering
Date Created 2022-08-18
Date Modified 2023-12-10
Contributors Harshvardhan J. Pandit
See More: section PERSONAL-DATA in DPV

7.1.30 Unverified Data

Term UnverifiedData Prefix dpv
Label Unverified Data
IRI https://w3id.org/dpv#UnverifiedData
Type rdfs:Class, skos:Concept
Broader/Parent types dpv:Data
Object of relation dpv:hasData
Definition Data that has not been verified in terms of accuracy, inconsistency, or quality
Date Created 2022-11-02
Contributors Harshvardhan J. Pandit
See More: section PERSONAL-DATA in DPV

7.1.31 Verified Data

Term VerifiedData Prefix dpv
Label Verified Data
IRI https://w3id.org/dpv#VerifiedData
Type rdfs:Class, skos:Concept
Broader/Parent types dpv:Data
Object of relation dpv:hasData
Definition Data that has been verified in terms of accuracy, consistency, or quality
Date Created 2022-11-02
Contributors Harshvardhan J. Pandit
See More: section PERSONAL-DATA in DPV

7.2 Properties

7.2.1 has data

Term hasData Prefix dpv
Label has data
IRI https://w3id.org/dpv#hasData
Type rdf:Property, skos:Concept
Range includes dpv:Data
Definition Indicates associated with Data (may or may not be personal)
Date Created 2022-08-18
Contributors Harshvardhan J. Pandit
See More: section PERSONAL-DATA in DPV

7.2.2 has personal data

Term hasPersonalData Prefix dpv
Label has personal data
IRI https://w3id.org/dpv#hasPersonalData
Type rdf:Property, skos:Concept
Broader/Parent types dpv:hasData
Sub-property of dpv:hasData
Range includes dpv:PersonalData
Definition Indicates association with Personal Data
Examples dex:E0044 :: Specifying personal data
Date Created 2022-01-19
Contributors Harshvardhan J. Pandit
See More: section PERSONAL-DATA in DEX

7.3 External

DPV uses the following terms from [RDF] and [RDFS] with their defined meanings:

The following external concepts are re-used within DPV:

8. Contributors

The following people have contributed to this vocabulary. The names are ordered alphabetically. The affiliations are informative do not represent formal endorsements. Affiliations may be outdated. The list is generated automatically from the contributors listed for defined concepts.

Funding Acknowledgements

Funding Sponsors

The DPVCG was established as part of the SPECIAL H2020 Project, which received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement No. 731601 from 2017 to 2019.

Harshvardhan J. Pandit was funded to work on DPV from 2020 to 2022 by the Irish Research Council's Government of Ireland Postdoctoral Fellowship Grant#GOIPD/2020/790.

The ADAPT SFI Centre for Digital Media Technology is funded by Science Foundation Ireland through the SFI Research Centres Programme and is co-funded under the European Regional Development Fund (ERDF) through Grant#13/RC/2106 (2018 to 2020) and Grant#13/RC/2106_P2 (2021 onwards).

Funding Acknowledgements for Contributors

The contributions of Harshvardhan J. Pandit have been made with the financial support of Science Foundation Ireland under Grant Agreement No. 13/RC/2106_P2 at the ADAPT SFI Research Centre.

A. References

A.1 Informative references

[AI]
AI Technology concepts for DPV. URL: https://w3id.org/dpv/ai
[DPV]
Data Privacy Vocabulary (DPV) Specification. URL: https://w3id.org/dpv
[DPVCG]
W3C Data Privacy Vocabularies and Controls Community Group (DPVCG). URL: https://www.w3.org/community/dpvcg/
[FOAF]
FOAF Vocabulary Specification 0.99 (Paddington Edition). Dan Brickley; Libby Miller. FOAF project. 14 January 2014. URL: http://xmlns.com/foaf/spec
[GDPR]
General Data Protection Regulation (GDPR). URL: https://eur-lex.europa.eu/eli/reg/2016/679/oj
[GUIDES]
Guides for DPV. URL: https://w3id.org/dpv/guides
Legal Jurisdiction-relevant concepts for DPV. URL: https://w3id.org/dpv/legal
[LOC]
Location and Geo-Political Membership concepts for DPV. URL: https://w3id.org/dpv/loc
[PD]
Personal Data categories for DPV. URL: https://w3id.org/dpv/pd
[PRIMER]
Primer for Data Privacy Vocabulary. URL: https://w3id.org/dpv/primer
[RDF]
RDF 1.1 Concepts and Abstract Syntax. URL: https://www.w3.org/TR/rdf11-concepts/
[RDFS]
RDF Schema 1.1. URL: https://www.w3.org/TR/rdf-schema/
[RISK]
Risk Assessment and Management concepts for DPV. URL: https://w3id.org/dpv/risk
[schema-org]
Schema.org. W3C Schema.org Community Group. W3C. 6.0. URL: https://schema.org/
[TECH]
Technology concepts for DPV. URL: https://w3id.org/dpv/tech