Protecting sensitive data Principles of data protection Data protection laws are often cited as prohibiting the collection of ethnic data. However, data protection laws can distinguish between the collection of individually identifiable data and that of anonymous data, permitting the latter. European Union law, for example, applies to personal data and exempts anonymous data.48 The Council of Europe notes that statistical results are not personal data because they are not linked to an identifiable person and highlights the need for balance between the need for research and the protection of privacy of individuals.49 In an attempt to balance the need for data on ethnicity with considerations of personal privacy, the European Commission against Racism and Intolerance (ECRI) has recommended that ethnic data be collected in ways that ensure confidentiality, informed consent, and voluntary self-identification. Furthermore, ECRI has urged against publication of personal data in such a way as to divulge individual identity. Taking this line of thinking a step further, one data protection expert has suggested that abuse of personal data be prevented through a method that would “count the members of a community without numbering them, i.e., without recording them individually in files, registries or computer databases” (Székely 2001, p. 279). In addition to containing a general prohibition on the processing of sensitive data –including but not necessarily limited to personal data on racial or ethic origin, political opinions, religious or philosophical beliefs, trade union membership and health or sex life – the EU Data Protection Directive enumerates conditions under which the processing of sensitive data can be legitimated. For example, Article 8 (2) states sensitive data may be processed on the basis of the data subject’s consent, unless the laws of the member States otherwise provide. Further exemptions to the prohibition on processing sensitive data under the Data Protection Directive may be laid down by national laws or by decision of national supervisory authority, provided that suitable safeguards are provided (i.e. necessary technical and organizational measures are taken in order to maintain data security). The reason for this class of exemptions is to facilitate scientific research and government statistics, enabling processing and storage of sensitive data in central population registers, tax registers, census registers and the like. Article 6 of the Data Protection Directive sets out five qualitative principles that must be respected when personal data is processed. These principles require that personal data must be:      Processed fairly and lawfully; Collected for specified, explicit and legitimate purposes; Adequate, relevant and non-excessive; Accurate, and where necessary kept up to date; and Kept in a form that permits the identification of data subjects for no longer than necessary. By virtue of the above principles, data collection operations could wherever possible conduct:   Secondary rather than primary data collection; Anonymous rather than non-anonymous surveys;  Sampling rather than full-scale surveys;  Voluntary rather than compulsory surveys. EU directive on the protection of individuals with regard to the processing of personal data and on the free movement of such data, 95/46/EC, 24 October. 48 Council of Europe Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (1981) and Recommendation No. R(97) 18 of the Committee of Ministers Concerning the Protection of Personal Data Collected and Processed for Statistical Purposes (1997). 49 Chapter 9: Data Collection Tools 131