Full Disclosure

Joel Harrison ukcrypto at chiark.greenend.org.uk
Tue, 29 Apr 2008 14:34:21 +0100


On 4/29/08, Nicholas Bohm <nbohm@ernest.net> wrote:
>> "Is the Phorm UUID personally identifiable data?"
>
> I think it depends who is in possession of it.  When in the possession of
> someone who can link it to what is undoubtedly personally identifiable, then
> so is the UUID.

Certainly - one of the features of the DPA is that whether data
constitutes personal data depends on whose hands it falls into and
what other information that person has or is likely to have.  It is
perfectly possible that the UUID is personal data in the hands of the
ISP (because it can associate the UUID with an IP address and
ultimately to a user account) and also in the hands of the website that
gets hold of the cookie (and which has the user's payment details
stored), but not in Phorm's hands.

Note that there's a bit of divergence between the definition of
personal data in the DPA and in the Directive.  In the DPA, data is
personal data if it relates to a person who can be identified from
that data, or from that data together with other data in (or likely to
come into) the data controller's possession.  (This is why an IP
address that is dynamically allocated may be personal data in the
hands of the ISP, who can examine its logs to work out the user to
whom the address was allocated at a given time, but not necessarily in
the hands of a third party, who is unlikely ever to obtain that
information - unless that third party happens to be involved in law
enforcement, etc.)

The Directive, on the other hand, is a bit broader.  It defines
personal data as information that relates to an identified or
identifiable person, and says (in the recitals) that whether a person
is identifiable depends on the means likely to be used by the
controller "or by any other person".

So, you may find that the ICO is prepared to say that Phorm is not
processing personal data (although its partner ISPs may be), but that
regulators in other EU member states view things differently.  In any
event, the UK takes a narrower view of what constitutes personal data
than many other EU member states - something that has recently
attracted pretty serious criticism from the Commission.

Joel