Full Disclosure
Andrew Cormack
ukcrypto at chiark.greenend.org.uk
Tue, 29 Apr 2008 20:26:10 +0100
And doesn't the recent Article 29WP opinion on google^H^H^H^H^H^Hsearch
engines and personal data make the effective definition of personal data
even wider? As I read it, though I may be wrong, they seemed to be
saying that unless you were sure the identifier couldn't be linked to a
person then you had to act as if it could. That's very different from UK
law post-Durant, of course.
Andrew
--
Andrew Cormack, Chief Regulatory Adviser
JANET(UK), Lumen House, Library Avenue, Harwell Science and Innovation
Campus, Didcot, OX11 0SG, UK
Phone: +44 (0) 1235 822302
Fax: +44 (0) 1235 822399
> -----Original Message-----
> From: ukcrypto-admin@chiark.greenend.org.uk
> [mailto:ukcrypto-admin@chiark.greenend.org.uk] On Behalf Of Joel Harrison
> Sent: 29 April 2008 14:34
> To: ukcrypto@chiark.greenend.org.uk
> Subject: Re: Full Disclosure
>
> On 4/29/08, Nicholas Bohm <nbohm@ernest.net> wrote:
> >> ``Is the Phorm UUID personally identifiable data?''
> >
> > I think it depends who is in possession of it. When in the possession of
> > someone who can link it to what is undoubtedly personally identifiable, then
> > so is the UUID.
>
> Certainly - one of the features of the DPA is that whether data
> constitutes personal data depends on whose hands it falls into and
> what other information that person has or is likely to have. It is
> perfectly possible that the UUID is personal data in the hands of the
> ISP (because it can associate the UUID with an IP address and
> ultimately to a user account) and also in the hands of the website who
> gets hold of the cookie (and which has the user's payment details
> stored), but not in Phorm's hands.
>
> Note that there's a bit of divergence between the definition of
> personal data in the DPA and in the Directive. In the DPA, data is
> personal data if it relates to a person who can be identified from
> that data, or from that data together with other data in (or likely to
> come into) the data controller's possession. (This is why an IP
> address that is dynamically allocated may be personal data in the
> hands of the ISP, who can examine its logs to work out the user to
> whom the address was allocated at a given time, but not necessarily in
> the hands of a third party, who is unlikely ever to obtain that
> information - unless that third party happens to be involved in law
> enforcement, etc.)
>
> The Directive, on the other hand, is a bit broader. It defines
> personal data as information that relates to an identified or
> identifiable person, and says (in the recitals) that whether a person
> is identifiable depends on the means likely to be used by the
> controller "or by any other person".
>
> So, you may find that the ICO is prepared to say that Phorm is not
> processing personal data (although its partner ISPs may be), but that
> regulators in other EU member states view things differently. In any
> event, the UK takes a narrower view of what constitutes personal data
> than many other EU member states - something that has recently
> attracted pretty serious criticism from the Commission.
>
> Joel
>
JANET(UK) is a trading name of The JNT Association, a company limited
by guarantee which is registered in England under No. 2881024
and whose Registered Office is at Lumen House, Library Avenue,
Harwell Science and Innovation Campus, Didcot, Oxfordshire. OX11 0SG