Nameless data can still be personal

[Joel Harrison]

On 9 Nov 2008, at 10:41, Roland Perry <lists@internetpolicyagency.com>  
wrote:

> In article <9D53C16A-2D39-4D3A-A966-FB33C68593D7@googlemail.com>,  
> Joel Harrison <joeldharrison@googlemail.com> writes
>>> In the EU we say "some IP addresses identify people, so we should  
>>> treat  all of them as personal data",
>
>> It's worth noting that the UK is out of step with much of the rest  
>> of the EU on this point.  In the UK an IP address will usually not  
>> be personal data, other than in the hands of the user's ISP or law  
>> enforcement officials, because the person processing the data lacks  
>> the necessary information to identify the user.
>
> The law only applies to "Data Controllers", and these are exactly  
> the ISPs, website operators, and law enforcement agencies in receipt  
> of logs, who *do* have the means to identify the individual.
>
ISPs and law enforcement, yes (which is what I said). Website  
operators, usually no. The test is whether the website operator is in,  
or is likely to come into, possession of the other data necessary to  
identify the relevant individual.  That will not apply to most website  
operators in possession of logs alone.  It will only apply where the  
user has a fixed IP address and that user (as opposed to the ISP) is  
listed as the holder of the address in a public register - but even  
then, if the website operator neither consults that register nor is  
likely to do so, the data is not personal data. And if the register  
merely lists the name of the user, there will be many cases in which  
the operator lacks the necessary contextual information to make that  
personal data.


> Meanwhile, I don't think that personal data should be treated any  
> less carefully once it's "escaped" from the hands of a data  
> controller.
You're assuming it was personal data in the first place.


>
> -- 
> Roland Perry
>