Nameless data can still be personal

Peter Tomlinson ukcrypto at chiark.greenend.org.uk
Sun, 09 Nov 2008 12:15:16 +0000


Andrew Cormack wrote:
> Incidentally *anyone* who controls personal data is a data controller:
> there doesn't have to be just one DC for each item of personal data. So
> if personal data escapes from its original controller, in a form that
> makes it still personal, then as far as I can see the recipient is a
> data controller too.
Data processor, I believe.

Which is why it is essential that bus passes for the elderly and 
disabled don't have personal data stored in the clear in the entitlement 
dataset in the chip in the pass, even though the fixed format dataset 
definition includes fields for some personal data - the bus that can and 
does read the chip [1] has to read the entire dataset in order to verify 
the digital signature created from the whole dataset, and thus the bus 
operator becomes not a data controller but a data processor. You can't 
have every LA having contracts with every bus operator, and anyway the 
test of necessity comes in: it is not necessary for the bus operator (or 
anyone else reading that part of the chip) to have that data in the pass 
dataset, because the bus pass serial number can always be used by those 
authorised to track back to the pass holder. Other datasets in the chip 
(e.g. local authority functions) that may need to hold personal data 
have to be separately protected so that the data can only be accessed by 
authorised persons.

Peter

[1] Blackpool and much of Lancs and Cumbria, parts of Cheshire, and a 
slowly growing number of other places in England. Also growing numbers 
of buses in Scotland, and soon similar in Wales. Not London for a while 
yet - it's not compatible with the current Oyster infrastructure.