Nameless data can still be personal

Peter Tomlinson ukcrypto at chiark.greenend.org.uk
Sun, 09 Nov 2008 12:54:57 +0000 

Joel Harrison wrote:
> On 9 Nov 2008, at 12:15, Peter Tomlinson <pwt@iosis.co.uk> wrote:
>> Andrew Cormack wrote:
>>> Incidentally *anyone* who controls personal data is a data controller:
>>> there doesn't have to be just one DC for each item of personal data. So
>>> if personal data escapes from its original controller, in a form that
>>> makes it still personal, then as far as I can see the recipient is a
>>> data controller too.
>> Data processor, I believe.
>>
> In the situation to which I think Andrew was referring, the recipient 
> would be a controller. A processor is one who processes data on behalf 
> of, and on the instructions of, a controller.
As I see it, a data controller has to have a contract with the person 
concerned, and a data processor is authorised by a data controller to 
receive and use the data for specific purposes.

The suggestion in this thread seems to be that the ISP who controls the 
IP address may be a data controller in respect of the subject who uses 
the IP address. Therefore if the data "escapes" in a way that allows 
information about the person using the IP address to be gleaned, the 
escape is illegal. If, however, the recipient of the data has an 
agreement with the data controller to use the data, then I believe that 
the recipient is a data processor and has to have a contract with the 
data controller.

Certainly in the case of bus passes the bus operator can visually read 
the name of the pass holder off the face of the pass, but in my view is 
not allowed to use that in association with the transaction messages - 
if a fraudulent transction is suspected, the bus operator should contact 
the pass issuer and advise them of a suspicious transaction, and I see 
one of two ways to do that:

- inspect the pass visually and write down the name and serial number, 
then submit a paper report

- without recording the name of the pass holder, create an additional 
transaction message reporting a suspicious use of the pass (and 
referencing the serial number read electronically).


Peter