Nameless data can still be personal
Andrew Cormack
ukcrypto at chiark.greenend.org.uk
Sun, 9 Nov 2008 14:16:25 -0000
> -----Original Message-----
> From: ukcrypto-admin@chiark.greenend.org.uk [mailto:ukcrypto-admin@chiark.greenend.org.uk] On Behalf Of Peter Tomlinson
> Sent: 09 November 2008 12:55
> To: ukcrypto@chiark.greenend.org.uk
> Subject: Re: Nameless data can still be personal
>
> Joel Harrison wrote:
> > On 9 Nov 2008, at 12:15, Peter Tomlinson <pwt@iosis.co.uk> wrote:
> >> Andrew Cormack wrote:
> >>> Incidentally *anyone* who controls personal data is a data controller:
> >>> there doesn't have to be just one DC for each item of personal data. So
> >>> if personal data escapes from its original controller, in a form that
> >>> makes it still personal, then as far as I can see the recipient is a
> >>> data controller too.
> >> Data processor, I believe.
> >>
> > In the situation to which I think Andrew was referring, the recipient
> > would be a controller. A processor is one who processes data on behalf
> > of, and on the instructions of, a controller.
> As I see it, a data controller has to have a contract with the person
> concerned, and a data processor is authorised by a data controller to
> receive and use the data for specific purposes.
I tend to phrase it the other way round:
1) If you hold personal data then you are a data controller, unless
2) You only hold and process it under the instructions of someone else,
in which case you're a data processor.
Someone in state (1) has duties (and liabilities) to the data subject
under the Act (e.g. to notify the data subject, cope with SARs, etc.). A
contract is one way to handle those duties and liabilities.
Someone in state (2) only has duties and liabilities to the data
controller under whose direction they are working. If the data processor
makes a mistake or does something wrong, the data controller has to bear
any resulting liabilities to the data subject.
As far as I can see, if you accidentally receive personal data, you
automatically become a data controller for it. Since that status carries
duties and liabilities, it's a really good idea to get rid of it
a.s.a.p. by returning the data to a relevant authority.
> The suggestion in this thread seems to be that the ISP who controls the
> IP address may be a data controller in respect of the subject who uses
> the IP address.
Agreed.
> Therefore if the data "escapes" in a way that allows
> information about the person using the IP address to be gleaned, the
> escape is illegal. If, however, the recipient of the data has an
> agreement with the data controller to use the data, then I believe that
> the recipient is a data processor and has to have a contract with the
> data controller.
Agreed.
> Certainly in the case of bus passes the bus operator can visually read
> the name of the pass holder off the face of the pass, but in my view is
> not allowed to use that in association with the transaction messages -
> if a fraudulent transaction is suspected, the bus operator should contact
> the pass issuer and advise them of a suspicious transaction, and I see
> one of two ways to do that:
>
> - inspect the pass visually and write down the name and serial number,
> then submit a paper report
>
> - without recording the name of the pass holder, create an additional
> transaction message reporting a suspicious use of the pass (and
> referencing the serial number read electronically).
Agreed. And I'd very much hope that the contract between the pass issuer
and the bus operator states which one applies, otherwise the bus
operator would seem to be getting close to the line of working only
under the direction of the data controller, and thereby becoming a data
controller themselves.
Cheers
Andrew
> Peter
JANET(UK) is a trading name of The JNT Association, a company limited
by guarantee which is registered in England under No. 2881024
and whose Registered Office is at Lumen House, Library Avenue,
Harwell Science and Innovation Campus, Didcot, Oxfordshire. OX11 0SG