Nameless data can still be personal

[Roland Perry]

In article <0A765050-41EE-4D97-B5B3-2207B3217A51@googlemail.com>, Joel 
Harrison <joeldharrison@googlemail.com> writes
>ISPs and law enforcement, yes (which is what I said). Website 
>operators, usually no. The test is whether the website operator is in, 
>or is likely to come into, possession of the other data necessary to 
>identify the relevant individual.  That will not apply to most website 
>operators in possession of logs alone.  It will only apply where the 
>user has a fixed IP address and that user (as opposed to the ISP) is 
>listed as the holder of the address in a public register - but even 
>then, if the website operator neither consults that register nor is 
>likely to do so, the data is not personal data. And if the register 
>merely lists the name of the user, there will be many cases in which 
>the operator lacks the necessary contextual information to make that 
>personal data.
>
>> Meanwhile, I don't think that personal data should be treated any 
>>less carefully once it's "escaped" from the hands of a data controller.
>You're assuming it was personal data in the first place.

As I keep saying, I don't believe in a concept of "chameleon data", that 
changes between being personal and not-personal with the phase of the 
moon. Or data where one sample is personal (because it can be easily 
linked to a person) and another isn't (because the linkage is harder to 
find). When you have a web-log that contains examples of both, don't you 
think that the web-log needs treating carefully, as a whole?

-- 
Roland Perry