Nameless data can still be personal

Joel Harrison ukcrypto at chiark.greenend.org.uk
Mon, 10 Nov 2008 13:46:13 +0000 

On Mon, Nov 10, 2008 at 12:07 PM, Roland Perry
<lists@internetpolicyagency.com> wrote:
> In article <0A765050-41EE-4D97-B5B3-2207B3217A51@googlemail.com>, Joel
> Harrison <joeldharrison@googlemail.com> writes
>>
>> ISPs and law enforcement, yes (which is what I said). Website operators,
>> usually no. The test is whether the website operator is in, or is likely to
>> come into, possession of the other data necessary to identify the relevant
>> individual.  That will not apply to most website operators in possession of
>> logs alone.  It will only apply where the user has a fixed IP address and
>> that user (as opposed to the ISP) is listed as the holder of the address in
>> a public register - but even then, if the website operator neither consults
>> that register nor is likely to do so, the data is not personal data. And if
>> the register merely lists the name of the user, there will be many cases in
>> which the operator lacks the necessary contextual information to make that
>> personal data.
>>
>>> Meanwhile, I don't think that personal data should be treated any less
>>> carefully once it's "escaped" from the hands of a data controller.
>>
>> You're assuming it was personal data in the first place.
>
> As I keep saying, I don't believe in a concept of "chameleon data", that
> changes between being personal and not-personal with the phase of the moon.

Not with the phase of the moon, granted, but whether data is personal
data absolutely does depend on whose hands it's in (because it depends
on what other data that person has/is likely to have).  That's
absolutely clear - it's right there in the definition of "personal
data" in section 1(1) of the Act.

> Or data where one sample is personal (because it can be easily linked to a
> person) and another isn't (because the linkage is harder to find). When you
> have a web-log that contains examples of both, don't you think that the
> web-log needs treating carefully, as a whole?

Where personal and non-personal data are indeed mixed, yes, I agree
that best practice is to treat the whole dataset as if it were
personal data.  It's usually more straightforward and cost-effective
to do this, too.  But, as I've said, a web-log will usually consist
exclusively of non-personal data unless the site operator also
collects other data about visitors to the site.

Joel