Nameless data can still be personal
Caspar Bowden
ukcrypto at chiark.greenend.org.uk
Mon, 10 Nov 2008 13:57:52 +0000
> admin@chiark.greenend.org.uk] On Behalf Of Andrew Cormack
...
>
> Joel
> If you have a reference for the fact that IP addresses aren't personal
> data in the UK then I'd love to know it.
Some refs:
http://www.ico.gov.uk/upload/documents/library/data_protection/practical_application/collecting_personal_information_from_websites_v1.0.pdf
"So if it is only the ISP who can link the IP address to an individual it is difficult to see how the Act can cover collecting dynamic IP addresses without any other identifying or distinguishing information"
http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/2007/wp136_en.pdf (read the whole thing - subtle and as interesting for what it doesn't say as much as what it does)
http://www.ico.gov.uk/about_us/news_and_views/current_topics/what_is_personal_data.aspx (someone should do a close analysis contrasting with above)
http://www.liberty-human-rights.org.uk/issues/3-privacy/pdfs/liberty-privacy-report.pdf
pp. 120-121
<<<<<Concerns over the effectiveness of the DPA also arise from the definition of 'personal data'. This definition impacts upon the scope of processing regulated by the DPA. The DPA defines 'personal data' as:

'data which relate to a living individual who can be identified -
(a) from those data, or
(b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller' 233

Meanwhile the definition set out in the EU Data Protection Directive states:

''personal data' shall mean any information relating to an identified or identifiable natural person ('data subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity' 234

The Articles in the directive are preceded by a series of explanatory 'recitals'. Recital 26 states:

'Whereas the principles of protection must apply to any information concerning an identified or identifiable person; whereas, to determine whether a person is identifiable, account should be taken of all the means likely reasonably to be used either by the controller or by any other person to identify the said person; whereas the principles of protection shall not apply to data rendered anonymous in such a way that the data subject is no longer identifiable' (emphasis added) 235.

The definition of personal data in the DPA is, therefore, more restrictive than that allowed for in the Directive. The DPA bases the definition of personal data as relating to a living individual identifiable from the data itself or from other information held by the data controller. The Directive is more expansive by allowing the definition to include data identifiable by the controller or any other person.

This might seem an obscure and rather academic point. However, it is extremely relevant in the context of the mass data matching and mining processes referred to in this work. We have expressed concerns that pressures towards greater matching and profiling of data might prove irresistible. The definition of data contained in the DPA allows a certain leeway to do this if the data is anonymised prior to passing to a third party for further processing. This would allow, for example, data from the one data controller (data controller 'A') to be passed to another data controller (data controller 'B') to be matched against information held by them. If the data had been anonymised by A before being passed to B (by allocating an identifying number for example) then it might not constitute personal data under the DPA while in B's possession, meaning B would not have to comply with DPA requirements. Once B had processed the data they could pass it back to A with, for example, any comment about the person to whom the identifying number related being a potential security or crime risk.

As a consequence the data has not really been 'anonymised' as most people would understand the word. A more accurate definition might be 'pseudonymised'. This definition might be used to describe data that does not contain names, but which does contain an identifier (such as a number) unique per individual for some time window. This identifier allows for further information to be obtained which can then be linked back to the person linked to this identifier.

The use of pseudonymised data to allow a way around the DPA would not be possible if the definition in the Data Protection Directive was to be applied. Any processing by B would still have to comply with data protection requirements as the person would be identifiable as a consequence of information held by A.

The implication of this is that it may be possible for data held on the NIR or on other mass informational databases to be matched or profiled against data held elsewhere without reference to data protection principles if it is initially anonymised (even if de-anonymised once passed back). The extent of DPA applicability to anonymised data is a grey area. While certainty in data processing can sometimes be elusive 236, a definition of personal data more in line with the Directive would ensure that 'anonymisation' does not allow avoidance of data protection principles>>>>>
--
Caspar