Not-at-the-moment personal data (was RE: Full Disclosure)

Andrew Cormack ukcrypto at chiark.greenend.org.uk
Sun, 28 Sep 2008 12:45:45 +0100


> -----Original Message-----
> From: ukcrypto-admin@chiark.greenend.org.uk [mailto:ukcrypto-admin@chiark.greenend.org.uk] On Behalf Of Peter Fairbrother
> Sent: 27 September 2008 19:22
> To: ukcrypto@chiark.greenend.org.uk
> Subject: Re: Full Disclosure
>
> Nicholas Bohm wrote:
>
> >
> > ``Is the Phorm UUID personally identifiable data?''
> >
> > I think it depends who is in possession of it.  When in the possession
> > of someone who can link it to what is undoubtedly personally
> > identifiable, then so is the UUID.
>
> But does whether a piece of data is personally identifying depend on who
> has possession of it, and what other databases they have access to?
>
> I don't see how it can - the first may be known, but the second can't be
> - or is there a law which says if you have x piece of information, you
> can't then get y piece of information, because y would make x personally
> identifiable?
>
> I guess that you'd have to define three types of data, one completely
> non-identifying, one non-identifying without some other data, and one
> which makes the second type identifying.
>
>
> My brain hurts
>
> -- Peter

See the Article 29 Working Party's Opinion on search engines and their
general Opinion 2007/4 on the concept of personal data.

They say that unless the recipient of a pseudonymous identifier (they
are talking about IP addresses, but the principle seems to transfer
nicely) knows that it *cannot* be linked to an identifiable living
individual then the recipient has to treat the identifier and any
associated information as if it were personal data. This seems a
slightly stricter test than UK law, which only requires that such
linkage not be likely.

So yes, it does seem that there are three classes of data:
1) Personal data
2) Non-personal data
3) Data that is personal in my hands, but not in someone else's (either
because they cannot, or will not, get the information needed to link it
to an identifiable individual)

Thanks to the "likely", UK law is clearer about the existence of class
3, but the Art29WP seem clear that it exists in EC law (95/46/EC) as
well.

Andrew

--
Andrew Cormack, Chief Regulatory Adviser
JANET(UK), Lumen House, Library Avenue, Harwell Science and Innovation
Campus, Didcot, OX11 0SG, UK
Phone: +44 (0) 1235 822302
Fax: +44 (0) 1235 822399

JANET, the UK's education and research network

JANET(UK) is a trading name of The JNT Association, a company limited
by guarantee which is registered in England under No. 2881024
and whose Registered Office is at Lumen House, Library Avenue,
Harwell Science and Innovation Campus, Didcot, Oxfordshire. OX11 0SG