ICO respond to questions about Phorm's registration
Nicholas Bohm
ukcrypto at chiark.greenend.org.uk
Thu, 09 Apr 2009 17:59:01 +0100
Alexander Hanff wrote:
> First see here:
> http://www.whatdotheyknow.com/request/121mediaphorm_registration_as
>
> It would seem that Phorm were not registered with the ICO as Data
> Controllers until January 2008 which means they were not registered for
> the trials in 2006/2007. ICO claim that BT were the Data Controllers
> and Phorm were exempt under the rules for Data Processors but many of
> the people campaigning against Phorm's technology feel this is not
> correct. Personally, I think that because it was Phorm's product being
> tested not BT's and that technology was owned, built, configured,
> maintained and run by Phorm as well as the aggregated data being
> processed by Phorm then it should be Phorm who are classified as the
> Data Controller as to my knowledge BT had no "control" over the data
> Phorm aggregated.
>
> It is interesting comparing this case with the case of Consulting
> Association who were raided by ICO and are being prosecuted simply for
> processing personal data (supplied to them by companies with data
> controllers) without the consent or knowledge of the data subjects.
>
> The difficulty is how do you argue this with the ICO. I don't recall
> there being any clear cut definitions in the DPA which set the ground
> rules for classifying who is a processor and who is a controller but I
> will have a looksie this weekend when I get a few minutes spare. My
> concern is that the legislation is sufficiently vague/broadly worded for
> the ICO to get away with this.
DPA s1(1): “data controller” means, subject to subsection (4), a person
who (either alone or jointly or in common with other persons) determines
the purposes for which and the manner in which any personal data are, or
are to be, processed

I think BT determined the purposes for which it ran the trials, by
knowing what would happen to data if it ran the trials and deciding to
run them. It is at least arguable that in the same way they also
decided the manner in which data were processed, by knowing what would
happen to data if it ran the trials and deciding to run them.

These conclusions could be contradicted by evidence that Phorm were in
practice able during the trials to tweak the system as they wished in
ways that altered the purpose and manner - in that case they would have
been determining those things.

Any data processed by Phorm might well have been pseudonymised. Whether
pseudonymous data is really not personally identifiable (even assuming
that it cannot be "re-identified") raises an issue that remains to be
fought out. If "personally identifiable" means "capable of being
connected with an individual identified by the identifiers which that
individual habitually uses", then genuinely pseudonymous data is not
personally identifiable. But if "personally identifiable" means that
the pseudonym is used in such a way that the person to whom it is
applied can be recognised to be the same person on different otherwise
unconnected occasions or in different otherwise unconnected
transactions, which I think is the better understanding, then processing
pseudonymous data may require registration. But I don't expect the ICO
to accept this readily.

Nicholas
--
Salkyns, Great Canfield, Takeley,
Bishop's Stortford CM22 6SX, UK
Phone 01279 870285 (+44 1279 870285)
Mobile 07715 419728 (+44 7715 419728)
PGP public key ID: 0x899DD7FF. Fingerprint:
5248 1320 B42E 84FC 1E8B A9E6 0912 AE66 899D D7FF