ICO respond to questions about Phorm's registration

Joel Harrison ukcrypto at chiark.greenend.org.uk
Thu, 9 Apr 2009 18:04:38 +0100


On Thu, Apr 9, 2009 at 5:27 PM, Alexander Hanff <no2dpi@googlemail.com> wrote:
[snip]
> I was hoping some of you might have some thoughts and suggestions on this
> one?
>
> Regards,
>
> Alexander Hanff
>

Whether Phorm acted as a data controller in the 2006/07 trials depends
on whether it had access to personal data in the course of those
trials and the degree of discretion it had in how that data (if any)
was processed.

The fact that the Webwise system was "owned, built, configured,
maintained and run by Phorm" is not sufficient to make Phorm a data
controller - if I engage a service provider to develop and maintain
(say) a CRM system for me using its own database technology, that
service provider will own, build, configure, maintain and run the
system but I will be the data controller in respect of data stored in
that system.

Similarly, the fact that a person may process aggregated data does not
make that person a data controller (or, indeed, a data processor),
because one has to be dealing with personal data in order to be either
a data controller or a data processor.  However, I don't think your
reference to "aggregated" data is actually correct in the Phorm
context - the data stored by Phorm relates to an individual, linked to
that individual's UID (see below).

The key question is whether Phorm was acting solely on BT's
instructions in the trial (in which case it was a data processor,
notwithstanding that its technology underpinned the trial), or whether
it was able to take autonomous decisions about the purposes for which,
and the manner in which, the data was processed (in which case it was
a data controller).

There is a further complication, which is whether the data ultimately
stored by Phorm (which I understand from Richard Clayton's paper to be
a combination of UID, channels and a time stamp) is personal data.
That turns on whether Phorm[*] can identify the user from that data.
This is something of a hot topic in data protection circles - Phorm
says it isn't personal data; the ICO appears to share that view; but
the European Data Protection Supervisor is firmly of the view that it
is personal data, because it relates to an individual and persists
over time.  Strictly, the EDPS is correct - every time Phorm receives
details of a page viewed by a user, it is able to identify that user
by his/her UID.  It may not know the name or address of the user, or
any other information that is often considered to be part of a
person's 'identity', but it is still able to identify the user by
recognising the UID.

Joel

[*] There is no question (or, at least, there ought not to be) about
whether the data processed by *the ISP* is personal data - the ISP is
in a position to identify the user by linking details about the user's
session to the ISP's billing data.