ICO respond to questions about Phorm's registration
Alexander Hanff
ukcrypto at chiark.greenend.org.uk
Thu, 9 Apr 2009 18:16:48 +0100
--001485f6d538d544930467226980
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: quoted-printable
2009/4/9 Nicholas Bohm <nbohm@ernest.net>
> Alexander Hanff wrote:
> > First see here:
> > http://www.whatdotheyknow.com/request/121mediaphorm_registration_as
> >
> > It would seem that Phorm were not registered with the ICO as Data
> > Controllers until January 2008 which means they were not registered for
> > the trials in 2006/2007. ICO claim that BT were the Data Controllers
> > and Phorm were exempt under the rules for Data Processors but many of
> > the people campaigning against Phorm's technology feel this is not
> > correct. Personally, I think that because it was Phorm's product being
> > tested not BT's and that technology was owned, built, configured,
> > maintained and run by Phorm as well as the aggregated data being
> > processed by Phorm then it should be Phorm who are classified as the
> > Data Controller as to my knowledge BT had no "control" over the data
> > Phorm aggregated.
> >
> > It is interesting comparing this case with the case of Consulting
> > Association who were raided by ICO and are being prosecuted simply for
> > processing personal data (supplied to them by companies with data
> > controllers) without the consent or knowledge of the data subjects.
> >
> > The difficulty is how do you argue this with the ICO. I don't recall
> > there being any clear cut definitions in the DPA which set the ground
> > rules for classifying who is a processor and who is a controller but I
> > will have a looksie this weekend when I get a few minutes spare. My
> > concern is that the legislation is sufficiently vague/broadly worded fo=
r
> > the ICO to get away with this.
>
> DPA s1(1): =93data controller=94 means, subject to subsection (4), a per=
son
> who (either alone or jointly or in common with other persons) determines
> the purposes for which and the manner in which any personal data are, or
> are to be, processed
>
> I think BT determined the purposes for which it ran the trials, by
> knowing what would happen to data if it ran the trials and deciding to
> run them. It is at least arguable that in the same way they also
> decided the manner in which data were processed, by knowing what would
> happen to data if it ran the trials and deciding to run them.
>
> These conclusions could be contradicted by evidence that Phorm were in
> practice able during the trials to tweak the system as they wished in
> ways that altered the purpose and manner - in that case they would have
> been determining those things.
>
> Any data processed by Phorm might well have been pseudonymised. Whether
> pseudonymous data is really not personally identifiable (even assuming
> that it cannot be "re-identified") raises an issue that remains to be
> fought out. If "personally identifiable" means "capable of being
> connected with an individual identified by the identifiers which that
> individual habitually uses", then genuinely pseudonymous data is not
> personally identifiable. But if "personally identifiable" means that
> the pseudonym is used in such a way that the person to whom it is
> applied can be recognised to be the same person on different otherwise
> unconnected occasions or in different otherwise unconnected
> transactions, which I think is the better understanding, then processing
> pseudonymous data may require registration. But I don't expect the ICO
> to accept this readily.
>
> Nicholas
> --
> Salkyns, Great Canfield, Takeley,
> Bishop's Stortford CM22 6SX, UK
>
> Phone 01279 870285 (+44 1279 870285)
> Mobile 07715 419728 (+44 7715 419728)
>
> PGP public key ID: 0x899DD7FF. Fingerprint:
> 5248 1320 B42E 84FC 1E8B A9E6 0912 AE66 899D D7FF
>
> The section of the DPA you quoted is what is confusing me in this issue.
Since it was Phorm's product and equipment which was being tested, surely
Phorm are the ones who "determine[d]
the purposes for which and the manner in which any personal data are, or
are to be, processed".
BT merely provided them with the "sample" for the trials and actually BT
didn't supply Phorm with any "personal data" they just handed them the
persons themselves on a platter and let Phorm extract all the data they
wanted.
As I said on our forums, I doubt there is a way to argue this with the ICO
as a: they have made it clear they are not interested in taking any
enforcement action for the illegal trials; and b: the law is worded in such
a broad way, meaning the ICO can basically interpret it any way that suits
them.
Thanks for the reply, Nicholas, always good to hear from you.
Alexander Hanff
--001485f6d538d544930467226980
Content-Type: text/html; charset=windows-1252
Content-Transfer-Encoding: quoted-printable
<div class=3D"gmail_quote">2009/4/9 Nicholas Bohm <span dir=3D"ltr"><<a =
href=3D"mailto:nbohm@ernest.net">nbohm@ernest.net</a>></span><br><blockq=
uote class=3D"gmail_quote" style=3D"border-left: 1px solid rgb(204, 204, 20=
4); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div><div></div><div class=3D"h5">Alexander Hanff wrote:<br>
> First see here:<br>
> <a href=3D"http://www.whatdotheyknow.com/request/121mediaphorm_registr=
ation_as" target=3D"_blank">http://www.whatdotheyknow.com/request/121mediap=
horm_registration_as</a><br>
><br>
> It would seem that Phorm were not registered with the ICO as Data<br>
> Controllers until January 2008 which means they were not registered fo=
r<br>
> the trials in 2006/2007. =A0ICO claim that BT were the Data Controller=
s<br>
> and Phorm were exempt under the rules for Data Processors but many of<=
br>
> the people campaigning against Phorm's technology feel this is not=
<br>
> correct. =A0Personally, I think that because it was Phorm's produc=
t being<br>
> tested not BT's and that technology was owned, built, configured,<=
br>
> maintained and run by Phorm as well as the aggregated data being<br>
> processed by Phorm then it should be Phorm who are classified as the<b=
r>
> Data Controller as to my knowledge BT had no "control" over =
the data<br>
> Phorm aggregated.<br>
><br>
> It is interesting comparing this case with the case of Consulting<br>
> Association who were raided by ICO and are being prosecuted simply for=
<br>
> processing personal data (supplied to them by companies with data<br>
> controllers) without the consent or knowledge of the data subjects.<br=
>
><br>
> The difficulty is how do you argue this with the ICO. =A0I don't r=
ecall<br>
> there being any clear cut definitions in the DPA which set the ground<=
br>
> rules for classifying who is a processor and who is a controller but I=
<br>
> will have a looksie this weekend when I get a few minutes spare. =A0My=
<br>
> concern is that the legislation is sufficiently vague/broadly worded f=
or<br>
> the ICO to get away with this.<br>
<br>
</div></div>DPA s1(1): =A0=93data controller=94 means, subject to subsectio=
n (4), a person<br>
who (either alone or jointly or in common with other persons) determines<br=
>
the purposes for which and the manner in which any personal data are, or<br=
>
are to be, processed<br>
<br>
I think BT determined the purposes for which it ran the trials, by<br>
knowing what would happen to data if it ran the trials and deciding to<br>
run them. =A0It is at least arguable that in the same way they also<br>
decided the manner in which data were processed, by knowing what would<br>
happen to data if it ran the trials and deciding to run them.<br>
<br>
These conclusions could be contradicted by evidence that Phorm were in<br>
practice able during the trials to tweak the system as they wished in<br>
ways that altered the purpose and manner - in that case they would have<br>
been determining those things.<br>
<br>
Any data processed by Phorm might well have been pseudonymised. =A0Whether<=
br>
pseudonymous data is really not personally identifiable (even assuming<br>
that it cannot be "re-identified") raises an issue that remains t=
o be<br>
fought out. =A0If "personally identifiable" means "capable o=
f being<br>
connected with an individual identified by the identifiers which that<br>
individual habitually uses", then genuinely pseudonymous data is not<b=
r>
personally identifiable. =A0But if "personally identifiable" mean=
s that<br>
the pseudonym is used in such a way that the person to whom it is<br>
applied can be recognised to be the same person on different otherwise<br>
unconnected occasions or in different otherwise unconnected<br>
transactions, which I think is the better understanding, then processing<br=
>
pseudonymous data may require registration. =A0But I don't expect the I=
CO<br>
to accept this readily.<br>
<br>
Nicholas<br>
--<br>
Salkyns, Great Canfield, Takeley,<br>
Bishop's Stortford CM22 6SX, UK<br>
<br>
Phone =A001279 870285 =A0 =A0(+44 1279 870285)<br>
Mobile =A007715 419728 =A0 =A0(+44 7715 419728)<br>
<br>
PGP public key ID: 0x899DD7FF. =A0Fingerprint:<br>
5248 1320 B42E 84FC 1E8B =A0A9E6 0912 AE66 899D D7FF<br>
<br>
</blockquote></div>The section of the DPA you quoted is what is confusing m=
e in this issue.=A0 Since it was Phorm's product and equipment which wa=
s being tested, surely Phorm are the ones who "determine[d]<br>
the purposes for which and the manner in which any personal data are, or<br=
>
are to be, processed".<br><br>BT merely provided them with the "s=
ample" for the trials and actually BT didn't supply Phorm with any=
"personal data" they just handed them the persons themselves on =
a platter and let Phorm extract all the data they wanted.<br>
<br>As I said on our forums, I doubt there is a way to argue this with the =
ICO as a: they have made it clear they are not interested in taking any enf=
orcement action for the illegal trials; and b: the law is worded in such a =
broad way, meaning the ICO can basically interpret it any way that suits th=
em.<br>
<br>Thanks for the reply, Nicholas, always good to hear from you.<br><br>Al=
exander Hanff<br>
--001485f6d538d544930467226980--