Buckinghamshire CC ANPR cameras

Francis Davey fjmd1a at gmail.com
Thu Jan 12 09:46:27 GMT 2012

2012/1/12 Chris Edwards <chris-ukcrypto at lists.skipnote.org>:
> Does that apply to *all* processing of registration numbers ?  Or only if
> the controller can realistically turn it into a name ?

That depends on who you ask.

If you ask Directive 95/46/EC it defines personal data as follows:

 'personal data' shall mean any information relating to an identified
or identifiable natural person ('data subject'); an identifiable
person is one who can be identified, directly or indirectly, in
particular by reference to an identification number or to one or more
factors specific to his physical, physiological, mental, economic,
cultural or social identity;

Note that the directive does not restrict "identifiable" to
"identifiable by the data controller". It seems to me that the purpose
of the directive - or at least one of them - is to prevent personal
data from being misused not by the data controller but by others,
including those who obtain it unlawfully, eg through theft. So, if I
process data which, though I could not misuse it, would be mis-usable
by someone else, I am held to various standards of data security in
order to prevent that happening.

The Data Protection Act 1998 doesn't seem to take the same view. It says:

“personal data” means data which relate to a living individual who can
be identified—

(a) from those data, or
(b) from those data and other information which is in the possession
of, or is likely to come into the possession of, the data controller,

Now that's a much more restrictive definition as it restricts
"identifiable" to mean either objectively identifiable from the data
or identifiable with additional information by the data controller.
Data in my hands that I am unlikely to be able to identify as
belonging to an individual would not be personal data. That would, in
turn, mean I had no security obligations to prevent it falling into
the hands of someone who could identify it.

That, in my view, seems like its a failure to implement the directive.
My reading of the Commission's objections is that they think so too.
The draft regulation would override the DPA in this respect and we'd
see a change in English law (or we ought to).

> E.g a garage collects registrations of its customers, and can turn them
> into names via it's records.  So personal data.  But the typical
> (non-government) ANPR operator may collect loads of registrations, the
> vast majority of which they are unable (as Ian notes) to turn into a name,
> as they don't have access to DVLA database.

Exactly so. EU and English law differ.

Francis Davey

More information about the ukcrypto mailing list