Thu Jan 12 12:25:07 GMT 2012

Francis Davey <fjmd1a at gmail.com> writes
>Note that the directive does not restrict "identifiable" to
>"identifiable by the data controller". It seems to me that the purpose
>of the directive - or at least one of them - is to prevent personal
>data from being misused not by the data controller but by others,
>including those who obtain it unlawfully, e.g. through theft. So, if I
>process data which, though I could not misuse it, would be mis-usable
>by someone else, I am held to various standards of data security in
>order to prevent that happening.
>The Data Protection Act 1998 doesn't seem to take the same view. It says:
>“personal data” means data which relate to a living individual who can
>be identified—
>(a) from those data, or
>(b) from those data and other information which is in the possession
>of, or is likely to come into the possession of, the data controller,
>Now that's a much more restrictive definition as it restricts
>"identifiable" to mean either objectively identifiable from the data
>or identifiable with additional information by the data controller.
>Data in my hands that I am unlikely to be able to identify as
>belonging to an individual would not be personal data. That would, in
>turn, mean I had no security obligations to prevent it falling into
>the hands of someone who could identify it.

There's a huge loophole in the making here... let's say a phone company 
gave lots of cellsite data to his fishmonger, who everyone would agree 
has no way of deciphering it or identifying people, and the fishmonger 
then gave all the data to the police (who could). Doesn't sound right 
that a chain-of-custody issue as simple as that could relieve everyone 
of the responsibility.

>That, in my view, seems like it's a failure to implement the directive.
>My reading of the Commission's objections is that they think so too.

Roland Perry

