Off topic: DPA question

[Andrew Cormack]

Francis
On the DPA point, ICO advice (including the recent Anonymisation Code) suggests that once separated from the lookup key, pseudonymised data may be very close to non-personal, because the DPA specifically says that the lookup key must be "in the possession of the data controller" (or likely to come into their possession). As you say, that may run into problems of insufficient protection of privacy, unregulated secondary use, etc. But the alternative approach, following the literal wording of the Directive ("if anyone can..."), also gets into problems, because if you treat keyed-data-without-key as personal data then several duties (including subject access requests and proactive notification of breaches) are impossible to satisfy. IP addresses highlight the problem: if you treat them as personal data then the law requires websites to respond people saying "I am aaa.bbb.ccc.ddd, show me the logs you hold for me" (and all the other previous holders of that DHCP-pool address), and if those logs get compromised then they may be required to let all the owners of those addresses know, somehow! Maintaining a record that that aaa.bbb.ccc.ddd gave consent to processing (e.g. to exporting their packets from the EEA) could also be interesting...

The draft Regulation tries to get out of this by the hideous hack of saying that if compliance with a duty would require you to collect additional data then you're excused that duty. That feels like a loophole that I expect corporate lawyers to drive a coach and horses through if it ever becomes law :(

We badly need a law that will recognise that there is a new category of "potential personal data", which did exist in 1995 but hadn't been noticed, and impose appropriate duties on it (probably based on the risk of identification and resulting harm). The ICO has been suggesting that for a while, but getting push-back from those who consider this "going soft on privacy". But under the present law, where it's presumed that unlinked data is fully personal, those who wish to comply can't and those who don't wish to comply have the perfect excuse not to :(

But the question was also about e-mails and there the PECR has a separate distinction between the addresses of "individual subscribers" and "others". The PECR, still transposing the original, unamended, Directive, only restricts sending of unsolicited advertising e-mail to individual subscribers. If you aren't an IS - for example because your company pays the bill (or, as far as I can see, your parent or significant other does) then PECR doesn't protect you from spamming, only DPA does :( 

Andrew 

--
Andrew Cormack
Chief Regulatory Adviser, Janet
t: +44 1235 822302
b: https://community.ja.net/blogs/regulatory-developments
Janet(UK) is a trading name of Jisc Collections and Janet Limited, a not-for-profit company which is
registered in England under No.2881024 and whose Registered Office is at Lumen House, Library
Avenue, Harwell Oxford, Didcot, Oxfordshire, OX11 0SG. VAT No. 614944238


> -----Original Message-----
> From: ukcrypto-bounces at chiark.greenend.org.uk [mailto:ukcrypto-
> bounces at chiark.greenend.org.uk] On Behalf Of Francis Davey
> Sent: 13 June 2014 15:16
> To: UK Cryptography Policy Discussion Group
> Subject: Re: Off topic: DPA question
> 
> 2014-06-13 11:28 GMT+01:00 Andrew Cormack <Andrew.Cormack at ja.net>:
> 
> 
> 	Just to add a wrinkle the Privacy and Electronic Communications
> Regs *do* distinguish between e-mail addresses of "individual
> subscribers" and others :(
> 
> 	But even then it's pretty tricky, if you're external to the
> system, to try to distinguish them - how do you know whether
> andrew.cormack at ja.net is an 'individual subscriber' or not? Or indeed
> how do I know which marcus at connectotel.com is?
> 
> 
> 
> 
> The definition of personal data, for the purposes of the directive, is
> (in article 2(a)):
> 
> "(a) 'personal data' shall mean any information relating to an
> identified or identifiable natural person ('data subject'); an
> identifiable person is one who can be identified, directly or
> indirectly, in particular by reference to an identification number or
> to one or more factors specific to his physical, physiological, mental,
> economic, cultural or social identity;"
> 
> This is actually quite simple. It asks essentially two questions: (i)
> does the data relate to a natural person and (ii) are they identifiable
> (or identified, but of course an identified person is ex hypothesi
> identifiable).
> 
> A work email for an individual clearly relates to them. Some "role"
> email addresses may not (though as Roland points out, it will depend).
> 
> Can _someone_ identify that person? In most cases, yes.
> 
> So, in most cases, individuals' work emails will be personal data. It
> really is meant to be that all-encompassing.
> 
> You ask "how do I know which ....?" but that is the wrong question.
> Nothing in A2(a) requires that the person asking the question "is it
> personal data" can themselves identify the individual, what it requires
> is that someone can.
> 
> This is logical and sensible. It means that if you have data that is
> (say) sensitive health data with secret patient ID's attached so that
> you can't reidentify the patients, but there is a list identifying them
> somewhere else, then that is personal data and you have to take care of
> it, eg by ensuring proper security of it, even though you may not
> personally be able to misuse it. It might fall into the hands of
> someone who can misuse it.
> 
> Now the Data Protection Act 1998 isn't drafted like that. It uses a
> slightly more restrictive definition of "personal data". I don't
> believe we've had convincing UK authority that relied on that
> difference, and I advise clients not to assume that they can get away
> in the UK with something that Europe clearly forbids.
> 
> 
> --
> Francis Davey
>