Off topic: DPA question

Francis Davey fjmd1a at
Mon Jun 16 14:56:27 BST 2014

2014-06-16 8:53 GMT+01:00 Andrew Cormack <Andrew.Cormack at>:

> Francis
> On the DPA point, ICO advice (including the recent Anonymisation Code)
> suggests that once separated from the lookup key, pseudonymised data may be
> very close to non-personal, because the DPA specifically says that the
> lookup key must be "in the possession of the data controller" (or likely to
> come into their possession). As you say, that may run into problems of
> insufficient protection of privacy, unregulated secondary use, etc.

Yes, I agree that the UK and UK ICOs have been very keen not to adopt the
wider European definition. I think it is the logically more sensible of the
two and that the sorts of problems you outline (e.g. to do with SARs) could
be fixed without great difficulty. As you say, we will soon have a
regulation to argue about.

Note for those on list who aren't familiar with the distinction (though I
expect that everyone on this list is really well informed and better than
many lawyers): the key difference between a directive and a regulation (in
EU law) is that a directive needs to be implemented ("transposed") into
member states' laws; regulations don't.

What this will mean is that the new regulation's wording will be what UK
courts have to rely on, rather than whatever garbled version the UK's
drafters may have ended up with. In other words: there will be more
cross-European standardisation (perhaps even harmony :-).

Francis Davey