Off topic: DPA question

Francis Davey fjmd1a at gmail.com
Fri Jun 13 15:16:00 BST 2014


2014-06-13 11:28 GMT+01:00 Andrew Cormack <Andrew.Cormack at ja.net>:
>
>
> Just to add a wrinkle the Privacy and Electronic Communications Regs *do*
> distinguish between e-mail addresses of "individual subscribers" and others
> :(
>
> But even then it's pretty tricky, if you're external to the system, to try
> to distinguish them - how do you know whether andrew.cormack at ja.net is an
> 'individual subscriber' or not? Or indeed how do I know which
> marcus at connectotel.com is?
>
>
The definition of personal data, for the purposes of the directive, is (in
article 2(a)):

"(a) 'personal data' shall mean any information relating to an identified
or identifiable natural person ('data subject'); an identifiable person is
one who can be identified, directly or indirectly, in particular by
reference to an identification number or to one or more factors specific to
his physical, physiological, mental, economic, cultural or social identity;"

This is actually quite simple. It asks essentially two questions: (i) does
the data relate to a natural person and (ii) are they identifiable (or
identified, but of course an identified person is ex hypothesi
identifiable).

A work email for an individual clearly relates to them. Some "role" email
addresses may not (though as Roland points out, it will depend).

Can _someone_ identify that person? In most cases, yes.

So, in most cases, individuals' work emails will be personal data. It
really is meant to be that all-encompassing.

You ask "how do I know which ....?" but that is the wrong question. Nothing
in A2(a) requires that the person asking the question "is it personal data"
can themselves identify the individual, what it requires is that someone
can.

This is logical and sensible. It means that if you have data that is (say)
sensitive health data with secret patient IDs attached so that you can't
re-identify the patients, but there is a list identifying them somewhere
else, then that is personal data and you have to take care of it, e.g. by
ensuring proper security of it, even though you may not personally be able
to misuse it. It might fall into the hands of someone who can misuse it.

Now the Data Protection Act 1998 isn't drafted like that. It uses a
slightly more restrictive definition of "personal data". I don't believe
we've had convincing UK authority that relied on that difference, and I
advise clients not to assume that they can get away in the UK with
something that Europe clearly forbids.

-- 
Francis Davey