I made a presentation earlier this week to the north eastern members of the Chartered Institute of Management Accountants about the new General Data Protection Regulation (GDPR) and some of the questions that arose were about what constituted “personal data” and was therefore regulated by the Data Protection Act and GDPR. I’m not sure that I fully explained why these were personal data at the event so I thought I’d blog about it. Of course the context is always important in anything to do with DPA and GDPR and it may be that we didn’t have sufficient time to get under the skin of these questions to fully understand the specifics but these are my further thoughts. The questions asked were:
- Is a business contact’s name and email address personal data?
- Are the comments that I write about people personal data?
- Is a database ID personal data?
Before we look at those specific examples and a) find out if they are personal data and b) explain why they are or are not, we should review the general definitions contained within DPA.
Data means information which –
(a) is being processed by means of equipment operating automatically in response to instructions given for that purpose,
(b) is recorded with the intention that it should be processed by means of such equipment,
(c) is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system,
(d) does not fall within paragraph (a), (b) or (c) but forms part of an accessible record as defined by section 68, or
(e) is recorded information held by a public authority and does not fall within any of paragraphs (a) to (d).
Personal data means data which relate to a living individual who can be identified* –
(a) from those data, or
(b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller,
and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.
Processing, in relation to information or data, means obtaining, recording or holding the information or data or carrying out any operation or set of operations on the information or data, including –
- organisation, adaptation or alteration of the information or data,
- retrieval, consultation or use of the information or data,
- disclosure of the information or data by transmission, dissemination or otherwise making available, or
- alignment, combination, blocking, erasure or destruction of the information or data.
* It is really important I feel to make a point to clear up what I believe is a major misunderstanding of whether a person can be identified. As we know the DPA was enacted to implement Directive 95/46/EC of the European Union and the Directive defines Personal Data differently. It’s subtle but different nonetheless.
For the purposes of this Directive:
- ‘personal data’ shall mean any information relating to an identified or identifiable natural person (‘data subject’); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity;
The misconception is that a photograph of a random person cannot be personal data if I don’t know who the photo is of and therefore I am unable to identify them from the data. But I do not believe that is what the Directive (and therefore DPA) aims to achieve. To me, the use of the word “identifiable” makes it very clear. Is the individual identifiable from the data? Could they identify themselves for example? Could their family, friends and colleagues identify them? If it is possible to identify them from the photograph then the chances are it is personal data. As the ICO writes in his guidance on Determining What is Personal Data, “Many of us do not know the names of all our neighbours, but we are still able to identify them.”
Another example given by the ICO is, “a combination of data about gender, age, and grade or salary may well enable you to identify a particular employee even without a name or job title.” Personal Data. Recital 26 of the Directive states that whether or not the individual is identifiable will depend on “all the means likely reasonably to be used either by the controller or by any other person to identify the said person”. So in reality we may need to perform a reasonableness test in order to determine if any data or combination of data in a set of circumstances is to be classified as personal data.
Ok, so you don’t really need me anymore – if you were in any doubt at all these definitions should make it easy to work it out for yourself – Blog over?!
In reviewing the specific examples that came up on Monday evening:
Name and Email Address:
Email addresses are designed to be processed by computer – no one can have any doubt about that. And the combination of name and email is an absolutely unique combination globally and therefore an individual can be identified from that data. It is personal data. The fact it is a work email is irrelevant. DPA makes no distinction whether the data is in a work or private context.
Ok, what about just email address? What if we have a shared family email address: [email protected], which doesn’t identify me directly as it could relate to any one of my five family members. Take a look at the second part of the definition of DPA Personal Data. If we are processing other information such as name which in conjunction with the mail address allows me to become identifiable then it falls under the scope of the DPA definition. Name + email address can be used to identify me. But think about this a while longer. Say we don’t have names – we ONLY process age and email address. Is that personal data? Well, each of us in my family is a different age and therefore each member of my family is clearly identifiable from the combination of age and email address. Personal Data? I would say so. But think about the context. In a mailing list of 25,000 email addresses what are the chances of it containing personal data? Pretty high I’d say.
Ok, what about just name? Surely “John Smith” cannot be considered to be personal data as there must be hundreds of them and surely none specifically can be identified from the Data? Here is where it gets a bit more interesting. Let’s say that I met John Smith at the CIMA event earlier this week and I write about him in this Blog. “John Smith asked a great question but which showed a lack of understanding about the nuances of the law”. In that context – unless the room was filled with John Smiths – it is possible for that individual to be identified. Maybe not by the population at large, but certainly by everyone else who was at the event. Personal Data? I would say so in this context.
And don’t just take my word for it. In February 2014 a member of staff at the Bloomsbury Patient Network (an organisation providing information and support for people who are HIV-positive) emailed up to 200 patients who were HIV-positive. The email addresses were entered into the “To” field, meaning they were visible to everybody who received the email. In May 2014, the same member of staff repeated the error. The ICO ruled that considering the subject matter of the email message the mistake was a serious breach of data protection laws.
Context is King
So the context is absolutely key and that is where, I find, a lot of people struggle with the DPA. They want a simple set of rules which say what you can and can’t do. They don’t like it when you can do something under certain circumstances but not in others. But we need to get used to this risk-based approach because there is more of it in the new order of GDPR.
Are opinions that we record about people classified as personal data? Clearly if they are computerised or are intended to be computerised (e.g. scanned to an eDS) or form part of a structured filing system etc. then those opinions may well be personal data. In fact opinions are specifically referred to in the guidance issued by the Information Commissioner:
“The definition also specifically includes opinions about the individual, or what is intended for them.
A manager’s assessment or opinion of an employee’s performance during their initial probationary period will, if held as data, be personal data about that individual. Similarly, if a manager notes that an employee must do remedial training, that note will, if held as data, be personal data.”
Similarly in regard to ID numbers the ICO writes:
“It is important to note that, where the ability to identify an individual depends partly on the data held and partly on other information (not necessarily data), the data held will still be “personal data”.
An organisation holds data on microfiche. The microfiche records do not identify individuals by name, but bear unique reference numbers which can be matched to a card index system to identify the individuals concerned. The information held on the microfiche records is personal data.”
GDPR goes further and specifically states in its definitions in Article 4 that identification numbers (including online identifiers [e.g. cookie IDs]) are personal data, leaving us in no doubt.
Why do you want to know whether these are personal data?
I suppose the question I should have asked – but it felt too combative in the session – was, “why do you want to know if it’s personal data?” What is the imperative to determine if such data is personal data or not? Is this just a casual enquiry or are data such as these being processed in a risky fashion such as emailing lists of ID numbers in unprotected Excel sheets? If it is the former – welcome to the world of jurisprudence! If it is the latter … why expend energy on arguing whether an email containing an Excel sheet of job candidate IDs is personal data when simply finding a more secure method of data transfer would be a quick and robust fix? Why take the risk? Why risk the privacy of the data subjects whose information you are processing, the reputation of your organisation, and your own professional reputation?
In a way, who cares if it’s personal data or not? Why not err on the side of caution and determine as a matter of policy to transfer all data securely?
19th April 2016