Personal Data: The ICO guidance

October 20, 2007

Under the recent guidance entitled ‘Data Protection Technical Guidance – determining what is personal’ (v1.0 21.08.07) issued by the Information Commissioner’s Office, e-mails, minutes of meetings and anonymised data could all be considered to be personal data under the Data Protection Act 1998. The new Technical Guidance, while not legally binding, significantly extends the more narrow definition of ‘personal data’ welcomed by many and adopted by the Court of Appeal in 2003 in the case of Durant v Financial Services Authority [2003] EWCA Crim 1746.


Section 1(1) of the Act defines ‘personal data’ as ‘data which relate to a living individual who can be identified:


(a) from those data; or
(b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller;
and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.’
‘Data’ deals with the processing element of the definition and relevant filing systems.


Following the Durant case, the ICO issued guidance on the definition of what amounts to personal data. However, in June 2007 the EU Article 29 Working Party (Opinion 4/2007 (01248/07/EN-wp136)) issued an Opinion on the definition of ‘personal data,’ analysing the four main elements which make up the concept. The Opinion adopted a much wider interpretation than the Court of Appeal decision and the original ICO guidance note.


Following on from that Opinion, and a letter of formal notice issued by the European Commission (it is understood to have taken an adverse view on the way in which the UK has implemented the EC Data Protective Directive (Directive 95/46 EC) on a number of fronts), the Information Commissioner has issued the revised Technical Guidance. This takes the form of a Question and Answer flow chart. The full Technical Guidance is publicly available from www.ico.gov.uk.



The Technical Guidance does not deal with the relevant filing system and processing element of the definition of personal data. The ICO has specified that this is to be dealt with separately. The ICO has acknowledged that the definition of personal data as implemented by the Act approaches the concept in the reverse order to the approach taken by the Directive. Under the Directive, consideration is given first as to whether the information relates to an identifiable individual and then whether it is processed. The Act, on the other hand, approaches the issue from a processing view first and then moves on to whether or not there is an identifiable individual. The ICO appears to take the view that substance prevails over form and this in itself does not affect the outcome of what could be considered to be personal data under either the Act or the Directive. For those involved in data protection on a regular basis some of the more practical issues which arise from the wider definition need to be borne in mind.


Notification


Those advising businesses should be aware and acknowledge that, given the wider definition, the safe route, if in doubt, is to register as a data controller with the ICO.



Subject Access Requests



Given the wider definition, it is reasonable to expect that more information will be available in the context of a subject access request. For those asked to advise on the question of whether it is possible to avoid disclosure, it may be more difficult to rely on a narrow definition – in practice, the subject access exemptions will therefore play a much more significant role.



Transferring Data Outside the EEA



Those businesses which took the view that the eighth principle did not apply to them because they did not transfer personal data outside the EEA may well take a different view in the future for the purposes of Principle 8. This will require a review of the countries outside the EEA to which the personal data is transferred. Flowing on from that review, appropriate safeguards for the rights and freedoms of individuals may need to be put in place.



Existing Registrations



Existing registrations will need to be updated.



Data Processor


Consideration should be given as to whether those who have access to the personal data are therefore data processors and appropriate written agreements entered into for the purposes of Principle 7.


Issues Arising



The following issues, arising out of the questions posed by the Technical Guidance, are of note.



Can an individual be identified from the data or from other information in the possession or likely to come into the possession of the controller?



Whilst a name is the most common identifier, in itself it may be insufficient if the particular individual cannot be identified from it (eg if not part of a known group). An address, place of work or telephone number will assist here. Conversely, without a name it still may be possible to identify someone in the right circumstances. For example, the grade of an employee with gender and age may be sufficient to identify them in a small organisation. It has long been accepted that e-mail addresses for individuals can identify them, particularly if both names are used.



Does the data ‘relate to’ the identifiable living individual, whether in personal or family life, business or profession?



Data can relate to an individual in several different ways. The content of the data may in itself determine that the data is ‘obviously about’ an individual, for example medical, employment or criminal records. The more difficult issue is where the information is not obviously about the individual but is about their ‘activities’: for example, personal bank statements, itemised telephone bills or data on a security system showing swipe card movements in and out of offices.


The Technical Guidance details further matters to consider when the data is not obviously about an individual.


Is the data ‘linked to’ an individual so that it provides particular information about an individual?


An example would be salary details for a specific post where there is only one such position.


Is the data used, or is it to be used, to inform or influence actions or decisions affecting an identifiable individual?


Particular emphasis is laid in the Technical Guidance on the fact that the same data may be processed for different purposes and that it may be personal data in one set of circumstances with one data controller but not when passed on to another controller. Therefore the context in which the personal data is held will be significant. So, for example, information about the market value of a house might be used for statistical purposes. Alternatively, it could be used to calculate an individual’s council tax or capital gains tax liability, in which case it could be personal data.


Does the data have any biographical significance in relation to the individual?



The significant point to consider is whether the data goes beyond recording the individual’s casual connection with a matter or event which has no personal connotations for him.


Does the processing of the data affect, or is it likely to affect, the individual?



For example, being listed as an attendee in the minutes of a meeting could be significant as the minutes state that the individual was in a particular place at a particular time.


Does the information concentrate on the individual?



The Technical Guidance acknowledges the difficulty of minutes of meetings. Are they personal data about the person being discussed at the meeting, about the attendees, or both? The advice given is to look at the focus of the minutes.


Does the data impact or have the potential to impact on an individual, whether in a personal, family, business or professional capacity?



Can data about objects be personal data about an individual even though the data controller does not currently use such data to learn, record or determine something about that individual? An example would be a document management system which records whether individuals have viewed or modified certain documents and at what times. If that data were to be used for disciplinary proceedings to show that an individual was accessing documents to which they were not entitled, or were viewing certain documents when they had claimed to be doing something else, that information would be personal data.


In Conclusion


It is perhaps a reflection of today’s regulated society, some would say overregulated society, that in order to ascertain whether or not personal data is indeed personal data it is felt a flow chart is appropriate. It also suggests a rather strained, academic approach (there are eight steps!) to interpreting the legislation. This can be distinguished from the Court of Appeal’s rather more practical approach which some would say is more pragmatic. It is appreciated however that the ICO will feel constrained by European events.


Beverley Flynn is a partner in the Commercial services department at Stevens & Bolton LLP: www.stevens-bolton.co.uk