Have you ever come to a conclusion that worries you and you can’t find the error?
Well since it’s Friday tomorrow I will ask a Friday question today; the question is: ‘Is the definition of “personal data” in the new Bill fit for purpose?’.
In summary, I think there is a problem with “personal data” definition in the Data Protection Bill (“DPBill”) as there is no equivalent of Section 1(2) of the Data Protection Act (“DPA”). This Section extends the definition of certain “processing” operations (e.g. a disclosure of recorded personal data) to include the disclosure of the same personal details if the information is not recorded.
For completeness, under Section 1(2) the processing operations of “using or disclosing” extends to “using or disclosing the information contained in the data”; similarly, with “obtaining or recording” which extends to the “information to be contained in the data”.
So why is an equivalent of Section 1(2) needed in the DPBill? Well to get to the answer to this question, one has to consider the first limb of the definition of “data” in the DPA.
The definition of “data” in the DPA
The first limb of the definition says that “’data’ means information which is being processed by means of equipment operating automatically in response to instructions given for that purpose”. Note that there is no indication here that the information is recorded or not, so in theory it could be both.
However, it can be seen that to be able to “process” data (i.e. “perform an operation on the data”), it follows that the information has to be recorded so the “equipment operating automatically” can carry out such an “operation”. In short, personal data has to be “recorded”.
However, Section 1(2) extends that definition of specific processing operations (e.g. disclosure) to information that is not recorded.
For example, suppose a private investigator wants me to illicitly use my access to a bank’s database to find out Mary Smith’s home address and account details. If I send these details to the investigator by email, I am disclosing recorded data.
However, if I meet the investigator in the pub and say “Mary Smith lives at 55 Acacia Avenue”, I am not disclosing any recorded data but rather the “information contained in the data”.
From Mary Smith’s perspective, the impact of each disclosure is the same; it does not matter whether the disclosure of personal data was made from recorded personal data or not.
In addition, as far as the DPA is concerned, because of Section 1(2), there is no difference between the actual disclosure of personal data and the disclosure of the information contained in the personal data. Both disclosures are subject to application of the data protection principles and the enforcement regime of the ICO.
DPBill’s definition of “personal data”
The definition of “Personal data” in the DPBill means “any information relating to an identified or identifiable living individual”. It can be seen that, as with the DPA, the “information” about an individual need not be recorded to qualify as personal data (unrecorded gossip about an individual in a conversation can, according to this definition, be personal data).
In the DPBill, there is no qualification on the word “information” as there is, for example, in Section 84 of the Freedom of Information Act which requires the “information” in FOIA to be recorded.
Likewise, the definition of “processing” in Clause 2(4) (like the DPA) states that “processing, in relation to personal data, means an operation or set of operations which is performed on personal data, or on sets of personal data…”. Such processing operations can include “disclosure” or “use”.
Thus if “information” is to be “processed” under the DPBill it requires the personal data to be recorded in order it can be subject to “an operation… performed on personal data”. It then follows that if the information is not recorded, it is not being processed under the DPBill as it cannot be subject to “an operation”.
Now consider the Principle in Article 5(1)(f) (“personal data processed in a manner that ensures appropriate security…”). This means, through the word “processed”, that the security obligations apply to recorded information about an individual (and not to unrecorded information which may be disclosed in a conversation).
So, suppose a controller fails to train his staff and a staff member discloses information in an unrecorded form. Is that controller in breach of the security principle? Well if you follow the argument with respect to the unrecorded information, the answer is “NO”?
Of course, one might argue that some processing of personal data had occurred previously (e.g. that processing that displays the personal data on a member of staff’s screen in order to facilitate a subsequent verbal disclosure). But if you go down that route, other issues arise.
For example, any anonymous data derived from personal data could be caught by a data protection regime on the grounds that personal data once had been processed in order to generate the anonymised form which is then disclosed.
Either way, there appears to be a problem. Of course, if the DPBill had its equivalent of Section 1(2) the loop-holes described above would not arise (hopefully it will be amended).
At the beginning of the blog I asked a simple question.
Now can I ask a really scary Friday question: since the definition of personal data in the DPBill is that of the GDPR: “do all data protection laws in the EU contain the same flaw?”.
Courses (London, Edinburgh)
- DATA PROTECTION BCS FOUNDATION QUALIFICATION: Edinburgh (3,4 and 5 October).
- GDPR/DP Bill WORKSHOPS: Edinburgh (6 October).
- DATA PROTECTION BCS PRACTITIONER QUALIFICATION: The next intensive DP courses is in London (starts 13 November).
- NEW DATA PROTECTION BILL ALL DAY UPDATE: London (20 November)