Musing over the definitions again – there are worse habits you know!
Suppose a data controller holds personal data and uses an IT company to process it, and suppose further that the IT company has no access to any identifying details (i.e. the controller retains ALL identifying data, and the IT company holds no identifying data and no data that could lead to the identification of data subjects).
Clearly the data controller is processing personal data but is the IT company a data processor?
At first thought the answer is “yes”, as can be seen from the DPA definition:
A “data processor”, in relation to personal data, means any person (other than an employee of the data controller) who processes the data on behalf of the data controller;
Now slip in the definition of personal data (“personal data means data…”) and we get something like:
“data processor”, in relation to data which relate to a living individual who can be identified from those data or from other information which is in the possession of the data controller or from other information likely to come into the possession of the data controller, means any person (other than an employee of the data controller) who processes the data on behalf of the data controller.
So on a strict reading of the DPA, even if a data controller anonymises the data processed by a data processor, the data would remain personal data in the hands of the processor, because the controller holds the information needed to re-identify the data subjects. The key point of the definition is that it is the data controller who can perform the identification.
The counter argument depends on extending the DoH/Abortion statistics case (see references). This case dealt with a FOI request to a public authority data controller for the release of statistics derived from sensitive personal data. The Court concluded that a disclosure of such statistics was not a disclosure of personal data, if identification of any individual concerned, by the FOI requestor, was "remote".
In other words, even though the data controller can identify the individuals behind the released statistics, if the FOI requestor cannot identify the individual because identification is “remote”, there has not been a disclosure of personal data by the controller.
So if identification by our IT company is “remote” then, following the DoH/Abortion logic, and given that the data controller has to disclose the personal data to the IT company in order to get its services, we discover that our “data processor” is actually not processing personal data. It follows that the IT company is not a data processor and is not subject to the DPA (i.e. the Seventh Principle obligations do not apply and, if the IT company is in India, nor does the Eighth Principle).
In any other case (e.g. where identification is more than a remote possibility), the IT company is definitely a data processor.
But non-identification by the IT company can be guaranteed if the data controller encrypts the data processed by the IT company before transmitting it to the IT company (assuming the encryption meets recognised standards). It follows that, in that case, the IT company is not a data processor.
Now to the Cloud
Let us assume that the IT company is offering Cloud services and the DoH/Abortion argument works.
If your organisation is using the Cloud for the processing of personal data, you could encrypt the data in the Cloud; this ensures the Cloud service provider cannot identify any individual and therefore is not a “data processor” (the Cloud service provider, as the IT company above, is not processing personal data).
In addition, if you are worried that a USA Cloud provider may disclose records to the USA authorities, or that certain UK organisations can monitor transfers into and out of the cloud, then the data are reasonably safe, as these authorities won’t have the keys to the encrypted data.
If, however, you rely on the Cloud provider’s encryption processes, then the Cloud provider is a data processor. Indeed the Cloud provider would be a data controller if it decided to disclose decrypted personal data to USA authorities without the authority of its client.
Cloud providers are also data controllers if they offer contracts like this (the extract below is from an actual Apple contract of a few years ago).
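As an added example (not code from the original post) of the first arrangement, where the controller’s own encryption is used: the data controller encrypts each record under its own AES-256-GCM key and replaces the identifying detail with a keyed hash before anything leaves its hands, so the provider holds only pseudonymous IDs and ciphertext. The Controller type with its Seal and Open functions is the example’s own naming, and the keys, patient identifier and record text are all constructed for it.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
)

// Controller is the data controller; it alone holds both keys (generated here for the example).
type Controller struct {
	aead  cipher.AEAD // AES-256-GCM under the controller's content key
	idKey []byte      // HMAC key for the pseudonymous record IDs
}

func NewController() *Controller {
	keys := make([]byte, 64)
	must(rand.Read(keys))
	block := must(aes.NewCipher(keys[:32]))
	return &Controller{aead: must(cipher.NewGCM(block)), idKey: keys[32:]}
}

// Seal yields what the provider may hold: a keyed-hash ID it cannot invert, and ciphertext bound to that ID.
func (c *Controller) Seal(identifier, record string) (id string, blob []byte) {
	m := hmac.New(sha256.New, c.idKey)
	m.Write([]byte(identifier))
	id = hex.EncodeToString(m.Sum(nil))
	nonce := make([]byte, c.aead.NonceSize())
	must(rand.Read(nonce))
	return id, c.aead.Seal(nonce, nonce, []byte(record), []byte(id))
}

// Open needs the controller's own key; the provider cannot do this with the stored blob alone.
func (c *Controller) Open(id string, blob []byte) (string, error) {
	n := c.aead.NonceSize()
	if len(blob) < n {
		return "", errors.New("blob too short")
	}
	pt, err := c.aead.Open(nil, blob[:n], blob[n:], []byte(id))
	return string(pt), err
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err) // key setup and crypto/rand failures are not recoverable here
	}
	return v
}
```

If the provider held the keys instead, as in the case where you rely on the provider’s own encryption, it could call Open itself; that is the difference between the two set-ups.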
“You acknowledge and agree that Apple may, without liability to you, access, use, preserve and/or disclose your Account information and Content to law enforcement authorities, government officials, and/or a third party, as Apple believes is reasonably necessary or appropriate, if legally required to do so or if we have a good faith belief that such access, use, disclosure, or preservation is reasonably necessary to: (a) comply with legal process or request; (b) enforce this Agreement, including investigation of any potential violation thereof; (c) detect, prevent or otherwise address security, fraud or technical issues; or (d) protect the rights, property or safety of Apple, its users, a third party, or the public as required or permitted by law.”
Concluding comment
Obviously my musings on the implications of the DoH/Abortion case might not gain favour from the Regulators or the Courts. But that is not an issue if the data controller’s own encryption is used to protect the personal data in the Cloud. This, to my mind, is how to use the Cloud safely.
References
The DoH/Abortion case: R (on the application of the Department of Health) v Information Commissioner [2011] EWHC 1430 (Admin)
Can I recommend the book Cloud Computing Law, edited by Christopher Millard. 448 pages, ISBN 978-0-19-967168-7 (Paperback). At £35 it is a snip: well researched, thorough, and covering all the DP issues (including IP). Many of the chapters involve the indomitable Kuan Hon, who is well known to our UPDATE Conference attendees.