This is the first in a series of blogs on the Data Protection and Digital Information Bill (the “Bill”) published just before the Parliamentary recess. This blog explains:
(a) how the Bill’s new definition of “personal data” works;
(b) why the definition is very problematic for data subjects; and
(c) how, after nearly four decades of data protection law in the UK, the Government is promoting a definition of personal data that is demonstrably weaker than that in the DPA1984.
The proposals in the Bill to change the definition of “personal data” did not feature in the DCMS’s original Consultation Document. This omission raises serious questions about whether or not other undisclosed horrors lurk in the depths of this Bill.
Remember as you read on that what is being proposed exists to “provide greater clarity about which type of data is in scope of the legislation” (p26 of the “Explanatory Memorandum”). I should add that this blog provides all the clarity absent from that Memorandum.
Why change the definition?
The purpose of the new definition of personal data is to distinguish between three types of data. These types are:
(a) personal data which relates to an identified or identifiable living individual where identification is usually by a controller or a processor using reasonable means. Such identification could be by name, address, location, social characteristics, identification numbers etc;
(b) non-personal data which is information that is likely to have been derived from personal data (or which is currently treated under the UK_GDPR as personal data), but where a data subject is no longer identifiable without the expenditure of an unreasonable amount of effort on the part of a controller or a processor; and
(c) anonymous data which is data that cannot be attributed to a specific living individual.
The basic idea is that organisations that process “non-personal data” or “anonymous data” cannot be a controller or a processor as the data cannot be related to a particular living individual without unreasonable effort on the part of that controller or processor.
In other words, non-personal data and anonymous data are both free of any data protection concern (i.e. no obligations arise from the UK_GDPR). The Bill’s objective is to widen the scope of these two categories by narrowing the scope of those data that are classified as “personal data”. That in summary is the name of the game.
What has changed in the definition?
The Bill splits personal data into two further types by introducing the concept of “direct” and “indirect” identification of a living individual in the context of the personal data being processed. So, for example:
- “Direct identification” occurs when a living individual is identifiable from the data “directly” without the use of any “additional information”. An example would be a normal database that contains records such as the data subject’s surname, address, date of birth, policy number as well as other data attributes.
- “Indirect identification” occurs when a living individual is identifiable from the data plus some other “additional information” which might be held by another person. An example would be a database of phone numbers where the identification of data subjects is known to be in a separate list (e.g. a telephone directory) held by the controller, processor or another person. Pseudonymised personal data is expressly defined to be a class of data where indirect identification occurs.
In the case of “direct identification”, identification of a data subject has to be “by the controller or a processor by reasonable means at the time of the processing”. More or less the same goes for indirect identification where such identification requires “additional information” to be held (or likely to be held) by a controller, processor or “another person”.
“Reasonable means” is defined as a non-exhaustive (illustrative) list which includes “among other things: (a) the time, effort and costs involved in identifying the individual by that means, and (b) the technology and other resources available to the person”. In other words, there could be other factors to consider (see Case 2 below).
Note that “at the time of the processing” in the context of “direct identification” is likely to be the time the controller or processor first obtains the personal data either from the data subject or from another source. The same more or less applies if indirect identification is completed by a controller or a processor (i.e. data protection obligations kick in as soon as the additional information is obtained or is likely to be obtained).
Note also that in the context of “indirect identification” and before the additional information is obtained (or is likely to be obtained), the data processed by a controller or a processor is not personal data and is free from data protection obligations.
In the context of “indirect identification” by another person, the time of the processing is likely to be when the controller or processor knows (or should know) that the “additional information” has been obtained (or is likely to be obtained) by that “another person” who has expended “reasonable means” to identify a data subject.
Additionally, both “direct” and “indirect” identification of a data subject under this Bill requires an assessment, by the controller, of the “reasonable means” used to perform the identification. This implies that if the means of identification are “unreasonable” for whatever reason, then the data are not personal data and no data protection obligations arise.
It can be seen that what “reasonable means” are available is very important to the personal data definition. Note that if the controller assesses that no “reasonable means” of identification are available, that controller will process the information as if it were not personal data (e.g. no transparency, security or rights obligations).
In conclusion, if a controller gets its assessment of reasonable means wrong, the default position is that the processing occurs, in secret, until it is stopped by the ICO using his powers (which is increasingly unlikely). As will be seen, this places too much power in the hands of the controller.
Finally, identification (directly or indirectly) can be “by the controller or a processor” (emphasis on “or”). This opens up three possibilities which are (to me, very confusing):
- First that identification details are held by the controller but not by the processor. If this possibility is valid, the processor’s data protection obligations do not apply as the processor is not processing personal data;
- Second that identification details are held by the processor but not by the controller. If true, the controller obligations do not apply (!!!). But if this were true then the processor that performs the identification would become a separate controller or joint controller (surely!?);
- Finally, if identification details are held by either the controller or the processor (or are known to be held by another person, etc.), then both controller and processor would be subject to data protection obligations. This possibility obviously contradicts the first two.
I haven’t a clue what is going on here or why. I find the use of “by … a processor” inexplicable and unnecessary; it is miles away from the “clarity” promised in the Explanatory Memorandum.
Illustrative scenarios: CCTV
Now that we have a feel for what is going on with the definition of personal data, we can consider two cases. I have made these up to illustrate why the definition is problematic, so forgive any artificial construct.
Case 1: Consider a controller who employs CCTV operators in a City Centre. One operator is directing a police officer to intercept and arrest a thief who is wearing a red hat, orange shirt and blue jeans as the thief is dipping into shoppers’ handbags.
Now which of the following statements best “clarifies” whether the identification of a living individual is direct or indirect? Remember, you have to consider the “reasonable means” expended by the controller to perform this identification.
- The thief is directly identified via specific criteria (e.g. by monitoring a particular individual wearing a red hat, orange shirt and blue jeans). Is this sufficient to deliver direct identification even though the CCTV operator does not know other important identification details (e.g. the thief’s name, date of birth, home address, National Insurance Number etc)?
- The thief is indirectly identified. Once apprehended, the police become the “another person” who completes the identification through the use of “additional information” easily collected by the police after arrest (i.e. the “reasonable means” test is passed). Note that with indirect identification, a key factor is that the “another person” obtains the “additional information” for identification; it does not matter that the CCTV operator does not obtain the “additional (identification) information” from the Police.
So which did you prefer? Which option is more certain: direct or indirect identification? Remember you should not muddy the waters by choosing both (as these concepts have been introduced to provide more “clarity” – Ha Ha).
If you chose indirect identification, now consider what happens if the police do not obtain the “additional information” for whatever reason (e.g. the thief disappears). Because the “additional information” is not obtained, the CCTV operator is not processing personal data. (I know that’s a rubbish conclusion, but that is what this Bill does.)
Research & Pseudonymisation
Case 2: Now assume an NHS Trust hospital shares pseudonymised health personal data with a University for medical research purposes (i.e. the Trust keeps the identities; the University has all the medical details except identification). Because pseudonymisation is involved, only indirect identification is relevant.
The University and Trust sign a legally binding data sharing agreement which states the Trust will never release the identity of any patient to the University. To protect the identification personal data further, and unknown to the University, the Trust stores the only copy of the identity personal data with a secure Trusted Third Party. This Party is tasked with encrypting the data using techniques unknown to the Trust.
In summary, this scenario is constructed so that any access to identifying details is a “very last resort” matter and aimed at precluding general access to the identifying details in a large number of circumstances.
The question I am driving at is as follows: “Is the University processing pseudonymised personal data, or is it processing ‘non-personal data’?” The answer depends on your assessment of the “reasonable means” that could be used to perform the indirect identification by the University, Trust or Third Party.
Although the “additional information” exists, does its existence as a very last resort matter impact on “another person’s” ability to complete the identification using “reasonable means”?
Or does the complex construction specified by the scenario provide sufficient barriers to preclude the general obtaining of “additional information” by “reasonable means”? Is it possible that the University or Trust could reasonably argue, given that the definition of “reasonable means” is non-exhaustive, that they have arranged matters so that there were no reasonable means of identifying a living individual?
If so, then the University is not a controller; it follows that it has no data protection obligations as a controller. The patient cannot withdraw consent to the research, object to the processing, seek subject access and the University has no security, retention or transparency obligations and the data protection elements of the data sharing agreement are irrelevant.
Such processing will continue until the ICO intervenes (unlikely in my view). Quite simply the data subject risks being written out of the research equation. And that is before you get into the Research proposals in the Bill.
In conclusion, once this definition is enacted, there is a considerable risk that lawyers are likely to set to work creating circumstances for their clients where data subject protections vanish through the use of complex organisational structures, data sharing exchanges and contracts.
These will start with personal data, somehow produce “non-personal data”, which then can be scattered to the four corners of the Earth without any data protection concern.
Comparison with DPA1998/DPA1984
The Bill’s definition of personal data is completely different from that in the DPA1998, which likewise required identification of a living individual to be either direct (i.e. “from the data”) or indirect (i.e. “from those data and other information which is in the possession of, or likely to come into the possession of, the data controller”).
Note that for indirect identification under the DPA1998, the main test was: (a) whether the controller held the identification details in his possession, (b) whether the controller was likely to obtain those identification details later on, or (c) whether the controller did not hold any identification details at all. Only in the last case did the DPA1998 not apply.
Under the Bill, identification of the living individual has to be by “reasonable means”. In other words, the identification details can be in the possession of the controller but it takes unreasonable effort to join the dots to a living individual. In this case, the data are not personal data (even though the identification detail “is in the possession of the data controller” – the DPA1998 test).
This explains how the new definition of personal data in the Bill does not even elevate itself over DPA1998 standards. The DPA1998, I remind readers, was subject to infraction proceedings commenced by the European Commission in 2004. The Commission thought the DPA1998 was a defective implementation of Directive 95/46/EC, and this included its definition of “personal data”.
Indeed, the definition of “personal data” in the DPA1998 was almost word for word taken from the DPA1984 (i.e. personal data was data that related to a “living individual who can be identified from that information (or from that and other information in the possession of the data user)”; “data user” was the 1984 term for a controller).
In other words, from the data subject’s perspective, the Bill’s definition of personal data is even inferior to that found in the DPA1984.
Concluding comment
So if the definition of personal data falls below DPA1984 standards, what is the Commission’s likely view of the Bill’s new definition in the context of Adequacy?
Send your answers on a post-card or email either to Auntie Nadine Dorries at the DCMS (before September 5th) and perhaps Uncle John Edwards at the ICO (before his next speech as he “believes the proposals strike a good balance in making improvements”).
Autumn Data Protection Courses
Because of continued COVID uncertainty, the following courses can be attended in person, or via Zoom, or as a mixture if something untoward happens. It's up to you.
- I am holding a day course on the changes arising from the Data Protection and Digital Information Bill on Thursday, September 15 by Zoom only (£250 + VAT per delegate).
- The next Data Protection PRACTITIONER Course is in London on Monday September 19-23 (5 days);
- The next Data Protection FOUNDATION Course is in London on Tuesday November 15-17 (3 days).
As we are upgrading our Amberhawk website, full details of all the above courses can be obtained by emailing info AT amberhawk.com