Following the Court of Appeal judgment in Durant, the Information Commissioner’s Office (ICO) published guidance on the meaning of “personal data”. In the Durant case, the Court narrowed the definition by holding that data would only be defined as personal data in a document where the information related only to that individual, and affected that individual’s privacy when he or she was the focus of the document and not just mentioned in it. The ICO’s original guidance focussed on what was not covered by the term personal data. In this latest guidance the ICO places greater emphasis on what is covered by the term, using a number of useful examples. The guidance is in line with the Data Protection Act 1998 and the EC Directive 95/46/EC (the European Data Protection Directive).
For the purposes of the Act and the Directive, the term ‘data’ now covers four types of data:
o Electronic data
o Data forming part of a relevant filing system
o Data forming part of an accessible record (other than electronic or relevant filing system)
o Data recorded by a public authority
Previous guidance issued by the ICO states that in most cases it will be obvious whether the data being processed, in either electronic or manual format, relates to an identifiable individual and consequently whether the processing concerns personal data. However, there may be occasions when it is less clear whether the data is personal data or not.
Is the ‘data’ ‘personal data’?
The guidance states that an individual must be distinguishable from others in the group. Information such as a name and address may be required in order to do this, but this will not always be the case. Unique identifying features of an individual may also suffice. A combination of data about gender, age and grade or salary may enable the identification of a particular employee even without a name or job title. However, whether or not the individual is identifiable will depend on “all the means likely reasonably to be used either by the controller or by any other person to identify the said person”. If there is only a possibility that an individual might be identified through close analysis of the data, this will not be sufficient to make the individual identifiable.
Where data is not obviously about an identifiable individual, the guidance suggests a number of questions which may help decide whether data is personal data.
o Could the data be processed to learn, record or decide something about an individual?
o As a consequence of the processing could you learn or record something about an identified individual?
o Could the processing have an impact on or affect an identifiable individual?
There will be cases where data is not itself personal data, but in certain circumstances it will become personal data where it can be linked to an individual to provide particular information about that individual.
Example: Salary details for a particular job may not, by themselves, be personal data, but where linked to a named employee, the salary information will become personal data.
Another example might concern data about a house where it is linked to an individual or used in deliberations or decisions concerning an individual. In both cases the data relates to the individual because the purpose of processing that data is to learn something about the individual.
A single piece of data which is not personal data for one data controller may become personal data when it is passed to another data controller.
Example: A photo taken of revellers in Trafalgar Square on New Year’s Eve by a photo journalist for his photo library, and a similar photo taken by a police evidence gatherer in order to identify potential troublemakers. The photo in the possession of the journalist is not personal data, but the photo in the hands of the police will become personal data. Whether or not data is personal data in the hands of one party and not another will therefore depend on the purpose and potential impact of the processing of the data.
Where information is not obviously about an individual or clearly linked to one, it may be necessary to consider ‘biographical’ information. This means asking whether the data goes beyond recording the individual’s casual connection with a matter or event which has no personal connection.
Example: An attendee listed in the minutes of a meeting where the minutes have significance for the individual in that they record the individual’s whereabouts at a particular time.
Focus of the information
Whether the remaining contents of the minutes contain information of biographical significance (and constitute personal data) will be determined by the ‘focus’ of the minutes.
Example: Where an individual’s suitability for a post is discussed, the record of these discussions will be personal data.
Where the focus of a meeting is about one or a number of individuals, such as in the example above, then it is likely that the minutes held as data will be personal data about those individuals. The personal data will include not only those facts about the condition or behaviour of the individual discussed but any third party opinions or any intentions of any person in respect of that individual. Whether comments made about a particular individual constitute ‘personal data’ will depend on the capacity in which the speaker made the comments; in other words, whether the individual was giving a personal opinion or putting forward views on behalf of another. The views of a company or organisation expressed by its agent are not personal data about the agent.
Objects or things
Where information is processed to monitor an object or thing such as a machine, it is unlikely to be ‘personal data’ unless the information gathered is also used to monitor an individual, such as the productivity of the person who operates the machine. If this type of information is linked to an individual to learn something about them, then it will become personal data.
There may be occasions where the data controller occasionally processes information to learn something about an individual. Even though this is not the purpose of the processing by the data controller, information gained about an individual in this way will become personal data.
Example: A taxi firm which records the movements of its vehicles by using tracking devices for business efficiency and customer service. If the control centre for the taxi firm uses this tracking system to locate and contact individual taxi drivers for reasons unconnected with the business (such as a request by a family member) the data will be personal data as the processing has an impact on the individual.
What is relevant in this example is whether the processing of the information has or could have a resulting impact upon the individual, even though the content of the data is not directly about that individual, nor is there any intention to process the data for the purpose of determining or influencing the way the person is treated.
There may still be occasions where there is uncertainty about whether data is personal data. As a matter of good practice, data controllers should still treat the information with care and ensure it is disposed of securely. Other issues concerning ‘personal data’ can be found in the appendices to the guidance at www.informationcommissionersoffice.com