
Determining what is personal data v1.1 2012 1212

Data Protection Act

The Data Protection Act 1998 (DPA) is based around eight principles relation to their personal information and place certain obligations on those organisations that are responsible for processing it. An overview of the main provisions of the DPA can be found in The Guide to Data Protection.

This is part of a series of guidance, which goes into more detail than the Guide, to help organisations to fully understand their obligations, as well as to promote good practice.

This guidance explains how to determine whether information is It is designed to help data protection practitioners decide whether data falls within the definition of personal data in circumstances where this is not obvious.

Contents

Overview
Introduction
Personal data as defined by the Directive and the Data Protection Act 1998
    The Directive
    The Data Protection Act 1998
The aim of this guidance and flowchart
Is Act?
1 Identifiability
4 Data linked to an individual
5 The purpose of the processing
    Informing or influencing decisions
    Different organisations processing the same data for different purposes
6 Biographical significance
7 Does the information concentrate on the individual?
    Minutes of Meetings
    Information about objects or things
8 Processing which has an impact on individuals
    Can data about objects be personal data about an individual even though the data controller does not currently use such data to learn, record or determine something about that individual?
Appendix
    A Personal data about more than one individual
    B Personal data in complaint files
    C
    D Disclosing information which could be linked to identifiable individuals

Overview

We have been aware for some time of the need to replace our guidance on the implications of the Durant judgment. Inevitably that guidance reflected the fact that the Court of Appeal was widely understood to have adopted a rather narrower interpretation of and experts had followed previously. We recognised the need to produce guidance with a greater emphasis on what is covered than what is not.

In June 2007 the Article 29 Working Party, an advisory committee composed of representatives of the national supervisory Though our guidance is structured differently we are satisfied that it is consistent with the approach taken by the Working Party. Both the Opinion and our guidance make great use of practical examples to illustrate the key considerations when deciding what is personal data.

Introduction

The Data Protection Act 1998 (the DPA) applies only to information which falls within the definition of ‘personal data’. The ICO, with other European data protection authorities, has been considering protection of individuals with regard to the processing of personal data and on the free movement of such data (the European Data Protection Directive or the Directive). This work has culminated in Opinion 4/2007 on the concept of personal data (01248/07/EN WP136) adopted by the Article 29 Data Protection Working Party on 20 June 2007. This guidance draws on Opinion 4/2007 and applies the concepts discussed in that paper in a UK context.

Personal data as defined by the Directive and the Data Protection Act 1998

The Directive

The object of the European Data Protection Directive [1], implemented in the UK by the protect the fundamental rights and freedoms of natural persons, and in particular their right to privacy with respect to the processing ive by reference to whether information relates to an identified or identifiable individual.

The Directive provides, in Article 3, that it applies only to the processing of personal data where the processing is wholly or partly by automatic means, or where it is non-automated processing of [2]

The Directive therefore considers first whether the information relates to an identifiable individual and then describes the two different types of processing (processing by automatic means or non- information within the scope of the Directive.

The Data Protection Act 1998

The DPA repeats the substance of the Directive definition of Directive. The DPA first considers the nature of the processing to processed by automatic means or non-automated processing within

The Directive and the DPA cover two common categories of information:

[1] See Article 1 European Directive
[2] As defined in European Directive Article 2 (c)

– information processed, or intended to be processed, wholly or partly by automatic means (that is, information in electronic form) [3]; and
– information processed in a non-automated manner which forms manual information in a filing system) [4].

In most circumstances it will be relatively straightforward to determine:
(a) whether the processing falls within the scope of the
(b) whether the information in
and consequently, to determine whether you are processing

The additional scope of the Data Protection Act

The DPA introduces two more types of manual processing of information which, if the information relates to an identifiable additional categories of processing are introduced in the DPA
– processing info [5]; and

[3] Data in electronic form is defined in section 1(1)(a) of the DPA.
[4]
[5] defined in section 1(1)(d) and section 68 DPA.

In most cases it will be obvious when you are processing personal data. In those relatively few cases where this is unclear, this guidance, and in particular the questions set out in the flowchart, aim to take you through the factors to consider when determining whether you are processing personal data. The guidance offers suggestions, for use in appropriate cases, of considerations which may help you reach a decision about the nature of the information in question.

– processing recorded information held by a public authority

The DPA is therefore concerned with four types of data which can be broadly referred to as:
(i) electronic data;
(ii) data forming part of a relevant filing system;
(iii) data forming part of an accessible record (other than those accessible records falling within (i) or (ii) above); and
(iv) data recorded by a public authority.

The aim of this guidance and flowchart

covered by the DPA is considered in our guidance ‘What information guidance is in the form of a flowchart of numbered questions idance and illustrative examples aimed at developing a practical understanding of the concept of personal data.

Protection Act?

There are several steps to determining whether data (electronic or [6] for the purposes of the DPA. Questions to help you are set out in boxes 1 to 8 below [7].

[6]
[7] See also The Guide to Data Protection sections A3.10 – 16

There will be circumstances where the data you hold enables you to identify an individual whose name you do not know and you may never intend to discover. Similarly, a combination of data about gender, age, and grade or salary may well enable you to identify a particular employee even without a name or job title.

Sometimes it is not immediately obvious whether an individual can be identified or not, for example, when someone holds information where the names and other identifiers have been removed. In these cases, Recital 26 of the Directive states that, whether or not the likely reasonably to be used either by the controller or by any other

Therefore, the fact that there is a very slight hypothetical possibility that someone might be able to reconstruct the data in such a way that the data subject is identified is not sufficient to make the individual identifiable for the purposes of the Directive. The person processing the data must consider all the factors at stake.

Example
The tall, elderly man with a dachshund who lives at number 15 and drives a Porsche Cayenne.

Example
A description of an individual may be personal data where it is processed in connection with a neighbourhood watch scheme or by the police, when seeking to identify potential witnesses to an incident.

Example
Where an individual is not previously known to the operators of a sophisticated multi-camera town centre CCTV system, but the operators are able to distinguish that individual on the basis of physical characteristics, that individual is identified. Therefore, where the operators are tracking a particular individual that they have singled out in some way (perhaps using such physical

The starting point might be to look at what means are available to identify an individual and the extent to which such means are readily available. For example, if searching a public register or reverse directory would enable the individual to be identified from an address or telephone number, and this resource is likely to be used for this purpose, the address or telephone number data should be considered to be capable of identifying an individual.

When considering identifiability it should be assumed that you are not looking just at the means reasonably likely to be used by the ordinary man in the street, but also the means that are likely to be used by a determined person with a particular reason to want to identify individuals. Examples would include investigative journalists, estranged partners, stalkers, or industrial spies.

Means of identifying individuals that are feasible and cost-effective, and are therefore likely to be used, will change over time. If you decide that the data you hold does not allow the identification of individuals, you should review that decision regularly in light of new technology or security developments or changes to the public availability of certain records.

Taking this into account, a person who puts in place appropriate technical, organisational and legal measures to prevent individuals being identifiable from the data held may prevent such data falling within the scope of the Directive.

personal or family life, business or profession? Yes No DPA. Unsure See 3 to 8 below.

However, sometimes this is not so clear and it may be helpful to

identifies an individual, even without a name associated with it, may be personal data where it is processed to learn or record something about that individual, or where the processing of that information an individual in several different ways, the most common of which are considered below.

3 because the records concerned are clearly about that individual. With these types of information it is the content of the information that determines that it ‘relates to’ an individual. There are many examples of records which will clearly be personal individual but is about their activities.

Yes DPA. No Go to next question.

Example
A medical history, a criminal record, or a record of a particular

Example
Data such as personal bank statements or itemised telephone bills will be personal data about the individual operating the account or contracting for telephone services.

following question may help to determine whether the data is

Is the data being processed, or could it easily be processed, to:
– learn;
– record; or
– decide
something about an identifiable individual, or; as an incidental consequence of the processing, either:
– could you learn or record something about an identifiable individual; or
– could the processing have an impact on, or affect, an identifiable individual?

Questions 4 to 8 may help when considering this issue.

4 Data linked to an individual

particular information about that individual? Yes No Go to next question.

There will also be many cases where data is not in itself personal data but, in certain circumstances, it will become personal data where it can be linked to an individual to provide particular information about that individual.
