Thursday, 4 November 2010

Personal information

I know there has been discussion over the idea of an IP address being "personal information" under the DPA (Data Protection Act) and even that a phone number (on its own) could be considered personal information.

It seems a tad odd to me. I understood the idea was that a data controller has to be able to associate the information with a living individual to make it personal information, and to my mind neither of these manage that, generally. Yes, for a phone company, the phone number they allocated, given that they have access to their customer database, is personal information as they can do that association. But to the general public or some other company, a phone number on its own is surely not personal information.

The reason this came up recently was location services for mobiles. It is technically possible to locate a mobile by number. But is that number and location "personal information", i.e. does someone offering such services have to go through hoops to validate that the phone user is happy for the location to be given to someone else? (I know, morally, they should, that is not my point).

I would say the number alone is not personal information, and neither is a location within several hundred metres even when in conjunction with a mobile number. Neither, nor both, allow a living individual to be identified or for other data to be obtained from that information so as to identify a living individual...

But I have a feeling the ICO have a different view on this.

So I wondered...

I could take a list of first names, and a list of surnames, and even a set of dates of birth. A name and date of birth together are usually considered to be "personal information". I could make a table giving every combination of such a unique reference number. This could be expanded to have even more data to make it that a number in my table can link to enough information to relate to a specific living individual.

I then have a database which is no different logically to the database a mobile phone provider has associating a name and a number together.

But the number I use is, say, an 8 digit number.

Now, anyone that happens to have 8 digit numbers in a database of their own has something which I could map to a living individual. Just like a mobile company could make a mobile number to a living individual (bill payer, if not user).

Do does that mean anyone with such numbers have to treat then as personal information now? Just like a phone number? They have as much ability to convert the number to other data, like a name and date of birth, as they do a phone number - i.e. they can't...

Perhaps if I make a list which maps to letter combinations. Could the words in the post now become personal information because somewhere there is a mapping of "the" to "Fred Bloggs, 1st Dec 1947" in some database?

If not, then surley a mobile number, and even an approximate location, cannot count as personal information. As such someone could offer mobile phone lookup services with no DPA implications?

Yes, being devil's advocate here... comments?


  1. Doesn't the phone directory change things, as you can lookup a name (and often an address) from a number using that - I would have thought a name and address are clearly personal information?

    It's a bit different for a mobile number I suppose, but wasn't there something a while back about putting them in to a directory as well?

  2. Yes, but you cannot look up a number to find the name/address.

  3. Ah, it seems indeed they don't let you lookup name from number (I thought they used to, but am probably mistaken). However, given BT manage the central phone directory, there's presumably nothing to stop them looking up a name and address from a *competitor's* number, thus the information is enough for someone to identify a named individual, so should be treated as PII?

  4. This is kind of my point - the fact that someone somewhere can convert a phone number to a name should mean that they have to treat a phone number as personal information.

    However, everyone that cannot do that (e.g. me) should not have to treat it as personal information.

    If I do, then my logic of making a table of names and numbers could mean other arbitrary numbers magically become personal information just like phone number because someone somewhere can convert them to more personal details.

  5. I don't think your example is complete enough.

    If the other person's/company's database with an 8-digit field calls that field 'RevK Refnum' so that it can be linked to your DB to get PII, then yes that number becomes PII.

    Without that logical link, it is just an 8-digit number.

    Similarly, if a DB has a field 'Phone number' containing phone numbers (funnily enough) then it is logically clear how and when that can be linked to other data to get PII.

  6. But the counter argument to that is that while the number can be turned in to personal details by someone somewhere, the personal details they can be turned in to do not represent the same person that you were referring to, whereas if you publish a phone number, and someone turns that phone number in to a name and address, then it is likely that you and they both know who the person is...

  7. So you can store phone numbers as long as you don't say they are phone numbers... Good.

  8. No, I would say it's that you can store strings of digits that could be interpreted as phone numbers, as long as they are not phone numbers to you - i.e. even if someone can turn the string of digits in to a name and address, that name and address (and the number interpreted as a phone number) has absolutely nothing to do with the meaning of those numbers as published by you.

  9. Well, I was under the impression the data had to be something the data controller could use. I.e. using information he has access to or is likely to have access to.

    So, even if I *know* they are phone numbers, if I do not have access to a phone number lookup to turn that in to something I can use to identify a living individual from (or are likely to have access to), then they are *NOT* personal information.

  10. There have been cases where Data Controllers have released "anonymised" datasets containing medical studies or browsing habits and third parties have been able to apply statistical methods to identify (deanonymise) certain individuals in the dataset.

    I saw an episode of the BBC's "Cost of Free" series that explained these particular cases.

    It was remarkably well put for something so technical that was aimed at a general audience.

    Seems to have some youtube links to part of one of the episodes.

    What can and cannot be used as personal identifying information becomes extremely vague in the face of correlation with other sources and statistical analysis by third parties.

    Personal Identifying Information in the DPA seems to be an "as good as can be expected" attempt at trying to codify practices that might limit the statistical significance of any single data source.

    Unfortunately the modern communications technology often makes obtaining a statistically significant set of data sources a triviality.

  11. I do know that { location, car registration numbers } pairs, which are something that TrafficMaster collect an awful lot of, were not considered personal data by the ICO back at the time the original 'blue camera' TM network was being set up.

    That seems to be fairly similar.

  12. Ah, but doesn't TrafficMaster only collect the middle characters (ie. they discard the leftmost & rightmost) for their tracking purpose?

    Then of course they will say when they harvest RevK's number as "EV 1" (discarding the initial R & trailing K) that they can identify him in a stream of traffic up the A1 as a probe car, but they don't know if it's "REV 1K" or some other number...

  13. Car reg should not be considered personal as it allows, at best, identification of a car not a person. The fact you can find a person by one of several databases (e.g. registered keeper, the insurance companies database, and I am sure many others) should not be an issue. They identify people/car relationships but there is no single car->person mapping.

    Like the idea that you know the ref is a "refref" earlier. If the ref is a ref for some other thing, which multiple databases could associate arbitrarily with individuals.