Friday, 11 August 2017

Public Interest

At present the Data Protection Act contains an exception for journalistic / public interest processing and disclosures of personal information - this is why the press can name people in stories, especially public figures.

I don't know if the new GDPR (General Data protection Regulation) stuff has the same exception - if not then the newspapers are going to be very strange, with no pictures of anyone, and even saying "The Home Secretary" will be identifying an individual, so not allowed. The exception must exist, surely?

Now, I wonder if it is public interest to state the full name of the person that works for British Telecommunications plc that has stated that BT is not a communications provider? I mean it seems such a stupid lie that he deserves "naming and shaming" surely?

P.S..

I was not trying to make this yet another unhinged rant, honest, it was a genuine DPA/GDPR issue. Can I name the person?

Now, I was thinking, I could give his first name, which is Andrew, as we know many Andrews, even in BT, and so could not, as data controller, identify the person from his first name alone.

However, it got me thinking, The rule is, as far as I know, that anything which allows the data controller to identify the person, including access to other data the data controller has, or could get access to from third parties even, counts as personally identifiable data - even if the rest of the world could not use that data to identify the person.

So if I said "customer number 1209", to me, that is an identifiable individual, so that data, just "customer number 1209" is personally identifiable data, and I could not post it, even if nobody reading this knows who that is? Is that the case, really? Thankfully customer 1209 has agreed to that much data about him (or her) being posted in this blog post.

However, this BT person - I (as the data controller) can identify him from the "story". Just saying "The BT person that said BT is not a communications provider" is enough for the data controller to identify that person.

Basically, I cannot post *ANYTHING* about the story in any way without releasing personal identifying information - i.e. information the data controller can use to identify that person (given other data the controller has, or has access to).

Surely that makes no sense? Or is giving his identifiable information in public interest? If not, I cannot post the store at all. If so, then giving his full name is no more help to the data controller in identifying the person than the content of the story is.

So what is the question? Is the question "Is revealing personal identifiable data in public interest? yes/no". Or is the question "Is revealing this persons full name in public interest? yes/no?"

As I say, not an unhinged rant, a real question...

6 comments:

  1. I would suggest not. I'd also suggest not making series of three increasingly unhinged-sounding blog posts all about a relatively pedantic point with no obvious relevance to anything.

    ReplyDelete
    Replies
    1. I am sorry they sound unhinged. There are people with real problems - finding it impossible to port an ISDN line, for example, and it stems from some stupidity with BT plc pretending to be different companies and passing the buck between itself and itself, and even denying the ability to use the legally required dispute resolution process to fix the problem. It is a total dead end without going to the courts, and it needs fixing.

      Also, surely, what is actually "unhinged" is the huge incumbent UK communications provider British Telecommunications plc, insisting, repeatedly that it is not a communications provider. OK, maybe not as unhinged as saying "I am not a teapot", but pretty unhinged none the less. Is it not reasonable that I find this madness concerning and blog worthy?

      Delete
    2. Oh, BT are certainly unhinged. But that's no reason to let them drive /you/ insane.

      I think a blog post about the problem would be perfectly reasonable. It's the series of three blog posts attacking the same point from multiple angles that seems a bit excessive, especially as they don't seem likely to actually /achieve/ anything positive.

      Delete
    3. Maybe I was in the sun too long in Cannes today, or spent too much time going up and down in the lifts :-) Yes, sometimes I managed to not make one coherent blog post, sorry. If I don't post something I spend all day getting crosser usually. However, I hope OFCOM will read one as I did include on my tweet of the blog post. And I now BT do sometimes read my blog, so maybe someone will say they should perhaps address these stupid comments internally. I'm happy to discuss sanely with either if it could actually make any progress to help my customers.

      Delete
  2. > I don't know if the new GDPR (General Data protection Regulation) stuff has the same exception


    No. It is up to each member state to add appropriate derogations into their national law. In the UK, it is likely to be through the data protection bill announced earlier this week.

    "Of interest to the public" != "in the public interest". Personally, I would not see as it meeting either test.

    ReplyDelete
  3. The person at BT plc that made the statement is not really relevant - they're communicating on behalf of the entity - it is therefore effectively BT plc that has made the statement IMO, which presumably despite being effectively a "person" or "entity" is not covered by any such regulations.

    ReplyDelete