I know there has been discussion over the idea of an IP address being "personal information" under the DPA (Data Protection Act) and even that a phone number (on its own) could be considered personal information.
It seems a tad odd to me. I understood the idea was that a data controller has to be able to associate the information with a living individual to make it personal information, and to my mind neither of these manage that, generally. Yes, for a phone company, the phone number they allocated, given that they have access to their customer database, is personal information as they can do that association. But to the general public or some other company, a phone number on its own is surely not personal information.
The reason this came up recently was location services for mobiles. It is technically possible to locate a mobile by number. But is that number and location "personal information", i.e. does someone offering such services have to go through hoops to validate that the phone user is happy for the location to be given to someone else? (I know, morally, they should, that is not my point).
I would say the number alone is not personal information, and neither is a location within several hundred metres even when in conjunction with a mobile number. Neither, nor both, allow a living individual to be identified or for other data to be obtained from that information so as to identify a living individual...
But I have a feeling the ICO have a different view on this.
So I wondered...
I could take a list of first names, and a list of surnames, and even a set of dates of birth. A name and date of birth together are usually considered to be "personal information". I could make a table giving every combination of such a unique reference number. This could be expanded to have even more data to make it that a number in my table can link to enough information to relate to a specific living individual.
I then have a database which is no different logically to the database a mobile phone provider has associating a name and a number together.
But the number I use is, say, an 8 digit number.
Now, anyone that happens to have 8 digit numbers in a database of their own has something which I could map to a living individual. Just like a mobile company could make a mobile number to a living individual (bill payer, if not user).
Do does that mean anyone with such numbers have to treat then as personal information now? Just like a phone number? They have as much ability to convert the number to other data, like a name and date of birth, as they do a phone number - i.e. they can't...
Perhaps if I make a list which maps to letter combinations. Could the words in the post now become personal information because somewhere there is a mapping of "the" to "Fred Bloggs, 1st Dec 1947" in some database?
If not, then surley a mobile number, and even an approximate location, cannot count as personal information. As such someone could offer mobile phone lookup services with no DPA implications?
Yes, being devil's advocate here... comments?