IP addresses – the unique numbers used to identify machines and devices on the Internet – are classed as personal data for the purposes of the Data Protection Act 1998 where the data controller has a means, which they are reasonably likely to use, of linking the IP address to a particular individual, (such as other account or profile information held by them). Internet Service Providers invariably have access to such information and are advised to treat all IP addresses as personal data, whereas website operators must consider whether or not they have the means to link individual users to IP addresses.
In a recent decision, the Information Commissioners Office (ICO) has made it clear that a different analysis is required when considering whether or not IP addresses are personal data in the context of a request for information under the Freedom of Information Act 2000 (or, as in this particular case, the Environmental Information Regulations). Here the focus must be on the process of disclosure and whether any member of the public could identify an individual from their IP address.
In the decision in question, where the applicant had requested from Hackney Council the IP addresses of persons who had responded to a survey (information not linked to the other data contained in the survey submissions), the ICO decided that the IP addresses were not personal data in the context of disclosure. Accordingly, the Council could release the information without having regard to the data protection principles. This was the case notwithstanding the possibility that some of the IP addresses might have been personal data in the Council’s hands. The ICO’s decision in this case follows others such as Common Services Agency v Scottish Information Commissioner and Department of Health v Information Commissioner, in which the courts have held that effectively anonymised data is not personal data in the context of disclosure under FOI.
ICO Decision Notice re Hackney Council Ref: FS50315994