Recent guidance released by the UK Information Commissioner’s Office indicates that the regulator’s view of “personal data” – the fundamental concept behind the Data Protection Act 1998 – (1) is broader than previously thought and (2) differs significantly from the courts’ interpretation. This is a significant development for those retailers who hold and process substantial volumes of customer data.
The Act regulates the way in which organisations process (use) personal data. A broader interpretation of “personal data” means that more information will be subject to regulation by the Act. If organisations follow the new guidance, rather than the courts’ interpretation, this is likely to increase both the burden and the complexity of complying with the Act. For information to be an individual’s “personal data” within the meaning of the Act, a number of criteria have to be satisfied, including: (1) the individual must be “identified or identifiable” and (2) the information must “relate to” him. The second issue forms the crux of the ICO’s new guidance.
Where it is not obvious that data are about an identifiable individual, the guidance includes supplemental questions to highlight situations where: (1) data are being processed, or could easily be processed, to learn, record or decide something about an identifiable individual or (2) as an incidental consequence of the processing, either (a) something could be learned or recorded about an identifiable individual or (b) the processing could have an impact on, or affect, an identifiable individual. If either (1) or (2) applies, the data “relate to” that individual and are likely to be personal data, e.g. data about an individual’s mobile phone are considered to relate to him, as this determines what he will be billed.
This approach is inconsistent with the Court of Appeal’s judgment in Durant v the Financial Services Authority. There the court held that, to be an individual’s personal data, information must (i) affect his privacy, (ii) have him as its focus and (iii) be biographical about him in a significant sense.
Due to the importance of CRM and other customer databases in the retail sector, decisions about database management can have far-reaching effects. It will generally be advisable for organisations to err on the side of caution and treat all information held relating to individuals as “personal data”. This will be particularly important in any review of data security procedures which organisations choose to carry out following recent high profile security breaches, such as that by Her Majesty’s Revenue and Customs.