The Information Commissioner's Office has recognised that, following the Court of Appeal's decision in the Durant case and the Article 29 Working Party opinion on the concept of personal data, data controllers have been finding it difficult to determine what constitutes personal data for the purposes of the Data Protection Act 1998. The Information Commissioner's Office has issued a technical guidance note and checklist to assist data controllers in identifying personal data especially in circumstances where it is not immediately obvious whether data falls within the DPA definition.
The guidance takes the form of a series of questions which must be followed in the correct order to work out whether specific information falls within the definition of personal data within the DPA. In addition, the guidance sets out the ICO's thoughts on other issues concerning personal data including personal data about more than one individual, personal data and complaint files and disclosure of information which could be linked to identifiable individuals.
The questions which should be considered and which form part of the flowchart are as follows:-
Question 1: Can a living individual be identified from the data, or from the data and other information in the possession of, or likely to come into the possession of, the data controller?
The guidance gives several examples where an individual can be identified. It points out that simply because the name of an individual is not known does not mean that the individual cannot be identified. Individuals can be identified either by description or on the basis of physical characteristics, e.g. the man with the red Ford Focus at Number 12.
Where it is not immediately obvious whether a person can be identified, the question of whether the individual is nevertheless identifiable depends on the means which the data controller or any other person is reasonably likely to use to identify that person.
The person processing the data must consider 3 factors:-
(i) what means are available to identify an individual and the extent to which such means are readily available, for example searching a public register;
(ii) what means are likely to be used by a determined person to identify the individual for example investigative journalists, estranged partners or stalkers; and
(iii) the fact that the means of identifying individuals that are feasible and cost effective will change over time; therefore, if a decision is taken that the data held does not allow the identification of individuals, that decision should be reviewed in light of technical or security developments over time.
Question 2: Does the data "relate to" the identifiable living individual (whether in personal or family life, business or profession)?
The guidance draws a distinction between data that is "obviously about" an individual and data which is not. Data "relates" to an individual where the data is processed to learn or record something about that individual or where the processing has an impact on that individual.
Question 3: Is the data obviously about a particular individual?
Examples of data obviously about a particular individual include a person's medical history, criminal record and record of particular performance at work or other achievement. If the information is obviously about an individual then the data is personal data for the purposes of the DPA. If not, the guidance sets out additional issues which need to be considered. As an example of records which are clearly personal data even though the information in question is not obviously about an individual but is about their activities, the guidance cites personal bank statements or itemised phone bills, which constitute personal data about the individual operating the account or contracting for telephone services.
Question 4: Is the data "linked" to an individual so that it provides particular information about the individual?
The example given here is that of data about the salary for a particular job, which may not in itself be personal data, for example where it is included in the advert for a job. However, once the vacancy has been filled and there is a single named individual in post, the salary information about the job will be personal data relating to that person.
Question 5: Is the data used or is it to be used to inform or influence actions or decisions affecting the identifiable individual?
Context is key here. For example, information about a house is not in itself personal data. However, such information is often linked to an owner or resident, and consequently the data about the house will be personal data about that individual. The guidance gives examples where data about a house relates to an individual because the purpose of processing that data is to learn something about that individual (for example his address) or to determine something about him (for example the extent of his council tax liability). The guidance points out that different organisations may process the same data for different purposes, and that the same piece of data may be personal data in one party's hands whilst it is not personal data in another party's hands.
Question 6: Does the data have any biographical significance in relation to the individual?
It is important to remember that it is not always necessary to consider biographical significance to work out whether data is personal data. This is the case where the data is either obviously about an individual or where it is clearly linked to that individual and is processed in order to determine or influence the way in which that individual is treated. Biographical significance only needs to be considered where information is not obviously about an individual or clearly linked to him. What is important here is whether the data goes beyond recording the individual's casual connection with a matter or event. For example, where an individual is listed as an attendee in the minutes of a meeting, the minutes have biographical significance for that individual in that they record his whereabouts at a particular time. It does not, however, mean that everything in the minutes of the meeting is personal data about each of the attendees.
Question 7: Does the data focus or concentrate on the individual as its central theme rather than on some other person or some object, transaction or event?
Again, the issue of focus only needs to be considered where information is not obviously about an individual or clearly linked to him. The guidance gives typical examples of focus particularly in the context of minutes of meetings and disciplinary hearings.
Question 8: Does the data impact or have the potential to impact on an individual whether in a personal, family, business or professional capacity?
Even if data is not usually processed to provide information about an individual, if there is a reasonable chance that it will be processed for that purpose, the data will be personal data. The guidance gives the example of a taxi firm that uses vehicle tracking devices to record the movements of its taxis in order to plot the location of its fleet. If this data also allows the firm to monitor the performance of drivers or to provide information about the location of its drivers, then it can be considered personal data relating to the drivers.
This guidance has been in the pipeline for some time and is a must read for anyone processing personal data or dealing with subject access requests. Guidance on the "relevant filing system" definition is due to be published soon.