The identification of living individuals
The times they are a-changin’ (back)!
We’re about a month in from the reintroduction of the Data Protection and Digital Information Bill. At the present time, we’re still waiting for the updated impact assessment based on the latest changes. While we wait there’s plenty of information to look at in the text of the Bill.
We will produce more detailed analysis of the changes over the coming months. However, in the first of a regular series, we’ll take a brief look at some of the changes that will affect all organisations. The Bill alters the basic definition of personal data. In other words, the basic scope of data protection is being altered and, in essence, reduced.
A ‘new’ definition
The GDPR brought a key change in the definition of when an individual is identifiable. Ostensibly anonymous data can count as personal because it might become identifiable in the future.
Here’s what the new Bill says:
3A Information relating to an identifiable living individual
(1) For the purposes of this Act, information being processed is information relating to an identifiable living individual only in cases described in subsections (2) and (3).
(2) The first case is where the living individual is identifiable (as described in section 3(3)) by the controller or processor by reasonable means at the time of the processing.
(3) The second case is where the controller or processor knows, or ought reasonably to know, that—
(a) another person will, or is likely to, obtain the information as a result of the processing, and
(b) the living individual will be, or is likely to be, identifiable (as described in section 3(3)) by that person by reasonable means at the time of the processing.
Part (2) is straightforward. If all the information is available to narrow down to a unique person at the time the data is processed, then they have been identified.
Part (3) is more complex and, consequently, needs parts (4), (5) and (6) to try to clarify it.
In this second scenario, it’s someone other than the controller or processor who’s doing the identification. For example, an organisation with whom the data has been shared. Part (4) makes it clear that it could also be someone who obtained the data illegitimately.
So what does it mean?
Under the old definition, it didn’t matter how much effort was required to get the remaining data to complete the identification. In contrast, under the new rules there is a ‘reasonability’ clause, putting a limit on the actions that can be taken.
If data is shared or breached and it would take an unreasonable degree of effort to identify the individual data subject, then what was disclosed is arguably not personal data.
For data controllers like schools and colleges, this brings the concept of pseudonymisation back into play. It doesn’t mean that going back to initialising pupil names is enough to stop records being personal data. However, it does open new opportunities. There’s no reason to think this will be particularly controversial in the committee stages, unlike some of the other changes.
Next time we’ll look at some of the changes that are planned around subject access requests.


