No need to scour internet when assessing whether personal data is sensitive, UK tribunal rules

Out-Law News | 01 Sep 2015 | 4:44 pm | 3 min. read

Businesses are not expected to scour the internet and other sources to check whether there is any information that, when linked with personal data they hold, would mean the data they hold is in fact sensitive personal data, according to a new UK ruling.

The Upper Information Rights Tribunal said (23-page / 115KB PDF) that organisations only need to consider "the immediate context" of data to determine whether it is personal or sensitive personal data.

In considering a case brought under the Freedom of Information Act, the Upper Information Rights Tribunal (Upper Tribunal) ruled that the Information Commissioner's Office (ICO) must disclose the names of journalists contained on a list seized during a raid on the home of private investigator Steve Whittamore in 2003.

The ICO had claimed that the information it was being asked to disclose was sensitive personal data. This, it said, was because the data was "information as to the alleged commission of criminal offences by at least some of the journalists concerned".

Sensitive personal data has to be treated much more carefully by organisations than other personal data and stricter rules apply to its collection, use and disclosure. The ICO had argued that it would breach the Data Protection Act by disclosing the names of the journalists on Whittamore's list.

However, the Upper Tribunal said that the names of the journalists was personal data but not sensitive personal data. It said that the public interest in disclosing that data outweighed the public interest in withholding the information. It therefore ordered the ICO to disclose the list of names to a man seeking the information, Christopher Colenso-Dunne. However, the information has to remain confidential until any potential appeal proceedings are concluded. In a statement, the ICO said that it is "in the process of considering [its] response" to the Upper Tribunal's judgment.

Upper Tribunal judge Nicholas Wikeley said he agreed with arguments put forward by Colenso-Dunne's legal representative.

"Data controllers cannot reasonably be expected to conduct a search of the entire public domain to check that there is nothing else 'out there' which, when combined with the personal data being processed, changes its nature into sensitive personal data," Colenso-Dunne's legal representative said, according to the Upper Tribunal's ruling. "The data must essentially speak for itself in its immediate context. Information which on the face of it is ‘ordinary’ personal data cannot suddenly transmute into sensitive personal data because of other information which is out in the public domain."

Judge Wikeley said: "The fact that some people might misconstrue the fact that a journalist’s name was in the material seized from Mr Whittamore as an allegation that he or she had committed an offence did not convert personal data into sensitive personal data."

The judge's comments on the narrow way in which personal data should be assessed to determine whether or not it is sensitive personal data contrasts with the approach data protection authorities have taken in guidance they have issued on data anonymisation.

The ICO, Article 29 Working Party and other privacy watchdogs have all recognised that technology has made it easier to link data with other information and that this presents a challenge for businesses in applying effective anonymisation measures. This is because of the risk of re-identification of data subjects when data from multiple sources is brought together.

Data anonymisation does not need to be 100% effective to take that data outside of the scope of data protection laws, which only apply to personal data.

In this context, the ICO has produced a code of practice on anonymisation. According to the code, providing there is no more than a "remote" chance that data subjected to anonymisation measures can be traced back to individuals then, for the purposes of the law, that data would be treated as having been anonymised and no longer constituting 'personal' data.

"If the risk of identification is reasonably likely the information should be regarded as personal data," the ICO said.

This approach is broadly supported by the Article 29 Working Party which has warned of the "residual risks to data subjects" from anonymised datasets in light of the potential for new data to come to light over time and enable the people behind anonymised data to be re-identified as a result of the matching of the datasets.

The Working Party has said therefore that "anonymisation should not be regarded as a one-off exercise" and that businesses should "regularly" reassess "the attending risks" of re-identification.

However, according to judge Wikeley's approach, "the immediate context" of personal data need only be considered when assessing whether that information is sensitive or not. A piece of non-sensitive personal data should in and of itself be treated as ordinary personal data and not sensitive personal data even if it can be considered sensitive personal data when matched together with a piece of sensitive personal data, according to the approach.

We are processing your request. \n Thank you for your patience. An error occurred. This could be due to inactivity on the page - please try again.