Case Reference Number RFA0547589

Dear Mr Brown,

Thank you for the data protection concern you raised about PCC Northamptonshire and the way it is handling personal data.

Concerns raised with the Information Commissioner’s Office

We want to know how organisations are doing when they are handling information rights issues. We also want to improve the way they deal with the personal information they are responsible for. Our aim is to raise information rights practices within organisations. We do this by taking an overview of all concerns that are raised about that organisation with a view to improving their compliance with the Data Protection Act (“the DPA”).

Our role is not to investigate or adjudicate on individual concerns, but we will consider whether there is an opportunity to improve the practice of the organisations we regulate. Should we identify an opportunity for improvement we may give advice about handling personal information, provide guidance, or ask them to review their procedures.

Concern raised with us

It appears that PCC Northamptonshire has published a response to a Freedom of Information Act 2000 (“FOIA”) request in the following link:

northantspcc.org.uk/docs/foi/001171-14.pdf

As I understand it, PCC Northamptonshire attempted to redact personal data within its FOIA response, but when the document is copied and pasted into another application (such as Microsoft Word), the underlying text is revealed.

In this case, the matters raised that are relevant to the DPA relate to the seventh data protection principle, which says:

“Appropriate technical and organisational measures shall be taken against the unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.”

Our View

Based on the information provided by you in this case, we have decided that it is unlikely that PCC Northamptonshire has complied with the requirements of the DPA. Therefore, it is our view that there is now action required by PCC Northamptonshire.

It appears that PCC Northamptonshire applied a two-step approach in order to anonymise the data published on its website. When the relevant document is copied and pasted into another application, the majority of the hidden information is revealed as “xxx”. This seems to sufficiently anonymise the relevant data. However, in one instance, in an email of 18 February 2014 at 11:41, the name “Andrew” is revealed in an email address.

The DPA is concerned with ‘personal data’. It says that ‘personal data’ means data which relates to a living individual who can be identified:

(a) from that data, or
(b) from that data and other information which is in the possession of, or is likely to come into the possession of, the data controller,

and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.

Under part (b) of the DPA’s definition of personal data, it appears that “Andrew” would be identifiable by the data controller (“PCC Northamptonshire”) from other information which PCC Northamptonshire would be in the possession of.

The Article 29 working party Opinion (4/2007) on the concept of personal data concluded that anonymous data, in the sense used when applying the Directive, could be defined as any information relating to a natural person, where the person could not be identified, whether by the data controller or by any other person, taking into account all means likely reasonably to be used to identify that individual.

Sometimes it is not immediately obvious whether an individual can be identified or not, for example, when someone holds information where the names and other identifiers have been removed. In these cases, Recital 26 of the Directive states that, whether or not the individual is nevertheless identifiable will depend on “all the means likely reasonably to be used either by the controller or by any other person to identify the said person”.

As it seems “Andrew” would reasonably be identifiable by PCC Northamptonshire, it has not effectively anonymised the personal information.

From the information provided, it seems that PCC Northamptonshire did not take the appropriate technical and organisational measures to prevent the unauthorised disclosure of an individual’s personal data. Therefore, it appears that PCC Northamptonshire has not met its obligations under the seventh data protection principle. Consequently, in my view, it is unlikely that PCC Northamptonshire has complied with the requirements of the DPA in this case.

Action required

We have recommended that PCC Northamptonshire ensures that all responses to FOIA requests are published using appropriate technical and organisational measures to make sure that personal data is redacted. PCC Northamptonshire should review the FOIA responses it has already published and ensure that personal data is appropriately anonymised.

In addition, we have recommended that PCC Northamptonshire views our website for more information about the DPA, with specific reference to the anonymisation code of practice.

Next steps

We keep a record of all the concerns raised with us about the way PCC Northamptonshire processes personal data. The information we gather from complaints may form the basis for action in the future where appropriate.

Thank you for bringing this matter to our attention.

Yours sincerely,

Case Officer
The Information Commissioner’s Office

Posted on: Wed, 10 Sep 2014 20:32:18 +0000