Some chump has come up with a brilliant wheeze
to take our minds off the fact that, even after all these years, there is no
universally agreeable view on the meaning of “personal data”. When does an item
of information become “personal data”, and thus subject to the full rigour of
the Data Protection Act? Or the Data Protection Directive? Or, even, the proposed
General Data Protection Regulation? For, if it is not “personal data”, then the
Act / Directive / Regulation does not apply, and a business can treat it just
as it would treat any other type of business information.
The wheeze is brilliant in its
simplicity – rather than worry about the definition of “personal data”, let’s
create another data category, and commence earnest discussions on what elements
of data protection legislation should be applied to that, instead. Where the connection with an identified (or identifiable) person is weak or slight, the rules could be relaxed.
So, the high priests of data protection
have been convening to determine whether different laws ought to apply to a
different type of information. To make this different type as obscure as
possible, it’s been given the name “pseudonymous”. Aficionados of
data protection adore this sort of stuff – they just love dealing with terms
that are hard to pronounce, spell and define.
A recent meeting of said aficionados in Central London considered
whether a definition of pseudonymous
data should be included in the proposed Regulation. And, if so, what it should include.
It goes without saying that after earnest debate, consensus was
there none. Not only is it a difficult concept to grasp, any definition really
needs to be considered in the context of the entire instrument – which naturally
did not currently exist, nor were betting men prepared to countenance that it might
exist in the foreseeable future.
I don’t think that anyone was prepared to rubbish the concept of
pseudonymisation – after all, anything that makes it easier for an individual
to protect their privacy should be welcomed. But do such terms really need to
be mentioned in legislation? And if they are mentioned, what incentives are on
offer to encourage data controllers to adopt pseudonymous techniques?
The discussion continued. But what should happen when data can be
readily de-pseudonymised? (yawn)
And the questions kept coming. Should it be possible to deny individuals their subject access rights over pseudonymous
data? Or apply data portability or the ‘right to be forgotten’ to pseudonymous
data? (deeper yawn)
I’m sure that all this stuff needs to be debated, earnestly and
with great rigour. But not on a hot sunny day.
Even our chums at the ICO have revised their views on whether to
support a definition of pseudonymous data. They were keener on the concept than
they are today. Given the difficulties in defining the difference between personal
data and pseudonymous data, there’s not a lot of point referring to it in the
proposed Regulation. Hurrah. It’s always pleasing to note when the ICO supports
a risk-based approach to issues such as these.