Monday 15 July 2013

Chasing the pseudonymous data tail

Some chump has come up with a brilliant wheeze to take our minds off the fact that, even after all these years, there is no universally agreeable view on the meaning of “personal data”. When does an item of information become “personal data”, and thus subject to the full rigour of the Data Protection Act? Or the Data Protection Directive? Or, even, the proposed General Data Protection Regulation? For, if it is not “personal data”, then the Act / Directive / Regulation does not apply, and a business can treat it just as it would treat any other type of business information.

The wheeze is brilliant in its simplicity – rather than worry about the definition of “personal data”, let’s create another data category, and commence earnest discussions on what elements of data protection legislation should be applied to that, instead. Where the connection with an identified (or identifiable) person is weak or slight, the rules could be relaxed.

So, the high priests of data protection have been convening to determine whether different laws ought to apply to a different type of information. To make this different type as obscure as possible, it’s been given the name “pseudonymous”. Aficionados of data protection adore this sort of stuff – they just love dealing with terms that are hard to pronounce, spell and define.

A recent meeting of said aficionados in Central London considered whether a definition of pseudonymous data should be included in the proposed Regulation. And, if so, what it should include.

It goes without saying that after earnest debate, consensus was there none. Not only is it a difficult concept to grasp, any definition really needs to be considered in the context of the entire instrument – which naturally did not currently exist, nor were betting men prepared to countenance that it might exist in the foreseeable future.

I don’t think that anyone was prepared to rubbish the concept of pseudonymisation – after all, anything that makes it easier for an individual to protect their privacy should be welcomed. But do such terms really need to be mentioned in legislation? And if they are mentioned, what incentives are on offer to encourage data controllers to adopt pseudonymous techniques?

The discussion continued. But what should happen when data can be readily de-pseudonymised? (yawn)

And the questions kept coming. Should it be possible to deny individuals their subject access rights, or would these continue to apply to pseudonymous data? Or apply data portability or the ‘right to be forgotten’ to pseudonymous data? (deeper yawn)

I’m sure that all this stuff needs to be debated, earnestly and with great rigour. But not on a hot sunny day.

Even our chums at the ICO have revised their views on whether to support a definition of pseudonymous data. They were keener on the concept than they are today. Given the difficulties in defining the difference between personal data and pseudonymous data, there’s not a lot of point referring to it in the proposed Regulation. Hurrah. It’s always pleasing to note when the ICO supports a risk-based approach to issues such as these.  
