If this decision (first spotted by @DataCorrection) gets any traction, the myth will become that the First Tier Tribunal said that a dog’s name was personal data. To be fair, I don’t think they did that, but it’s their fault if people come to that conclusion.
The dog in question bit a woman on the leg when police were breaking up an illegal rave in Bristol, causing what sound like very severe injuries. The description in the original ICO decision is grisly. This post is a lot less jokey than it would have been had I not read it.
A @WhatDoTheyKnow regular made an #FOI request for the name of the dog, the name of the handler and their qualifications, plus a bewildering final demand for "Your reasons for the dog attacking". The Tribunal says the dog info is personal data.
I want to highlight this decision as an example of something that I have mentioned before as a vital skill for the DPO – the ability and willingness to explain where your advice comes from, relating what you say back to the law.
The decision lacks any analysis: “There is no room for any doubt that these are all requests for personal data of the dog handler. It is not in question that identification of the dog would inevitably reveal his or her handler.”
That’s what you get about why the dog’s name is personal data. I was baffled, so I went back to the original ICO decision. Kudos to @ICOnews for putting FOI cases about Avon and Somerset Police under at least 3 different names, and parking this decision under the least accurate.
Anyway, I found it in the end, and in it you get a detailed explanation of why the Commissioner thinks the dog’s name is personal data: spoiler alert, if you Google the dog’s name you can find the handler. There’s more to it than that, but ICO explains it properly.
You can disagree with it, either on the DP basis that the dog’s name wouldn’t identify the handler (for the record, I’m persuaded by the ICO that it would), or because you think the data should be disclosed. I need to think about that.
The Tribunal decision makes no attempt to explain itself and so is unconvincing, deserving the place in DP lore that it may end up in. The ICO decision is detailed and coherent, and thus much more persuasive. Different audiences need varying detail, but you've got to offer something.
The Department for Business, Energy & Industrial Strategy recently published a privacy notice covering their intention to gather data related to gas and electricity consumption. Data gathered includes the meter number and postcode of the house, plus the level of consumption.
This is, by any standard, a vast data grab, covering millions of households. Although the purpose of the scheme is the Energy Price guarantee, there are huge risks here. Energy consumption can tell you an enormous amount about how a household behaves.
I made an #FOI request to DBEIS to dig into the background. In particular, I wanted to see the #DPIA that DBEIS must have carried out to get as far as publishing a privacy notice about the scheme and whether they’d discussed the project with @ICOnews.
Instead of a post today, I have a request for your assistance and a plug. The request for assistance is for the best, most authoritative definition of personally identifiable information (PII) - what is it, and where does it come from.
I've seen a few examples over the years but none of the ones I can currently find seem like *the* definition. Maybe there isn't one, it's just an industry term with no real basis, but I don't want to make that assertion.
Don't tell me what you think the definition is; I can do that myself. Give me a source or tell me where I might find it.
The point of me asking will become clear in an upcoming post / series of posts.
In Manchester, we have a brown bin for bottles, cans and assorted other recyclables. They collect it every other Tuesday, and fortunately, next week is brown bin week. I say fortunately, because mine is full.
Friends, it’s brimming. The whole thing is loaded with 2L bottles of Frosty Jack cider and a variant of Strongbow that comes in purple cans. There’s a bunch of Stella cans, a brace of Carling, and tins of something called Hollandia that looks like a fake brand from a soap opera.
Anyone rooting around in my brown bin would think that I had either had a ‘things teenagers drink in the park’ themed party, or I am a raging alcoholic. But neither of these things are true.
Having seen a few posts about director liability and data protection, I thought it would be worth setting out how it works and how the ICO would prosecute a director for their company’s UK #GDPR misdeeds.
Put simply, they can’t.
Section 198 of the UK DPA says if “an offence under this Act has been committed by a body corporate” and it can be proved that it happened with the consent or connivance or because of the neglect of a director (or similar), they are liable to be prosecuted.
This section doesn’t apply to any contraventions of the UK GDPR, only to *offences* set out in the UK DPA. The offences themselves are a mixed bag, ranging from obtaining personal data without the authorisation of the controller to unauthorised reidentification.
If you’re a dinosaur like me, you’ve seen certain issues come around again and again, with different people coming at them with different perspectives. When I was a boy, the use of live data for testing systems or training was generally unacceptable.
There are ways to avoid it – you might take real data and anonymise it (a risk in itself but much better than letting staff loose with the live stuff), or you might create fake data from scratch (safer but more laborious).
Either way, the risk of making real data available to staff who didn’t need to see it or exposing it inadvertently was too great. The same went for testing things using a live system; you didn’t do it. The alternatives were being rejected because they were time-consuming.
An individual used the #FOI website What Do They Know to ask @ICOnews about complaints made about the Met Police; effectively, they wanted to know how many of the complaints were upheld. The info was disclosed, but the response also contained an interesting statement. (1/7)
The ICO reply said: “Please keep in mind that there is no requirement to produce a formal decision in data protection cases such as the Decision Notices issued in FOIA ones.” whatdotheyknow.com/request/795467… (2/7)
There’s a solid argument that this is true – there isn’t a line in the Data Protection Act 2018 which is as unambiguous as S50(2) of the FOI Act (the Commissioner “shall” make a decision unless certain conditions are met). (3/7)