On Wed, Jun 16, 2004 at 12:03:48AM +0100, davidwyatt wrote:
> I don't dispute an email address should be unique thats an IT system
> perspective. However human error shows this is not always true.
> However giving the drafting of the Act a single item of information on its
> own cannot be personal data (data being plural) so arguing an email address
> is personal data is false. Even a 'name' on its own is not personal data but
> simply a datum. How can a name be proved unique?
Something doesn't have to be unique to be personal data.
My birthday is far from unique, but if I made an SAR to someone who knew
it, I'd expect it to be provided.
There seems to have been some confusion lately of what is personal data,
and what is sufficient data to identify a data subject. These are
obviously two completely different things. Information that is not
unique, on its own, may not be sufficient to identify someone. But taken
with other data in the controller's possession it may be.
So, to continue the example of an email address. If a company gave the
address [log in to unmask] to Mr Fred Bloggs when he worked there between
January 2002 and April 2003, and then gave it to Mr Fred Jones when he
started in July 2003, it would not be sufficient, as part of an SAR to
just examine everything associated with [log in to unmask]
But, as the company should also know, for each Fred, when they had the
email address, they can filter based on that, and provide any associated
data that uncovers.
Tony
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are
available to the world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html
If you wish to leave this list please send the command
leave data-protection to [log in to unmask]
All user commands can be found at : -
http://www.jiscmail.ac.uk/help/commandref.htm
(all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|