The point about the IP address identifying the ISP is an interesting one, because the rebuttal of a complaint to the ICO used this in part.
The issue concerned a complaint from individual #1 that my client had sent marketing emails to his email address when he had opted out.
Investigation showed that individual #2 had provided that email address (and the same postal address and home telephone number) some two years prior to individual #1's supply (and had consented to marketing by email).
The domain name in the email address was that of a UK ISP. The original communication from individual #2 and the later communication from individual #1 came from the same IP address and the address fell in the block allocated to that ISP.
It was my belief that my client was entitled to rely on the first supply as a justification for sending the marketing email.
The ICO differed, finding it of import that the email address was the name (with a minor difference) of individual #1 and nothing like individual #2's name and therefore "on the balance of probabilities" the email address was that of individual #1. He advised that my client should contact individual #2 to revalidate his contact details. I facetiously suggested an advertisement in the Times!
My suspicion is that individuals #1 and #2 had most likely been in a relationship that had ended in a less than amicable manner.
[In passing, many of the SARS and complaints I have dealt with and advised on appear to be from people seeking some sort of "revenge", on an ex-partner, a relative, a colleague, or the Data Controller.]
Regards - Michael Bacon
Grimbaldus Limited
> On 31 Jan 2015, at 16:29, Roland Perry <[log in to unmask]> wrote:
>
> In message <[log in to unmask]>, at 12:48:03 on Sat, 31 Jan 2015, Michael Bacon - Grimbaldus <[log in to unmask]> writes
>> Some real scenarios from retail clients:
>>
>> 1) An account customer (#1) places an order online from home. The retailer's firewall captures the IP address. The stored account details include the customer's name, address, home and mobile telephone numbers and email address. It is easily arguable that the IP address is the customer's Personal Data.
>>
>> 2) The customer's partner, also an account customer (#2), places an order online from home. The retailer's firewall captures the IP address. The stored account details include customer #2's name, address, home and mobile telephone numbers and email address. Whose PD is the IP address now? Both of them or neither of them? It cannot be used as a unique identifier of either one of them, as it will point to both of them.
>
> This is a classic case of the "excluded middle". Sometimes an IP address will be clearly one individual's PD, sometimes it will clearly not be. Then there's all the cases in the middle which "might be". But the only practical way to run your organisation is treat all IP addresses with the same respect and sort out the "who's PD" issue later on a case by case basis.
>
> [snip - more examples]
>
>> These are everyday issues for online and large retailers. I know that they are less of an issue for utilities, and local and central government - where one is more commonly dealing with a *uniquely* identifiable individual assocated with a single address.
>
> For the Internet industry it's an issue of "public" (in published logs, WHOIS databases and so on, where in many cases there might be some mileage in getting informed consent) IP addresses are, and whether they need to be treated under DPA law when requested by law enforcement etc.
>
> I note, for example, that my previous posting included the following in one of the header lines (in a sense "logged by my email provider Gradwell and then published by the JISCMAIL system"):
>
> Received: from 5751e95f.skybroadband.com (HELO perry.co.uk)
> (87.81.233.95)
>
> The latter of course being my static IP address which certainly identifies the household, if not myself. It also reveals who my connectivity ISP is, but knowing that doesn't really help identify me, but just might say something about my choice of supplier (which stretching the analogy a bit is for some almost a religious matter).
> --
> Roland Perry
>
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> All archives of messages are stored permanently and are
> available to the world wide web community at large at
> http://www.jiscmail.ac.uk/lists/data-protection.html
> If you wish to leave this list please send the command
> leave data-protection to [log in to unmask]
> All user commands can be found at http://www.jiscmail.ac.uk/help/commandref.htm
> Any queries about sending or receiving messages please send to the list owner
> [log in to unmask]
> Full help Desk - please email [log in to unmask] describing your needs
> To receive these emails in HTML format send the command:
> SET data-protection HTML to [log in to unmask]
> (all commands go to [log in to unmask] not the list please)
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are
available to the world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html
If you wish to leave this list please send the command
leave data-protection to [log in to unmask]
All user commands can be found at http://www.jiscmail.ac.uk/help/commandref.htm
Any queries about sending or receiving messages please send to the list owner
[log in to unmask]
Full help Desk - please email [log in to unmask] describing your needs
To receive these emails in HTML format send the command:
SET data-protection HTML to [log in to unmask]
(all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|