Re postcodes, there's this from the ICO...
<http://www.ico.gov.uk/foikb/PolicyLines/FOIPolicyAnonymisingpostcodes.htm>
I'm sure that I've previously read somewhere that omitting the last part of
the "inbound" part was sufficient.
e.g. For "BS8 1UD" (my work postcode), "BS8 1" would be sufficiently
anonymous.
Cheers,
Richard
--On 10 January 2013 14:31 +0000 Simon Howarth
<[log in to unmask]> wrote:
> I always advise that the entire postcode should be considered personal
> data unless it can be satisfactorily proven otherwise. There are a great
> many rural postcodes that have only one or two abodes which means that
> identification is made easy. Even with half a dozen houses in a road, you
> have to be sure that there are enough people that small numbers does not
> come into play. It all amounts to disproportionate effort in most cases.
>
>
>
> In the case of my example "SH" - Michael is right that it could be
> personal data. However, the example was meant in isolation and may well
> be a bad one, don't let that red herring deflect from the real question.
> Sorry for my lack of exampular (new word? You heard it here first)
> thought.
>
>
>
> Simon.
>
>
>
>
>
> From: This list is for those interested in Data Protection issues
> [mailto:[log in to unmask]] On Behalf Of Ray Cooke
> Sent: 10 January 2013 11:42
> To: [log in to unmask]
> Subject: Re: [data-protection] Addresses being personal data
>
>
>
> On the post code issue. I had to consider release of a spreadsheet
> containing answers to survey questions with postcodes but no names.
>
>
>
> So I did some checks myself and found that just using an unsophisticated
> internet search, without subscribing to any service, it took me about 20
> minutes to identify a postcode with only two addresses and from that to
> identify the individual who had been surveyed and tie that identity to a
> whole host of their personal data.
>
>
>
> I declined to release the data on the basis that the postcodes could
> identify specific individuals.
>
>
>
>
> Ray Cooke
> Information Compliance Officer
> Oxford Brookes University
> Oxford Brookes Information Solutions
> Headington Campus
> Gipsy Lane
> Oxford, OX3 0BP
>
> tel: +44 (0)1865 484354 <tel:%2B44%20%280%291865%20484354>
> fax: +44 (0)1865 483330 <tel:%2B44%20%280%291865%20483330>
>
> www.brookes.ac.uk
>
>
>
> On 10 January 2013 10:27, Grimbaldus <[log in to unmask]> wrote:
>
> Taking Simon's argument further, if it is obvious from the content of the
> email that "SH" is Simon Howarth, perhaps by reference to an activity
> performed by Simon, then that email surely constitutes Personal Data.
>
> This discussion begs a number of related questions:
>
> 1) If the subject refers to "SH" and it is (as) obvious from other emails
> in the thread that this is Simon, does that email not constitute PD?
>
> 2) In such a situation, does the entire thread constitute PD?
>
> [Subject, of course, to the mainstream tests.]
>
> It will probably be necessary to read each email to determine this, which
> leads to question (3).
>
> 3) I have a situation at the moment where the Data Subject, an
> ex-employee, has requested those Personal Data in emails, including
> emails sent and received by themselves. Their Inbox and Sent mailbox
> contain over 10,000 emails. Because of limitations in the configuration
> of the email system itself, it is impractical to search through this
> number for the myriad content /subject references. The emails are likely
> to contain
> commercially-sensitive information which is not PD, and which we would not
> wish to supply. Further, the emails contain innumerable references to
> other parties.
>
> My current thoughts range among:
>
> a) inviting the DS in to read the file, with the stipulation either that
> notes cannot be taken or that any notes must be vetted before being taken
> away.
>
> b) claiming an exemption to supply under s8(2) by reason of
> disproportionate effort;
>
> c) asking the DS to identify the correspondents with whom their PD would
> have been included in emails (e.g. HR), but that would have to be named
> individuals or specific mailboxes. In and of itself, this raises an issue
> of identifying an email from DS to another (or vv) in which some 'of the
> moment' biographical data was cited, e.g. "I'm in the office now if you
> want to call."
>
> Has anyone faced this challenge and what did ('would' for those who
> haven't) you do?
>
> Interestingly, the advice on disproportionate effort given by the ICO
> Helpline followed Durrant,
> /Ezsias/Elliott rather than the Code of Practice and established ICO
> interpretation of s8(2).
>
> 4) Staying with addresses, but turning to postal ones, what of a Post
> Code? Clearly, in the vast majority of instances a Post Code is not PD,
> but it could refer to a single property with single occupancy. An LA
> might be able to identify that situation, but it is highly unlikely that
> (say) a retailer will have such information in their possession, or even
> be able to get it.
>
> So, to borrow a phrase, does the panel think that any Post Code need not
> be treated as PD *if* the Data Controller has no (easy) way to confirm the
> number of properties covered and the occupancy of those?
>
> It is clear from the posts on here that there is a world of difference
> between the ordered, detailed information held by public sector bodies
> about their 'customers' and the less-ordered, and variably dimensioned and
> formatted data held about customers in the retail sector.
>
> Many thx - Michael
>
>
> <snip>
>
> _____
>
>
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> All archives of messages are stored permanently and are
> available to the world wide web community at large at
> http://www.jiscmail.ac.uk/lists/data-protection.html
> If you wish to leave this list please send the command
> leave data-protection to [log in to unmask]
> All user commands can be found at
> http://www.jiscmail.ac.uk/help/commandref.htm Any queries about sending
> or receiving messages please send to the list owner
> [log in to unmask]
> Full help Desk - please email [log in to unmask] describing your
> needs To receive these emails in HTML format send the command:
> SET data-protection HTML to [log in to unmask]
> (all commands go to [log in to unmask] not the list please)
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>
>
Richard
http://www.bris.ac.uk/infosec
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are
available to the world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html
If you wish to leave this list please send the command
leave data-protection to [log in to unmask]
All user commands can be found at http://www.jiscmail.ac.uk/help/commandref.htm
Any queries about sending or receiving messages please send to the list owner
[log in to unmask]
Full help Desk - please email [log in to unmask] describing your needs
To receive these emails in HTML format send the command:
SET data-protection HTML to [log in to unmask]
(all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
