Overlooked - Liberty
120 Overlooked: Surveillance and personal privacy in modern Britain
by virtue of S.10 DPA. While S.10 seems to provide further protection under the DPA, it also serves to again demonstrate how data sharing practices have outstripped protections. The Act caters for situations where the processing of a particular piece or pieces of information cause harm to an individual, where they are aware of that harm and are able to request that the processing not take place. This does not match up to the mass processing reality of 2007.
At the heart of a response to these changes in data processing culture should be a significant strengthening of the power and ability of the ICO to regulate the notification process effectively. Notification needs to be more about regulation than about administration. The ICO needs to be able to determine in advance whether processing might constitute ‘assemble’ processing and take action to prevent it. The ICO needs to be capable of limiting processing purposes, of making decisions on societal rather than individual impact of what might constitute damage or distress, and of strict interpretation of what constitutes excessive processing for purpose. In order to make any of these changes effective, the Information Commissioner needs to be given effective enforcement power to prevent any processing he considers to be incompatible with data protection principles.
Concerns over the effectiveness of the DPA also arise from the definition of ‘personal data’. This definition impacts upon the scope of processing regulated by the DPA. The DPA defines ‘personal data’ as:
‘data which relate to a living individual who can be identified –
(a) from those data, or
(b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller’ 233
Meanwhile the definition set out in the EU Data Protection Directive states:
‘‘personal data’ shall mean any information relating to an identified or identifiable natural person (‘data subject’); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity’ 234
The Articles in the directive are preceded by a series of explanatory ‘recitals’. Recital 26 states:
‘Whereas the principles of protection must apply to any information concerning an identified or identifiable person; whereas, to determine whether a person is identifiable, account should be taken of all the means likely reasonably to be used either by the controller or by any other person to identify the said person; whereas the principles of protection shall not apply to data rendered anonymous in such a way that the data subject is no longer identifiable’ (emphasis added) 235.
The definition of personal data in the DPA is, therefore, more restrictive than that allowed for in the Directive. The DPA bases the definition of personal data as relating to a living individual identifiable from the data itself or from other information held by the data controller. The Directive is more expansive by allowing the definition to include data identifiable by the controller or any other person.
233 Section 1(1).
234 Ibid 87 at Article 2(a).
235 Ibid 87 Recital 26.