The definition of personal data has always been broad. It can include any information which identifies or relates to a living individual. This can either be directly or indirectly from that information in combination with other information.
A previous ICO (Information Commissioners Office) case highlighted that a dog’s name could lead to an individual’s identity being revealed, and this blog covers what is considered personal data and the importance of reviewing all the data you hold.
What is personal data?
The UK GDPR provides us with a non- exhaustive list of identifiers, which includes your name, identification number, location data, online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
What about your dog’s name?
An ICO decision discussed how, via indirect identification, a name of a dog could lead to the identification of a living individual and therefore be considered personal data.
The Police received a request for information under the Freedom of Information Act (FOIA). The person had been bitten by a police dog during an illegal rave and had incurred a number of injuries. The request included the question:
- “What is the name of the dog?”
The police refused the request under section 40(2) of the FOIA which provides a non-disclosure exemption for personal information, if it is the personal data of an individual other than the requester and where one of the conditions listed in section 40(3A) (3B) or 40(4A) is satisfied.
Following the non-disclosure, a complaint was made to the ICO. The ICO considered whether the withheld information would constitute personal data and if it was, would the disclosure of the data breach any data protection principles.
Even though an individual cannot be directly identified from the information, it may still be possible to indirectly identify them. Knowing the name of the police dog and undertaking a cursory search of the web with the dog’s name also revealed the name of its handler.
The ability to find out the identity of the police dog handler with this secondary identifying information meant that the dog’s name fell within the definition of personal data.
The ICO also confirmed that indirect identification would be the case in respect of colleagues who, even if the dog’s name was not within the public domain, would still know who the handler was. Therefore, the dog’s name was considered personal data that would identify and relate to the handler.
Whilst this is not a new concept, it does highlight that organisations need to look carefully at how they categorise personal data and reinforces that what constitutes personal data should always be considered on a case-by-case basis.
If you need any help in categorising personal data or considering personal data when completing a subject access request or a request under FOIA please contact Eleanore Beard in the Brabners Data Protection team.
