Tuesday, 14 July 2009

Make IP address “personal data” & “reclaim privacy” by giving more info?

“IP Addresses, Reference Numbers, URLS and the UK’s Data Protection Act 1998”, a July 2009 paper by data protection specialist Dr Chris Pounder, suggests that:

“There is now a simple test of whether or not certain information linked to an IP address, reference number or URL is personal data. If the individual user concerned provides the necessary identifying information, then the data ARE personal data. If sufficient individual users each provide the necessary identifying details, then the data linked to ANY individual should be considered to be personal data.

… there is a simple mechanism that can be used by any individual user to transform information such as an IP address or URL into personal data. All the individual needs to do is provide the relevant identifying information to the service provider (e.g. name, IP address, date, time of use of service etc), preferably accompanied with a complaint of substance about the processing..”

In other words, to quote his blog post:

“…any individual users can, at any time, seek the protection of a data protection regime by providing the necessary identifying details [i.e. name, address and IP address you used] to any organisation that stores their IP address or URL.”

His article even includes in Appendix B the text of a standard form email which individuals could write to providers (including to Google in relation to Street View).

Via law firm Pinsent Masons’ tech law site Out-Law.com - which interestingly didn’t comment on the paper or give their own views on the subject. (Dr Pounder is ex-Pinsent’s, I notice.)

See also Out-Law’s own March 2008 note on IP addresses and the Data Protection Act, where they say:

“…In the hands of an ISP an IP address becomes personal data when combined with other information that is held – which will include a customer's name and address. In the hands of a website operator, it can become personal data through user profiling… If you wish to use IP addresses to identify or build a profile on each of your visitors as an individual, even if they are never identified by name, you should assume that the Data Protection Act applies…”

Now I’m not sure myself about what Dr Pounder says as I haven’t started studying data protection law yet and I haven’t digested the paper properly. Giving even more information to restrict the use of your information?

I know I can already take these steps to preserve my privacy if I want to, anyway:

And indeed, as my Gmail account email address is my name, or rather a common abbreviation of it, couldn’t you say that Google already knows who I am as an identifiable individual?

It would be interesting to know if others agree with Dr Pounder’s views.

©WH. This work is licensed under a Creative Commons Attribution Non-Commercial Share-Alike England 2.0 Licence. Please attribute to WH, Tech and Law, and link to the original blog post page. Moral rights asserted.