My last article on privacy and data protection in the workplace (read here) generated a lot of opinionated buzz, home and abroad, to such an extent that, I thought of doing a follow-up article but this time, on the meaning and scope of the term “personal data” which remains the nub of protection offered by the various data protection laws and regulations universally.
Regrettably, to my mind, not-so-much perspectives have been drawn from the provisions of the NDPR on meaning and latitude of the term “personal data” as far as privacy and data protection considerations are concerned.
The European Commission has given an inexhaustive list of examples of personal data thus:
• a name and surname;
• a home address;
• an email address such as firstname.lastname@example.org;
• an identification card number;
• location data (for example the location data function on a mobile phone);
• an Internet Protocol (IP) address;
• a cookie ID;
• the advertising identifier of your phone;
• data held by a hospital or doctor, which could be a symbol that uniquely identifies a person.
But according to CNIL (an independent French administrative regulatory body whose mission is to ensure that data privacy law is applied to the collection, storage, and use of personal data.):
“Personal data are any anonymous data that can be double checked to identify a specific individual (e.g. fingerprints, DNA, or information such as “the son of the doctor living at 11 Belleville St. in Montpellier does not perform well at school”).”
Although this perspective is arguable because anonymized data are not contemplated or protected by the NDPR or GDPR but the example used appears pseudonymised rather than anonymised.
In providing further guidance to stakeholders on what constitutes personal data, the Cloud services company Boxcryptor provides a list of things that could be considered personal data, either on their own or in combination with other data in their intervention titled “What is Personal Data? Simple examples from everyday life” as:
(1) Biographical information or current living situation, including dates of birth, social Security numbers, phone numbers and email addresses.
(2) Looks, appearance and behaviour, including eye colour, weight and character traits.
(3) Workplace data and information about education, including salary, tax information and student numbers.
(4) Private and subjective data, including religion, political opinions and geo-tracking data.
(5) Health, sickness and genetics, including medical history, genetic data and information about sick leave.
However, by the definition provision under article 1.3 (xix), the NDPR defines personal data as:
“any information relating to an identified or identifiable natural person (‘Data Subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person; It can be anything from a name, address, a photo, an email address, bank details, posts on social networking websites, medical information, and other unique identifier such as but not limited to MAC address, IP address, IMEI number, IMSI number, SIM, Personal Identifiable Information (PII) and others”
Data subject’s name as personal data
So, from the seemingly expansive definition of personal data above, its crux lies in “unique identification” of data subject and that brings us to the vexed question as to whether a person’s name simplicita, is necessarily a unique identifier in the light of court decisions that, no man has an exclusive right to his/her name.
Since the NDPR is fashioned wholly or partially after the GDPR, we cannot shy away from drawing inspiration from perspectives under it. That having said, the Information Communication Office (ICO) – United Kingdom’s independent body set up to uphold information rights- states on its website that:
“A name is perhaps the most common means of identifying someone. However whether any potential identifier actually identifies an individual depends on the context.”
Taking it further, IT Governance (a leading global provider of cyber risk and privacy management solutions, with a special focus on cyber resilience, data protection) wrote in its article titled “The GDPR: what exactly is personal data?” thus:
“You might think that someone’s name is as clear an example of personal data as it gets; it is literally what defines you as you. But it’s not always that simple, as the UK’s Information Commissioner’s Office explains:
“By itself the name John Smith may not always be personal data because there are many individuals with that name. “However, where the name is combined with other information (such as an address, a place of work, or a telephone number) this will usually be sufficient to clearly identify one individual.”
However, the ICO also notes that names aren’t necessarily required to identify someone:
“Simply because you do not know the name of an individual does not mean you cannot identify [them]. Many of us do not know the names of all our neighbours, but we are still able to identify them.”
Bringing this home, the decision in Offoboche v Offoboche (2006) 13 NWLR (Pt. 997 P.298 at 304 para. E and 306 para. B. where the Court of Appeal held that:
“No person, group of persons or family has a monopoly of names. Persons have unrestrained liberty to pick and choose names that please them…No legislation in Nigeria restricts a person to a fixed number of names. In effect, even if names are identical or the same, no person in Nigeria has a legal right to restrain another person from answering or bearing those names.”
Later in the decision in Banjoko v Ogunlaja (2013) LPELR – 20373 (CA) the same Court of Appeal held that:
“No name has been ascribed to belong exclusively to any particular person, group of persons or family. I am not yet aware of any legislation to that effect in Nigeria. In my considered but humble view, anybody who fancies a name or title for whatever reason is free to adopt same. Even within the same family, the same name is used by different members of the same family, as often as the members of the family want or others outside the family as they desire.”
Conclusively on this, it is the writer’s opinion that one’s name may not necessarily constitute personal data if same is not unique to him in the context of processing.
Company registration number
Although the European Commission states that company registration is not considered a personal data, this writer thinks that such a blanket waiver betrays the principle of unique identifier and context of identification and/or processing.
It may be favourably argued that, where a person’s identity and other personal data are linked to his/her company’s registration number, then it may necessarily follow that, an unlawful processing of such company registration number will impact on the person’s privacy and data protection rights.
If personal data refers to information that identifies a data subject, then one would think that such category ought to be open and broad once it passes the test. The Intersoft Consulting, a European consultant on data protection put it thus:
“Since the definition includes “any information,” one must assume that the term “personal data” should be as broadly interpreted as possible. This is also suggested in case law of the European Court of Justice, which also considers less explicit information, such as recordings of work times which include information about the time when an employee begins and ends his work day, as well as breaks or times which do not fall in work time, as personal data. Also, written answers from a candidate during a test and any remarks from the examiner regarding these answers are “personal data” if the candidate can be theoretically identified. The same also applies to IP addresses. If the controller has the legal option to oblige the provider to hand over additional information which enable him to identify the user behind the IP address, this is also personal data. In addition, one must note that personal data need not be objective. Subjective information such as opinions, judgements or estimates can be personal data. Thus, this includes an assessment of creditworthiness of a person or an estimate of work performance by an employer.”
It is this writer’s opinion that, for every case, once the data subject is able to justify how such company registration number identifies him/her in every material context, then such will fall under personal data going by its definition as “every information that identifies a data subject”. But like I noted earlier, it is arguable and my position is further reinforced by the words of Rosemary Jay and Angus Hamilton in their book “Data Protection, Law and Practice” Second edition published by Thomson, Sweet and Maxwell in 2003 at page 80 thus:
“The concept of data relating to an individual is very wide. Data can of course relate to more than one person and data on a joint bank account for example, will relate to two persons. There is no necessary exclusivity about data. Personal data are not limited to private or family data nor is there any particular way in which data must relate to an individual. It might be in any aspect of their lives whether their business lives, professional lives or private lives. If an individual is a sole trader then information about his business is likely to relate to him. If he is a partner then partnership data might relate to him although this may depend upon the size and complexity of partnership. Whether or not particular data relates to a particular individual will be a question of fact, dependent largely on as assessment of the proximity of data and the relevance of the data to him.”
On behavioural patterns as personal data, the GDPR EU.org – an online web learning resources for the GDPR puts it thus:
“It gets a bit confusing for “identifiable” persons. A person may be identifiable through direct or indirect means. Let’s look at a John Smith who buys coffee every morning before work at the corner Big Coffee Co. If John pays with a credit card, his card info makes him directly identifiable to the merchant, which means data on his coffee purchasing history (e.g., store location, date & time, amount paid, coffee preference) is personal data, thus entitling him to certain rights and protections. If John pays with cash, he may still be indirectly identifiable if he redeems a targeted coupon that was emailed to his inbox at email@example.com, which can be traced back to his name through John’s blog on different coffee blends. The more indirect the identifiers, the more it may depend on surrounding circumstances to determine whether the information qualify as protected personal information. For instance, we expect the increasingly popular adoption of in-store Wi-Fi tracking technology to be deemed as identifiable. Here, retailers use wifi scanners to “listen” to shoppers’ smartphones as they walk in and around the store, and collect data on variables such as device type, MAC address, whether the same device has been to the store before or not (repeat shopper vs. new), in which section of the store does the shopper spend more time, how many more people come in after a major TV ad campaign, etc. None of this data by itself explicitly identifies an individual, but in combination should qualify as personal data processing given the following two considerations: behavioural analysis and online identification.”
From the graphic illustrations above, it appears clear enough that, the categories and extent of human behavioural patterns that will constitute personal data, are not closed and each case ought to be determined on its own merit. This is further traceable to the NDPR’s use of the sentence “one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person” in the definition of personal data.
Social media post
In his paper titled “Social media and data protection” published in the International Journal on Information Technologies & Security, № 4, 2014, Prof. Radi Petrov Romansky, the Vice Rector of Technical University of Sofia, Bulgaria, states thus:
“The level of privacy in social networking is very different – some networking sites collect limited personal data in the page known as a “profile” (names, birth date, address, phone number), but other sites require additional information about social life, gender, country, hobbies, relationships, etc. These pieces of data personalize the users in major level and the individuals must know the purpose of these data and reason for processing.”
While the GDPR has no such express provision, the NDPR which drew its inspiration from the former, specifically provides for “posts on social networking websites” in its definition of personal data and it is needless to say that, such an intricate example may engender peculiar jurisprudential and factual conundrum when put to test in our courts, especially on the extent of protection.
The NDPR lists “Bank details” as an example of personal data but this writer thinks questions may arise as to whether bank transactions form part of bank details. Lexico.com defines “bank details” as:
“Details such as bank name, account number, etc., which uniquely identify a bank account, and are used when making or receiving a payment, now especially electronically.”
It is however this writer’s opinion that, bank transactions will necessarily contain account number and other details identifying the account holder, hence it will pass the test of personal data under the NDPR.
Telephone Call Data
While the NDPR does not expressly include telephone call data in its definition of personal data, it includes “location data, an online identifier” which are components of telecommunications.
In her article titled “How GDPR Affects Call Recording – Everything You Need to Know”, Dóra Rapcsák – a Hungarian contents strategist and copywriter wrote that:
“…voice files are considered personal data as they can include personal information, such as the caller’s name, address or financial information.”
In further appreciation of the relationship of telephone calls and location data envisaged under the NDPR, Rosemary Jay and Angus Hamilton’s book “Data Protection, Law and Practice” (opcit) comes in handy again, at page 579, the learned duo write thus:
“The development in technology and the expansion in the number of operators have led to particular pressure on personal privacy; location data is available from mobile telephones; directory services are no longer the province of dominant operator and co be offered in a range of ways: “cookies” can track web usage, caller line identification has enabled those called to see the number from which they are being called.”
Since a subscriber’s call data identifies him together with his location, then it is our unassertive opinion that such data will safely pass for personal data under the NDPR.
I will safely conclude here, on the elasticity of definition and scope of personal data, with a portion of the introductory text of a paper titled “The law of everything. Broad concept of personal data and future of EU data protection law”, where Nadezhda Purtova, as associate professor from the University of Tilburg writes thus:
“The concept ‘personal data’ determining the material scope of data protection is meant to be broad but is bound to expand even further and as a result to apply to an exponentially growing range of situations. This is due to the in-built possibilities for the evolving interpretation of the concept itself, exploding generation and aggregation of data, as well as advances in data analytics. As our environment is rapidly approaching what some call ‘onlife’ where our daily existence is mediated by information technology, everything in this environment – weather, waste water, exam scripts – is being increasingly ‘datified’, and literally any data can be plausibly argued to be personal.”
I completely agree with the learned “professor of data protection” on the broad realm of personal data and I have nothing more to urge!.
Olumide writes from Lagos, Nigeria