Personal data in leaked datasets is still personal data

By Simon Rice, Group Manager for Technology

Personal data in leaked datasets is still personal dataThey say ‘no publicity is bad publicity’, but after spending most of the week trending on Twitter, I wonder if the users of the Ashley Madison site might disagree.

Having already prompted a flurry of news stories when the online attack of the Ashley Madison servers was first revealed, this week we’ve seen another wave of coverage as the personal data was published online.

Wherever your sympathies might lie in relation to the people identified in the published data set, the fact remains that such details are personal information, with certain protections in law.

Like many online attacks, the data protection response is international. In this case, we’re liaising with our counterparts in Canada, where the company is based.

But with cases like this, there is still a domestic aspect to consider.

Anyone in the UK who might download, collect or otherwise process the leaked data needs to be aware they could be taking on data protection responsibilities defined in the UK’s Data Protection Act.

Similarly, seeking to identify an individual from a leaked dataset will be an intrusion into their private life and could also lead to a breach of the DPA.

Individuals will have a range of personal reasons for having created an account with particular online services (or even had an account created without their knowledge) and any publication of further personal data without their consent can cause them significant damage or distress.

It’s worth noting too that any individual or organisation seeking to rely on the journalism exemption should be reminded that this is not a blanket exemption to the DPA and be encouraged to read our detailed guide on how the DPA applies to journalism.

This is not the first time an online service has suffered such an attack and unfortunately it’s unlikely to be the last. But it’s important people don’t assume that the law and the protections it affords to UK individuals don’t apply online.

Have your details been published in a dataset?

If you find your personal data being published online then you have a right to go to that publisher and request that the information is removed. This applies equally to information being shared on social media. If the publisher is based in the UK and fails to remove your information you can complain to the ICO.

Simon RiceSimon Rice is the Group Manager for the Technology team which provides technical expertise to all ICO departments in order to support the broad range of activities undertaken by the ICO.

Last updated 21/08/2015 17:00

This entry was posted in Simon Rice and tagged , , , , , . Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s