ICO Accepted a Pet’s Name As Its Handlers Personal Data

What Happened?

British Police attended the rave on 31 October at about 10.30pm on the outskirts of Bristol and formed a cordon to prevent more attendees joining before they cleared the event, seized the generator and arrested eight people. The rave reportedly lasted almost 24 hours and attracted several hundred people, according to the Independent, which first reported the dog attack. Jessica Mae Andrew, was severely injured after being mauled by a police dog at an illegal rave in Yate, Bristol. She was hospitalized with serious injuries to her leg and foot, including fractured bones, and required skin and muscle grafts, as well as reconstructive surgery. Police attended the rave to shut it down and seize the generator, and arrested eight people. Andrew took legal action against the police, and Avon and Somerset police have referred the incident to the Independent Office for Police Conduct. Chief Constable Andy Marsh said officers faced violence and missiles, with two organisers receiving £10,000 fines. Campaigners have raised concerns about the increasing use of police force on members of the public during the pandemic.

The name of the Dog

The UK GDPR defines personal data as any information that can identify a living individual. A recent case investigated whether a dog’s name could be considered personal data. The case involved a request for information about a police dog that had caused serious injury to a member of the public. The request asked for the dog’s name, as well as other information. The police argued that disclosing the dog’s name would indirectly identify the dog handler, and therefore fall under the personal data exemption. The Information Commissioner Office (ICO) was asked to determine whether the information constituted personal data and concluded that the dog’s name could identify the handler indirectly, making it personal data. The ICO emphasized that all means that could reasonably identify an individual must be considered. The police’s argument was supported by the fact that web searches of the dog’s name revealed the handler’s name, which the ICO was able to confirm.

Indirect Personal Data

Due to this ability and means to identify the dog handler, a living individual, via the dog’s name alone, the ICO was satisfied that the dog’s name fell within the definition of ‘personal data’ and the ASC was able to rely upon the exemption in the FOIA. It was also considered that even if the name was not in the public domain, colleagues within the ASC internally would know who the handler was if the dog’s name were disclosed.

It should be noted however that all other information relating to the dog itself was not capable of identifying the dog handler, and therefore considered not to be personal data.

A Similar Case

Some commented to this case as tantamount to the dynamic/static IP addresses ruling by the ECJ in the Patrick Breyer case. The European Court of Justice Case C-582/14, Patrick Breyer, was based on a challenge to the German Data Retention Directive. The challenge was based on the fact that the Directive required the retention of dynamic IP addresses, which are the temporary addresses assigned to internet users by their internet service providers during a given session.

The Court ruled that requiring the retention of dynamic IP addresses was a form of data retention and was therefore subject to the same restrictions as other forms of data retention. The Court found that the Directive did not provide for any restrictions on the use of dynamic IP address data, which meant that it was not necessary for the retention of dynamic IP address data to be subject to the same restrictions as other forms of data retention.

The Court also ruled that the Directive was too broad in its scope and did not provide sufficient safeguards to ensure that the data collected was necessary and proportionate to the purpose for which it was collected. The Court concluded that the Directive was in violation of EU law and that it should be amended to provide for more specific restrictions on the retention of dynamic IP address data.

Take Away

In this ICO case, it was determined that the name of a police dog could indirectly identify its handler and therefore be classified as personal data. This does not mean that all pet names automatically qualify as personal data, but rather that it depends on the specific circumstances. Information that relates to an individual and can identify them, whether directly or indirectly, has the potential to be classified as personal data. Therefore, it is important for organizations to review whether seemingly innocuous information might inadvertently identify a specific individual, particularly when dealing with requests for information or when considering redaction of information. Ultimately, what constitutes personal data must be determined on a case-by-case basis.