Another day, another data protection story in the news.
Spinvox provides a novel service which claims to use automated technology to convert voicemails into SMS texts or emails. Its entry in the Information Commissioner’s register of data controllers states that in doing this it will not transfer any personal data outside the EEA.
Spinvox has become unstuck over allegations that some of the messages are converted to text by humans (not computers) in call centres outside the EEA. Spinvox claims that such messages are anonymised (by removing identifiers such as the email address and mobile number). However, there are further claims that some of those messages processed by the call centres contained commercially sensitive and personal information, which allow the user of the service (and others) to be identified.
Whether or not Spinvox is actually in breach of the Data Protection Act (DPA) and its notification to the Information Commissioner is unclear. What the story does demonstrate, however, is that you cannot assume that simply removing external identifiers (such as email addresses and mobile numbers) is enough to anonymise the data and take it outside the ambit of the DPA – the content of the information may itself be inherently “personal”.
The story also emphasises the importance of data controllers ensuring that their notifications to the Information Commissioner and privacy policies are correct and up to date and give users true transparency over how their data will be processed – for example, explaining to users that their information may be transferred outside the EEA for processing and explaining the steps that the data controller will take to to keep that information secure.
On July 23, 2009