The UK GDPR defines personal data as any information which relates to a living individual who can be identified or is identifiable from that information. There is no definitive list of what constitutes personal data. However a recent ICO case highlights just how wide this can be. In this blog, we look at how the ICO came to the decision that a name of a dog could lead to the identification of a human.

The question for the ICO

This particular ICO decision arose under the Freedom of Information Act 2000 (the "FOIA"), in relation to a request submitted to the Avon and Somerset Constabulary (the "ASC") about an incident involving the serious injury of a member of public by a police dog. The request asked for several pieces of information including the name of the particular dog, name of the dog's handler, and the dog's police records, notes, training records etc. Although the decision looked at the ultimate question of whether the ASC had properly complied with the FOIA, the focus of our analysis will be on the ICO's interpretation of personal data in relation to the exemption relied upon by the ASC under section 40(2) of the FOIA to withhold the requested information.

What is personal data?

The information in question that the ASC sought to apply the personal data exemption to was the name of the dog who had been involved in the incident. The primary argument put forward by the ASC is that disclosing the name of the dog would indirectly identify the dog handler, therefore falling within the definition of personal data in section 3(2) of the UK GDPR.

The ICO was asked to determine whether the information constituted personal data, and in doing so drew attention to the nature of personal data as defined in the legislation, being information which relates to a living person and which identifies that person, either directly or indirectly.

The ICO's decision

On the point of the dog's name, the ICO accepted that the information requested did relate to the dog handler in question and that it could identify them, albeit indirectly.

In coming to this conclusion, the ICO outlined that it was important to consider all means that may reasonably or could likely be used to identify an individual. In this case, the ASC said that web searches of the dog's name revealed the name of its handler, which the ICO was able to replicate and confirm.

Conclusion

Due to this ability and means to identify the dog handler, a living individual, via the dog's name alone, the ICO was satisfied that the dog's name fell within the definition of 'personal data' and the ASC was able to rely upon the exemption in the FOIA. It was also considered that even if the name was not in the public domain, colleagues within the ASC internally would know who the handler was if the dog's name were disclosed.

It should be noted however that all other information relating to the dog itself was not capable of identifying the dog handler, and therefore considered not to be personal data.

Comment

The ICO's view in this case is based on a very specific set of facts. Despite some media reporting to the contrary, the ICO did not say that a pet name is automatically personal data. However, the case is a helpful reminder that determining whether information is personal data can be complex.

If information not only relates to an individual but is also capable of identifying that individual, then there is the potential that it is classed as personal data. Additionally, the decision highlights how information need not directly identify the individual to constitute personal data, as indirect identification is prominent in determining what is or not personal data.

As a result, what constitutes personal data always needs to be determined on a case-by-case basis. In this decision, the animal's name was unique to the dog handler and that handler would also be known to be an employee of the ASC.

Organisations should therefore be cautious and ensure they properly review whether information might inadvertently identify a specific individual. This is particularly so when dealing with requests for information under freedom of information law or other disclosures of seemingly innocuous information. Similar issues apply when considering the effectiveness of redaction of information - for example, information relating to third parties in a response to a data subject access request.

If you would like to discuss anything raised in this blog or have queries on the classifying and processing of personal data, please get in touch with our data protection team.

Contributors

Rachel Lawson

Associate

Martin Sloan

Partner

Simren Kooner

Trainee Solicitor