Information Commissioner's Office
Personal data in leaked datasets is still personal data
Blog posted by: Simon Rice, Group Manager for Technology on August 21, 2015.
They say ‘no publicity is bad publicity’, but after spending most of the week trending on Twitter, I wonder if the users of the Ashley Madison site might disagree.
Having already prompted a flurry of news stories when the online attack of the Ashley Madison servers was first revealed, this week we’ve seen another wave of coverage as the personal data was published online.
Wherever your sympathies might lie in relation to the people identified in the published data set, the fact remains that such details are personal information, with certain protections in law.
Like many online attacks, the data protection response is international. In this case, we’re liaising with our counterparts in Canada, where the company is based.
But with cases like this, there is still a domestic aspect to consider.
Anyone in the UK who might download, collect or otherwise process the leaked data needs to be aware they could be taking on data protection responsibilities defined in the UK’s Data Protection Act.
Similarly, seeking to identify an individual from a leaked dataset will be an intrusion into their private life and could also lead to a breach of the DPA.
Individuals will have a range of personal reasons for having created an account with particular online services (or even had an account created without their knowledge) and any publication of further personal data without their consent can cause them significant damage or distress.
It’s worth noting too that any individual or organisation seeking to rely on the journalism exemption should be reminded that this is not a blanket exemption to the DPA and be encouraged to read our detailed guide on how the DPA applies to journalism.
This is not the first time an online service has suffered such an attack and unfortunately it’s unlikely to be the last. But it’s important people don’t assume that the law and the protections it affords to UK individuals don’t apply online.
Have your details been published in a dataset?
If you find your personal data being published online then you have a right to go to that publisher and request that the information is removed. This applies equally to information being shared on social media. If the publisher is based in the UK and fails to remove your information you can complain to the ICO.
Latest News from
Information Commissioner's Office
Blog: Information Commissioner looks ahead to 202126/01/2021 10:25:10
Blog posted by: Elizabeth Denham, 25 January 2021.
Blog: Maintaining data flows for a digital world25/01/2021 15:38:00
Information Commissioner Elizabeth Denham looks at the data protection aspects of the recently agreed UK-EU trade agreement.
Adtech investigation resumes25/01/2021 12:25:00
Simon McDougall, ICO Deputy Commissioner – Regulatory Innovation and Technology recently commented on Adtech’s investigation.
ICO supports innovative data sharing projects to protect vulnerable people21/01/2021 12:33:00
The ICO Sandbox has selected three innovative data sharing services aimed at helping those who are vulnerable to online gambling harms, supporting ex-service men and women get the care they need, and a platform to help fight against cyber-criminals.
ICO and National Privacy Commission, Philippines, sign Memorandum of Understanding14/01/2021 12:25:00
UK Information Commissioner, Elizabeth Denham, and her counterpart in the Philippines, Commissioner and Chairman Raymund Enriquez Liboro (NPC), yesterday signed a Memorandum of Understanding (MOU).
Motor industry employee sentenced in ICO Computer Misuse Act prosecution08/01/2021 16:15:00
A motor industry employee has been sentenced to eight months' imprisonment, suspended for two years, in a prosecution brought by the Information Commissioner’s Office (ICO).
ICO statement in response to UK Government’s announcement on the extended period for personal data flows, that will allow time to complete the adequacy process29/12/2020 09:15:00
The Government has announced that the Treaty agreed with the EU will allow personal data to flow freely from the EU (and EEA) to the UK, until adequacy decisions have been adopted, for no more than six months.
Update to the joint statement on global privacy expectations of video teleconferencing companies24/12/2020 13:20:00
On 21 July 2020 the Information Commissioner’s Office (ICO) and five other data protection and privacy regulators from around the world jointly signed an open letter to companies providing video teleconferencing services.