#97

One of the things that fascinates me about privacy law is the concept of a "filing system". GDPR is clear that its material scope applies only to "processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system." Recital 15 elucidates, "Files or sets of files, as well as their cover pages, which are not structured according to specific criteria should not fall within the scope of this Regulation."

When I was taking a training seminar for my CIPP/E certification, I learned that not all personal data can be processed. A random business card or a Post-It note attached to a computer, though containing personal data, is generally unstructured data, and cannot be the subject of processing.

Although the DPA defines what a filing system is (as a set of information structured either by reference to individuals or by reference relating to individuals in such a way that specific information relating to a particular person is readily accessible), reference to it in the law only appears in the data subject's right to blocking and erasure. The Implementing Rules and Regulations to the law, on the other hand, do state that "processing may be performed through automated means, or manual processing, if the personal data are contained or are intended to be contained in a filing system." It is unclear from this provision whether the permissive "may" applies to "automated or manual processing" or to the fact that personal data may or may not be contained in a filing system.

What exactly is structured data? Both GDPR and the DPA denote that a set of information is considered structured if you can access data through specific criteria (the DPA specifies that the criteria must be by reference to individuals or relating to individuals). Does this mean that one-off personal data that does not form part of a filing system cannot be the subject of processing? For example, is a single ID a filing system (since it does have several categories like "Name", "Age", "Birth", etc.), or is there a need for multiple IDs to be considered as a filing system?

How about CCTVs? The NPC certainly considers CCTV footage as information that can be the subject of processing, but what about CCTVs can be considered a filing system? Can you retrieve personal information from a CCTV by reference to an individual, or are you just fast-forwarding through the footage to find a particular person? That does not seem like a filing system, unless the CCTV footage is structured after the fact or your CCTV is advanced enough to categorize recorded persons by face or other parameters.

This can be a boon for defense lawyers. Saying something is not structured data and outside the scope of the DPA can be a good play. It's a bold strategy, Cotton. Let's see if it pays off for 'em.

