Stop the bus!

My two-part scenario featuring ‘Asif’ was real. I changed details, but an employee whose image was used in a web-based promotional campaign really was told that it was contractually necessary. They pushed back with a better data protection argument and the employer subsequently recognised that they had been given bad advice. They learned some lessons and ‘Asif’ was content with the ultimate outcome.

I used some storytelling magic for part two: the first person’s image didn’t end up on a bus. In a separate case, a person objected when their face ended up on the back of a bus as part of a promotional campaign. The organisation received external advice that GDPR didn’t apply.

I was on the periphery of the first case. The bus story was told to me by the person whose face ended up on the back of it, a while after it happened. They didn’t know what to do and let it drop. There are some common threads - images used without a proper justification, advice from an outsourced company – but I knitted them together.

No regulator or court ever looked at the bus question; an outsourced DP company gave advice and the individual didn’t challenge it. I’ve thought about it for a while, though that doesn’t mean I have the right answer. But I have an answer.

I don’t think the bus advert is covered. The UK GDPR applies to two sorts of information: data processed wholly or partly by automatic means, or data that “forms part” of a filing system. The data in question is the printed version of the person’s face – not the electronic image from which it was derived. These are two distinct pieces of data.

I might have got that wrong.

The fact that the printing process might (I won’t go further than that) count as data being processed automatically doesn’t give a permanent automatic marker on a physical print out. It is not being processed automatically now, so I don’t think that part applies.

I might have got that wrong.

I don’t believe that a fleet of buses meets the definition of a filing system, even if you knew which buses held which image. It’s a fleet of buses, not a structured system for storing data. 

I might have got that wrong.

But in each case, I don't think I did. and I don't think my ultimate answer is wrong because it means that Asif can't get his face taken off the bus. The GDPR is not a universal wish-granting machine for individuals. It's a piece of law that balances the rights of individuals and organisations. Unstructured data is generally not covered because if it was, that would be incredibly time-consuming and expensive for controllers.

There is a court case that Jon Baines reminded me of that backs this up to some extent, but I didn’t remember it until yesterday so I’m not going to use it in my defence. There could be another one that proves me wrong.

The most important point for me is that I think I came to this answer in the right way even if it turns out I didn't do enough research and got it wrong. I asked: ‘is an image printed on a bus covered by GDPR?’. Even if I've answered that question incorrectly, I can live with that because I started from the right place. You can't be right every time but you can always start from the right place.

What a DPO or DP practitioner shouldn’t do is say ‘an image printed on the back of a bus must be personal data, because if it isn’t, that leads to a bad outcome, so how can I get to the outcome where it is?’ This kind of motivated reasoning doesn’t always lead you to the wrong answer, but I think it’s more likely to.

The GDPR isn’t intended to cover all data. If it was, Article 2 would be different. Unstructured data would be covered. But it’s not a mistake that it’s not. It’s a decision taken by those who drafted it. Some data is covered, some is not.

The only question is whether I have correctly worked out where this data falls, but I am convinced that where you want it to be isn’t a relevant consideration in the context of answering this question.

I am content with my answer for two reasons: first, I think it’s correct but second, it’s an answer to the question I asked. I didn’t ask for a solution to the problem: I asked if ‘Dial A DPO’ had interpreted GDPR correctly. I think they did.

Of course, some readers will object: it’s not fair if Asif can’t get his face taken off the bus. There's a whole post I didn't write about data ethics. But in this real case, the employer cared more about the bus company’s penalty than doing the right thing anyway. Sometimes, that’s how things play out. I would have advised the employer to pay the bus company's penalty to avoid annoying their employee and facing problems down the line. But as far as I know, nothing happened. The person who told me the story was still working at the same place.