Hello, my name is XXXXX XXXXX it is my pleasure to assist you with your question today.
Just to clarify, the copy given to the client contained the names of other visitors?
The sheet was a standard sign in sheet. It had initials and last names on it but no other personal information or company details on. If it was dropped in the street no individual would be able to identify who the names belonged to or where it came from.
OK, thank you, XXXXX XXXXX this with me - I will look into this for you, get my response ready and get back to you on here. No need to wait around and you will get an email when I have responded, thank you
Thanks for your patience. The DPA will apply to information which amounts to personal data. This is defined as data which relate to a living individual who can be identified from those data, or from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller.
So if the sign in sheet included peoples’ names then it will amount to personal ta because it would be data from which individuals can be identified If the client who signed in wishes to obtain a copy of this sign in sheet then you may provide such a copy, as long as you ensure that you do not include personal data bout others at the same time. For example, there is one page where their name appears with their sign in details, but there are also a number of other individuals above and below their name. If you provide a copy to the client to show that they had signed in, you should blank out the names of the other individuals that appear on the same page to ensure that their personal data is kept confidential. Once the personal data of others is blanked out, you may provide the information to the client who requires the information about themselves.
Identifiers could in principle include any piece of information, or combination of pieces of information, that allows someone to be identified - it does not need to be a specific piece of information such as DOB, NI number, etc. So for example if you can link a person with their name and the type of business they were attending to when signing in, that could be sufficient to act as an identifier - as you can imagine it will depend from one case to another and on the cirumstances
So if there is no identifying logo/company name on the sheet it is not a breach and would only be so if the list of names where attached to a location/company.
well if they can in some way identify the person that had signed in, as mentioned it will depend on the circumstances and the names themselves - so a XXXXX XXXXX may not be identifiable from the simple information provided, whereas someone with a very unusual or unique name may be - and as such each case will be treated individually. That is why it is best to blank out all unnecessary data
So is the company also in breach if the list is available for anyone to view?
No, because it is obvious that by having the list available on the sign in desk for example, those signing it would be implying their consent to have their details there. But if this gets used in other ways, different to those for which the consent as given, then that is where the potential breach occurs
Thank you for your help
You are most welcome. Please take a second to leave a positive rating for the advice I have provided as that is an important part of our process. Thank you and feel free to bookmark my profile for future help: