Hidden Data and the GDPR DPA18

Published on: 10th November 2018

The GDPR / DPA18 legislation clearly gives individuals the right to know all the information that an organisation knows, uses and stores about them. It expects organisations to be able to clearly identify, define and protect that data. In the past couple of weeks, however, we've noticed a few areas that seem to be overlooked in many organisations, and these may prove to be the tip of the iceberg as far as this secret, hidden and "uncontrolled" data collection is concerned.

The situation that triggered this line of investigation was looking into the firmware and software used on routers. On BT's SmartHub it is possible to view IP addresses in activity logs on the network, and indeed to identify individual device behaviour across the cabled and wireless connections. BT's routers are in use in thousands of businesses in the UK, and many of those businesses will be allowing their staff to access the internet via the BT router. All that traffic is being monitored and logged by the router.

Under the GDPR/DPA18 Recital 30, IP addresses are currently considered Personal Data. This router data relating to IP addresses should therefore be considered in scope for management and disclosure when it comes to writing the organisation's GDPR policy and presenting this to the public (and the organisation's broadband users). I suspect that this is not considered at all in most organisations, and consequently it is a whole set of data sources that are unrestricted and probably unknown and uncontrolled. Even if the broadband router is only used for providing employee access to the internet, there should be some kind of opt-in or contractual documentation to ensure it comes under a lawful basis for data processing.

The BT router is not alone in tracking IP addresses and communications traffic over internal and external networks. Many routers will have access logs generated as part of their software and control systems. This IP monitoring is done partly to facilitate Virtual Private Network communications and internal packet routing to different devices, and to control inbound and outbound access to the network. The logs allow you to see if there are any unexpected or unwanted uses of the network that need to be blocked. This software is often complemented with firewall security, which can also track and log the IP addresses of inbound and outbound communications.

This raises the question of what lawful bases apply to these devices and software systems. It makes us wonder if many organisations are disclosing this data in their Article 30 Records, and whether they are interrogating this data set as part of the response to any Subject Access Requests. If I invoke my right to be forgotten, I would expect this data to be removed if it identified me in any way, unless there is demonstrable and documented evidence of a higher legal basis for continuing to process it.

Both the GDPR and DPA18 consider external IP addresses to be Personal Data (as demonstrated by their position on Cookie handling on websites), even though many would argue that these are only loosely tied to a particular individual in the majority of cases. Internal IP addresses, by contrast, are almost always completely identifiable to specific devices, and in turn individuals. This makes this store of Personal Data something that should be clearly identified and managed in the organisation's GDPR/DPA18 policies and procedures.

These peripheral-level logs are ubiquitous and often hard to delete. The BT SmartHub only resets the log when it is restarted. (This is not very advisable as a regular method of data purging, however, as restarting frequently can slow down broadband connection speeds, which are partly calculated on the basis of connection stability.) Other devices have different purging mechanisms and timescales.

While it is clearly important to consider these fiddly and "hidden" data stores, it is going to be interesting to see whether the appetite for this fine detail will result in action or avoidance.

PYXI GDPR Team: 10th Nov 2018 11:09:00