My ISP's newsgroup was subjected to a lively barrage of discussion about data protection yesterday, that almost amounted to a DOS (or at least denial-of-productive worktime) attack.
In brief, a customer asked who the company's data protection officer was, so he could send him the £10 fee for full disclosure of all data held on him. Innocent enough, but the ensuing discussion raised a number of interesting questions and exposed a good deal of uncertainty and maybe ignorance about the whole area. As one correspondent pointed out, the area is ripe for test cases, and the lawyers are hanging around like vultures.
My interest was stimulated because patient confidentiality and data protection is partly my responsibility at work.
In general, ISPs hold customer information for accounting purposes (which is exempt from notification under the DPA), but they also hold and process data which could be construed as personal data. This includes IP addresses (the identity of the owner can be discerned from the RIPE database) and also email addresses in mail transport logs.
Personally, I think this is a bit of a storm in a teacup. I don't think that an IP address is a personal identifier: it identifies a device on the network which may or may not be used by the owner of its domain. On the other hand, if it proved to be legally necessary it would not be very difficult for an ISP to have grep extract log records pertaining to an individual's email address. Having to do so may deter archiving of historical log information, but this may be a good thing. I would expect my ISP not to disclose any records identifying me to a third party without my prior consent. I suspect that any ISP who does this deviously would very likely not disclose the fact to me if I asked.
The general issue is of some concern to me as a 'secondary' ISP: I run mail and webservers for a small number of domains (most but not all of which I own) on a strictly informal non-commercial basis, for purposes largely if indirectly concerned with my work and mainly at my own expense. Perhaps I too should notify, but the annual charge of £35 for the privilege is off-putting.
And then there are weblogs: I run two weblogs which occasionally receive posts from others, such that my computers come to store 'personal data' about them. I may also identify others by name in my own posts. Does this mean that all UK weblogs should be covered by DPA notification?