In the definition of personal data, we know that to count as personal data, the data must relate to a person who can be identified from that data. Much was made of the scope and meaning of “relating to” in the Durant judgment. But what do we mean by an identifiable person, and how do we go about the identifying?
A difficulty encountered here is that the process of identifying reveals the inherent circularity of the definition. This is because you tend to end up identifying the person to whom the data relates by relying on personal data of the same kind you are trying to validate. This raises the question of how that data was validated, and so on, in a permanent regress.
One way of preventing this regress has been to privilege certain kinds of personal data as more personal or foundational than other sorts – “biographical” data for instance. Or birth certificate data – the first data, the official point at which a name and a date were attached to a body. This can be used as the “person” against whom further data can be validated. But this is nothing more than a conventional stop in the data regress.
Does this matter? Well, there might not be much point in trying to work out what “relating to” means if you can’t separately identify the person from the data you are attempting to relate to them.
And what happens when someone else claims to be you?
Identity fraud, it seems to me, exploits the problem of separate identifiability just as much as the physical insecurity of the data itself.
The more personal data you have, the easier it is to claim to be someone else because of the difficulties in refuting the claim by establishing who is really whom. If the same personal data are held equally, what else will determine the issue? Who or what else do you appeal to? In the end, it tends to stop because the fraudster has no interest in going on forever, not because it has been resolved who is whom to the satisfaction of a third party.
Biometrics are sometimes thought to be the answer to this problem of separate identifiability, because the body is separate from the person but the person is trapped in the body (or so it is thought).
That it is the answer seems to me to be a dangerous simplification, firstly because it overlooks the difference between the body and information about the body; and secondly because if it is widely believed to be the answer there arises a tremendous premium on faking the relationship between biometric data and other personal data (which is not as difficult as is sometimes made out).
And actually I’m not sure there is an answer.