My brother and I make measuring instruments and as they get smarter they
record and playback lists of results. We were discussing what the position
was about us reading that data when they come back in for repairs.

One of the team said it would be 'interesting' but my brother argued that
it was personal data stored on a computer and without written permission
from the owner he didn't want us to touch it or we would possibly be up
a legal creek sans paddle.

With dive computers and rebreathers going the same way I'd guess they
have to consider the same problems. Our take is that we are deliberately
not going to know anything and if we have to work on the memory dump we
will either get written/faxed confirmation or just wipe it and build
new records to test.

So... Obviously if I get hauled out by my boots somebody's going to dump
the computer to confirm how I won the Darwin but if I just sent the
computer back for an upgrade/repair should the manufacturer even inspect
the profiles logged in it?

I aim to post this to the three groups I frequent, BSAC, YD and RBW because
although there is a lot of overlap they have a significantly different ethos.
Please feel free to confuse me by replying where you like.

From the ICO flowchart.

Q1. Can the data be used to identify a living person?
A. No. This is not personal data and there are no DPA issues.

A. Yes. Go to Q2

Q2. Is this data held electronically?
A. Yes. This is personal data and all requirements of the DPA apply.

Ownership of data and your right to access it, is a completely different matter.

I would think that you have a good arugment that as the owner has sent it to you to be repaired he has implicitly given you permission to view/playback (and if necessary delete) the data on it in the process of that repair.

So long as you aren't copying that info and keeping it yourself or selling it on to 3rd parties (if it might be commerically valuable), I doubt you would ever have a problem.

It may be worth modifying your stadard T&C's to say explcitly that you may view/destroy data on a divce sent for repair, and it would be nice pt promise that you won't pass it on to 3rd parties or keep it after you have fixed the tiem. Then you would be well covered.

Also I am guessing most stuff is not at all 'personally identifying' except that you know who gave the device to you.

Iain.

I would think that you have a good arugment that as the owner has sent it to you to be repaired he has implicitly given you permission to view/playback (and if necessary delete) the data on it in the process of that repair.

.

Not at all, this is no different than if I send a PC to be repaired. I have not implicitly given permission to view/playback datafiles on it.

Should the repairer require such access then specific permissions should be sought in the same way that any deletions disc formats etc. would need permission as well. The customer needs to be kept informed.

.

Hi Nigel,

My brother and I make measuring instruments and as they get smarter they record and playback lists of results. We were discussing what the position was about us reading that data when they come back in for repairs.

Depending on what is being measured, Matts has covered the DP aspect for Personal Data. I would think (and its an assumption) your biggest risk is commercially sensitive data from you clients. What benefit could you offer your clients from accessing and using the data? Without some benefit your current (and future clients) might not be too happy and think again in using your services.

One of the team said it would be 'interesting' but my brother argued that it was personal data stored on a computer and without written permission from the owner he didn't want us to touch it or we would possibly be up a legal creek sans paddle.

MattS covered this.

With dive computers and rebreathers going the same way I'd guess they have to consider the same problems. Our take is that we are deliberately not going to know anything and if we have to work on the memory dump we will either get written/faxed confirmation or just wipe it and build new records to test.

From this I assume (again) that you could identify an individual from their dive computer.

So... Obviously if I get hauled out by my boots somebody's going to dump the computer to confirm how I won the Darwin but if I just sent the computer back for an upgrade/repair should the manufacturer even inspect the profiles logged in it?

UK (and other companies operating in the UK – with a UK Branch): Depends on what their ICO Notification says they would do with Personal Data.

None UK companies: could be fair game.

HTH

Edward

Nigel I say this from the PoV of my own situation when I gave away a computer (desktop kind) and a Uwatec BT to two friends of mine.

The computer's memory, address book, browsing history etc as well as my personal file was wiped. The BT had my last X dives on it, I considered dunking it in the bath several times until this had been wiped and then decided that this was altogether too hard and I couldn't be bothered. Apropos the BT Richard made some comment about "serious dives", which really only meant that they were perhaps deeper than he was ever going to do, but so what.

That, of course, is about my supplying equipment I no longer have use for to friends, and I do mean friends (rather than acquaintances). Your situation is however somewhat different.

I consider that if, for example, you need to strip an item of its memory in order to effect a repair you should/would first need to get permission from the owner and the same applies if you have a requirement to read that information in order to effect the repair, service, whatever.

If you're particularly concerned about this a "Memorandum of Understanding" might be a good idea which states, in unequivocal terms, what you will, and more importantly what you will not, do with equipment in your possession. It should also state that anything that you might have to do which is in the "not" column will require the written authorisation of the owner.

FWIW