Hello!

Firstly, thank you for taking the time to read my post. I appreciate any and all feedback here. I have an idea I want to begin developing, but I want to first check how the DPA (Data Protection Act) applies, if in fact it does. My idea isn't overally complicated, but a certain element of it in particular, the data storage, is something I want some advice on. I think starting with an example would be best.

I run through the following steps:

  1. Take a given name and date of birth
  2. Pass it through a one-way mathematical function
  3. Keep the resulting hash, received from the function, and store it in a database
  4. Destroy the original, plain text version of the information (name, dob, etc)


Given I no longer have the original, plain text information, I cannot personally identify any one individual. The hash, which looks like randomly generate data (for example, "5170dbfbc715b4288f75141e48c504f40a851e931015a6f06 970b30b" is the hash form of the string "movedx 2014-06-08"), cannot be reversed. The original data can never been obtained from the hash without brute forcing it, which would likely take more time than our sun's life span has to offer. Therefore, my question is: am I in fact still storing sensitive information? To extend the example further, I want to collect and store some additional information beside this hash:

  1. Overall satisfaction
  2. Recommendation
  3. 1-5 star rating


Basically metadata. Nothing that's directly relevant to the individual's person.

Would the DPA apply if I wanted to allow others to provide the same details, generating the same hash (which is always the same if the information is exactly the same), and then looking up the hash in the database to see if there is a result (returning the metadata if there is)? In short, I want to create a system that provides a "lookup table" others outside of my company can use, but without storing any personal information.

All help appreciated.

- M