If you process information that is within the scope of personal data as defined under the UK General Data Protection Regulation (GDPR), then your use of personal data will be subject to data protection legislation. Recognising information that is within the scope of the statutory definition of personal data is an important first step for organisations towards determining if and how data protection legislation will apply to its use of personal data.
Personal data is defined in the GDPR as:
“’personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as name, an identification number, location data, an online identifier or to one or more factors specific to the physical, psychological, genetic, mental, economic, cultural or social identity of that natural person.”
Essentially, this means that personal data has to be information which relates to an identifiable living individual; information relating to a deceased person is not considered to be personal data. Information relates to an individual when it is about them; this will not always be obvious and may depend on what an organisation uses such information for. For instance, KPI data may not be information which relates to an individual, however, where such KPI data is used to measure an individual’s performance then that would likely be considered as information which relates to an individual. That individual must also be identified or identifiable either directly or indirectly from one or more identifiers or factors specific to that individual. This can include more obvious, direct identifiers including names, addresses and e-mail addresses that can immediately identify an individual, and more indirect identifiers including date of birth, place of work, job title, IP addresses and gender.
Indirect identification can occur when information is combined with other information that then distinguishes and allows for the identification of an individual. Such information can come from information that your organisation processes, or it can consist of information which your organisation processes together with other information held outside of your organisation which leads to an individual being indirectly identified. This means organisations should, when deciding if information is personal data, consider what other information they process and what information others might reasonably have access to. If, after considering this, an organisation believes it may be possible to use that piece of information in combination with other reasonably accessible information then it may be that a person can be indirectly identified.
Special Category Data
Special category data is a subset of personal data that is considered more sensitive in nature and therefore requires a higher level of protection. This includes data revealing:
- Race;
- Ethnic origin;
- Political opinions
- Religious or philosophical beliefs;
- Trade union membership;
- Genetic data;
- Biometric data (where this is used for identification purposes);
- Health data;
- Sex life; or
- Sexual orientation.
Criminal Convictions Data
Criminal convictions data is also a subset of personal data and can include information relating to criminal convictions, criminal offences, criminal allegations and criminal investigations; this also requires a higher level of protection.
For organisations, recognising information as personal data is essential, because the GDPR grants individuals with strong rights in relation to their personal data, which organisations must comply with. How to process personal data, special category data and criminal convictions data lawfully will be discussed in an upcoming blog.
We have an experienced team that are able to advise on all issues relating to data protection. Please contact our team here if you would like more information or advice.
