Personal data is a key concept when considering the UK data protection legal regime as the UK GDPR and the Data Protection Act 2018 only apply to information that can be classed as personal data.
When an organisation processes a person’s personal data, the individual is afforded the protection of, and the controlling or processing organisation is required to comply with, the principles, rights and obligations of the UK GDPR and its associated privacy rules.
Article 4(1) of the UK GDPR defines personal data as:
“any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.
Types of personal data
The Information Commissioner’s Office splits personal data into three categories:
- General personal data, which in line with the above definition simply has to relate to a living identifiable individual.
- Special category data, which refers to data that is more sensitive in nature and as such is afforded a greater level of protection. This includes data about race, ethnicity, political opinions, genetics, health and sex life.
- Criminal data, which covers a wide range of information about offenders or suspected offenders in the context of criminal activity, allegations, investigations and proceedings.
When does information constitute personal data?
To determine whether information constitutes personal data, the following factors should be taken into consideration:
- Does the information allow you to distinguish an individual from others?
- Is an individual directly identifiable using the information being processed - e.g. a name and address?
- Is an individual indirectly identifiable, i.e. are you able to use other information you have access to, such as a code linked to a person’s name, to complete the identification?
- Does the information "relate to" the individual? You should consider:
  - the content of the data;
  - the purpose for which you will process the data; and
  - the results for the individual when processing the data.
A person’s medical records clearly “relate” to that person.
A business report that briefly mentions someone in passing may not constitute that person’s personal data.
What doesn’t constitute personal data?
Personal data relates to a living individual. As such, information concerning a company, a public authority or another legal entity will not be personal data.
However, information relating to persons acting as sole traders, employees, partners and directors will be considered to be personal data for the purposes of the UK GDPR.
For more information or advice on what constitutes personal data, please contact Beverley Flynn or another member of the commercial and technology team.