Data: When is it personal?

Data protection is not fundamentally a data issue, but a human rights issue. As such, data protection legislations always relate to processing personal information.

To understand your legal data protection obligations, it is necessary to understand what is considered personal data. This is an area that can cause confusion. An individual’s name? That’s certainly personal information. But what about an email address? Or a photograph? Or an ID number that, when combined with other information you hold, could be used to identify someone?

When the EU’s General Data Protection Regulations (GDPR) comes into effect in May 2018, it will bring with it a new definition of personal data.

For years, we have understood personal data in terms of the Data Protection Act 1998: that personal data is any data, whether by itself or when combined with any other data you possess or are likely to possess, by which a living individual is identifiable.

This includes any opinions or decisions pertaining to an individual, such as notes from performance review meetings, or recruitment notes on a candidate’s suitability for a role.

Under GDPR, the definition of personal data has been expanded and is considered “any information relating to an identified or identifiable natural person”.

This means that if any data you hold can identify an individual, either directly or indirectly, then it is considered personal data. If an individual can be identified by reference to “an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person” then it is personal data.

This means that IP addresses, for example, count as personal data. Data that has been pseudonymised could also be personal data if it is possible to relate that information to an individual.

For example, it may be possible to identify an individual within a company with only date of birth, gender, and salary information.

Significantly, personal data includes data which identifies a living individual either “in personal or family life, business or profession”.

For organisations, this includes work email addresses, company car details, and work phone numbers. An email address, whether it is a.smith@company.co.uk or ITmanager@company.co.uk or even shared email addresses can identify an individual, either on their own or by processing other data.

To meet your data protection obligations, you will need to have a process in place to identify whether data is personal, and commit to regular reviews of that data.

Under GDPR you will have significantly more legal liability if you are responsible for a breach of personal data. If you are in doubt as to whether a piece of data is personal or not, it is always best to err on the side of caution and assume it is.

Visit the Information Commissioner’s website for further data protection and GDPR guidance for organisations.

Computing Security Awards 2017
A Personal Data Breach Story