What is Personal Data
At a glance
- Understanding whether you are processing personal data is critical to understanding whether the GDPR applies to your activities.
- Personal data is information that relates to an identified or identifiable individual.
- What identifies an individual could be as simple as a name or a number or could include other identifiers such as an IP address or a cookie identifier, or other factors.
- If it is possible to identify an individual directly from the information you are processing, then that information may be personal data.
- If you cannot directly identify an individual from that information, then you need to consider whether the individual is still identifiable. You should take into account the information you are processing together with all the means reasonably likely to be used by either you or any other person to identify that individual.
- Even if an individual is identified or identifiable, directly or indirectly, from the data you are processing, it is not personal data unless it ‘relates to’ the individual.
- When considering whether information ‘relates to’ an individual, you need to take into account a range of factors, including the content of the information, the purpose or purposes for which you are processing it and the likely impact or effect of that processing on the individual.
- It is possible that the same information is personal data for one controller’s purposes but is not personal data for the purposes of another controller.
- Information which has had identifiers removed or replaced in order to pseudonymise the data is still personal data for the purposes of GDPR.
- Information which is truly anonymous is not covered by the GDPR.
- If information that seems to relate to a particular individual is inaccurate (ie it is factually incorrect or is about a different individual), the information is still personal data, as it relates to that individual.
What is personal data?
- The GDPR applies to the processing of personal data that is:
- wholly or partly by automated means; or
- the processing other than by automated means of personal data which forms part of, or is intended to form part of, a filing system.
- Personal data only includes information relating to natural persons who:
- can be identified or who are identifiable, directly from the information in question; or
- who can be indirectly identified from that information in combination with other information.
- Personal data may also include special categories of personal data or criminal conviction and offences data. These are considered to be more sensitive and you may only process them in more limited circumstances.
- Pseudonymised data can help reduce privacy risks by making it more difficult to identify individuals, but it is still personal data.
- If personal data can be truly anonymised then the anonymised data is not subject to the GDPR. It is important to understand what personal data is in order to understand if the data has been anonymised.
- Information about a deceased person does not constitute personal data and therefore is not subject to the GDPR.
- Information about companies or public authorities is not personal data.
- However, information about individuals acting as sole traders, employees, partners and company directors where they are individually identifiable and the information relates to them as an individual may constitute personal data.
What is special category data?
The GDPR defines special category data as:
- personal data revealing racial or ethnic origin
- personal data revealing political opinions
- personal data revealing religious or philosophical beliefs
- personal data revealing trade union membership
* genetic data;
* biometric data (where used for identification purposes)
- data concerning health
- data concerning a person’s sex life
- data concerning a person’s sexual orientation
This does not include personal data about criminal allegations, proceedings or convictions, as separate rules apply. For further information, please see the Information Commissioner's Office's separate guidance on criminal offence data.
Special category data includes personal data revealing or concerning the above types of data. Therefore, if you have inferred or guessed details about someone which fall into one of the above categories, this data may count as special category data. It depends on how certain that inference is, and whether you are deliberately drawing that inference.
What are the rules for special category data?
You must always ensure that your processing is generally lawful, fair and transparent and complies with all the other principles and requirements of the GDPR. To ensure that your processing is lawful, you need to identify an Article 6 basis for processing.
In addition, you can only process special category data if you can meet one of the specific conditions in Article 9 of the GDPR. You need to consider the purposes of your processing and identify which of these conditions are relevant.
Five of the conditions for processing are provided solely in Article 9 of the GDPR. The other five require authorisation or a basis in UK law, which means you need to meet additional conditions set out in the DPA 2018.
You must also identify whether you need an ‘appropriate policy document’ under the DPA 2018. Our template appropriate policy document shows the kind of information this should contain.
You must do a DPIA for any type of processing that is likely to be high risk. This means that you are more likely to need to do a DPIA for processing special category data. For further information, please see our guidance on DPIAs.
If you process special category data you must keep records, including documenting the categories of data. You may also need to consider how the risks associated with special category data affect your other obligations – in particular, obligations around data minimisation, security, transparency, DPOs and rights related to automated decision-making.
What are the conditions for processing special category data?
Article 9 lists the conditions for processing special category data:
(a) Explicit consent
(b) Employment, social security and social protection (if authorised by law)
(c) Vital interests
(d) Not-for-profit bodies
(e) Made public by the data subject
(f) Legal claims or judicial acts
(g) Reasons of substantial public interest (with a basis in law)
(h) Health or social care (with a basis in law)
(i) Public health (with a basis in law)
(j) Archiving, research and statistics (with a basis in law)
If you are relying on conditions (b), (h), (i) or (j), you also need to meet the associated condition in UK law, set out in Part 1 of Schedule 1 of the DPA 2018.
If you are relying on the substantial public interest condition in Article 9(2)(g), you also need to meet one of 23 specific substantial public interest conditions set out in Part 2 of Schedule 1 of the DPA 2018.
What are the substantial public interest conditions?
The 23 substantial public interest conditions are set out in paragraphs 6 to 28 of Schedule 1 of the DPA 2018:
6. Statutory and government purposes
7. Administration of justice and parliamentary purposes
8. Equality of opportunity or treatment
9. Racial and ethnic diversity at senior levels
10. Preventing or detecting unlawful acts
11. Protecting the public
12. Regulatory requirements
13. Journalism, academia, art and literature
14. Preventing fraud
15. Suspicion of terrorist financing or money laundering
16. Support for individuals with a particular disability or medical condition
18. Safeguarding of children and individuals at risk
19. Safeguarding of economic well-being of certain individuals
21. Occupational pensions
22. Political parties
23. Elected representatives responding to requests
24. Disclosure to elected representatives
25. Informing elected representatives about prisoners
26. Publication of legal judgments
27. Anti-doping in sport
28. Standards of behaviour in sport
You should identify which of these conditions appears to most closely reflect your purpose. Our detailed guidance gives you some further advice on how the conditions generally work, but you always need to refer to the detailed provisions of each condition in the legislation itself to make sure you can demonstrate it applies.
For some of these conditions, the substantial public interest element is built in. For others, you need to be able to demonstrate that your specific processing is “necessary for reasons of substantial public interest”, on a case-by-case basis.
The public interest covers a wide range of values and principles relating to the public good, or what is in the best interests of society. It needs to be real and of substance. Given the inherent risks of special category data, it is not enough to make a vague or generic public interest argument. You should be able to make specific arguments about the concrete wider benefits of your processing.
For some of the conditions, you also need to justify why you cannot give individuals a choice and get explicit consent for your processing. In most cases, you must have an ‘appropriate policy document’ in place.
What are identifiers and related factors?
- An individual is ‘identified’ or ‘identifiable’ if you can distinguish them from other individuals.
- A name is perhaps the most common means of identifying someone. However whether any potential identifier actually identifies an individual depends on the context.
- A combination of identifiers may be needed to identify an individual.
- The GDPR provides a non-exhaustive list of identifiers, including:
- identification number;
- location data; and
- an online identifier.
- ‘Online identifiers’ includes IP addresses and cookie identifiers which may be personal data.
- Other factors can identify an individual.
Can we identify an individual directly from the information we have?
- If, by looking solely at the information you are processing you can distinguish an individual from other individuals, that individual will be identified (or identifiable).
- You don’t have to know someone’s name for them to be directly identifiable, a combination of other identifiers may be sufficient to identify the individual.
- If an individual is directly identifiable from the information, this may constitute personal data.
Can we identify an individual indirectly from the information we have (together with other available information)?
- It is important to be aware that information you hold may indirectly identify an individual and therefore could constitute personal data.
- Even if you may need additional information to be able to identify someone, they may still be identifiable.
- That additional information may be information you already hold, or it may be information that you need to obtain from another source.
- In some circumstances there may be a slight hypothetical possibility that someone might be able to reconstruct the data in such a way that identifies the individual. However, this is not necessarily sufficient to make the individual identifiable in terms of GDPR. You must consider all the factors at stake.
- When considering whether individuals can be identified, you may have to assess the means that could be used by an interested and sufficiently determined person.
- You have a continuing obligation to consider whether the likelihood of identification has changed over time (for example as a result of technological developments).
What is the meaning of ‘relates to’?
- Information must ‘relate to’ the identifiable individual to be personal data.
- This means that it does more than simply identifying them – it must concern the individual in some way.
- To decide whether or not data relates to an individual, you may need to consider:
- the content of the data – is it directly about the individual or their activities?;
- the purpose you will process the data for; and
- the results of or effects on the individual from processing the data.
- Data can reference an identifiable individual and not be personal data about that individual, as the information does not relate to them.
- There will be circumstances where it may be difficult to determine whether data is personal data. If this is the case, as a matter of good practice, you should treat the information with care, ensure that you have a clear reason for processing the data and, in particular, ensure you hold and dispose of it securely.
- Inaccurate information may still be personal data if it relates to an identifiable individual.
What happens when different organisations process the same data for different purposes?
- It is possible that although data does not relate to an identifiable individual for one controller, in the hands of another controller it does.
- This is particularly the case where, for the purposes of one controller, the identity of the individuals is irrelevant and the data therefore does not relate to them.
- However, when used for a different purpose, or in conjunction with additional information available to another controller, the data does relate to the identifiable individual.
- It is therefore necessary to consider carefully the purpose for which the controller is using the data in order to decide whether it relates to an individual.
- You should take care when you make an analysis of this nature.