Personal Data
Key Points
- This card represents the law post-GDPR implementation. Please see our summary GDPR card here
- The definition of personal data is contained in Data Protection Act 2018, section 3
- Personal data under the DPA 2018 has to be interpreted consistently with the definition of personal data in the GDPR
- Personal data is defined in a more detailed way than under the Data Protection Act 1998 and there are tighter restrictions on employers, as data controllers, on processing personal data
- This means that the GDPR and the DPA 2018 must be read side by side
- The GDPR has direct effect across all EU member states although member states can make provisions for how it applies in each country.
Personal data
The Data Protection Act 2018 (DPA 2018) implemented the provisions of the General Data Protection Regulation EU 2016/679 (GDPR) and repealed and replaced the Data Protection Act 1998. The DPA 2018 does not replicate the wording in the GDPR so it is necessary to read the two pieces of legislation in tandem.
Personal data is defined by Article 4(1) of the GDPR as 'any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person'.
The DPA 2018 adopts the GDPR definition of personal data (section 3(2)-3(3)).
Information about a deceased person does not constitute personal data and is not therefore subject to the GDPR/DPA 2018 (Recital 27 of GDPR, section 3(3) DPA 2018).
Processing
The GDPR (Article 4(2)) defines processing as 'any operation or set of operations which is performed on personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction'.
Section 3(4) DPA 2018 adopts the GDPR definition of processing.
Data subject means the identified or identifiable living individual to whom personal data relates (Section 3(5) DPA 2018).
A data controller must comply with a prescribed set of principles in order to process personal data.
ICO Guidance on Personal Data
The Information Commissioner's Office has published guidance (https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/key-definitions/what-is-personal-data/) on the GDPR. It underlines the importance of understanding whether an employer is processing personal data. What identifies an individual could be as simple as a name or number or could include factors such as an IP address or a cookie identifier. If an individual can be identified directly from the information being processed, that information may be personal data. If an individual cannot be identified from that information, the data controller must consider whether the individual is still identifiable, taking into account all the information being processed together with all the means reasonably likely to be used to identify that person.
Article 4(1) of the GDPR provides a non-exhaustive list of identifiers, including name, ID number, location data and an online identifier.
Even if an individual is identified or identifiable, directly or indirectly, from the data being processed, it is not personal data unless it 'relates to' the individual. When considering this, a range of factors should be taken into account, including the content of the information, the purpose or purposes for which it is being processed and the likely impact or effect of that processing on the individual.
Information which has had identifiers removed or replaced in order to pseudonymise the data is still personal data for the purposes of the GDPR. Information which is truly anonymous is not covered by the GDPR.
If information is inaccurate it is still personal data if it relates to a particular individual.
Personal data may also include special categories of personal data or criminal conviction and offences data. These are considered to be more sensitive and there are strict rules for processing.