The General Data Protection Regulation (GDPR) applies to the processing of “personal data” – but what exactly is personal data under the GDPR?
GDPR Personal Data
Personal data is information that relates to an identified or identifiable individual. The Data Protection Act 2018 (DPA 2018), which implements and supplements the GDPR in the UK, defines an individual as an “identified or identifiable living individual” (section 3(2)).
Identifiable Living Individual
An identifiable living individual as defined under the DPA 2018 is a living individual who can be identified, directly or indirectly, and in particular with reference to the following:
- an identifier such as a name, an identification number, location data or an online identifier, or
- one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual.
The ICO states that online identifiers may include IP addresses and cookie identifiers.
The ICO also states that the identifiers listed in the GDPR/DPA 2018 are non-exhaustive. The key point to bear in mind is whether they identify, or are capable of identifying, an individual.
Once a person dies, the GDPR and the Data Protection Act 2018 cease to apply, save in so far as the data relates to other living individuals and so may also constitute their personal data.
The GDPR and DPA also do not apply to companies, but data relating to individuals within a company will potentially amount to personal data.
Personal data may also relate to more than one individual. For example, a complaint to the police will create personal data about both the suspect and the complainant. The personal information will overlap in certain parts. For example, the suspect may have a right of access to the details of the complaint, but the suspect will not have a right of access to the complainant’s home address and date of birth, as this is not the suspect’s personal data.
This means that if you can identify an individual from the data you are processing, then that information is likely to be personal data.
If you cannot directly identify an individual from the data you are processing, then you will need to determine whether an individual can nevertheless be identified indirectly. You will need to consider whether the information you are processing might be used to identify someone.
Even if an individual can be identified directly or indirectly, data is not personal data unless it relates to the individual.
What amounts to information “relating to” an identified or identifiable living individual has in the past not been an easy question to resolve. The Courts have, prior to the inception of the GDPR and the DPA 2018, adopted restrictive, and sometimes unclear, approaches to what amounts to personal data. The Court of Appeal in 2003 drew a distinction between “biographical” and “focus” data. The former is where there is recording of data that goes “beyond the putative data subject’s involvement in a matter or an event” and the latter is where the data subject is the focus of the information “rather than some other person with whom he may have been involved or some transaction or event in which he may have figured or had an interest”. This definition was criticised for narrowly interpreting the meaning of personal data, and subsequent guidance was drawn up by the Information Commissioner’s Office (ICO) seeking to clarify the position.
The ICO states that in determining whether information relates to an individual you need to:
Take into account a range of factors, including the content of the information, the purpose or purposes for which you are processing it and the likely impact or effect of that processing on the individual.
The ICO does nevertheless state that data can reference an identifiable individual and still not be personal data about the individual, if the information does not relate to them. This is consistent with a Court of Appeal ruling in 2017, Ittihadieh v. 5 to 11 Cheyne Gardens RTM Company Limited and Others EWCA Civ 121. The Court found that the fact that a document contains a person’s name does not necessarily mean that this will be personal data.
Inaccurate information may also still be personal data if it relates to an identifiable individual.
The ICO acknowledges that there will be circumstances where it may be difficult to determine whether data is personal data. The ICO recommends that:
as a matter of good practice, you should treat the information with care, ensure that you have a clear reason for processing the data and, in particular, ensure you hold and dispose of it securely.