At a glance
- Understanding whether you are processing personal information is critical to understanding whether the GDPR applies to your activities.
- Personal information (personal information) is information that relates to an identified or identifiable individual.
- What identifies an individual could be as simple as a name or a number or could include other identifiers such as an IP address or a cookie identifier, or other factors.
- If it is possible to identify an individual directly from the information you are processing, then that information may be personal information.
- If you cannot directly identify an individual from that information, then you need to consider whether the individual is still identifiable. You should take into account the information you are processing together with all the means reasonably likely to be used by either you or any other person to identify that individual.
- Even if an individual is identified or identifiable, directly or indirectly, from the information you are processing, it is not personal infromation unless it ‘relates to’ the individual.
- When considering whether information ‘relates to’ an individual, you need to take into account a range of factors, including the content of the information, the purpose or purposes for which you are processing it and the likely impact or effect of that processing on the individual.
- It is possible that the same information is personal information for one controller’s purposes but is not personal information for the purposes of another controller.
- Information which has had identifiers removed or replaced in order to pseudonymise the information is still personal information for the purposes of GDPR.
- Information which is truly anonymous is not covered by the GDPR.
- If information that seems to relate to a particular individual is inaccurate (ie it is factually incorrect or is about a different individual), the information is still personal information, as it relates to that individual.
What is personal information?
- The GDPR applies to the processing of personal information that is:
- wholly or partly by automated means; or
- the processing other than by automated means of personal information which forms part of, or is intended to form part of, a filing system.
- Personal information only includes information relating to natural persons who:
- can be identified or who are identifiable, directly from the information in question; or
- who can be indirectly identified from that information in combination with other information.
- Personal information may also include special categories of personal information or criminal conviction and offences information. These are considered to be more sensitive and you may only process them in more limited circumstances.
- Pseudonymised information can help reduce privacy risks by making it more difficult to identify individuals, but it is still personal information.
- If personal information can be truly anonymised then the anonymised information is not subject to the GDPR. It is important to understand what personal information is in order to understand if the information has been anonymised.
- Information about a deceased person does not constitute personal information and therefore is not subject to the GDPR.
- Information about companies or public authorities is not personal information.
- However, information about individuals acting as sole traders, employees, partners and company directors where they are individually identifiable and the information relates to them as an individual may constitute personal information.
What are identifiers and related factors?
- An individual is ‘identified’ or ‘identifiable’ if you can distinguish them from other individuals.
- A name is perhaps the most common means of identifying someone. However whether any potential identifier actually identifies an individual depends on the context.
- A combination of identifiers may be needed to identify an individual.
- The GDPR provides a non-exhaustive list of identifiers, including:
- identification number;
- location information; and
- an online identifier.
- ‘Online identifiers’ includes IP addresses and cookie identifiers which may be personal information.
- Other factors can identify an individual.
Can we identify an individual directly from the information we have?
- If, by looking solely at the information you are processing you can distinguish an individual from other individuals, that individual will be identified (or identifiable).
- You don’t have to know someone’s name for them to be directly identifiable, a combination of other identifiers may be sufficient to identify the individual.
- If an individual is directly identifiable from the information, this may constitute personal information.
Can we identify an individual indirectly from the information we have (together with other available information)?
- It is important to be aware that information you hold may indirectly identify an individual and therefore could constitute personal information.
- Even if you may need additional information to be able to identify someone, they may still be identifiable.
- That additional information may be information you already hold, or it may be information that you need to obtain from another source.
- In some circumstances there may be a slight hypothetical possibility that someone might be able to reconstruct the information in such a way that identifies the individual. However, this is not necessarily sufficient to make the individual identifiable in terms of GDPR. You must consider all the factors at stake.
- When considering whether individuals can be identified, you may have to assess the means that could be used by an interested and sufficiently determined person.
- You have a continuing obligation to consider whether the likelihood of identification has changed over time (for example as a result of technological developments).
What is the meaning of ‘relates to’?
- Information must ‘relate to’ the identifiable individual to be personal information.
- This means that it does more than simply identifying them – it must concern the individual in some way.
- To decide whether or not information relates to an individual, you may need to consider:
- the content of the information – is it directly about the individual or their activities?;
- the purpose you will process the information for; and
- the results of or effects on the individual from processing the information.
- information can reference an identifiable individual and not be personal information about that individual, as the information does not relate to them.
- There will be circumstances where it may be difficult to determine whether information is personal information. If this is the case, as a matter of good practice, you should treat the information with care, ensure that you have a clear reason for processing the information and, in particular, ensure you hold and dispose of it securely.
- Inaccurate information may still be personal information if it relates to an identifiable individual.
What happens when different organisations process the same information for different purposes?
- It is possible that although information does not relate to an identifiable individual for one controller, in the hands of another controller it does.
- This is particularly the case where, for the purposes of one controller, the identity of the individuals is irrelevant and the information therefore does not relate to them.
- However, when used for a different purpose, or in conjunction with additional information available to another controller, the information does relate to the identifiable individual.
- It is therefore necessary to consider carefully the purpose for which the controller is using the information in order to decide whether it relates to an individual.
- You should take care when you make an analysis of this nature.
GDPR - See Articles 2, 4, 9, 10 and Recitals 1, 2, 26, 51