What is Personal Data?
On the face of it, a simple question. However, in some situations, the question of whether information is personal data can be quite complex.
Why does it matter?
As a business, it is important that you know what personal data you hold on your computers or manually in filing systems about your workers, customers, website users, suppliers and others.
This is because businesses have wide ranging obligations under data protection law in relation to personal data, including providing an individual who has made a subject access request with a copy of their personal data. In responding to such a request, you need to be confident that you are providing information to which the individual is entitled, and not, for example, commercially sensitive non-personal data or personal data relating to someone else.
The starting point
Under data protection law, personal data is information that relates to an identified or identifiable living person. Information relating to a deceased individual is not therefore personal data.
Who is an ‘identified’ or ‘identifiable person’?
If you hold information that uniquely identifies an individual, or distinguishes the individual from others, then it is likely to be personal data.
You may be able to identify someone directly from the data you hold, for example, if you have a person’s name and address, their online username or an identification/reference number.
You may also be able to identify someone from the data you hold in combination with other information that you might obtain from another source, for example a public register or social media. You need to think about what a sufficiently determined individual (such as an investigative journalist) would do to obtain the information needed to identify the person; could they obtain the missing information? If so, the individual is likely to be identifiable from the data you hold in combination with that other data.
Does the information ‘relate to’ the identified or identifiable person?
The information has to be about the person in some way.
So, a work email address, such as firstname.lastname@example.org, will be the personal data of the person concerned as it relates to them (it discloses their name and where they work). However, if the person sends an email from their corporate email address, the content of the email will only be the person’s personal data if it discloses something about them (for example, where they were on a particular date and time) or has an impact on them. If the email contains information about, for example a product/service or the wording for a marketing campaign, then even though the individual has thought about and composed the email, it is not their personal data, as they are writing the email as a representative of the business and it relates to the business, not them. However, if within the email, the person expresses an opinion about another individual within the business, then this is likely to be the personal data not only of the individual writing the email but also the person about whom the person is expressing an opinion.
Information may also change from being non-personal data to personal data, depending on the circumstances. For example, in a business context, a person’s reasons for making a decision or giving a certain piece of advice will not ordinarily be personal data. However, if someone makes a complaint about the decision or advice, then the thoughts of the person making the decision or giving the advice come into play and any information (including documents and emails) around the decision or advice used to investigate the complaint potentially becomes that person’s personal data.
How can we help?
If you need any assistance with identifying personal data, particularly in the context of responding to a data subject access request, or any other aspect of data protection law, then please get in touch with us and we will be delighted to help.
For more information on how to respond to an employee who has made a subject access request, please see our article “An employee has asked for a copy of all their personal data. Do we have to provide everything?” or if you need any further legal assistance in a GDPR matter, please contact our team of data protection solicitors.