Personal data is defined in the UK GDPR as:
“‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.
This means personal data has to be information that relates to an individual. That individual must be identified or identifiable either directly or indirectly from one or more identifiers or from factors specific to the individual.
This could be something that names the person (like their name), or something that helps you work out who they are (like a staff number, address, location, or an online username).
Yes. Some personal data is very private and could cause more harm if it is shared or used the wrong way. The UK GDPR calls this special category personal data. It includes information about a person’s:
Personal data about criminal convictions or offences also needs extra protection.
Most of the time, it is easy to tell if something is personal data. Sometimes it is not so clear, please see the attached Personal Data Flow Chart to assist you.
You should look at what you have and ask: “Could this help someone figure out who the person is?”
If you are not sure and require further guidance, please contact the Data Protection Officer – DPAofficer@tendringdc.gov.uk