What is personal data?
Personal data, or personally identifiable information, refers to data that can be used to identify a person. The EU General Data Protection Regulation (GDPR) defined personal data as “any information relating to an identified or identifiable individual”, and went on to define an identifiable person as “one who can be identified, directly or indirectly, in particular by reference to an identification number (e.g., social security number) or one or more factors specific to his physical, physiological, mental, economic, cultural or social identity…”
Personal data includes direct and specific information such as names, phone numbers, IP addresses, national ID numbers, personal email addresses, banking and other financial information, date of birth, family background, place of birth, social media accounts, and so on. It also includes descriptions that can be used in conjunction with other information to identify a person. For instance, the description “that fair man that dropped his daughter off in a Silver 2015 RAV4 with vehicle plate number ABC-123-DEF…” would qualify as personal data, as it sufficiently discloses the identity of the data subject to the target audience.
Sensitive personal data is a sub-category of personal data. It refers to a specific set of ‘special personal data’ that must be treated with extra security. Sensitive personal data includes genetic data (e.g., DNA information), biometric information (e.g., fingerprint data), health information and/or records, religious beliefs, sexual orientation, political views, racial or ethnic origin, trade union membership, criminal records, etc. Data controllers processing sensitive personal data must, in addition to having a legal basis for so doing (refer to the third instalment of our snapshot series for a discussion on the legal bases for processing personal data), ensure that such data is stored securely, using encryption and pseudonymisation techniques.