What is Personal Data?
Personal Data is any information relating to a natural person who could be identified directly from the information itself, or indirectly through combining it with other information.
If the information is about a person who is deceased, a company or a public authority, then it is not personal data, though it might involve commercial secrets or require consideration of how it might impact on people.
Examples of personal data include:
- Personal Characteristics, e.g. name, gender, age
- Identification Documentation, e.g. passport, ID card
- Contact Information, e.g. address, email, telephone number
- Performance & Progression Data, e.g. module marks, PDR conversations
- Education & Employment details, e.g. School, University, previous employment
- Financial Details, e.g. salary
- Professional Body Membership Information
- Online Identifiers, e.g. username, IP address
In order to lawfully process personal data, you must identify a lawful basis for processing according to Article six of the GDPR.
What is Special Category Data?
Some personal data is classed as Special Category Data because it is sensitive, and this means it needs more protection. GDPR defines Special Category Data as information which reveals a person’s:
- Racial or Ethnic Origin
- Political Opinions
- Religious or Philosophical Beliefs
- Trade Union membership
- Genetic & Biometric Data
- Physical or Mental Health Information
- Sex Life or Sexual Orientation
In order to lawfully process Special Category Data, you must identify a lawful basis and a separate condition for processing according to Articles six and nine of the GDPR. You would also need to complete a Data Protection Impact Assessment (DPIA) for any type of processing which is likely to be high risk. You must therefore be aware of the risks of processing the Special Category Data. Examples of high risk include exposing people to fraud or identity theft, damage to reputation, discrimination, or accidental reversal of pseudonymisation.