Understanding Different Types of Data about People
What is Personal Data?
Personal Data is any information relating to a living person who could be identified directly from the information itself, or indirectly through combining it with other information.
If the information is about a person who is deceased, a company or a public authority, then it is not personal data, though it might involve commercial secrets or require consideration of how it might impact on people.
Examples of personal data include:
- Personal Characteristics, e.g. name, gender, age
- Identification Documentation, e.g. passport, ID card
- Contact Information, e.g. address, email, telephone number
- Performance & Progression Data, e.g. module marks, PDR conversations
- Education & Employment details, e.g. School, University, previous employment
- Financial Details, e.g. salary
- Professional Body Membership Information
- Online Identifiers, e.g. username, IP address
In order to lawfully process personal data you must identify a lawful basis for processing according to article six of the UK GDPR.
What is Special Category Data?
Some personal data is classed as Special Category Data because it is sensitive, there is a greater risk involved in using it, meaning it requires more protection. GDPR defines Special Category Data as information which reveals a person’s:
- Racial or Ethnic Origin
- Political Opinions
- Religious or Philosophical Beliefs
- Trade Union membership
- Genetic & Biometric Data
- Health Information (mental or physical health)
- Sex Life or Sexual Orientation
In order to lawfully process Special Category Data, you must identify a lawful basis and a separate condition for processing according to Articles six & nine of the GDPR.
You would also need to complete a Data Protection Impact Assessment (DPIA) for any type of processing which is likely to be high risk. You must therefore be aware of the risks of processing the special category data. Examples of high risk include exposing people to fraud or identity theft, damage to reputation, discrimination, or accidental reversal of pseudonymisation.
Other sensitive types of information
Whilst not classified as 'special category', there are other types of personal data which the law recognises as requiring additional care and protection:
- Children must be given specific protection as they may be less aware of the risks, consequences, and their rights in relation to the use of their personal data,
- Appropriate measures must be taken regarding personal data relating to criminal convictions and offences to protect the rights and freedoms of individuals, there are specific rules for processing this type of data; and
- Collecting and using personal data relating to individuals’ gender identity could interfere with their fundamental rights or open someone up to discrimination, so additional care is needed. We recommend this data is treated as 'special category'.
If you are planning to use these types of personal data you should complete a Data Protection Impact Assessment.
What is anonymous data?
Anonymous information is data which does not relate to an identified or identifiable individual (data that is not personal data). Anonymisation is the process of turning personal data into anonymous information so that an individual is not (or is no longer) identifiable.
In addition to protecting individual’s identities, anonymisation can help:
- Reduce reputational risks caused by inappropriate or insecure disclosure or publication of personal data,
- Develop greater confidence in publishing anonymous information in rich, re-useable formats (supporting more transparent decision-making); and
- Avoid challenging issues such as when handling FOI requests involving personal data.
Data protection law does not apply to anonymous information. Using anonymisation techniques to turn personal data into anonymous information counts as processing personal data and data protection law will apply.
If you are deciding whether the data is anonymous, you will need to consider all the ways ‘reasonably likely’ to be used to identify the person the data relates to. For example, linking anonymised data with other sources of information by searching the web, news archives, electoral registers, or social networking platforms. Whilst 100% anonymisation is desirable, a level of inherent risk of identification may remain. Data protection law does not require anonymisation to be completely risk-free, you need to take appropriate steps to ensure identification is sufficiently remote that the information is ‘effectively anonymised’.
What is aggregated data?
Aggregate data refers to numerical or non-numerical information that is collected from multiple sources, measures, variables, or individuals and compiled into a data summary, to make comparisons, or analyse trends etc. For example, combining graduation rates to identify the total number of individuals who graduated with a first-class honours degree and disclosing the information as a percentage of the total number of graduations.
Aggregated data could be derived from personal data, if it does not directly or indirectly reveal a person’s identity it is not considered personal data in law. However, if personal data is being processed to turn it into aggregated information, data protection law will apply to the anonymisation activity.
To disaggregate, aggregated data is broken down into smaller component parts. For example, the university may publish its graduation rate as aggregated data, if the rate was then broken down by academic school, specific programme, or by gender or race and ethnicity, these would become disaggregated data sets. As data is disaggregated the risk it may become possible for individuals to be identified by combining or connecting data sets increases, and it may become necessary to treat disaggregated data as personal data.
What is genetic, biometric, and human tissue data?
Genetic data is defined as data relating to the inherited or acquired genetic characteristics of a person which give unique information about the physiology or the health of that person and which result, in particular, from an analysis of biological sample from the individual. It includes data derived from chromosomal, DNA or RNA analysis, or from analysis of another element enabling equivalent information to be obtained.
In most cases genetic data is processed to learn something about a specific identified individual and to inform an action in relation to them. This data is personal data and for the purpose of the UK GDPR it is sensitive ‘special category’ data.
Analysis of genetic data which includes enough genetic markers to be unique to an individual is personal data and ‘special category’ genetic data, because the sample is unique to a person and provides a link back to their specific genetic identity. Genetic information may be considered personal data where it has been sufficiently anonymised or aggregated and it can no longer be linked back to a specific genetic identity, sample, patient record, or other identifier.
Biometric data is personal data resulting from specified technical processing relating to the physical, physiological, or behavioural characteristics of a natural person, which allow or confirm the unique identification of that person. It can be information about a particular person and information which is capable of identifying a person. Examples include physiological and behavioural characteristics:
- Retinal patterns
- Facial structure recognition
- Hand geometry
- Handwritten signature
- A particular way of walking or gait
Biometric data is also sensitive 'special category' data whenever you use it for the purpose of uniquely identifying an individual, to control their access, or make a decision about them. For example, using fingerprint scanners to verify an individual before they enter a room. To use this personal data you will need to treat it as special category.
Human tissue samples
Human tissue samples may provide a source from which biometric data can be extracted, information extracted from samples may result in the collection of personal data, but they are not biometric data themselves. The processing of human tissue samples are covered under different legislation, except where they are combined with personal data, such as patient name, NHS number etc.
For more external information on using human tissue samples in research:
- MRC Regulatory Support Centre E-learning page
- Use of human tissue in research - NHS Health Research Authority
What about photographs, video and sound recordings?
Where an individual interacts with the university and the interaction involves making a recording using video, sound recording, or photography, and the recording captures either:
- their biometric data, such as their image, voice, walking gait etc., and/or, using video, sound recordings and photography; or
- personal information they may disclose about themselves or other people
The recording will be processing personal information about the individual that may allow the individual to be identified. The content of the recording may also involve processing sensitive special category data.