Personal Data and Special Category Personal Data – what has changed?
"The course of true love never did run smooth"
- Shakespeare, W., A Midsummer Night's Dream
The definition of personal data is obviously fundamental to the General Data Protection Regulation (GDPR). When considering data protection, your first question should always be – 'is this data personal data?' If it is not, the GDPR will not apply. Once you've determined that the data is personal data, you can assess whether the information is special category personal data, which is subject to increased protections.
Personal data – definition
Personal data is defined at Article 4(1) GDPR as: (i) any information; (ii) relating to; (iii) an identified or identifiable; (iv) natural person.
Taking each part of that definition in turn:
(i) any information means just that. The information can be objective or subjective. The content and format of the information are irrelevant. It can be any sort of information, available in any recorded medium (including, for example, sound and video recordings).
(ii) relating to means that one or more of the following three elements should be present:
Content – the information given is about a particular person, regardless of the purpose of the data controller or any third party, or the impact of that information on the data subject.
Purpose – the data is used, or is likely to be used, to evaluate, treat in a certain way or influence the status or behaviour of an individual.
Result – the use of the data is likely to have an impact on a person's rights and interests.
Information may relate to an individual even if it does not focus on him or her.
(iii) an identified or identifiable – the GDPR provides that an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data or an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.
Location data, online identifiers (such as an IP address), and genetic factors are new with the GDPR.
Identifiers can be direct, eg a name, or indirect, eg a social security number. Whether an identifier is sufficient to identify someone will depend on the circumstances of the case. For example, 'the woman in the black suit' may be sufficient to identify someone out of the passers-by standing at a traffic crossing, but possibly not in a crowded court-room or the House of Commons.
Indirect identification usually involves 'unique combinations', whether large or small. Some are clear (eg the Prime Minister of Spain), but a combination of details at a categorical level may also be sufficient (eg age category, regional origin, occupation).
When assessing 'identifiability', account should be taken of all the means reasonably likely to be used to identify someone from the data (by anyone, not just by the controller). This is considered in the round, including with reference to the purpose of the processing.
(iv) natural person means living human beings. The GDPR does not apply to the personal data of deceased persons (Recital 27), although Member States may legislate for them separately.
Special category personal data – definition
Once you know that you're dealing with personal data, the next question is whether it is 'special category' personal data. This was previously known as 'sensitive personal data'.
Special category personal data means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and includes the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation.
Genetic data (eg a person's gene sequence) and biometric data (eg facial images or fingerprints) are new inclusions for this category.
The processing of personal data relating to criminal convictions and offences has its own provision (Article 10 GDPR), and is subject to requirements similar in strictness to those applicable to special category data (eg processing will be lawful if it is necessary for the administration of justice, or for the safeguarding of children, provided certain requirements are met).
What has changed from the previous regime?
The short answer is, not much. The GDPR definition of personal data is broadly the same as that in the old Data Protection Directive and the UK Data Protection Act. However, there are a few important additions which at the very least serve as clarifications on the existing law.
Some businesses, in particular many in the tech and retail sectors, may face additional compliance obligations due to the GDPR's express reference to 'location data', 'online identifiers', 'genetic data', and 'biometric data' (the latter two for special category personal data). Many types of cookies (in their capacity as 'online identifiers') will now explicitly be personal data.
Although the definitions are largely unchanged, businesses will need to contend with a range of new and enhanced obligations in relation to the personal data they process – which we will explore in later editions of Love Data.