The UK's independent authority set up to uphold information rights in the public interest, encourage public bodies to be open and promote data privacy for individuals.

At a glance

  • The UK GDPR only applies to “personal data” so it is important to know what information you hold and whether it can be classed as personal data.
  • Article 4(1) defines personal data as information that relates to an identified or identifiable individual. This is more than identifying individuals. It must concern them in some way.
  • It is important to note that opinions and inferences are also personal data, and may be special category data, if they directly or indirectly relate to that individual.

In more detail

Introduction

It is important to be clear what personal data you hold and whether the UK GDPR applies to this data. 

The UK GDPR applies to: 

  • the processing of personal data wholly or partly by automated means; or
  • the processing, other than by automated means, of personal data which forms part of, or is intended to form part of, a filing system.

In other words, it applies to personal data processed, or partly processed, by computer as well as any personal data that is placed, or you intend to place, in a manual filing system. In practice, most personal data that you process will be caught by this definition.

What is personal data?

The UK GDPR Article 4(1) defines personal data as:

“any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”

In other words, if you can identify a particular individual from the information, either on its own or when put together with other information you hold, then this is personal data.

In most cases it is straightforward to establish whether you can identify an individual. The UK GDPR provides a non-exhaustive list of identifiers, including: 

  • name;
  • identification number;
  • location data; and
  • online identifier (including IP addresses and cookie identifiers).

However, there are many other possible identifiers. In the context of political campaigning, examples include but are not limited to:

  • names and addresses;
  • electoral registration numbers on both the electoral register and the marked electoral register;
  • membership names and numbers.

Where linked to identifiers the following are also likely to constitute personal data:

  • subscription and financial details;
  • dates of birth and ages (whether inferred or known);
  • attributes, opinions and characteristics (whether inferred or known);
  • propensity to vote scores; and
  • communication preferences, eg by email, text, post or phone.

What is the meaning of “relates to”?

Information must “relate to” the identifiable individual to be personal data.

This means that it does more than simply identify them – it must concern the individual in some way.

To decide whether or not data relates to an individual, you may need to consider the: 

  • content of the data (is it directly about the individual or their activities?);
  • purpose you are processing the data for; and
  • results of, or effects on, the individual from processing the data.

There are circumstances where it may be difficult to determine whether data relates to an individual. If this is the case, you should treat the information with care, ensure that you have a clear reason for processing the data and, in particular, ensure you hold and dispose of it securely.

Can opinions or inferences about people be personal data?

The definition of personal data is not restricted to factual information about an individual. Opinions and inferences are also personal data if the individual can be identified from that data, either directly or indirectly, and the information relates to that individual.

For example, if you are attaching inferences or opinions to individuals’ names or addresses then this information is very likely to be considered personal data, regardless of how certain you are that these inferences or opinions are correct.

Example

A political party makes inferences about the likely characteristics of people living in a particular polling district. The party combines this information with the names and addresses of individuals on the electoral register. They categorise individuals and give them a percentage score indicating their likelihood of supporting the party.

This is personal data. This information relates to identifiable individuals as the inferred characteristics, categories and scores are appended to individuals’ names and addresses.

Example

A political party makes inferences about the likely characteristics of people living in particular polling districts. The party is given the information for districts as a whole. It makes no attempt to attach this information to individual names or addresses. It categorises the districts and gives percentage scores indicating the likely support in each area for the party.

This is not personal data. This information does not relate to identifiable individuals as the inferred characteristics, categories and scores are appended to broad areas.

Recommendations

  1. If you make inferences about people living in a particular area, you should do this in a way that avoids processing personal data where possible. For example, use as large a mapping area as possible to cover more properties or households, and use formats such as heat maps. These approaches provide an overview without processing personal data that allows the inference of detailed information about a particular place or person. However, even if you are not processing personal data, you should assess the risks of processing such information, especially if it could be particularly sensitive, such as inferred ethnicity or religious beliefs.
  2. You should fully assess the risks when developing or purchasing software that makes inferences about people in an aggregated form. You should assess carefully whether this software processes personal data or adds special category data. If it does, you need to assess the necessity of processing this personal data and fully comply with data protection law.

Further reading

For more information on the definition of personal data, see the Guide to the UK GDPR.