Awdurdod annibynnol y Deyrnas Unedig a sefydlwyd i gynnal hawliau gwybodaeth er budd y cyhoedd, annog cyrff cyhoeddus i fod yn agored a hybu preifatrwydd data i unigolion.

In detail

How do we directly identify someone?

If you are able to identify an individual solely from the information that you are processing, the information may be personal data. In some instances, it will be clear that an individual is directly identifiable.

Example

It will be obvious that an individual is directly identifiable, for example if you hold their name and address.

Mr Isaac Wright
Information Avenue
Nowhere
DP9 8UK

A corporate email address can directly identify the individual (as it is a unique identifier), as well as providing further information about the individual (ie where they work).

Example

johnsmith@example.com

From this, you can learn that an individual named John Smith works at the company ‘Example’.

What if we don’t know the individual’s name?

You do not need to hold an individual’s name in order to identify them. If you hold any identifier, or combination of identifiers, this can be sufficient to identify a single individual. An individual is also identifiable if you are able to distinguish that individual from other members of a group.

Example

The elderly man who lives at number 15 Purple Street and drives a Porsche Cayenne.

Example

A description of an individual may be personal data if it is processed in connection with a neighbourhood watch scheme, for the purpose of identifying an individual as a potential witness to an incident.

Example

Megan Smith’s foster mum, from Year 4 at Broomfield Junior School.

Further reading

The European Data Protection Board (EDPB), which has replaced the Article 29 Working Party (WP29), includes representatives from the data protection authorities of each EU member state. It adopts guidelines for complying with the requirements of the GDPR. EDPB guidelines will no longer be directly relevant to the UK regime and will not be binding under the UK regime. However, they may still provide helpful guidance on certain issues.

Article 29 Working Party Opinion 4/2007 on the concept of personal data WP136