The ICO exists to empower you through information.

In detail

What is identifiability?

If you can distinguish an individual from other individuals, then that person is ‘identified’ or is ‘identifiable’. Often an individual’s name together with some other information will be sufficient to identify them.

A name is perhaps the most common means of identifying someone. However, whether any potential identifier, including a name, actually identifies an individual depends on the context.

By itself, the name ‘John Smith’ may not always be personal data because there are many individuals with that name. However, if the name is combined with other information (such as an address, a place of work, or a telephone number) this is often sufficient to clearly identify one individual.

Example

‘John Smith, who works at the Post Office in Wilmslow.’

This may normally be enough information to directly identify an individual. However, if it is a common name and there is more than one John Smith who work at this organisation, you would need further details to directly identify them, such as:

‘John Smith with blonde hair and green eyes with a tattoo on his right arm, who works at the Post Office in Wilmslow.’

This additional information helps to single out that particular individual.

What information can be an identifier?

The UK GDPR provides a non-exhaustive list of common identifiers that, when used, may allow the identification of the individual to whom the information in question may relate. These identifiers include:

  • name;
  • identification number;
  • location data; and
  • an online identifier.

What are online identifiers?

The UK GDPR specifically includes the term ‘online identifiers’ within the definition of what constitutes personal data.

These may include information relating to the device that an individual is using, applications, tools or protocols. A non-exhaustive list is included in Recital 30:

  • internet protocol (IP) addresses;
  • cookie identifiers; and
  • other identifiers such as radio frequency identification (RFID) tags.

Other examples of online identifiers that may be personal data include:

  • MAC addresses;
  • advertising IDs;
  • pixel tags;
  • account handles; and
  • device fingerprints.

The use of these may leave traces which, when combined with unique identifiers and other information received by servers, may be used to create profiles of individuals and identify them.

When assessing if an individual is identifiable, you must consider whether online identifiers, on their own or in combination with other information that may be available to those processing the data, may be used to distinguish one user from another, possibly by the creation of profiles of the individuals to identify them.

This may be either as a named individual or simply as a unique user of electronic communications and other internet services who may be distinguished from other users.

Example

Using cookies or similar technologies to track an individual across websites involves the processing of personal data if this tracking involves online identifiers that are used to create a profile of the individual.

Example

Using facial recognition for the purpose of uniquely identifying an individual involves processing special categories of personal data.

In this context, facial recognition techniques record the unique features of an individual’s face in order to distinguish one person from another. This is then linked to a specific individual and stored for reference for future comparison in identification, authentication and/or verification.

Example

An individual’s social media ‘handle’ or username, which may seem anonymous or nonsensical, is still sufficient to identify them as it uniquely identifies that individual. The username is personal data if it distinguishes one individual from another regardless of whether it is possible to link the ‘online’ identity with a ‘real world’ named individual.

What else can identify an individual?

The UK GDPR makes it clear that other factors can identify an individual. These include:

“…one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.

These sorts of characteristics can help to uniquely identify a particular individual as they tell you something about them.

What if we are still unsure if information is personal data?

There will be circumstances where it remains uncertain whether particular data is personal data. If this is the case we consider that, as a matter of good practice, you should still treat the information collected as though it is personal data. You still need to protect information because of the risk that otherwise someone may, with greater or lesser certainty, be able to infer something about a particular individual. For example if it was published and combined with information held by other organisations. In some cases the information will be personal data and the UK GDPR will apply to it. In particular you should:

  • keep the information secure;
  • protect it from inappropriate disclosure;
  • be open about how you are collecting the information ; and
  • ensure that you are justified in any processing.

Further reading

The European Data Protection Board (EDPB), which has replaced the Article 29 Working Party (WP29), includes representatives from the data protection authorities of each EU member state. It adopts guidelines for complying with the requirements of the GDPR. EDPB guidelines will no longer be directly relevant to the UK regime and will not be binding under the UK regime. However, they may still provide helpful guidance on certain issues.

Article 29 Working Party Opinion 4/2007 on the concept of personal data WP136