Personal data: Difference between revisions

From The Jolly Contrarian
Jump to navigation Jump to search
No edit summary
No edit summary
 
(One intermediate revision by the same user not shown)
Line 4: Line 4:
“... any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”}}
“... any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”}}


This we think means that the referent needs to be able to sheet back, in your hands, to a ''specific'' individual. So a permanent or at any rate public identification number (a passport, NI or driver’s licence number) would; a car licence plate would not (the registered owner may not be the driver); a randomly generated unique identifier designed specifically to mask an individual’s identity when being processed would not be, as long as the controller did not have any means — even if separately segregated — or decrypting or reverse engineering that individuals’ details.  
This we think means that the referent needs to be able to sheet back, in your hands, to a ''specific'' individual.  
 
Recital 26 of GDPR says:
 
{{quote|
“…The principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person ''or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable''. This Regulation does not therefore concern the processing of such anonymous information, including for statistical or research purposes.”}}
 
So a permanent or at any rate, public identification number (a passport or NI number or driver’s licence) would; a randomly-generated unique identifier known only to its generator, and designed specifically to mask individuals’ identity when being processed would not be, as long as the controller processing the data did not have the means — even if separately segregated — of decrypting or reverse engineering that individuals’ details.  


In that latter case — where you hold encrypted data in one place and a key elsewhere — you have [[pseudonymised information]], and you are still in the cross-hairs for [[GDPR]].
In that latter case — where you hold encrypted data in one place and a key elsewhere — you have [[pseudonymised information]], and you are still in the cross-hairs for [[GDPR]].
Line 10: Line 17:


{{sa}}
{{sa}}
* [[Anonymised data]]
*[[Pseudonymised information]]
*[[Pseudonymised information]]

Latest revision as of 08:20, 24 June 2024

General Data Protection Regulation
Index: Click to expand:
Tell me more
Sign up for our newsletter — or just get in touch: for ½ a weekly 🍺 you get to consult JC. Ask about it here.

Personal data is defined in UK GDPR as

“... any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”

This we think means that the referent needs to be able to sheet back, in your hands, to a specific individual.

Recital 26 of GDPR says:

“…The principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable. This Regulation does not therefore concern the processing of such anonymous information, including for statistical or research purposes.”

So a permanent or at any rate, public identification number (a passport or NI number or driver’s licence) would; a randomly-generated unique identifier known only to its generator, and designed specifically to mask individuals’ identity when being processed would not be, as long as the controller processing the data did not have the means — even if separately segregated — of decrypting or reverse engineering that individuals’ details.

In that latter case — where you hold encrypted data in one place and a key elsewhere — you have pseudonymised information, and you are still in the cross-hairs for GDPR.


See also