Personal data
General Data Protection Regulation
|
Personal data is defined in UK GDPR as
“... any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
This we think means that the referent needs to be able to sheet back, in your hands, to a specific individual. So a permanent or at any rate public identification number (a passport, NI or driver’s licence number) would; a car licence plate would not (the registered owner may not be the driver); a randomly generated unique identifier designed specifically to mask an individual’s identity when being processed would not be, as long as the controller did not have any means — even if separately segregated — or decrypting or reverse engineering that individuals’ details.
In that latter case — where you hold encrypted data in one place and a key elsewhere — you have pseudonymised information, and you are still in the cross-hairs for GDPR.