Personal data
General Data Protection Regulation
Personal data is defined in UK GDPR as
“... any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
This, we think, means that the information needs to be traceable, in your hands, back to a specific individual.
Recital 26 of GDPR says:
“…The principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable. This Regulation does not therefore concern the processing of such anonymous information, including for statistical or research purposes.”
So a permanent or, at any rate, public identification number (a passport or NI number or driver’s licence) would be personal data; a randomly-generated unique identifier known only to its generator, and designed specifically to mask individuals’ identity when being processed, would not be, as long as the controller processing the data did not have the means (even if separately segregated) of decrypting or reverse engineering that individual’s details.
In that latter case — where you hold encrypted data in one place and a key elsewhere — you have pseudonymised information, and you are still in the cross-hairs for GDPR.