Personal data only includes information relating to living natural persons who: can be identified or who are identifiable, directly from the information in question; or who can be indirectly identified from that information in combination with other information. Personal data may also include special categories of personal data or criminal conviction and offences data. These are considered to be more sensitive and you may only process them in more limited circumstances.
Information about a deceased person does not constitute personal data and therefore is not subject to any of the Data Protection Laws we talk about.
Information about companies or public authorities is not personal data.
However, information about individuals acting as sole traders, employees, partners and company directors where they are individually identifiable and the information relates to them as an individual may constitute personal data.In your company you are likely to be processing personal data of customers, other staff members and possibly that of suppliers.
An employee submits a holiday request form, this would be classified as Personal Data, so as soon as another member of the team deals with the request, either by writing on the form to approve or otherwise, or complete it on an electronic system, this is processing.
As mentioned above personal data is considered information that can identify an individual and distinguish them from other individuals.
A name is perhaps the most common means of identifying someone.
However, the law states that, sometimes individuals can be identified by combining different information such as employee number, initials and shift rota. So personal data doesn’t have to immediately identify someone.
The Laws provides examples of what might be considered ‘personal data’, including:
It is important to be aware that information you hold may indirectly identify an individual and therefore could constitute personal data.
Even if you may need additional information to be able to identify someone, they may still be identifiable.That additional information may be information you already hold, or it may be information that you need to obtain from another source.
A lot of organisations use ‘unique reference numbers’ (URN) to identify customers. if you had a Spreadsheet with a list of URN’s and next to each was personal information, such as date of birth, billing address etc, but without the name, there is no identification of an individual. If the manager had the ‘Key’ to the URN’s, so he could see what URN related to a name, no matter where in the world this key is, as long as the data can be changed to identify an individual, it will be personal data. If there was no ‘Key’ and absolutely no way of identifying an individual from the URN, it is not personal data.