Personal data

Data protection legislation applies only to personal data about a living, identifiable individual.

Personal data is data about a living individual. That living individual must be identifiable, either directly or indirectly, usually through a so-called identifier (such as name, identification number, GPS location data or online identifiers such as a computer IP address).

Directly identifiable

Directly identifiable means identifiable from the information itself, for example, a name together with an address, age, telephone number.

Indirectly identifiable

Indirectly identifiable means not identifiable from the information itself, but from the information combined with data from another easily available source.

Example 1:

Recorded research interviews together with entries in a database linking the voice recordings to names; or a student matriculation number together with the EUCLID entry linking the number to the student record.

Example 2:

You remove the identifiers from a research dataset and store them separately. This leaves you with so-called pseudonymised data, which is still personal data as you can re-link the data and the identifier at any time, enabling you to re-identify individuals.

Important for determining whether individuals are indirectly identifiable is content, context and whether a ‘motivated intruder’ would be willing to spend the time, effort and expense to attempt to identify somebody.

Example 1:

You take a photo for a brochure showing students relaxing in George Square gardens. Without your knowledge, the daughter of a celebrity is in the photo with her new boyfriend. A journalist spotting the picture and attempting to identify the boyfriend would be considered a ‘motivated intruder’ – somebody who is willing to make the effort to identify somebody.

Example 2:

You pseudonymise a dataset and send the de-identified data without the identifiers and the key to a university in London. The London university will receive anonymous data as no researcher there would be interested in making the effort to re-identify individuals, they are only interested in conducting their research.

The personal data must be held by the University either electronically or in paper format in a ‘relevant filing system’.


Special categories of personal data

Some personal data is classed as special categories of personal data. This type of data is subject to stricter regulation under data protection legislation and can only be processed under certain circumstances.

Special categories of personal data