Personal data definition
Personal data means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. IP addresses and cookie strings are now seen as personal data and there is no distinction between personal data about individuals in their private, public or work roles.
The Data Protection regulations also have a separate category of "special" personal data, more commonly referred to as sensitive personal data. This is personal data that is afforded extra protection. See below under Sensitive Personal data. Financial data, social security numbers and child data are not protected as sensitive under the UK GDPR.
Sensitive personal data
Sensitive personal data, or special categories of personal data, are introduced under 'Personal Data' above. The following categories of data are considered sensitive under the GDPR. Explicit consent of the data subject is required for processing sensitive data unless you can rely on some other EU or Member State law. Sensitive data includes:
- A person's racial or ethnic origin
- Their political opinions
- Details of their religious or philosophical beliefs
- If they have any trade union membership
- Data concerning a person's mental or physical health
- Any information concerning their sex life or sexual orientation
- Any genetic data about that person
- Any biometric data which, when processed, can uniquely identify a person
Separately, under UK law, the recording of any information relating to any actual or alleged criminal records, convictions or activities, including court proceedings, is also considered sensitive information.