Data Protection Animation Series: What is personal data?
It's important to be able to recognise how your organisation collects and uses personal data. This is because you have responsibilities for how you handle any personal data under data protection laws.
Personal data is defined as any information relating to an identified or identifiable living person.
In simpler terms, this means any information about a person where it would be possible to know or to find out who that person is—in other words, they are distinct from the crowd. If you want a more detailed guide, the Information Commissioner's Office has it.
Information can be personally identifiable even if the obvious identifiers, such as names and addresses, are not included.
Context is often important. For example, if you are a small community group and the information held about people includes only a date of birth, it could be personal data if there is a reasonable chance that someone would be able to identify that person—either by knowing who they are or being able to find out—especially if the pool of potential people is limited by an outside factor such as the geographical area you operate in.
There are many possible types of personal data—from people's names and contact information, to details of their physical characteristics, health, relations to family members and more. This might be information they've given to you, or it might be information that you've generated about them, such as their attendance at events.
This 'information' doesn't just cover data kept in electronic form. It can cover all pieces of personal data wherever and however it is kept—emails, spreadsheets, databases, photographs, video, and information kept in paper filing systems or rolodex—can all contain personal data.
The people you hold data on might include the people who use your services (including children and their parents), your trustees, members, staff and volunteers, and other people who you engage with. These people can be referred to as data subjects when talking about data protection.
Because this is information is about people, their right to privacy depends on it being kept safe and handled responsibly.
Data protection laws—the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA)—govern the use of personal data by organisations. Charities and even very small, volunteer-led clubs are no exception to this and will need to consider how their use of data complies with these laws.
If you are the organisation responsible for deciding how this data is collected or used, then you are known as the controller of this personal data. Controllers must ensure that this data is handled in line with the data protection principles and the other requirements outlined in the GDPR and DPA.
This hopefully helps you to understand what personal data is. The next step is to think about what personal data you collect and use, and keep a record of what you do with this data.
NICVA's Data Protection Toolkit contains some handy guidance on how to document what you do with this personal data.
We'll be launching a new animation each of the next four months on a different data protection topic. Stay tuned to this blog and NICVA Enews for more!