topic Re: GDPR - What is considered personal data? in Privacy

GDPR - What is considered personal data?

Francois1208 — Sun, 25 Feb 2018 17:49:02 GMT

Hi community,

I have a very practical question: Since the regulation defines personal data as “Any information relating to an identified or identifiable natural person…”, does it mean first + last name is considered personal data? Historically we identified PII as a combination of several elements like name + address or name + social. If first + last is indeed considered personal information under GDPR the impact is much more significant so we want to make sure we're addressing it appropriately.

I haven't been able to get a straight answer yet so I figured someone here might be able to help.

Thanks!

Re: GDPR - What is considered personal data?

Caute_cautim — Sun, 25 Feb 2018 18:42:24 GMT

First of all it must belong to a living entity, not a deceased one.

"Any information relating to an identified or identifiable living natural person (data subject)."

A data subject is defined as the individual whose data is being collected and can be identified from the data.

Does this answer your question?

Re: GDPR - What is considered personal data?

Caute_cautim — Sun, 25 Feb 2018 18:46:16 GMT

So out of the data available, that you hold - can you identify the person, from the information you hold i.e. can you identify their activity by location (GPS), by IP address and/or MAC address; bio metric data, DNA or by association with their abode i.e. address, bank numbers, social number etc etc.

All of these, could identify that living person.

Re: GDPR - What is considered personal data?

sminkmar — Sun, 25 Feb 2018 19:39:06 GMT

Suggest you have a look the EU's independent data protection authority's website for a definition: https://edps.europa.eu/node/3110#personal_data

They give examples too:

"The name and the social security number are two examples of personal data which relate directly to a person. But the definition also extends further and also encompasses for instance e-mail addresses and the office phone number of an employee. Other examples of personal data can be found in information on physical disabilities, in medical records and in an employee's evaluation."

Recently attended a session hosted by the deputy EU data protection supervisor where they even stated IP addressed may be considered personal data. Might make sense to keep an eye on their website as they promised to come up with guidance documents.

Re: GDPR - What is considered personal data?

Caute_cautim — Sun, 25 Feb 2018 19:33:30 GMT

Good point: I am seeing so many different interpretations of the facts - we should always go back to the original source for the true facts.

Re: GDPR - What is considered personal data?

Caute_cautim — Sun, 25 Feb 2018 19:35:54 GMT

Well given that there was a European Court case, which was upheld on the very fact that IP addresses and/or Mac Addresses could identify the activity of the individual involved - then this is also the stance taken by my organisation as well. However, only the lawyers, who are obviously waiting for the 25th May 2018 to delivery their lawsuits and challenges will this be tested fully.

Re: GDPR - What is considered personal data?

sminkmar — Sun, 25 Feb 2018 19:44:31 GMT

And it goes further than "just" IP addresses. Imagine you have an outsourcing center (helpdesk, customer support, etc) somewhere in Asia (India, Phils, you name it). Seemed to be sort of an issue if data is shared (and if it was via screen only) with those folks.

Re: GDPR - What is considered personal data?

Caute_cautim — Sun, 25 Feb 2018 19:54:10 GMT

Yes, the Data Processor - A person or body acting on behalf of the data controllers to store or process the data.

I know, every contract has to be reviewed, from a risk management perspective, and agreed with the clients and appropriate Technical & Organisational Measures (TOMs) have to be agreed and put in place.

Re: GDPR - What is considered personal data?

Caute_cautim — Sun, 25 Feb 2018 19:58:35 GMT

https://www.irishtimes.com/business/technology/european-court-of-justice-rules-ip-addresses-are-personal-data-1.2835704

@Caute_cautim wrote:
Well given that there was a European Court case, which was upheld on the very fact that IP addresses and/or Mac Addresses could identify the activity of the individual involved - then this is also the stance taken by my organisation as well. However, only the lawyers, who are obviously waiting for the 25th May 2018 to delivery their lawsuits and challenges will this be tested fully.

Re: GDPR - What is considered personal data?

Witheaaxw — Sun, 25 Feb 2018 20:23:33 GMT

There is a really good paper on this on the ICO (Information Commissioners Office) web site in the UK with lots of examples https://ico.org.uk/media/for-organisations/documents/1554/determining-what-is-personal-data.pdf . It builds up the scenarios really well - ultimately you have to make a sensible decision. For me it boils down to some simple questions:

- Is it an organised electronic or paper store

- can identify a living person (or use identifiers to get to that living individual e.g. IP address)

- the attributes and information that relate to that living person are personal information.

Re: GDPR - What is considered personal data?

Francois1208 — Sun, 25 Feb 2018 20:23:49 GMT

Thanks for the replies. So it sounds like having someone's first and last name could be considered personal data if I can identify who that person really is. For example there could be many John Smith at my company but I wouldn't consider that personal information if I don't have anything else to say who it is (e.g. phone #, employee ID, job title, etc.). Conversely if the name is unique then I should assume it is considered personal (assuming I'm just talking within the boundaries of my companies information systems).

Re: GDPR - What is considered personal data?

Francois1208 — Sun, 25 Feb 2018 20:28:06 GMT

That's great - just what I was looking for. Now the next question is how does what the ICO says hold true in regards to European regulations? Can we assume they all have the same definitions and views?

Re: GDPR - What is considered personal data?

Witheaaxw — Sun, 25 Feb 2018 20:30:16 GMT

It depends.

If your only information is "John Smith" who lives in London there are probably many 1000's so not PI.

If you say "John Smith" in my company where there are just 5 of them then probably PI, especially if you add with other information (age, job title, department etc).

Re: GDPR - What is considered personal data?

Witheaaxw — Sun, 25 Feb 2018 20:46:28 GMT

Yes, the GDPR was introduced to standardise the approach across the EEA - as the DPA directive went off in many different directions in each state (or region in the case of Germany). It comes into force on 25 May 2018. That said, there will be a period of adaption. There is scope for some limited divergence (but it is miniscule). What is missing is people that can apply the rules in a sensible, practical, risk based manner.

The GDPR quickly gets us into the IT Security realm and here the legislation is not a lot of help other than calling out for 'appropriate organisation and technical standards' - which is where the CISSP is incredibly helpful as a starter.

The challenge is for someone to put a practical slant on all the specialists (Data Protection Officer, Security Officer, Lawyer, IT professionals, Business User, Compliance (in Financial Services), Risk (in Financial Services), internal/external audit etc.). You get the challenge.

Slight challenge because the UK is (probably) leaving the EU. Nevertheless, the draft new DPA Bill seeks to implement the GDPR in full and deal with some of the gaps.

Re: GDPR - What is considered personal data?

Early_Adopter — Mon, 26 Feb 2018 02:31:43 GMT

Firstly, IANAL, so this is not legal advice, secondly 'Personal Data' is not equal to 'PII', and it sounds like you have the correct definition, which is broad and needs to be interpreted by your legal counsel.

First name plus last name is most definitely personal data, and you must have a contract or other legal grounds or consent to process this data. Though as NIST SP 800-122 has the following in its definition of PII:

'Name, such as full name, maiden name, mother‘s maiden name, or alias'

You might want to have them look at PII as well. You can certainly distinguish with a full name, and if not too common tracing is also quite easy.

Here's probably the best definition out there for a native English speaker:

What information does the GDPR apply to?

Personal data

The GDPR applies to ‘personal data’ meaning any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier.
This definition provides for a wide range of personal identifiers to constitute personal data, including name, identification number, location data or online identifier, reflecting changes in technology and the way organisations collect information about people.
The GDPR applies to both automated personal data and to manual filing systems where personal data are accessible according to specific criteria. This could include chronologically ordered sets of manual records containing personal data.
Personal data that has been pseudonymised – eg key-coded – can fall within the scope of the GDPR depending on how difficult it is to attribute the pseudonym to a particular individual.

Sensitive personal data

The GDPR refers to sensitive personal data as “special categories of personal data” (see Article 9).
The special categories specifically include genetic data, and biometric data where processed to uniquely identify an individual.
Personal data relating to criminal convictions and offences are not included, but similar extra safeguards apply to its processing (see Article 10).

https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/key-definitions/

Hope this helps.

Re: GDPR - What is considered personal data?

Early_Adopter — Mon, 26 Feb 2018 03:03:43 GMT

Just realized there's a huge flash to bang on my post - sorry for being behind the curve.

John Smith is a name, therefore is personal data and by the GDPR can't be processed without the contract, other legal means such as John Smith explicitly giving his consent.

On the question of the UK leaving the EU, if it doesn't get adequacy as a third country under the GDPR it's pretty much game over for large sections of the UK's information economy. End state I would say is UK is bound to uphold the GDPR but has no say in subsequent revisions.

Re: GDPR - What is considered personal data?

Bhuwnesh — Mon, 26 Feb 2018 03:06:32 GMT

The personal data is something which help define/identify your identity and personal belonging. It may be anything like your health data , bank data, Name and age etc.

Re: GDPR - What is considered personal data?

arifhussain — Mon, 26 Feb 2018 03:28:14 GMT

Hi,

With only First name + Last name , the person can't be said as uniquely identified. As there might be many people with same name and surname. It has to be combined with some other information like address, ID number etc.

The real question is " If any european citizen travelling to another country and visited an hospital. Does the hospital be liable to protect european citizen health related data" ?

Lot many questions and scenarios require clarity, but GDPR is really good initiative.

Regards,

Arif

Re: GDPR - What is considered personal data?

Bhuwnesh — Mon, 26 Feb 2018 03:39:35 GMT

I got it first time 🙂 its your identity status 🙂 like I said . your name itself is not your identity. Its always a combination of many things . A name can belong to many people but the identifiable make it unique . Like your name + sir name +gender + status etc .

The GDPR is a European standards not to rest of the world. If you travel to other country and share your data then they have to protect your data as per local regulations/standards until unless you/others make a agreement for European GDPR.

Re: GDPR - What is considered personal data?

Caute_cautim — Mon, 26 Feb 2018 04:00:42 GMT

Just some small points, yes, it is a European Law, but it is not just about identifying individuals, it also affects all companies who are conducting business and services with European entities. Example: A New Zealand Bank who has outlets in Europe, would employ European citizens for instance, so they would have to deal with this legislation as well.

The implications are far wider, then you think, it is not just European bound.

It will affect organisations such as Google, Facebook and many others offering services around the world.