Our local data protection law regularly refers to the term ‘personal data,’ also commonly referred to as ‘personal information’ but do you know exactly what that means?
The following guidance from the Jersey Office of the Information Commissioner (JOIC), explains.
What is ‘Personal Information’?
The Data Protection (Jersey) Law 2018 (DPJL) applies to ‘personal data’ meaning any information relating to an identifiable, natural, living person who can be directly or indirectly identified in particular by reference to an identifier (the ‘data subject’).
This definition provides for a wide range of personal identifiers to constitute personal data, including name, identification number, location data or online identifier, reflecting changes in technology and the way organisations collect information about people.
The DPJL applies to both automated personal data and to manual filing systems where personal data are accessible according to specific criteria. This could include chronologically ordered sets of manual records containing personal data.
Personal data that has been pseudonymised – e.g. key-coded – can fall within the scope of the Law depending on how difficult it is to attribute the pseudonym to a particular individual.
By reference to (but not limited to) an identifier such as:
- A name, an identification number or location data;
- An online identifier;
- One or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the person;
- ‘Identifier’ means a number or code assigned to an individual by a controller or processor (organisation/charity etc.) for the purposes of its operations that uniquely identifies the individual and can include location data.
What to take into account when deciding whether the person is identified or identifiable
This means reasonably likely to be used by the controller or another person to identify the person, take into account factors such as the cost and amount of time required for identification in light of the available technology at the time of processing and technological factors.
Whether the personal data, despite pseudonymization, is capable of being attributed to that person by the use of information other than that kept separately for the purposes of pseudonymization.
Personal information may fall into a category called ‘special category data’
Special category data is personal data which the DPJL states is more sensitive, and so needs more protection. In particular, this type of data could create more significant risks to a person’s fundamental rights and freedoms if it is lost. For example, by putting them at risk of unlawful discrimination.
The types of personal information/personal data subject to additional protection under the DPJL, are listed under Article 1 of the DPJL:
- Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership;
- Genetic or biometric data that is processed for the purpose of uniquely identifying a natural person;
- Data concerning health;
- Data concerning a natural person’s sex life or sexual orientation; or
- Data relating to a natural person’s criminal record or alleged criminal activity.
See the JOIC’s What is Special Category Data for further information.
Personal information/personal data means information that;
- Is being processed by means of equipment operating automatically in response to instructions given for the purpose.
- Is recorded with the intention that it should be processed by means of such equipment;
- Is recorded as part of a filing system or with the intention that it should form part of a filing system.
Need further guidance? The JOIC’s website is packed with a wealth of data protection resources for organisations.
