Personal Data Overview

The data we are protecting relates to people. It has different levels of sensitivity, and each level must be handled accordingly.

Definition of personal data

Personal data means any information relating to an identified or identifiable person.

This definition means a wide range of personal identifiers would constitute personal data, including name, identification number, location data or online identities. This reflects changes in technology and the way organisations collect information about people.

It applies to both personal data held electronically and in manual filing systems. This could include chronologically ordered sets of manual records containing personal data and email.

Personal data that has been pseudonymised – e.g. key-coded – falls within the scope of the UK GDPR, with added emphasis on ensuring robust pseudonymisation techniques to enhance data security.

Categories of data

As defined by data protection legislation.

Personal data

Information that relates to an individual. That individual must be identified or identifiable either directly or indirectly from one or more identifiers or from factors specific to the individual. 

Pseudonymised data

Pseudonymisation is a technique that replaces or removes information in a data set that identifies an individual. 

Pseudonymising personal data can reduce the risks to the data subjects and help you meet your data protection obligations. But it is effectively only a security measure. It does not change the status of the data as personal data. There is an emphasis on using advanced pseudonymisation techniques to further protect data subjects.

Anonymous data

Anonymous data is data which does not relate to an identified or identifiable natural person, or personal data that has been rendered anonymous in such a manner that the data subject is not or no longer identifiable. It is important to ensure that data is truly anonymised and cannot be re-identified.

Special category personal data (sensitive)

This is personal data about an individual’s: race; ethnic origin; political opinions; religious or philosophical beliefs; trade union membership; genetic data; biometric data (where this is used for identification purposes); health data; sex life; or sexual orientation.  It is data that is seen as being particularly sensitive and that needs to be processed by organisations with extra care and attention.

Personal data relating to criminal convictions and offences is not included, but similar extra safeguards apply to its processing. Additional guidelines have been introduced for handling data related to criminal convictions, children, and vulnerable adults, ensuring higher protection standards.

Special category data: criminal records, children and vulnerable adults

These types of data warrant a higher degree of sensitivity when handling.

  • Special category personal data: children and vulnerable adults
    • Vulnerable adults: individuals who, for whatever reason, may find it difficult to understand how their information is used.
  • Special category personal data: criminal records & DBS checks
    • This type of data warrants a higher degree of sensitivity when processing.

Special category personal data

Sensitive personal data is known as “special categories of personal data” and it is data that is seen as being particularly sensitive and that needs to be processed by organisations with extra care and attention.

The special categories specifically include health, trade union membership, ethnic origin, religious / philosophical belief, sexual orientation, genetic data, and biometric data where processed to uniquely identify an individual.

Personal data relating to criminal convictions and offences is not included, but similar extra safeguards apply to its processing.

Determining the lawful basis for processing

When you are processing personal data, you must establish your ‘lawful basis to do so’.

Please be aware that you need a lawful basis for processing each of the data categories, i.e. a lawful basis to process 'personal data' and a separate lawful basis to process 'special category' data (these can sometimes be the same lawful basis).

To help you find your lawful basis, please read our guidance here. There is now more detailed guidance on how to determine the appropriate lawful basis for different types of data processing activities. 

Holding personal data no longer than necessary

What to do when you have identified data that you no longer require.

When you identify personal data that you no longer require, it's important to handle it properly to comply with data protection regulations like the UK GDPR. Here are the steps you should follow:

Steps to Handle Unnecessary Personal Data

Review Data Retention Policies: Ensure you refer to the UCL data retention policy that outlines how long different types of data should be kept. Policies are updated to reflect new regulatory requirements and best practices.

Data Minimisation: Only keep the data that is absolutely necessary for your operations. Regularly review and audit your data to identify any that is no longer needed. There is continued emphasis on keeping only necessary data and regularly reviewing data holdings.

Secure Deletion: When data is no longer required, it should be securely deleted. This means ensuring that the data cannot be recovered. Use appropriate tools and methods for secure deletion. The emphasis is on enhanced methods and tools for secure deletion of data, ensuring it cannot be recovered.

De-identification: If complete deletion is not possible or practical, consider de-identifying the data. This involves removing or altering information that could identify individuals. Consider more advanced techniques for de-identifying data when deletion is not possible.

Documentation: Keep records of the data deletion or de-identification process. This documentation can be useful for demonstrating compliance with data protection regulations. There is an increased focus on maintaining detailed records of data deletion and de-identification processes.

Regular Audits: Conduct regular audits to ensure that data retention and deletion practices are being followed correctly. This means more frequent and thorough audits to ensure compliance with data retention and deletion practices.

By following these steps, you can ensure that you handle personal data responsibly and in compliance with relevant regulations.
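The key-coding mentioned under "Pseudonymised data" and the de-identification step above, as an added Python example (not UCL's own code or tooling): direct identifiers are replaced with an HMAC-SHA256 key code, and anyone holding the key can link rows back to a person, which is why the result remains personal data. The field names, sample records, function names and the 16-character code length are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Assumption: these fields are the direct identifiers in this constructed data set.
DIRECT_IDENTIFIERS = ("name", "email")


def normalise(value: str) -> bytes:
    return value.strip().lower().encode("utf-8")


def key_code(value: str, key: bytes) -> str:
    """Keyed pseudonym (HMAC-SHA256): stable per person, not recomputable without the key."""
    return hmac.new(key, normalise(value), hashlib.sha256).hexdigest()[:16]


def unkeyed_code(value: str) -> str:
    """Weak variant for comparison: a plain hash anyone can recompute from a guessed email."""
    return hashlib.sha256(normalise(value)).hexdigest()[:16]


def pseudonymise(records, key, id_field="email"):
    """Return copies of the records with direct identifiers replaced by a key code."""
    coded = []
    for rec in records:
        row = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        row["subject_code"] = key_code(rec[id_field], key)
        coded.append(row)
    return coded


def relink(identifier, coded, key):
    """The key holder can find a person's rows again, so the data is still personal data."""
    code = key_code(identifier, key)
    return [row for row in coded if row["subject_code"] == code]


# Constructed sample records, not real people.
SAMPLE = [
    {"name": "Alex Example", "email": "alex@example.org", "visit": "2024-01-10", "outcome": "A"},
    {"name": "Sam Sample", "email": "sam@example.org", "visit": "2024-01-11", "outcome": "B"},
    {"name": "Alex Example", "email": " Alex@Example.org", "visit": "2024-02-02", "outcome": "C"},
]

if __name__ == "__main__":
    key = secrets.token_bytes(32)  # keep separately from the coded data, access restricted
    coded = pseudonymise(SAMPLE, key)
    print(coded)
    print("key holder relinks:", len(relink("alex@example.org", coded, key)), "rows")
    print("without the key:", len(relink("alex@example.org", coded, secrets.token_bytes(32))), "rows")
```

The fields left in each row (visit dates, outcomes) can still single someone out in combination, so the coded output needs the same access controls and retention review as the source data.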