Data Protection


Personal Data Overview

The data we are protecting is related to people, there are different levels of sensitivity each requiring it to be handled accordingly.


Definition of personal data

Personal data meaning any information relating to an identified or identifiable person.

This definition means a wide range of personal identifiers would constitute personal data, including name, identification number, location data or online identities. This reflects changes in technology and the way organisations collect information about people.

It applies to both personal data held electronically and in manual filing systems. This could include chronologically ordered sets of manual records containing personal data and email.

Personal data that has been pseudonymised – eg key-coded – falls within the scope of the GDPR.

Categories of data

As defined by data protection legislation.

Personal data

Information that relates to an individual. That individual must be identified or identifiable either directly or indirectly from one or more identifiers or from factors specific to the individual. 

Pseudonymised data

Pseudonymisation is a technique that replaces or removes information in a data set that identifies an individual. 

Pseudonymising personal data can reduce the risks to the data subjects and help you meet your data protection obligations.  But it is effectively only a security measure. It does not change the status of the data as personal data.

Anonymous data

Anonymised data which does not relate to an identified or identifiable natural person or personal data that has been rendered anonymous in such a manner that the data subject is not or no longer identifiable. 

Special category perosnal data (sensitive)

This is personal data about an individual’s: race; ethnic origin; political opinions; religious or philosophical beliefs; trade union membership; genetic data; biometric data (where this is used for identification purposes); health data; sex life; or sexual orientation.  It is data that is seen as being particularly sensitive and that needs to be processed by organisations with extra care and attention 

Personal data relating to criminal convictions and offences are not included, but similar extra safeguards apply to its processing. 

Special category data: criminal records, children and vulnerable adults

These types of data warrant a higher degree of sensitivity when handling.

  • Special category personal data: children and vulnerable adults 
    • Vulnerable adults: individuals, who for whatever reason, may find it difficult to understand how their information is used.  
  • Special category perosnal data: criminal records & DBS checks 
    • This type of data warrants a higher degree of sensitivity when processing.  

Special category personal data

Sensitive personal data is known as “special categories of personal data” and it is data that is seen as being particularly sensitive and that needs to be processed by organisations with extra care and attention.

The special categories specifically include health, trade union membership, ethnic origin, religious / philosophical belief, sexual orientation, genetic data, and biometric data where processed to uniquely identify an individual.

Personal data relating to criminal convictions and offences are not included, but similar extra safeguards apply to its processing.

Determining the lawful basis for processing

When you are processing personal data, you must establish your ‘lawful basis to do so’.

Please be aware that you need a lawful basis for processing each of the data categories i.e. 'a lawful basis' to process 'personal data' and a separate lawful basis to process 'special category' data (these can sometimes be the same lawful basis).

To help you find your lawful basis, please read our guidance here

Holding personal data no longer than necessary

What to do when you have identified data that you no longer require.

You should undertake the following steps:

  • Document the location of the data.
  • Document a summary of the data for your records.
  • Undertake an exercise to try to identify if there are any other copies of the data elsewhere e.g. have any copies been made by other members of your team/department?
  • Document where any copies are, and then await further guidance.

We are not advising staff to delete data at this stage. The programme is in an investigation phase and we are looking to identify the areas where data is held. Once this stage has completed we will establish processes for cataloguing data and for the secure deletion of data that is not required. This is to ensure that we have a record of what has been deleted.