Personal data has no easy, clear-cut legal definition. The definition set out in the Data Protection Act 1998, enacted following European legislation in the form of Directive 95/46/EC, leaves businesses and their advisers dealing with a significant amount of uncertainty.
“Personal data” are defined in the 1998 Act as:
… data which relate to a living individual who can be identified – (a) from those data, or (b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller, and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.
In short, any information which can be used to identify an individual constitutes personal data. For example, a list of customer names and addresses will count as personal data, as may a database of customer email addresses.
The broad-brush approach of the 1998 Act has proven troublesome to businesses, as they are subject to legal obligations in relation to a wider range of personal data than a common-sense view might suggest.
To use a simple example, “The most recent customer is called Patrick Smith, who has red hair and lives at 54 Evergreen Terrace” is personal data which clearly identifies Patrick. “The most recent customer does not have brown, blonde or dark hair and lives on Evergreen Terrace” should also be considered to be personal data as it is possible that, using this information, one could ascertain the identity of Patrick.
Incomplete data on individuals may still count as personal data. For instance, should a company have a list of reference numbers for individuals which correspond to a list of information cards relating to customers, then the reference numbers (although not on the face of it overtly personal) will be personal data.
A distinction can be drawn between personal data and sensitive personal data, a leak of the latter being much more serious. Sensitive personal data includes data relating to a person’s race, sexuality, health, criminal record or affiliations (such as political persuasion or trade union membership).
Often, we think of personal data as data belonging to customers. But the definition does not only apply to customers; it extends to all individuals including employees. Should a record be kept by an employer of their employees’ performance, this will amount to personal data, as will any record of what is intended for them. As a general rule, and unless advised otherwise by a lawyer or other data protection professional, businesses should assume that any information relating to individuals may be considered personal data by the law, and treat it accordingly.