Personal data#

Definition of personal data#

Personal data is information about living people who can be identified using the data that you are processing, either directly or indirectly.
For example, a person’s name, address or other unique identifier such as their Social Security number.

“Data related to the deceased are not considered personal data in most cases under the GDPR.”

Direct identifiers#

“A person is directly identifiable if it’s possible to identify them using nothing but information (identifiers) at hand, controlled and processed, without introducing additional data from external sources (for example, first and last name).”

The information would particularly include, but not limited to:

  • date of birth

  • place/city of birth

  • names of the parents

  • photograph of the face

The set of attributes would clearly be able to identify the individuals by means of their common traits (like their name, and address) and distinguishable or unique traits (like eye colour, hair colour, or height), even depending on certain contexts (like membership information).

Indirect identifiers#

Indirect identifiers could include health, economic, cultural or social characteristics. Any information that, either alone or in aggregate could allow people to identify individuals. Especially when a certain combination of these identifiers and additional ones are used to identify a person, care must be taken to manage the data properly. Additional identifiers could include information from a third party or a different source.

What does sensitive data look like and how do we deal with it?#

Particularly sensitive data include data relating to a person’s:

  • racial/ethnic identity

  • political opinions

  • religious/philosophical beliefs

  • trade union membership

  • genetic and biometric data

  • physical or mental health

  • sexual life or orientation

As per the design of the UK data protection, anyone responsible for using personal data is instructed to follow a set of ‘data protection principles’. They should ensure that the information is:

  • used fairly, lawfully and transparently

  • used for specified, explicit purposes

  • used in a way that is adequate, relevant and limited to only what is necessary

  • accurate and, where necessary, kept up to date

  • kept for no longer than is necessary

  • handled in a way that ensures appropriate security, including protection against unlawful or unauthorised processing, access, loss, destruction or damage

Personal data policies#

There are various policies in place in different countries to protect the rights of individuals over their personal data.

For example, in Australia personal data is regulated under the Australian Privacy Act 1988. In the European Union, the GDPR (General Data Protection Regulation) applies to the processing of personal data. Similarly, in the UK, it falls under the regulation of the UK Data Protection Act 2018, which is the UK’s implementation of the GDPR, and may be required to carry out a Data Protection Impact Assessment (DPIA) as a part of their accountability obligations.

Processing means doing anything with a person’s information, including collection, storage, analysis, sharing, deletion and destruction. To ensure that you are up to date with the requirements of managing sensitive data, please review the national/institutional policies that apply to your research. See [HCH+15] for recommended practices for sharing clinical trial data.