Personal data

Personal information is a concept in data protection law, meaning information relating to an individual. There however different definitions in the UK and EU.

UK Definition

The UK Data Protection Act says that personal data is:

“personal data” means data which relate to a living individual who can be identified—
(a) from those data, or
(b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller,
and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual;[1]

Additionally the Durant case has been throught to blur the definition even further, by inotrudcing a so-called "focus" test (that is, to ask if the individual is the "focus" of the data).[2]

European definition

The Data Protection Directive on the other hand states that personal data is

(a) 'personal data' shall mean any information relating to an identified or identifiable natural person ('data subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity;[3]

Less rights in the UK

The main consequence of the differing definitions is that it is possible in the UK to argue that a data set that clearly relates to an individual is not "personal data" and therefore not subject to data protection rights.

For instance, if your journey details are held on an electronic travel card, but no part of the data set identifies you, because you have not given the database company your name or address, then UK law may not consider this data as "personal data". You would then not have the same rights for the data to be corrected, deleted; or to access the data yourself.

Online profiling and "personal data"

Companies who are engaged in online profiling in the UK argue that these profiles are not personal data, as defined in the UK. These profiles are often created for behavioural advertising.

One result of this has been to tighten up the E-Privacy Directive to create a model of consent for non-esssential cookies.

References