Personal data#
Definition of personal data#
Personal data is information about living people who can be identified using the data that you are processing, either directly or indirectly. For example, a person’s name, address or other unique identifier such as their Social Security number.
“Data related to the deceased are not considered personal data in most cases under the GDPR.”
Direct identifiers#
The information would particularly include, but not limited to:
date of birth
place/city of birth
names of the parents
photograph of the face
The set of attributes would clearly be able to identify the individuals by means of their common traits (like their name, and address) and distinguishable or unique traits (like eye colour, hair colour, or height), even depending on certain contexts (like membership information).
Indirect identifiers#
Indirect identifiers could include health, economic, cultural or social characteristics. Any information that, either alone or in aggregate could allow people to identify individuals. Especially when a certain combination of these identifiers and additional ones are used to identify a person, care must be taken to manage the data properly. Additional identifiers could include information from a third party or a different source.
What does sensitive data look like and how do we deal with it?#
Particularly sensitive data include data relating to a person’s:
racial/ethnic identity
political opinions
religious/philosophical beliefs
trade union membership
genetic and biometric data
physical or mental health
sexual life or orientation
As per the design of the UK data protection, anyone responsible for using personal data is instructed to follow a set of ‘data protection principles’. They should ensure that the information is:
used fairly, lawfully and transparently
used for specified, explicit purposes
used in a way that is adequate, relevant and limited to only what is necessary
accurate and, where necessary, kept up to date
kept for no longer than is necessary
handled in a way that ensures appropriate security, including protection against unlawful or unauthorised processing, access, loss, destruction or damage
Personal data policies#
There are various policies in place in different countries to protect the rights of individuals over their personal data.
For example, in Australia personal data is regulated under the Australian Privacy Act 1988. In the European Union, the GDPR (General Data Protection Regulation) applies to the processing of personal data. Similarly, in the UK, it falls under the regulation of the UK Data Protection Act 2018, which is the UK’s implementation of the GDPR, and may be required to carry out a Data Protection Impact Assessment (DPIA) as a part of their accountability obligations.
Processing means doing anything with a person’s information, including collection, storage, analysis, sharing, deletion and destruction. To ensure that you are up to date with the requirements of managing sensitive data, please review the national/institutional policies that apply to your research. See [HCH+15] for recommended practices for sharing clinical trial data.