What is personal data and specific (sensitive) personal data?
Definition of personal data
The processing of personal data often raises questions about what counts as personal data and as specific (sensitive) personal data. This text approaches these questions from the perspective of the General Data Protection Regulation.
According to Article 4 of the EU General Data Protection Regulation, personal data ‘means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person’.
The data archive divides material containing personal data into three groups:
- Materials containing direct identifiers (or immediate identifiers)
- Materials containing strong indirect identifiers
- Materials containing indirect identifiers
Direct identifiers for individuals
Direct identifiers are those that can be used to identify a person directly. These include, for instance, the following:
- Social security number
- Photograph including the person’s face
- Biometric identifiers (e.g. fingerprint, iris)
- Name-specific email address
Strong indirect identifiers of individuals
A strong indirect identifier refers to an identifier which allows a limited number of individuals to identify a person unambiguously. Strong indirect identifiers include for instance the following:
- Bank account number (bank employees can unambiguously identify the person)
- Computer IP address (people monitoring the network can use the IP address to determine to whom the computer belongs)
- Student number (the student number allows an employee to determine the student’s identity)
- Various customer numbers
- Phone number
- Vehicle registration number
- Postal address
- Unusual professional title
- Position that a single person may hold at a time (e.g. President of an association)
- Rare disease
Indirect identifiers
An indirect identifier is a piece of information that is not sufficient to identify a person on its own, but indirect identifiers can typically be combined to identify a person. Handling them therefore involves the processing of personal data. For instance, by combining a person’s place of residence, age, gender and occupation, it may be possible to identify the person. There are plenty of indirect identifiers, for instance:
- Age, sex, ethnic background
- Income, household size, marital status
- Municipality of residence, postal code
- Birth date, date of death, time of the incident
- Profession, workplace contact information, employer
When processing personal data, it should be noted that in smaller environments (e.g. at the workplace) a person’s age alone may reveal who is concerned. In this case, the indirect identifiers are the workplace and age.
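The combination effect described above, as an added example that is not part of the original text: it counts how many records share each combination of indirect identifiers, so a group size of 1 means that combination singles out one record. The records and column names are constructed for illustration, and the age banding at the end goes beyond the text to show the same check repeated after a value has been generalised.

```python
from collections import Counter

# Constructed sample records (not real people); the column names are assumptions.
COLUMNS = ["municipality", "age", "sex", "profession"]
ROWS = [
    ("Tampere", 34, "F", "nurse"), ("Tampere", 34, "M", "teacher"),
    ("Tampere", 37, "F", "teacher"), ("Tampere", 37, "M", "nurse"),
    ("Turku", 52, "F", "nurse"), ("Turku", 52, "M", "teacher"),
    ("Turku", 58, "F", "teacher"), ("Turku", 58, "M", "nurse"),
    ("Tampere", 34, "F", "nurse"),
]
RECORDS = [dict(zip(COLUMNS, row)) for row in ROWS]


def group_sizes(records, columns):
    """Count the records sharing each combination of values in `columns`."""
    return Counter(tuple(r[c] for c in columns) for r in records)


def smallest_group(records, columns):
    """Smallest group size; 1 means some record is unique on `columns`."""
    return min(group_sizes(records, columns).values())


def unique_records(records, columns):
    """Records that no other record matches on `columns`."""
    sizes = group_sizes(records, columns)
    return [r for r in records if sizes[tuple(r[c] for c in columns)] == 1]


def band_age(records, width=10):
    """Copy the records with the exact age replaced by a band such as '30-39'."""
    banded = []
    for r in records:
        low = r["age"] // width * width
        banded.append({**r, "age": f"{low}-{low + width - 1}"})
    return banded


if __name__ == "__main__":
    for col in COLUMNS:  # each identifier alone: no record stands out
        print(col, smallest_group(RECORDS, [col]))
    print("combined", smallest_group(RECORDS, COLUMNS),
          "unique records:", len(unique_records(RECORDS, COLUMNS)))
    # Re-check after generalising age and leaving profession out.
    print("banded", smallest_group(band_age(RECORDS), ["municipality", "age", "sex"]))
```

In this sample every identifier on its own is shared by at least two records, yet the four together leave seven of the nine records unique; with age banded and profession left out, no record is unique any more.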
Special categories of personal data (sensitive)
Special categories of personal data (“sensitive personal data”) are personal data concerning the following (Article 9):
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Genetic or biometric data processed for the unambiguous identification of a person
- Health-related information
- Information on the sexual behaviour and orientation of a natural person
The processing of special categories of personal data is prohibited unless there are grounds for it in legislation (more details in Article 9).
A social security number does not belong to the special categories of personal data, but Finnish law defines the situations in which it may be used.