The GDPR defines personal data as:
"... any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;"
Article 5 Principles relating to processing of personal data
To be clear, the 'data' element of 'personal data' refers to recorded information that is, or is intended to be, stored and processed electronically as part of a filing system.
The other key word here is 'processing'. According to the GDPR this is defined as:
"... any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;"
The definition of 'identify' is not limited to relatively definable, discrete data elements like name, address or geographic location. For example, it also covers a photograph in which the individual is identifiable, or an opinion about an individual that contains a combination of data that, put together, makes the person identifiable. The person in a simple photograph without an accompanying name or other data can still be identified by someone who knows them by sight, e.g. a neighbour. The photo may also carry additional information, for example that it was taken at a particular event, and so communicate more than intended; it therefore falls under the protection of the GDPR.
Lawful processing of personal data requires one of the following:
Article 9 Processing of special categories of personal data
Sensitive data/Special categories consist of: racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person's sex life or sexual orientation.
Processing sensitive data is prohibited unless one of the following requirements is met:
Full GDPR text on 'special categories' can be found here: Art. 9 GDPR Processing of special categories of personal data
Any data you hold in a structured format (e.g. a database) about students, staff and parents that can be used to identify them individually is covered by the GDPR and you will need a lawful basis with which to process it.
This all looks like a minefield, with every explanation raising more questions than it answers. Ultimately, the bottom line is this: if what you are storing and processing can be used to identify an individual and you are not treating that data with due care, you will be in breach of the current law as well as the new GDPR. A practical course, therefore, is to take a risk-based approach. If you think it might be personal data, simply treat it as such.
The GDPR encourages 'pseudonymisation' of personal data, which essentially makes data anonymous unless key data, kept separately, is available to unlock it. Pseudonymised data is still covered by the GDPR but with relaxed requirements since it now cannot be used to identify any individual person. We'll write more on pseudonymisation in a future article.
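As an added illustration (not code from this article), the sketch below pseudonymises a constructed set of school records: direct identifiers are replaced by a keyed-hash token, and the table needed to reverse the tokens is returned separately so it can be stored apart from the working data. The field names, the sample records and the `unique_combinations` check for rows that remain indirectly identifiable are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from collections import Counter

# Assumed field names for a constructed school dataset (not from the article).
DIRECT_IDENTIFIERS = ("name", "date_of_birth")

def pseudonymise(records, secret_key):
    """Return (pseudonymised_rows, key_table); keep key_table and secret_key stored separately."""
    rows, key_table = [], {}
    for rec in records:
        material = "|".join(str(rec[f]) for f in DIRECT_IDENTIFIERS).encode()
        # Keyed hash: the token cannot be recomputed from a name without secret_key.
        token = hmac.new(secret_key, material, hashlib.sha256).hexdigest()[:16]
        key_table[token] = {f: rec[f] for f in DIRECT_IDENTIFIERS}
        row = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        row["pseudonym"] = token  # same person always maps to the same token
        rows.append(row)
    return rows, key_table

def reidentify(row, key_table):
    """Only possible for whoever holds the separately stored key_table."""
    return key_table.get(row["pseudonym"])

def unique_combinations(rows, fields):
    """Rows whose remaining attributes are unique, i.e. may still identify someone indirectly."""
    counts = Counter(tuple(r[f] for f in fields) for r in rows)
    return [r for r in rows if counts[tuple(r[f] for f in fields)] == 1]

# Constructed sample records.
SAMPLE = [
    {"name": "Alice Example", "date_of_birth": "2010-03-01", "year_group": 9, "postcode_area": "LS1", "attendance": 0.97},
    {"name": "Bob Example", "date_of_birth": "2010-07-12", "year_group": 9, "postcode_area": "LS1", "attendance": 0.91},
    {"name": "Cara Example", "date_of_birth": "2009-11-30", "year_group": 10, "postcode_area": "LS6", "attendance": 0.88},
    {"name": "Alice Example", "date_of_birth": "2010-03-01", "year_group": 9, "postcode_area": "LS1", "attendance": 0.95},
]

if __name__ == "__main__":
    key = secrets.token_bytes(32)  # generate once, store away from the pseudonymised rows
    rows, table = pseudonymise(SAMPLE, key)
    print(rows)
    print(unique_combinations(rows, ("year_group", "postcode_area")))
```

Rows flagged by `unique_combinations` are candidates for coarsening or suppression before the pseudonymised set is shared, since a unique mix of remaining attributes can point to one person without the key table.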
Since the GDPR has raised the bar and tightened existing privacy laws, you should consider, at a minimum, a formal review of the personal data you maintain for students, parents and staff, including the methods you use to collect and store it.
Worth reading: This article, written by Philip Brining, is the clearest I've read so far on the nuances of personal data.