Overview#

Personal data is data related to a Digital Subject

Personal data has many different definitions within both Regulatory compliance and Standard compliance.

Personal data certainly would include Personally Identifiable Information and Patient Data and some definitions include using Identity Correlation

Personal data and Contexts#

Personal data may be classified within two broad categories:

• Personal data that are Identity Attributes
• Personal data that when used with Identity Correlation could provide Identification of the entity (Personally Identifiable Information (PII))
• Personal data only refers to Natural Persons.

Organizational Entities may be Sensitive Data or have a Data Classification of Confidential data but NOT Personal data or (Personally Identifiable Information (PII))

Personal data and Medical Care#

Personal data within the context of Medical Care we refer to as Patient Data is considered Personal data. This Patient Data is interpreted differently even within the different contexts within Medical Care

HIPAA#

Within HIPAA Protected Health Information is considered Personal data even though it is not directly able to provide Identification.

European Commission (GDPR PSD2)#

According to the European Commission "Personal data is any information relating to an individual, whether it relates to his or her private, professional or public life. Personal data can be anything from a name, a photo, an email Address, bank details, posts on social networking websites, medical information, or a computer’s IP Address." [1]

Personal data only includes information relating to Natural Persons who:[4]

• can be identified or who are identifiable, directly from the information in question; or
• who can be indirectly identified from that information in combination with other information.
• Personal data may also include special categories of Personal data or criminal conviction and offences data. These are considered to be more sensitive and you may only process them in more limited circumstances.
• Pseudonymised data can help reduce privacy risks by making it more difficult to identify individuals, but it is still Personal data.
• If Personal data can be truly anonymised then the anonymised data is not subject to the GDPR. It is important to understand what Personal data is in order to understand if the data has been anonymised.
• Information about a deceased person does not constitute Personal data and therefore is not subject to the GDPR.
• Information about companies or public authorities is not personal data.

However, information about individuals acting as sole traders, employees, partners and company directors where they are individually identifiable and the information relates to them as an individual may constitute Personal data.

Any information related to an identified or identifiable Natural Person that could be used to directly or indirectly identify that Natural Person is covered by GDPR. Such data includes: (but is not limited to)

• Customer data, purchasing histories, pictures, emails, names and phone numbers;
• IP addresses and motor vehicle registration numbers;
• B2B and B2C information;
• Biometric information such as fingerprints, faces, voice prints and eyeballs.

entities are responsible for any Personal data they collect, whether that data resides in a customer database, employee database, or even a supplier database. What’s more, Custodian of personal data collected by a company — even if they just store the data and don’t have access to it — need to comply with the GDPR or risk being fined.

Specific mention and inclusion of data relating to:

• sexual orientation
• religious or philosophical beliefs
• ethnic origins
• political opinions
• trade union membership
• Patient Data
• Genetic Data

is included.

Not only is the Personal data itself covered by the General Data Protection Regulation, but everything that’s done with the data, too. "Processors [of data] also have a Responsibility," Hammarstrand said. "What’s new in this legislation is they have a direct responsibility. They could actually be reviewed and fined if they are not complying with the legislation."

More Information#

There might be more information for this subject on one of the following:

• Best Practices For Unique Identifiers
• Blockchain
• Childrens Online Privacy Protection Act
• Consent Receipts
• Data Breach
• Data Classification
• Data Controller
• Data Ownership
• Data Privacy
• Data Processor
• Data Protection
• Data Subject Access Request
• Data portability
• Data processing
• Data subject
• Department of Motor Vehicle
• Fair Information Practices
• Financial Data
• FormBook
• General Data Protection Regulation
• Genome
• Homeland Advanced Recognition Technology
• Hyperledger Indy
• Identity Custodian
• Internet of Things
• Law Enforcement Consideration
• Life Management Platform
• Loyalty Card
• OpenPDS
• Personal Information Protection and Electronic Documents Act
• Personal data
• Phishing
• Pretexting
• Privacy Considerations
• Privacy Enhancing Technologies
• Privacy Paradox
• Privacy and Economics
• Private data
• Real Risk
• Right of access
• Right to be forgotten
• SAFE-BioPharma
• Shared Responsibility Model
• Solid
• Universal Integrated Circuit Card
• User-agent
• User-centric Identity
• Verizon Data Breach Investigations Report
• Warp

---

• [#1] - General_Data_Protection_Regulation - based on information obtained 2016-07-10
• [#2] - the rules only apply to personal data about individuals - based on information obtained 2019-07-16
• [#3] - GDPR Recital 14 – GDPR applies to natural persons, not legal persons - based on information obtained 2019-07-16
• [#2] - What is personal data? - based on information obtained 2019-09-03