By the end of this module you with be able to answer questions on:
Data Protection phrases;
Special Category Data;
Know how to find the Articles of GDPR
Know how to find the Recitals of GDPR
Some of the phrases you will read about during this course.
It is important to understand the definitions of the phrase.
Personal Data - The definition used in the law is;
Personal data’ means any information relating to an identified or identifiable living natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Special Category Data (formally known as Sensitive Data) is;
Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation
Data Subject - That's you....Me....or any identifiable natural person (Living)
Processing - How your data is used by organisations...the law says;
‘Processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Processor - is the person or organisation that uses your data, the law says:
Processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
Controller - is the person or organisation that decides what they are going to do with your data, it says in the law:
Controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
Personal data only includes information relating to living natural persons who: can be identified or who are identifiable, directly from the information in question; or who can be indirectly identified from that information in combination with other information. Personal data may also include special categories of personal data or criminal conviction and offences data. These are considered to be more sensitive and you may only process them in more limited circumstances.
Information about a deceased person does not constitute personal data and therefore is not subject to any of the Data Protection Laws we talk about.
Information about companies or public authorities is not personal data.
However, information about individuals acting as sole traders, employees, partners and company directors where they are individually identifiable and the information relates to them as an individual may constitute personal data.
In your company you are likely to be processing personal data of customers, other staff members and possibly that of suppliers.
An employee submits a holiday request form, this would be classified as Personal Data, so as soon as another member of the team deals with the request, either by writing on the form to approve or otherwise, or complete it on an electronic system, this is processing.
As mentioned above personal data is considered information that can identify an individual and distinguish them from other individuals.
A name is perhaps the most common means of identifying someone.
However, the law states that, sometimes individuals can be identified by combining different information such as employee number, initials and shift rota. So personal data doesn’t have to immediately identify someone.
The Laws provides examples of what might be considered ‘personal data’, including:
location data; and
an online identifier. ‘Online identifiers’ includes IP addresses and cookie identifiers which may contain personal data.
It is important to be aware that information you hold may indirectly identify an individual and therefore could constitute personal data.
Even if you may need additional information to be able to identify someone, they may still be identifiable.
That additional information may be information you already hold, or it may be information that you need to obtain from another source.
A lot of organisations use 'unique reference numbers' (URN) to identify customers. if you had a Spreadsheet with a list of URN's and next to each was personal information, such as date of birth, billing address etc, but without the name, there is no identification of an individual. If the manager had the 'Key' to the URN's, so he could see what URN related to a name, no matter where in the world this key is, as long as the data can be changed to identify an individual, it will be personal data. If there was no 'Key' and absolutely no way of identifying an individual from the URN, it is not personal data.
Special category data is personal data that is particularly sensitive and therefore requires more protection under the law.
Special category data includes personal information about a persons:
trade union membership;
genetics;biometrics (where used for ID purposes);
sex life; or
In particular, this type of data could create more significant risks to a person’s fundamental rights and freedoms. For example, by putting them at risk of unlawful discrimination because of sexual orientation or religious belief.
In order to be able to process personal data you must be able to show that you have a ‘lawful bases’ for doing so. In the laws these are called ‘conditions for processing’.
1 Consent: The data subject has consented to the processing of his or her data for one or more specific purposes.
2 Contract: The processing is necessary for –
(a) the performance of a contract to which the data subject is a party; or
(b) the taking of steps at the request of the data subject with a view to entering into a contract.
3 Vital interests: The processing is necessary to protect the vital interests of the data subject or any other natural person.
4 Public functions: The processing is necessary for –
(a) the administration of justice;
(b) the exercise of any functions conferred on any person by or under any enactment;
(c) the exercise of any functions of the Crown, the States or any public authority; or
(d) the exercise of any other functions of a public nature with a legal basis in Jersey law to which the controller is subject and exercised in the public interest by any person.
There is stronger legal protection for special category data which means that it can only be processed in more limited circumstances.
There are separate safeguards for personal data relating to criminal convictions and offences. We will explore these principles further in this course.
When are you allowed to process special category data?
In order to process special category data you need to meet certain legal conditions. These are listed in the relevant Laws as Articles or placed in a Schedule. They are all broadly the same in each law, so in GDPR they are:
(a) Consent: The data subject has given explicit consent to the processing of their personal data for one or more specified purposes.
(b) Employment & Social Security: Processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security.
(c) Vital Interests: processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;
(d) Not-for-Profit Organisation: processing is carried out in the course of the controllers legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects;
(e) Public Function: processing relates to personal data which are manifestly made public by the data subject;
(f) Legal Defence: processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity;
(g) Public Interest: processing is necessary for reasons of substantial public interest, which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject;
(h) Medical Purposes: processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems.
(i) Public Health: processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices.
(j) Research: processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.
What is important to remember, everything relating to a natural living person that can identify them, whether that is a single piece of data (a name) or separate data when put together (Christian name and Data of Birth), is all personal data. Personal data will include health data, race, sexual orientation etc , but this type of data is categorised in Law as 'Special Category', which requires more security to protect and safeguards in place when processing.
It also reflects the significant harm if data is disclosed inappropriately. If my name and postcode for example were hacked from a database, it is not going to cause me harm, so it would be a minor breach of the law. If adding to that data, some medical information came out about me, the harm caused could be significantly increased, so the breach would be serious.
That is why we have two levels of 'Personal Data' the 'Special Category ' data needs more protection.