Personal data is an important consideration for any business. It covers many types of sensitive information that must be treated respectfully in order to protect your clients, employees and your own legal interests.
Understanding what does and doesn’t classify as personal information can be tricky, with many caveats and pitfalls that must be fully understood before requesting sensitive information from employees.
Here, we will be covering the key facets of the General Data Protection Regulation (GDPR) and how businesses should handle sensitive data, as well as what is meant by “identifiers” and “related factors.”
We will discuss the implications of identifying an individual directly from given information, what is meant by the term “relates to” in a GDPR sense and how different organisations may process the same data for different purposes.
Personal data is defined in UK GDPR as any information that is related to an identified or identifiable natural person.
This definition is slightly ambiguous, so let’s dive into the ins and outs of personal data.
What are identifiers and related factors?
You may come across “identifiers” and “related factors” in relation to GDPR and be unsure as to how they are defined. Identifiers typically refer to forms of personally identifiable information (PII), which include name, age, location and other personal information.
If you can distinguish one person from another using the data in question alone, then that person is considered “identifiable”.
Context plays a big role in whether this information is always personal. For example, a common name like ‘John Smith’ does not on its own narrow the data down to a unique individual, and may need other data, such as an address, a place of work or a telephone number, before it is considered personally identifiable.
UK GDPR also stipulates the importance of ‘online identifiers’ that come under the umbrella of personal data – these include information that relates to devices connected to the internet, applications or protocols. This information includes:
• IP addresses
• cookie identifiers
• advertising IDs
• pixel tags
• MAC addresses
• device fingerprints
• account handles.
“Related factors” are also commonly referred to in GDPR. These typically refer to other factors that can be used to help identify an individual. These might not be considered PII but could be used in conjunction with other data to identify a person.
Under UK GDPR, these are more open-ended, and include “factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
If you’re unsure whether any data held by your company is considered personal data, treat it with caution: handle that data, and any data associated with it, as personal and protect it under GDPR guidelines.
Can we identify an individual directly from the information we have?
When handling potentially sensitive data, we ask ourselves whether we can identify an individual solely from the information that is being processed. If this is the case, this information is most likely personal data.
The most common forms of directly identifiable data are full names, addresses or email addresses that contain the individual’s full name.
There are caveats to this – such as common names, like John Smith, which are not specific enough to trace to a unique individual.
Consider the depth and breadth of the dataset here. If your dataset includes a common name but is limited to a single street, that name alone becomes an identifier due to the low likelihood of there being two people with the same name living on the same street.
What is the meaning of “relates to”?
When data is described as “relating to” an individual, it refers to information that may not be immediately recognisable as personal. This is another way of referring to “related factors”.
If the related data being processed can be used to discover more or explicitly personal data, then that data would fall under the category of “relates to,” and should be handled with the same due care as personal data.
The most common forms of this information include:
• criminal record
• medical history
• bank statements
• bills.
Again, context is key – consider the specificities of your data and whether it could reasonably be used to identify someone. A criminal record with a reasonably standard charge like a traffic offence is very unlikely to identify someone from a nationwide dataset.
However, a highly specific charge included within a smaller dataset could fall into this bracket.
What happens when different organisations process the same data for different purposes?
Certain information can be personal in the hands of one organisation and not personal in the hands of another. The classification of personal data can depend on what the organisation is using the information for.
For example, if an organisation uses an image for an article or website that has bystanders present, this information only becomes personal if another business intends to use this same image to identify the bystanders.
Occurrences like this should be handled on a case-by-case basis.
How do you process an employee’s GDPR request?
Employees have a right to submit a request to retrieve their personal data held by a business – including their own employer. This is known as a subject access request. An employee also has the right to ask whether personal data is being processed about them.
If you receive a subject access request, you must verify the identity of the person making it, so that your employee is protected from a fraudulent request made in their name.
GDPR grants businesses one month to process this request, so make notes of key dates from the moment a request is made. It is possible to extend this period by two further months, but only if the data is particularly complex or large.
It is also important to seek explicit clarification of the subject access request where needed, so that you fully understand what data the employee wants. The deadline to retrieve this information is paused while clarification is awaited, which is why it is important to record the dates of each step in this process.
Once everything is clear and above board, the employer must make a reasonable effort to retrieve the information asked for. If a request is excessive and ‘unreasonable’, an employer may refuse the request – they will, however, be required to explain what they have done to reach this conclusion. Again, the initial effort to fulfil the request must be made.
Searching for requested data isn’t just limited to digital systems, either. A request can include finding data stored in folders, email chains, other servers and paper filing systems.
Once the data is found, the employer must take care to only send the files to the employee that concern them. Some files may also include the personal data of other employees – this cannot be shared with the employee making the request, so this data must stay within the business.
Other examples of files that cannot be shared are files that are covered by legal professional privilege, business planning data, management forecasting documents and other files that would prejudice businesses if the information reached the public.
Finally, once all the shareable documents have been decided on, the documents must be sent to the employee making the request alongside a letter that explains why the data is being processed, how long the company will keep this data for, if this data is being supplied to third parties and what data specifically is being processed.
Employers are not under any legal obligation to state exactly how long this data will be kept, but it is law that a business should endeavour to keep the data “no longer than is necessary” while following the rules on data protection.
If the employee is unhappy once they’ve received the data and believe it has not been processed properly, they can complain to the Information Commissioner’s Office (ICO).
If all the rules and regulations have been followed, this process should not go any further. However, if any breaches have been found, it could lead to an investigation that could result in further business reviews and potential fines.
What makes a GDPR request complex?
If you feel it is fair to request an extension to your data request deadline, you must be able to explain what makes the request so complex.
Typically, complex requests involve one or more of these issues:
• The requested data involves lots of sensitive information regarding other people.
• Technical difficulties have been encountered while retrieving the information, such as data stored in paper files that must be sorted by hand.
• Specialist legal advice must be requested due to sensitive content within the documents.
• Potential issues must be clarified concerning information that has to be disclosed to a child or legal guardian.
• Large amounts of unstructured manual records must be searched by hand (only applicable to public authorities).
It is also important to remember that a request cannot be considered complex solely because there is a large volume of information.
Can a fee be charged for a GDPR request?
In the majority of cases, you will not be within your rights to charge a fee to complete a request on behalf of an employee.
However, there is an exception allowing employers to charge a “reasonable fee” to cover the administrative costs of completing a request.
This can only be charged if the request is manifestly unfounded (the employee makes the request with malicious intent), excessive or if the employee requests further copies of their data after a request is made.
Get in touch
If you’re unsure whether data held by your business falls under the umbrella of personal data, we can help. Thanks to Beecham Peacock’s extensive range of services for employers, we can support your business to improve your data handling practices and level up security throughout your firm.
Contact us today to find out more.