How to classify personal data
So much data is now held about all of us. Some of it is general, some is very specific to us.
General data gives businesses information about trends and the demographics of their customers.
It helps businesses create marketing avatars and target offers and products.
Personal data about individuals can also be used to help businesses target current and former customers, or can be held on file to comply with the law.
It’s vital that businesses understand how to classify that personal data, to ensure it is protected properly.
What is personal data?
Knowing what is, and isn’t, personal data is important. That determines how you should treat it.
Under the Data Protection Act 1998, personal data:
- Relates to an identifiable individual
- Is processed by automatic means, usually on computers
- Is processed by a non-automatic method and held in a filing system
- Forms part of an accessible record such as health records, landlords’ tenant records, or educational records
In other words, if you have data which identifies someone, or has the potential to, and you hold it in this way, this is classified as personal data.
This definition is set to be expanded greatly when the General Data Protection Regulation comes into effect in May 2018.
Then, personal data will also include someone’s IP address, and DNA profiles or genetic material which could identify someone.
The Information Commissioner’s guide to how to classify personal data
There are several questions you need to ask when you’re presented with data:
- Could a person be identified from the data, or the data and other information which you have?
- Does the data relate to the identifiable individual – either in their personal life, family life, business, or profession?
- Is the data ‘obviously about’ an individual?
- Does the data provide particular information about an individual?
- Will the data be used to inform or influence decisions affecting this individual?
- Does this data have biological significance to this individual?
- Does this data concentrate on this person rather than on some other person?
- Could it have a potential impact on an individual’s personal, family, business, or professional life?
If you’ve answered yes to any of these questions, the data is highly likely to be classified as personal data under the Data Protection Act.
Check out the ICO flow chart to help you here.
The message is this: if in any doubt, treat data as personal data and keep it securely. It’s far better to be safe than sorry.
How can this affect your arrangements for document and waste handling?
Personal data must be held securely, whether it’s on databases or in paper documents.
Taking on a secure document storage facility may be a good choice for your business. Ask us about our On Time Shred document storage.
If you’re disposing of these documents, hard drives, USB sticks, mobile phones, and image cards for cameras, you must do so securely to ensure this information doesn’t fall into the wrong hands.
A data breach could be costly, both in terms of a fine and the damage to your business’ reputation.
It’s important that anyone disposing of data knows how to classify personal data and understands that it should be securely shredded.
Taking on an outsourced shredding company which complies with the data protection legislation, uses vetted staff, and gives you a certificate of destruction is an excellent way of doing this.
It also frees up the time of your staff to concentrate on your core business.