What does personal data mean in research?
Any information that can be used to identify a person directly or indirectly is personal data.
▸ GDPR Article 4(1): Definition of personal data
‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Examples of personal data include:
personal identity code
address
diagnostic informationpostal code combined with other information
A person can be identified indirectly even when a dataset contains no name, date of birth, or personal identity code. In research datasets in particular, combinations of multiple data points may enable identification.
Direct identifiers
Information that enables a person to be identified directly.
For example, a name or personal identity code.
Indirect identifiers
Information that, in combination, may enable a person to be identified.
For example, a rare diagnosis, a postcode, or a combination of multiple data items.
Social and health data are special categories of personal data
Individual-level social and health data are personal data, as individuals may be identifiable even if names, dates of birth or personal identity codes are removed.
Health data are also classified as special categories of personal data, which are subject to stricter legal requirements. This means that particular care must be taken throughout the entire research process.