What is meant by Identifiable Data?

Given the volume of data that organisations are gathering about their customers, the question of what is identifiable becomes important. An individual is ‘identified’ or ‘identifiable’ if you can distinguish them from other individuals. But what does that mean? Let us consider the following example. A name is perhaps the most common means of identifying someone. However, whether any potential identifier actually identifies an individual depends on the context, and a combination of identifiers may be needed. Just a name may not be enough. Consider the name Pat Murphy. How many Pat Murphys are there in Ireland? We would need more to identify someone in this case. Luckily GDPR provides a non-exhaustive list of identifiers, including:

  • name;
  • ID number;
  • location data;
  • an online identifier, such as IP addresses and cookie identifiers, which may be considered personal data; and
  • other factors that can identify an individual. OK, so this one is not so helpful, but consider all the sources of data that you have and see which lead to potential identifiability: email addresses, social network identifiers, etc.

Given these points, the question becomes: can you identify an individual directly from the information that you or your organisation holds?

Consider all the information you are processing (or have access to process) about individuals: if you can distinguish an individual from other individuals, that individual is identified (or identifiable). If you have a customer name and address/phone number, that individual is identifiable. The representation of an individual on a CCTV camera is likely also to be considered identifiable data.

You don’t have to know someone’s name for them to be directly identifiable; a combination of other identifiers may be sufficient to identify the individual. Even age and address may be sufficient, or just an ID number. It is important to be aware that information you hold may indirectly identify an individual and therefore could reasonably constitute personal data.

However, as with many legal and regulatory issues, it gets more complex. Even if you need additional information to be able to identify someone, they may still be identifiable, because that information may be obtainable from another source. In some circumstances there may be only a slight hypothetical possibility that someone might be able to reconstruct the data in a way that identifies the individual. This is not necessarily sufficient to make the individual identifiable in terms of GDPR. You must consider all the factors at stake.

However, in any case, you have an obligation to consider the identifiability of individuals in your data and make appropriate arrangements and protections. It is also important to consider the potential for identification to change over time (for example as a result of technological developments). Hence, at SeekLayer, we have developed the Face404 system that actually provides support to redact and remove identifiable faces from CCTV video, which is required if you are ever releasing or otherwise using CCTV video, even if the use is for in-house activities such as training.

As in all cases, you should seek legal advice if you are unsure of your rights and/or obligations under data protection laws.

DISCLAIMER: This blog post does not constitute legal advice. It is a reflection on the thoughts and opinions of members of the SeekLayer team.

What constitutes Personal Data?

Personal Data is the new gold. It fuels the new internet economy and it impacts on almost every organisation that interacts with customers. So the question is, what constitutes personal data?

Personal data is information that relates to an identified or identifiable individual. This could be as simple as a name or a number, or could include other information such as an IP address or a cookie identifier, or various other types of data.

We all have our own personal data, such as our photos, SMS messages, emails, and other content. Some of this data is maintained on our own computing devices, whereas other content is maintained by other organisations on our behalf. For this type of personal data, the data we create, it is clear that it is our data, even if it is stored by some organisation on our behalf. Where it gets trickier is when an individual’s representation is captured in the data of another. Consider the example of a CCTV camera in a store. The CCTV camera captures you as you go into the store and again as you leave with a shopping bag of items you have just purchased. At what point does this data, the CCTV data gathered by the store, include your identifiable information? If it includes your personally identifiable information, then it is your personal data. This is the challenge facing organisations and is why we developed the Face404 service from SeekLayer.

If it is possible to identify an individual directly from a piece of data, then that information could be considered to be personal data. However, this gets complex. Even if the person is not identifiable from a piece of video, you should take into account the information you are processing together with all the means reasonably likely to be used by either you or any other person to identify that individual. 

Even if an individual is identified or identifiable, directly or indirectly, from the data you are processing, it is not personal data unless it actually ‘relates to’ the individual. For example, you may have information suggesting that an individual loves craft beer, but unless this information can be related back to an individual, it is not actually personal information.

When considering whether information ‘relates to’ an individual, you need to take into account a range of factors, including the content of the information, the purpose or purposes for which you are processing it and the likely impact or effect of that processing on the individual.

It is possible that the same information is personal data for one controller’s purposes but is not personal data for the purposes of another controller.

Information which has had identifiers removed or replaced in order to pseudonymise the data is still personal data for the purposes of GDPR. If information that seems to relate to a particular individual is inaccurate (i.e. it is factually incorrect or is about a different individual), the information is still personal data, as it relates to that individual. However, information which is truly anonymous is not covered by the GDPR.

DISCLAIMER: This blog post does not constitute legal advice. It is a reflection on the thoughts and opinions of members of the SeekLayer team.