skinnycros.blogg.se

Dato personale gdpr

Following the UK model, even though an email address can only occasionally be used by typical people to identify an individual, they generally can be used by someone with the know-how.


An IP address may or may not be personal data; credit card numbers and email addresses would be. Information that the person "lives in Belgium" is not personal data because many people live in Belgium, but if you add enough other information ("emigrated in 1982, born in Kajo Keji") that could easily identify a specific person. The key, though, is the ability to identify an individual.


Instead, any such guidance will re-state the rule and say "If this statement is true then it is; if not, it is not". The main problem is that you will never get any examples of what is "safe", for instance nobody will say "However, if the subject is identified only as 'Tom', that is not personal data". This UK guidance based on the Data Protection Act 1998 seems to assume the same basic principles as to what it is, and may be useful as a semi-algorithmic way to make the determination. With all due sympathy to your need, the citation you give is as much of a definition as there is, and there are no definitive or even reliable lists that distinguish "is personal" vs.

Does the combination of data you store make it personally identifying? If so, what is the smallest amount you could remove so that none of the rest could be combined to become a PID. So the bad news for you is that you have probably inadvertently made more data fall under the PID category than you realised. In health data, there's been significant work on proving how data that was assumed to be anonymous is actually traceable to an individual because enough context allowed narrowing the scope. No one field by itself, without other context, is likely to be PID (Personally Identifying Data) but be wary of the ability to infer context even if you don't specify the role of the data.

Eg: if you just received the number 6 without even a label, it means little.

A number in the format of a phone number or US Social Security Number might be reasonably inferred as to its role and then is certainly PID.


Even an email address used for login is personal data in that it identifies an individual and tells a hacker that they use your software.

Examples of what is not personal data includes information about judicial persons (companies and other organisations that are sufficiently large that individual information cannot be inferred) or properly anonymized data where the data set is sufficiently large that identifying any particular individual is highly improbable (several dozen people at least depending on how revealing the data is).

As a software developer, here's a model for thinking about it that may help you:

Can you make a valid Primary Key with some portion of that data?


things that in combination can reduce the set of people it could be to a small number of individuals.

Basically, if you collect and store information about individuals in any way you are caught by this regulation. Less obvious things include job or profession, memberships of organisations, friends and associates, town/suburb etc. Obvious things include names, dates of birth, physical addresses, electronic addresses, social media profiles etc. Note that you have to consider the data collection as a whole - even if there are no names in your data, if there is enough info in it that you can work out who the individual is (or probably is) it's personal data. So if the data can in any way be tied to a specific individual then it is personal data. I consider it to be a practical problem and hope for great answers.

Any information relating to an identified or identifiable natural person

I hope this question is not regarded too wide. I would like to see a definition/list of examples of relevant personal data that software engineers and developers would find usable when developing software intended for use in the EU. In my opinion, the above definition is pretty wide and the directive texts are quite heavy.

‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person

As a developer of software intended for use by EU citizens, I am committed to complying with the personal data requirements of the forthcoming legislation (EU Regulation 2016/679).









