Personal data are any information relating to an identified or identifiable living person. It includes personal data relating to private, professional or public life.
- name and surname
- identification number (SS#, drivers license, school id, etc)
- location data (home address, GPS data, eircode)
- bank details
- posts on social networking websites
- on-line identifiers (email addresses, screen name, IP address, device IDs)
Personal data that has been de-identified, encrypted or pseudonymised but that can be used to re-identify a person remains personal data for the purposes of GDPR.
Examples of data that do not fall within the remit of GDPR
- a company registration number
- an email address such as firstname.lastname@example.org
- anonymised data.
A data subject is a living individual who is the subject of personal data
Thus, from the time of an individual's birth to the time of their death, a person will be a data subject where another party is collecting personal data about them.
Deceased persons are not data subjects under GDPR. However, it should be noted that other privacy rights may be enforceable by the estate of a deceased person.Close
A data controller is the individual or the legal person who controls and is responsible for the keeping and use of personal information on computer or in structured manual files. A data controller determines the purposes, conditions, and means of the processing of personal data.
Data controllers can be either individuals or "legal persons" such as companies, government departments and voluntary organisations.
Data controllers also include sections or units of the organisation (e.g. academic departments, research centre etc.) and employees (including research students) that control and are responsible for the data processing.
In practice, to find out who controls the contents and use of personal information kept, you should ask the following questions:
- who decides what personal information is going to be kept?
- who decides the use to which the information will be put?
In essence, you are a data controller if you can answer YES to these questions.Close
A data processor processes personal data on behalf of the data controller.
Examples of data processors include:
- payroll companies or accountants or similar who hold and process personal information on behalf of someone else
- "cloud" providers are also generally data processors
- if you hire a 3rd party to process data for your research (e.g. a transcription service to transcribe audio tapes of interviews) - the third party will be a data processor.
A data processor does not include the employees of a Data Controller (e.g. researchers employed on research projects in which personal data is collected, processed and stored
If you are a researcher, you might be a data processor if you are employed on a service contract that collects, stores or processes personal data.
The key question is whether or not you or your employer decides and is responsible for what happens to the dataClose
Data processing is performing any operation or set of operations on personal data.
It includes, but is not limited to:
- obtaining, collecting and recording data and storing data obtained
- aligning, combining, blocking data or erasing or otherwise destroying data
- retrieving, using or consulting data or organising altering or aadapting data
- disclosing, transmitting or disseminating data or otherwise making data available.
You have joint data controllers where two or more data controllers jointly determine the purposes and means of the processing.
GDPR requires the joint data controllers to identify their respective roles and responsibilities for compliance.
A formal agreement of roles and responsibilities of the joint data controllers should be in place.Close
"Special category personal data" are personal data that reveals the following:
- ethnic origin
- political opinion
- religious or philosophical beliefes
- trade union membership
- genetic data (new)
- biometric data for the purpose of uniquely identifying a natural person (new)
- data concerning health
- data concerning a natural person’s sex life or sexual orientation.
GDPR Article 9 prohibits any data processing of special category personal data unless the data controller can meet one or more conditions in addition to having an appropriate legal basis for the data processing.Close
‘Genetic data’ mean personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in questionClose
‘Biometric data’ mean personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic dataClose
Researchers must conduct a data protection impact assessment (DPIA) in relation to any new research project that might involve high risk data processing.
The DPIA is a tool to assist you to make an informed decision about the acceptability of data protection risks, and to enable you communicate these risks effectively with the individuals who might be affected.
If a DPIA does not identify mitigating safeguards against residual high risks, the Data Protection Commissioner must be consulted before proceeding with the project.
When are projects likely to be high risk?
The GDPR suggests that high risk projects might include the following types of data processing:
- where a new technology is being deployed
- where a profiling operation is likely to significantly affect individuals
- where there is large scale monitoring of a publically accessible area
- a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person
- processing on a large scale of special categories of data referred to in Article 9(1), or of personal data relating to criminal convictions and offences referred to in Article 10
- a systematic monitoring of a publicly accessible area on a large scale
However, this should not be considered to be an exhaustive list.
If you are in doubt as to whether or not a DPIA should be undertaken, you should consult your organisation's data protection officer.
Additional information on DPIAs
The Irish Data Protection Commissioner has issued detailed guidance on DPIAs which can be found here.
The Article 29 Working Party (Art. 29 WP), an advisory body that provides expert advice to the EU Member States regarding data protection has provided the following guidance on DPIAsClose
GDPR's definition of data concerning health means "means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status".
- information about the person collected in the course of the registration for, or the provision of health care services, or a number, symbol (or similar) assigned to a natural person to uniquely identify that person for health purposes
- information derived from the testing or examination of a body part including from genetic data and biological samples or any information on, for example, a disease, disease risk (i.e. data concerning the potential the future health status of an individual)
- information that relates to any disability
- a living individual's medical history or
- the clinical treatment of the physiological or biomedical state of an individual independent of its source.
This guidance has been prepared by the HRB to help researchers in the health domain comply with GDPR requirements.
It is intended to be general guidance for educational and informational purposes only.
It is not legal advice.