To me, there are two ways of thinking about data. One is the categorisation by the regulations and the other is the different forms that data is stored in.
In GDPR, there are two named categories of data: personal data and special category data. Just to make things nice and simple, the Information Commissioner's Office, or ICO, has added a comment that any data held on children requires special attention.
When data is collated, processed, stored and deleted, it can be in one of three general forms; a) physical, b) electronic, or c) voice. Each form that data is held in is equally important in the eyes of the regulation.
Personal Data and Special Category Data
Ignoring data relating to children for a bit, personal data is anything from which it is possible to identify an individual. A name, a mailing address, an IP address, an image, a National Insurance number, a date of birth…and more are all classified as personal information. From each of these, or from a combination of these, the identity of an individual can be established and this is why these data elements (as they are called) form the basis for this regulation.
Special category data is a sub-set of data types that have been singled out because misuse of them can actually affect the rights and freedoms of the individual and, therefore, lead to discrimination. Because of that risk to rights and freedoms, any data from the list below that is collected, processed, stored, or destroyed will require more protection. The high-level descriptors of special category data are:
- Ethnic Origin.
- Trade Union Membership.
- Biometrics (where used for ID purposes).
- Sex Life.
- Sexual Orientation.
Generally, unless capturing this type of data will affect the service provided, products available, or service level available, special category data should not be collected – unless you can collect it anonymously for research purposes.
Bringing the use of personal data relating to children back into the picture (schools love this part), children are considered, in law, to be vulnerable and entitled to more protection than an adult. So, from a practical perspective, treating personal data relating to children in the same way as special category data would be more than adequate.
The Three Forms of Data
The three forms of data, two of which are very similar, need to be understood so that you do not fall into any pitfalls.
Physical is easy, right? Anything stored on paper – job done. Not so fast. Photographs are stored on paper and can be used in publications, so how are you going to cater for those processes? Some physically held data will be basic personal information and some might be health data. So even in the simplest scenario, the policies and procedures that allow the processes to utilise, and control, that data become very important.
From the people I have encountered, data held electronically seems to provide the biggest headache. This is where appropriate cyber controls come to the fore, like anti-virus software and data encryption requirements. Also, of course, there is the question of imagery, including CCTV and security cameras. The wrong kind of imagery being available online is already coming under scrutiny, but knowing what is allowable for your organisation is important. Posting imagery to social media, or to your website, is also something that should be signposted and evidenced as allowable. This means it has to be part of your policy, with the relevant consent controls and a process to do all of this with minimal impact to the organisation.
Voice data is the recording of any conversation and can often be the hardest of the three forms to standardise. Recorded calls used to clarify disputes in business are now increasingly being confirmed with an email, so that the voice recording can be disposed of. The same duty of care applies to public authorities (and/or mediators) who may use recordings of interviews as evidence.
Your Processes and Controls
All of the policies and procedures that control any data your organisation processes should have been considered using the principle of Data Protection by Design. This basically translates to:
- Do the right things.
- Only ask for information you need.
- Treat the information with the care and security it merits.
- Destroy it as soon as it is appropriate to do so.
Any wrongdoing, including a data breach, can result in penalties being imposed by the ICO. Penalties are not always financial, but when they are, they can be substantial. There is one calculation method available that uses gross turnover as a key determinant of any fine to be imposed.
There is so much more information available, some of it very detailed. Please look through the other blogs and see if the information you want is provided.
If not, we would be pleased to answer your enquiry through firstname.lastname@example.org, or visit
https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/ for more information direct from the ICO.