Processing of which Individual’s personal data is regulated by UK GDPR?

 

1. What does UK GDPR refer to?

UK GDPR refers to UK legislation (originating from the EU), in particular EU General Data Protection Regulation No.2016/679, supplemented by the Data Protection Act 2018.

2. Which data is considered "personal data" by UK GDPR?

According to UK GDPR, "personal data" means any information relating to an identified or identifiable natural person.

For example:

  • a name,
  • an identification number,
  • location data,
  • an online identifier.

"Special categories of personal data" or "sensitive" information consist of peculiar and specific information about an Individual, such as data on physical, physiological, genetic, mental, economic, cultural, or social identity.

3. How is "processing" defined by UK GDPR?

Before answering the question posed in the third paragraph of this publication, let’s clarify the meanings of "processing" and "operation", as well as their interconnection.

3.1. What does "processing" mean?

Processing (or a ‘processing operation’) of private data means an operation or a combination of operations that are performed by using personal data or units of personal data, whether or not they are obtained by automated means. 

3.2. Which operations does private data processing include?

An operation or combination of operations performed by using personal data or units of personal data includes the following actions:

  • collection of personal data,
  • recording of personal data,
  • organisation of personal data,
  • structuring of personal data,
  • storage of personal data,
  • adaptation or alteration of personal data,
  • retrieval of personal data,
  • consultation using personal data,
  • use of personal data,
  • disclosure by transmission of personal data,
  • dissemination of personal data, or otherwise making personal data available,
  • alignment or combination of personal data,
  • restriction of personal data,
  • erasure or destruction of personal data.

Generally, processing sensitive personal data is prohibited. However, an entity can process a special category of personal data if the processing satisfies one of the conditions defined by UK GDPR.

Legal grounds for processing sensitive information are more demanding than those for processing other types of personal data. A Controller must be able to demonstrate that the processing of sensitive information is strictly necessary and satisfies one of the conditions in Schedule 8 of the Data Protection Act 2018, or is based on explicit consent.

3.3. What is the interconnection between "processing" and "operation"?

An operation or a combination of operations shall mean processing. An operation can include defined actions using personal data that are specified by UK GDPR.

4. Conclusions

  1. UK GDPR regulates the processing of any information relating to an identified or identifiable natural person, that is, personal data.
  2. Processing is an operation or a combination of operations that include certain actions using personal data that are specified by UK GDPR.
  3. UK GDPR prohibits processing "sensitive" information unless it is processed in specific circumstances or for specific purposes defined by UK GDPR and Schedule 8 of the Data Protection Act 2018.
  4. Processing sensitive data requires a high level of protection and demands extra care from controllers. It is therefore advised to address information security responsibly, protecting sensitive personal data in line with legal and regulatory requirements.

 

Author: Dr. Elizabeth Sushko-West
Published: 21 June 2021
Updated: 2 May 2022
