Data privacy essentially boils down to the question of whether we are dealing with ‘personal data’ or not. What seems a simple yes or no at first might spark arguments and discussions among team members and co-operation partners like vendors.
‘Personal Data’ is also referred to as ‘Personal information’ or ‘Personally Identifiable Information’ (PII) and they can be used interchangeably.
Legal definitions are rather straightforward – personal information means information about an identifiable individual (Canada’s PIPEDA). EU’s GDPR defines ‘Personal Data’ as any information relating to an identified or identifiable natural person. IAPP’s Glossary provides 6 different references to ‘Personal Data’ or ‘Personal Information’, the essence of ‘something we know about someone’ remaining the same.
To sum it up – if a bit or bits of information can be linked to someone, the information is deemed as ‘Personal Data’ by privacy regulations. This triggers the need to acknowledge relevant privacy considerations.
References:
PIPEDA – https://laws-lois.justice.gc.ca/eng/acts/P-8.6/page-1.html#h-416888
GDPR – https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679
IAPP’s Glossary – https://iapp.org/resources/glossary/