Processing personal data

If an individual can be identified from the data, either on its own or in combination with other information that the data controller has, then it is personal data.

The GDPR applies to the processing of personal data where it is either:

• processed automatically (on computer or recording device) – this includes scanning a document; or

• forms part of a manual filing system.

Personal data includes an expression of opinion about the individual, or an indication of an intention to do something. This includes comments that you make about an individual in an email, which you will need to disclose to the individual if they request it. Simply making reference to someone, or including their name in an email, is not enough to make it personal data – it has to be about them in a meaningful way. For example, a record that an individual was at a meeting is personal information, but not everything that is said at the meeting will necessarily be personal because it may not all be about him or her.

If someone who didn’t know the system could find specific information by referring to an index or subdivisions within a file that is organised by criteria such as name, membership number, subject such as “absence”, “complaints”, “tribunal cases”, then it will be a filing system. However, putting something in date order does not make it protected data.