GDPR Tip: Are shoe sizes and video recordings personal data?

What is personal data, and where is the line between ordinary and sensitive personal data? If you’re unsure, you’re not alone. And the answer is not always simple.

Every day, AU helps researchers in the sometimes complex task of complying with GDPR rules. The Data Protection Unit at AU often finds that people are unsure about how to categorise personal data: is it personal data, and is it sensitive or not?

One of these people is Karen Thodberg, a senior researcher at the Department of Animal and Veterinary Sciences – ANIS Behaviour, stress and welfare (BSW). As an example, she highlights a research project she heads about occupational accidents on farms.

"We filmed the staff working with cows, and I intuitively thought that this was sensitive personal data. But it wasn't," she says.

GDPR

AU’s web pages about GDPR for researchers contain useful information on how to keep personal data safe when conducting research projects. Every autumn, AU’s data protection unit focuses on different aspects of GDPR based on researchers’ dilemmas and experiences. This time it is about personal data. 

Sensitive or not?

Søren Broberg Nielsen, AU's Data Protection Officer (DPO), admits that the area can be hard to navigate.

"For data to be categorised as sensitive personal data, it must pose more of a risk to the rights and freedoms of the data subject than ordinary personal data. And this was not the case in Karen Thodberg's research project," he says, and recommends looking at the list in the General Data Protection Regulation of what is categorised as sensitive. According to the list, the following personal data is categorised as sensitive:

  • Racial or ethnic origin  
  • Political opinions, religious beliefs or philosophical beliefs  
  • Trade union membership 
  • The processing of genetic data and/or biometric data for the purpose of uniquely identifying a natural person 
  • Data concerning health 
  • Data concerning a natural person’s sex life or sexual orientation

The processing of civil registration numbers (CPR nos.) and information about criminal offences belongs in a category of its own.

But what about ordinary personal data?

Personal data is many things

"A rule of thumb is that ordinary personal data is any information other than that which is sensitive or relates to criminal offences, and which could be attributed to a natural person – this may be age, gender, height, email address, weight, CV and exam results, to name just a few. Many are surprised that this type of information is not sensitive. But it’s not," says Søren Broberg Nielsen.

Sometimes the doubt is not about whether or not personal data is sensitive. In fact, just figuring out whether data is personal data can be challenging in itself. Because age, gender, height, etc., are not by definition personal data.

"If the information can be attributed to a natural person, it is personal data – and here the context is often decisive. For example, a shoe size is generally not considered personal data, but if only one person in a specific village has shoe size 49, it’s a different story. In the same way, finding rats on a property is not generally personal data – but if the property is owned by a natural person or a sole proprietorship, then it is personal data," explains Søren Broberg Nielsen.

GDPR Web Pages and Contact Information

It makes a difference to the processing of research data

So why is it so important to be able to categorise personal data correctly? Because it affects the way personal data needs to be processed in research to comply with the data protection rules.

"It's important to determine whether your research project involves personal data, and which type of personal data, otherwise you risk either making things too difficult for yourself, or worse, jeopardising the rights of individuals. Neither is appropriate," says Søren Broberg Nielsen and encourages researchers to familiarise themselves with AU's GDPR web pages, and if they are still in doubt, to contact their local data protection coordinator at the faculty.

More information 

Read the previous article from August with Caroline Howard Grøn in the series GDPR Tip on the difference between obtaining consent and using ‘scientific research purposes’ to gain a legal basis.

Next Time

Professor Niels Brügger on the use of personal data from social media in research.