Information Categories. There are two broad categories of information relating to individuals that organisations may wish to collect, store and share, as detailed below: Personal Data as defined by UK GDPR: Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person Special Categories’ of Personal Data: UK GDPR highlights Special Categories’ of Personal Data and defines these as: The racial or ethnic origin of the data subject; Their political opinions; Their religious beliefs or other beliefs of a similar nature; Whether a member of a trade union (within the meaning of the Trade Union and Labour Relations (Consolidation) Act 1998; Genetic data; Biometric data for the purpose of uniquely identifying a natural person; Their physical or mental health or condition; Their sexual life.
Information Categories. It is understood that the vast majority of information sharing that takes place under this agreement will involve depersonalised information and there will be few, if any, reasons to share personal or sensitive information. However the following paragraphs deal with information in the public domain, depersonalised, personal and sensitive information in order to provide some guidance should personal information ever need to disclosed and shared between signatories. Information in the public domain Publicly available information (whether it relates to an individual or not) can include information available from the internet, newspapers, television, government guidance, public records and electoral roll. Although sharing and disclosure will not face any limitations with this information it is important to remember that copyright, contractual or other restrictions can apply (it is important to be aware of libel issues). Checks should also take place to ensure the information is accurate. Depersonalised (or Non-personal) information There are generally no legal restrictions on information exchange for depersonalised information but copyright, contractual or other restrictions can apply. Depersonalised data encompasses any information that does not and cannot be used to establish the identity of a living individual, and has had all personal identifiers removed. However signatories to this protocol understand that: The information Commissioner has stated that even a post-code or address can give away the identity of an individual, if there is only one person living there. If several (or even two) sets of depersonalised data were merged or compared to each-other, there is a risk that an individual could be identified. It is good practice where possible to give subjects information about how depersonalised data about them may be used. Non-disclosure of depersonalised information could infringe rights under the Freedom of Information Act. Personal Information Personal data (such as date of birth, gender and address) which relates to a living individual will be subject to careful management. The information Commissioner should be notified of all purposes for which personal data is processed by ‗automated means‘. All signatories to this protocol should ensure personal data is: Clearly marked and kept securely within a pass-worded computer system or physically secure with appropriate levels of staff access. Destroyed when no longer required for the purpose for which it...
