Information Commissioner’s Office (ICO) – The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
https://ico.org.uk/your-data-matters/your-right-to-get-copies-of-your-data/
What is personal data?
Personal data only includes information relating to natural persons who: can be identified or who are identifiable, directly from the information in question; or who can be indirectly identified from that information in combination with other information.
Personal data may also include special categories of personal data or criminal conviction and offences data. These are considered to be more sensitive and you may only process them in more limited circumstances.
Pseudonymised data can help reduce privacy risks by making it more difficult to identify individuals, but it is still personal data.
If personal data can be truly anonymised then the anonymised data is not subject to the GDPR. It is important to understand what personal data is in order to understand if the data has been anonymised.
Information about a deceased person does not constitute personal data and therefore is not subject to the GDPR.
Information about companies or public authorities is not personal data.
However, information about individuals acting as sole traders, employees, partners and company directors where they are individually identifiable and the information relates to them as an individual may constitute personal data.
What are identifiers and related factors?
An individual is ‘identified’ or ‘identifiable’ if you can distinguish them from other individuals.
A name is perhaps the most common means of identifying someone. However, whether any potential identifier actually identifies an individual depends on the context.
A combination of identifiers may be needed to identify an individual.
The GDPR provides a non-exhaustive list of identifiers, including: name; identification number; location data; and an online identifier.
‘Online identifiers’ includes IP addresses and cookie identifiers which may be personal data.
Other factors can identify an individual.
What is the meaning of relates to?
Information must ‘relate to’ the identifiable individual to be personal data.
This means that it does more than simply identifying them – it must concern the individual in some way.
To decide whether or not data relates to an individual, you may need to consider:
- the content of the data – is it directly about the individual or their activities?
- the purpose you will process the data for; and
- the results of or effects on the individual from processing the data.
Data can reference an identifiable individual and not be personal data about that individual, as the information does not relate to them.
There will be circumstances where it may be difficult to determine whether data is personal data. If this is the case, as a matter of good practice, you should treat the information with care, ensure that you have a clear reason for processing the data and, in particular, ensure you hold and dispose of it securely.
Inaccurate information may still be personal data if it relates to an identifiable individual.
Individual Rights
The GDPR provides the following rights for individuals:
- The right to be informed – Individuals have the right to be informed about the collection and use of their personal data. This is a key transparency requirement under the GDPR. You must provide individuals with information including: your purposes for processing their personal data, your retention periods for that personal data, and who it will be shared with. We call this ‘privacy information’. You must provide privacy information to individuals at the time you collect their personal data from them. The information you provide to people must be concise, transparent, intelligible, easily accessible, and it must use clear and plain language. There are a few circumstances when you do not need to provide people with privacy information, such as if an individual already has the information or if it would involve a disproportionate effort to provide it to them.
- The right of access – Individuals have the right to access their personal data. This is commonly referred to as subject access. Individuals can make a subject access request verbally or in writing. You have one month to respond to a request. You cannot charge a fee to deal with a request in most circumstances. The right of access, commonly referred to as subject access, gives individuals the right to obtain a copy of their personal data as well as other supplementary information. It helps individuals to understand how and why you are using their data, and check you are doing it lawfully.
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling.
This part of the guide explains these rights.
Downloaded own personal data from Instagram and Facebook – pretty much my history of interaction with them – not particularly interesting but can explore ways of involving in my practice.
These definitions/guidelines are perhaps more interesting