We are currently consulting on this draft guidance.
At a glance
- Personal data is information that relates to an identified or identifiable person.
- If you can identify someone from the information directly or indirectly, then it is personal data.
- Biometric data is a type of personal data.
- The data must meet specific requirements to be biometric data. These relate to qualities of the data itself, not how you use it.
- If you use biometric data for unique identification, it is special category biometric data.
- What is personal data?
- What is biometric data?
- What is special category biometric data?
- What about other special category data?
This guidance refers to the following data protection concepts. An understanding of these will help you to get the most out of this guidance.
Personal data is information that relates to an identified or identifiable person.
Article 4(1) of the UK GDPR defines personal data as:
“any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
If you cannot directly identify someone from information you hold, it may still be possible to indirectly identify them. You must consider the information you are using, together with all the means you, or anyone else, is likely to use to identify that person.
Information that is not personal data is outside the scope of data protection law.
Personal data does not include information:
- about the deceased; or
- that has been anonymised appropriately.
For more about personal information and anonymisation, see our draft guidance on anonymisation and pseudonymisation.
Article 4(14) of the UK GDPR defines biometric data as:
“personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic [fingerprint] data.”
This means that personal data is only biometric data if it:
- relates to someone’s behaviour, appearance, or observable characteristics (eg the way someone types, a person’s voice, fingerprints, or face);
- has been extracted or further analysed using technology (eg an audio recording of someone talking is analysed with specific software to detect things like tone, pitch, accents and inflections); and
- can uniquely identify (recognise) the person it relates to.
This guidance provides more detail on the definition of biometric data and when it is likely to apply.
If you are using information that does not meet these criteria, you must still determine if you are processing personal data.
When you use biometric data for the purpose of uniquely identifying (recognising) someone, it is special category biometric data.
Article 9 of the UK GDPR describes several types of special categories of personal data which require extra care because they are likely to be more sensitive or ‘private’.
You must only process special category data if you can identify a valid condition for processing.
Not all biometric data is “special category biometric data.” It is only special category biometric data if you use it to uniquely identify someone.
However, even if this is not your purpose, the biometric data you process may still include other types of special category data.
For example, biometric data may reveal information about someone's racial or ethnic origin or could include information about health, sex life or sexual orientation.