“What is personal data?” under the DIFC Data Protection Law
The DIFC Data Protection Law 2007 applies in the jurisdiction of the Dubai International Financial Centre. This legislation governs the processing of “personal data”.
The DIFC Data Protection Law 2007 applies in the jurisdiction of the Dubai International Financial Centre. This legislation governs the processing of “personal data”. It protects the rights of “data subjects”, namely the people to whom personal data relates. The term “personal data” is defined in the DIFC Data Protection Law as “any information relating to an identifiable natural person”. An identifiable natural person is “a natural person who can be identified, directly or indirectly in particular by reference to an identification number or to one or more factors specific to his biological, physical, biometric, physiological, mental, economic, cultural or social identity”. The key part of the definition of identifiable natural person is the first ten words, namely “a natural person who can be identified, directly or indirectly”, as the subsequent words comprise a list of reference points.
In some cases it is clear that information is “personal data” for the purpose of the DIFC Data Protection Law. However, in recent times we have considered categories of information which may or may not be personal data, and the answer is not always clear. At the DIFC Data Commissioner’s website one reads the following: “Personal data is any information relating to an identified natural person or identifiable natural person. For example, personal data may include individual’s name, age, home address, race, sexual orientation, income, blood type, marital status, education, and employment information … [it] may include an employer’s appraisal or opinion of an employee.” The website further states: “Whether information relates to a particular individual will be a question of fact in each case. If a connection can be made between the information and an individual, then the information is personal data. Personal data can relate to more than one individual. For example, information concerning a joint bank account relates to both account holders and therefore is the personal data of each account holder and will be protected as such.”
This is helpful, but not comprehensive. Thus we have looked to how other jurisdictions, who have laws similar to the DIFC Data Protection Law, have addressed the question “What is personal data?” Our view is that “context is everything”, or at least context is most important in assessing whether information is actually personal data. While it is not possible to address the many different types of information which an organization operating in the DIFC may encounter, we thought it would be useful to outline some key issues in this article.
An individual is “identified” if it is possible to distinguish that individual from other members of a group. A name is the most common means of identifying someone. However, if there are two or more people within an organization of the same name the name of itself may not be personal data. When the name is combined with some other information about the person such as their address or telephone number that will usually be sufficient to identify the individual, and thus the name plus that additional information is together personal data. Yet it is not necessary to have a person’s name to identify the person if you have other information when, put together, is sufficient to identify them. For instance, in the employment context, information relating to the person’s position of employment, salary, commencement date and qualifications may be sufficient, when combined, to constitute personal data. A judgment call is required when assessing the combination of information. A practical approach is to ask whether such pieces of information would, in practice, reasonably be likely to be put together in this way, or whether it is unrealistic to assume that this would take place. What this means that if an organization puts in place mechanisms which prevent the combination of information in this way, it may be possible to avoid each of these items being identified as personal data.
The definition of personal data in the DIFC Data Protection Law refers to any information “relating to” an identifiable natural person. For guidance on the scope of “relating to” in this context it is useful to turn to the UK Information Commissioner’s Office, who, in a 2007 report, expressed the view that data which identifies an individual, even without a name associated with it, may be personal data where “it is processed to learn or record something about that individual, or where the processing of the information has an impact upon that individual”. For instance, a medical history, a criminal record or a record of a particular individual’s performance at work or in a sporting activity will be data which is obviously about a particular individual and it is the content of that information alone which determines that it relates to an individual. That said, it will be necessary to read that information in connection with the individual’s name. Further, there will be data which is not obviously about a particular individual but is information about their activities, such as a person’s personal bank statements or itemized telephone bills. In these circumstances the data relates to the person named on the statements or the bills and thus is personal data. The UK Office suggested the following questions: “Is the data being processed, or could it easily be processed, to learn, record or decide something about an identifiable individual? Or, as an incidental consequence of the processing, either could you learn or record something about an identifiable individual, or could the processing have an impact on or affect an identifiable individual?” If so, the data is likely to be personal data.
An interesting scenario is the minutes of a meeting held within an organization. There will be circumstances where part of the record of a meeting will be personal data as the data is obviously about or clearly linked to an individual. For instance, consider where an individual’s suitability for a particular role is discussed, with consideration given to the individual’s qualifications, personality and/or performance. That section of the minutes of the meeting will be personal data about that individual. If more than one candidate is considered in the meeting, there may be personal data in the minutes of the meeting referable to each of the identifiable individuals. The opinions of the people in the meeting about the individuals in question will also be personal data of the individual being discussed. If the meeting is actually to consider disciplinary action against a particular employee, it is likely that everything discussed at the meeting and recorded in the minutes is personal data about the individual.
The reports of the UK Information Commissioner’s Office and publications of the European Article 29 Working Party are not part of UAE law or the law of the DIFC. However, when it comes to applying the DIFC Data Protection Law of 2007 on a day to day basis, it is useful to have regard to these external materials. We look forward to further consideration of these topics by the DIFC Data Protection Commissioner and the DIFC Courts in due course.