What are personal data?
- Personal data
-
Information that can be linked to a person:
- Name, personal ID number
- Photos, videoes and sound recordings
- Log from the use of access cards
- Information from a source
- Blood samples
- Google searches for a person
Personal data can be divided into three groups:
Directly identifiable information. Can easily be linked to a specific person, such as their name, address and personal ID number.
Indirectly identifiable information. A combination of several pieces of descriptive information that can be linked to a specific person, such as their gender, age, diagnosis, profession and place of residence.
De-identified/pseudonym information. Identifying elements in the information have been removed. This can be additional information, such as name, institution, department and profession. In stead, a connection key can be created. The connection key is used to retrace who the information is about. Even though the information is anonymous when additional information is removed or the connection key is not in use, this is covered by regulations relating to personal data.
Anonymous information is not personal data, since it cannot be linked to an identifiable person. Such information is therefore not covered by the Privacy regulation.
Read more about Personal data (datatilsynet.no)(NO) on the Norwegian Data Protection Authority’s website.
- Special categories (sensitive personal data)
-
The GDPR defines special categories of sensitive personal data as information relating to:
- Health
- Sex life or sexual orientation
- Racial or ethnic origin
- Political opinions, philosophical or religious beliefs
- Genetic and biometric data
- Trade union membership
The same demands apply to data regarding whether a person has been suspected of, charged with, indicted for or convicted of a criminal act.
Other information about persons in vulnerable situations shall also be protected as sensitive information. For example vulnerable informants such as children, young people or people on the run, and persons who share intimate information.
You are responsible for ensuring that the information is protected in accordance with the need for confidentiality. Strict requirements apply to how these special categories (sensitive personal data) shall be protected.
Avoid it if you can. Protecting sensitive information is demanding. You should therefore always consider whether it is absolutely necessary to use these special categories (sensitive personal data).
Check with your place of study or work what solutions and procedures you have for protecting these special categories (sensitive personal data).
Read more about these special categories (sensitive personal data) (datatilsynet.no)(NO) and processing of special categories (sensitive personal data) - prohibitions and exceptions (datatilsynet.no)(NO).
- Personal ID numbers
-
Consist of 11 digits (date of birth and national ID suffix). Used for secure identification of individuals. Everyone who is born in Norway or moves here is assigned a unique identification number.
Must be treated with caution, because they can be misused, among other things in connection with identity theft. Personal ID numbers must only be used when there is an objective need for it, and the identity cannot be verified in another way, for example by using student or staff numbers.
Must not
- be sent openly by e-mail or shared online
- be used to confirm a person’s identity in a telephone enquiry
Check the procedures for the use of personal ID numbers at your place of study or work.
Read more about personal ID numbers (datatilsynet.no)(NO) on the Norwegian Data Protection Authority’s website.