Getting Started

What is Personal Data?

Learn what counts as personal data under Jamaica's Data Protection Act, with everyday examples for real businesses.

Beginner 12 min
This module is general information, not legal advice, and is being reviewed by our legal team. For your specific situation, consult the official Data Protection Act, 2020 or seek professional advice.

What you will learn

  • What personal data is, and what is not
  • The difference between direct and indirect identifiers
  • What makes data "sensitive" and why it needs extra care
  • How this applies across different industries

Overview

Personal data is the starting point for everything in data protection. Almost every duty in the Act is triggered when your business handles personal data, so it helps to know exactly what that means.

In simple terms, personal data is any information that relates to a living person who can be identified from it.

Why this matters

If information is personal data, the Act's rules apply: you need a good reason to collect it, you must keep it secure, you can only keep it as long as you need it, and the person has rights over it. If information is not personal data, those rules do not apply. So this is the first question to ask about any information you hold.

What the law says

Under the Act (see the definitions in ), personal data means information that relates to an individual who can be identified from that information, either on its own or together with other information you hold or can get.

There are two important ideas here:

  • Direct identifiers point to a person on their own. Examples: full name, TRN, passport number, email address, phone number.
  • Indirect identifiers identify someone when combined with other details. Examples: a job title plus a workplace, or a date of birth plus a postal area.
Note. You do not need a name for something to be personal data. If the information can be linked back to a specific person by any reasonable means, it counts.

Personal data versus anonymous data

If data is truly anonymous, meaning no one can be identified from it by any reasonable means, it is not personal data and the Act does not apply to it.

Watch out. Removing names is not the same as anonymising. A "de-identified" record can often be re-identified by combining it with other data. Treat partially masked data as personal data unless you are confident it cannot be traced to anyone.

Sensitive personal data

Some personal data is more sensitive and can cause greater harm if mishandled. This includes information about a person's:

  • health
  • race or ethnic origin
  • religious or political beliefs
  • biometric data (such as fingerprints used to identify someone)
  • criminal record

Sensitive personal data needs extra care and a stronger justification before you collect or use it.

Real-world examples

  • Healthcare. Patient names, diagnoses, and test results are personal data, and the medical details are sensitive personal data.
  • Schools. Student records, grades, and parent contact details are personal data.
  • Retail. Customer names, loyalty-card history, and delivery addresses are personal data.
  • Hotels. Guest names, passport details, and booking history are personal data.
  • Any business with staff. Employee files, payroll, and TRNs are personal data.

Common mistakes

  • Assuming "business" contact details are not personal data. They usually are.
  • Treating CCTV footage of identifiable people as something other than personal data. It is personal data.
  • Believing that masking a few fields makes a dataset anonymous.

Best practices

  • Make a simple list of the personal data your business collects and where it lives.
  • Note which items are sensitive, and give those stronger protection.
  • Collect only what you genuinely need.

Put this into practice

A privacy notice starts with knowing what personal data you collect. Map it once and the rest gets easier.

Start your privacy notice

Frequently asked questions

Often yes. An address like firstname.lastname@company.com identifies a specific person, so it is usually personal data.

Key takeaways

  • Personal data is any information that can identify a living individual, directly or indirectly.
  • Identification can happen by combining pieces of information, not just by a single name.
  • Sensitive personal data (such as health, race, or religion) needs extra protection.
  • Truly anonymous information that cannot identify anyone is not personal data.

Related

Ask the Privacy Assistant

Beta