Getting Started
What is Personal Data?
Learn what counts as personal data under Jamaica's Data Protection Act, with everyday examples for real businesses.
What you will learn
- What personal data is, and what is not
- The difference between direct and indirect identifiers
- What makes data "sensitive" and why it needs extra care
- How this applies across different industries
Overview
Personal data is the starting point for everything in data protection. Almost every duty in the Act is triggered when your business handles personal data, so it helps to know exactly what that means.
In simple terms, personal data is any information that relates to a living person who can be identified from it.
Why this matters
If information is personal data, the Act's rules apply: you need a good reason to collect it, you must keep it secure, you can only keep it as long as you need it, and the person has rights over it. If information is not personal data, those rules do not apply. So this is the first question to ask about any information you hold.
What the law says
Under the Act (see the definitions in ), personal data means information that relates to an individual who can be identified from that information, either on its own or together with other information you hold or can get.
There are two important ideas here:
- Direct identifiers point to a person on their own. Examples: full name, TRN, passport number, email address, phone number.
- Indirect identifiers identify someone when combined with other details. Examples: a job title plus a workplace, or a date of birth plus a postal area.
Personal data versus anonymous data
If data is truly anonymous, meaning no one can be identified from it by any reasonable means, it is not personal data and the Act does not apply to it.
Sensitive personal data
Some personal data is more sensitive and can cause greater harm if mishandled. This includes information about a person's:
- health
- race or ethnic origin
- religious or political beliefs
- biometric data (such as fingerprints used to identify someone)
- criminal record
Sensitive personal data needs extra care and a stronger justification before you collect or use it.
Real-world examples
- Healthcare. Patient names, diagnoses, and test results are personal data, and the medical details are sensitive personal data.
- Schools. Student records, grades, and parent contact details are personal data.
- Retail. Customer names, loyalty-card history, and delivery addresses are personal data.
- Hotels. Guest names, passport details, and booking history are personal data.
- Any business with staff. Employee files, payroll, and TRNs are personal data.
Common mistakes
- Assuming "business" contact details are not personal data. They usually are.
- Treating CCTV footage of identifiable people as something other than personal data. It is personal data.
- Believing that masking a few fields makes a dataset anonymous.
Best practices
- Make a simple list of the personal data your business collects and where it lives.
- Note which items are sensitive, and give those stronger protection.
- Collect only what you genuinely need.
Put this into practice
A privacy notice starts with knowing what personal data you collect. Map it once and the rest gets easier.
Start your privacy noticeFrequently asked questions
Key takeaways
- Personal data is any information that can identify a living individual, directly or indirectly.
- Identification can happen by combining pieces of information, not just by a single name.
- Sensitive personal data (such as health, race, or religion) needs extra protection.
- Truly anonymous information that cannot identify anyone is not personal data.
