The IT Law Wiki



Personal data is

recorded information or opinion, whether true or not, about an identifiable individual. Personal information can be almost any information linked to an individual, including name, address, sex, age, financial details, marital status, education, criminal record or employment history. It does not include health information or personal information collected by a health service provider in order to provide a health service.[1]
information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or an opinion.[2]


Personal data is

recorded information about an identifiable individual, including:
  • The individual's name, address or telephone number;
  • The individual's race, national or ethnic origin, colour, or religious or political beliefs or associations;
  • The individual's age, sex, sexual orientation, marital status or family status;
  • An identifying number, symbol or other particular assigned to the individual;
  • The individual's fingerprints, blood type or inheritable characteristics;
  • Information about the individual's health care status or history, including a physical or mental disability;
  • Information about the individual's educational, financial, criminal or employment status or history;
  • The opinions of a person about the individual;
  • The individual's personal views or opinions.[3]

European Union[]

Personal data is

[a]ny information relating to an identified or identifiable natural person ('data subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.[4]

This definition is meant to be broad. The principles of protection must apply to any information concerning an identified or identifiable person. In order to determine whether a person is identifiable, account should be taken of all the means reasonably likely to be used either by the controller or by any other person to identify the said person. Some examples of “personal data” are a person’s address, credit card number, bank statements.[5]


Personal data is

data relating to a living individual who is or can be identified either from the data or from the data in conjunction with other information that is in, or is likely to come into, the possession of the data controller.[6]

United Kingdom[]

Personal data is

data which relate to a living individual who can be identified —

(a) from those data, or

(b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller,

and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.[7]

United States[]

Personal data (also called personal information) is any recorded information about an identifiable individual, such as a person's religion, age, financial transactions, medical history, address, or blood type. The term includes both identifying personal information and nonidentifying personal information.

Figure 1 provides a taxonomy of personal data and the application of U.S. federal privacy laws.

Figure 1

The Federal Trade Commission has defined personal data as

information from or about consumers, including, but not limited to: (1) first and last name; (2) home or other physical address, including street name and name of city or town; (3) email address or other online contact information, such as an instant messaging user identifier or a screen name; (4) telephone number; (5) date of birth; (6) gender, racial, ethnic, or religious information; (7) government-issued identification number, such as a driver's license, military identification, passport, or Social Security number, or other personal identification number; (8) financial information, including but not limited to: investment account information; income tax information; insurance policy information; checking account information; and credit, debit, or check-cashing card information, including card number, expiration date, security number (such as card verification value), information stored on the magnetic stripe of the card, and personal identification number; (9) employment information, including, but not limited to, income, employment, retirement, disability, and medical records; or (10) a persistent identifier, such as a customer number held in a "cookie" or processor serial number.[8]


  1. Victoria (Australia) Information Privacy Act 2000.
  2. Australian Privacy Act 1988 s 6(1).
  3. Access to Information and Protection of Privacy Act SNL2002 CHAPTER A-1.1 (St. John's, Newfoundland and Labrador, Canada).
  4. EU Directive on the Protection of Personal Data, Art. 2(a).
  5. See Article 29 Data Protection Working Party, Opinion 4/2007 on the concept of personal data.
  6. Data Protection Act 2003 (Ireland).
  7. U.K. Data Protection Acts, 1988 and 2003.
  8. Order to File Special Report, at 14.

See also[]