What does it mean to 'process personal data'?
I just want to offer some clarity on what personal data actually means, in the context of GDPR anyway.
We've had a few comments and posts about whether or not things like plaster casts or practice management patient numbers on a lab ticket constitute personal data.
Here is the official definition in GDPR:
"‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;"
It's a riveting read, really, I promise!
The definition of personal data is quite broad and fairly all-encompassing - frustratingly!
It doesn't just include obvious things like name, DOB and address. It also includes more seemingly-unrelated things like identification numbers on practice management software, IP addresses and so forth.
And of course clinical photographs, dental records, x-rays, impressions etc., which are a 'special category' of data and warrant further protections. Note how the legislation says that personal data is any information relating to "an identified OR identifiable" person - i.e. someone who CAN be identified, "directly or indirectly".
So the question we must consider isn't just - "can the person be directly identified from the information?"...
Clearly if an x-ray got lost in transit and a bloke finds it on the road, it's going to be difficult for that person to identify the patient - let alone cause them any harm or distress.
In that context, the risk is of course incredibly low. But it doesn't mean that the x-ray isn't personal data.