What Counts as Personal Data Under UK GDPR?
One of the most common questions from UK businesses and compliance professionals is deceptively simple: what actually counts as personal data? Get this wrong and you risk either over-redacting (wasting time and obscuring legitimate information) or under-redacting (exposing personal data and breaching UK GDPR).
The legal definition
Under Article 4(1) of the UK GDPR, personal data means any information relating to an identified or identifiable natural person. A person is identifiable if they can be identified, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, or one or more factors specific to their physical, physiological, genetic, mental, economic, cultural, or social identity.
The key word is identifiable. You don't need to know someone's name for the data to be personal — if a combination of data points could reasonably be used to identify them, it's personal data.
Direct identifiers
These unambiguously identify a specific individual on their own:
- Full name: first name + surname, or initials that identify someone in context
- National Insurance number: format AB 12 34 56 C — uniquely assigned to one person
- NHS number: 10-digit identifier unique to each NHS patient
- Email address: personal email, and often work email (firstname.lastname@)
- Phone number: mobile and landline, including work direct dials
- Home address: full or partial residential address including postcode
- Date of birth: full DOB, or DOB + partial name in combination
- Passport / driving licence: government-issued ID numbers
Indirect and contextual identifiers
These may not identify someone on their own, but in combination with other data they can:
- Job title — "the Head of HR at Acme Ltd" may identify a specific individual
- UK postcodes — a full postcode covers on average 15 properties. Combined with a name or DOB, it is identifying. Even partial postcodes (district code) can narrow identification in some contexts.
- IP addresses — classified as personal data by the ICO where they can be linked to an individual
- Cookie IDs and device identifiers — personal data if they can be linked to an individual
- Photos and CCTV footage — identifying where the individual is recognisable
- Medical conditions — where linked to an identified or identifiable person
- Salary information — personal data for employees or individuals
The combination test: Ask yourself — could a determined person, using this data alongside other reasonably available information, identify the individual? If yes, it's personal data under UK GDPR.
Special category data — extra protection required
Certain categories of personal data require stricter handling and an explicit lawful basis for processing. Under Article 9 of the UK GDPR, these are:
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Genetic data
- Biometric data (used for identification)
- Health data
- Sex life or sexual orientation
For UK healthcare organisations and NHS trusts, health data is by far the most common special category. NHS numbers, diagnoses, treatment records, and referral letters all fall into this category and require enhanced protection.
UK-specific identifiers you must know
The UK has several national identifiers that don't exist in other jurisdictions. If your documents contain any of these, they are personal data and typically require redaction before disclosure:
NHS Number
A 10-digit number assigned to every person registered with the NHS. It is unique to one individual and should always be treated as personal data. The format uses a Modulus 11 checksum algorithm for validation.
National Insurance Number (NIN)
Format: two letters, six digits, one letter (e.g. AB 12 34 56 C). Used by HMRC and DWP to identify individuals for tax and benefits. Always personal data — often also sensitive given its financial context.
UK Postcodes
A full UK postcode (e.g. SW1A 1AA) identifies a very small geographic area — sometimes a single building. Combined with any other identifier, it is personal data. Even partial postcodes warrant consideration.
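The NHS number checksum and the National Insurance number format described above can be turned into a detection pass that rejects look-alike numbers. The following is an added example, not code from this page or from DesktopRedact; the regular expressions, function names and sample text are assumptions made for illustration, and the NI pattern checks only the letter/digit shape given above.

```python
import re

# Candidate NHS numbers: 10 digits, optionally grouped 3-3-4 with spaces or hyphens.
NHS_RE = re.compile(r"\b\d{3}[ -]?\d{3}[ -]?\d{4}\b")
# NI number shape as given on the page: two letters, six digits, one letter.
NINO_RE = re.compile(r"\b[A-Z]{2} ?\d{2} ?\d{2} ?\d{2} ?[A-Z]\b", re.IGNORECASE)


def nhs_checksum_ok(candidate: str) -> bool:
    """Modulus 11 check: weight the first nine digits 10..2, compare digit ten."""
    digits = [int(c) for c in candidate if c.isdigit()]
    if len(digits) != 10:
        return False
    total = sum(d * w for d, w in zip(digits[:9], range(10, 1, -1)))
    check = 11 - (total % 11)
    if check == 11:
        check = 0
    # A computed check digit of 10 never matches a single digit, so it is invalid.
    return check == digits[9]


def find_identifiers(text: str) -> list[tuple[str, str]]:
    """Return (kind, matched_text) pairs in document order."""
    hits = []
    for m in NHS_RE.finditer(text):
        if nhs_checksum_ok(m.group()):
            hits.append((m.start(), "NHS", m.group()))
    for m in NINO_RE.finditer(text):
        hits.append((m.start(), "NINO", m.group()))
    return [(kind, value) for _, kind, value in sorted(hits)]


def redact(text: str) -> str:
    """Replace each detected identifier with a typed placeholder."""
    for kind, value in find_identifiers(text):
        text = text.replace(value, f"[{kind} REDACTED]")
    return text


# Constructed sample: one checksum-valid NHS number, one 10-digit order
# reference that fails the checksum, and the NI number format from the page.
SAMPLE = (
    "Patient 943 476 5919 referred by Dr Smith. "
    "Order ref 1234567890. NI number AB 12 34 56 C."
)

if __name__ == "__main__":
    print(find_identifiers(SAMPLE))
    print(redact(SAMPLE))
```

The checksum lets the order reference through untouched while the NHS number is redacted, which is the difference between over-redacting every 10-digit number and matching only plausible identifiers.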
Pseudonymous vs anonymous data
Not all de-identified data is outside the scope of UK GDPR:
Pseudonymous data — data where direct identifiers have been replaced with artificial identifiers (pseudonyms), but re-identification is possible using a key held elsewhere. This is still personal data under UK GDPR and must be handled accordingly.
Truly anonymous data — data where re-identification is not reasonably possible. This falls outside the scope of UK GDPR. However, the bar for true anonymisation is high. Simply removing a name is rarely sufficient.
The ICO's Anonymisation Code of Practice provides detailed guidance on when data can genuinely be considered anonymous.
Practical implications for document redaction
When preparing documents for disclosure — whether for a DSAR response, court bundle, research publication, or third-party sharing — you need to identify and redact:
- All direct identifiers (names, NHS numbers, NIN, email, phone, addresses)
- Indirect identifiers that in combination could identify someone
- Special category data unless you have explicit grounds for disclosure
- Any metadata in the document file itself (author name, track changes, creation date)
DesktopRedact automatically detects all of the above PII types in PDFs and DOCX files — locally on your machine, nothing sent to the cloud.