# The "personal data collection" finding
Your scan inventories what personal data your forms ask users for — email, phone, date of birth, NHS number, postcode, name, password — and flags sensitive categories for UK GDPR.
When you walk a site that has forms, your scan inventories **what personal data those forms ask
users for** and surfaces it as a finding in the report.
## What it detects
The recorder already classifies every form field when you walk your site. This finding reads that
classification and groups the personal-data categories it found:
- **email address**
- **phone number**
- **date (e.g. date of birth)**
- **NHS number**
- **postcode**
- **name**
- **password**
Generic free-text, dropdowns, and number fields are **not** treated as personal data.
## What the statuses mean
- **Pass** — the journey collects standard personal data (e.g. email, name). The finding lists it
so you can confirm it's all covered by your privacy notice.
- **Warn** — the journey collects **sensitive categories** (NHS number, password) that carry
heightened UK GDPR handling obligations. Not a failure — a flag to make sure you've got the extra
safeguards and a clear lawful basis.
- **Not run** — no form fields were captured (the walk didn't go through a form, or the page didn't
load). Re-record covering your signup / contact / booking forms to get the inventory.
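The following is an added example, not the scanner's own code, showing how field-level classification like the one described under "What it detects" can feed the Pass / Warn / Not run statuses above. It assumes a hypothetical `FormField` record (name, input type, `autocomplete` attribute, visible label) and keyword rules of my own choosing; the real recorder's data model and rules are not described on this page.

```python
import re
from dataclasses import dataclass
from typing import Optional


# Hypothetical representation of a captured form field (an assumption; the
# recorder's actual data model is not documented here).
@dataclass
class FormField:
    name: str
    type: str = "text"
    autocomplete: str = ""
    label: str = ""

    def hints(self) -> str:
        # Lower-cased name + label with separators normalised to spaces, so
        # "first_name", "first-name" and "First name" all match the same rule.
        return re.sub(r"[_\-]+", " ", f"{self.name} {self.label}".lower())


# The two categories the finding treats as sensitive (raising the status to Warn).
SENSITIVE = {"nhs_number", "password"}


def classify(f: FormField) -> Optional[str]:
    """Return the personal-data category of a field, or None for generic fields."""
    h = f.hints()
    ac = f.autocomplete.lower()
    if f.type == "password" or ac in {"current-password", "new-password"} \
            or re.search(r"\bpass(word|wd)?\b", h):
        return "password"
    if f.type == "email" or ac == "email" or re.search(r"\be ?mail\b", h):
        return "email"
    if f.type == "tel" or ac.startswith("tel") \
            or re.search(r"\b(phone|telephone|mobile|tel)\b", h):
        return "phone"
    if re.search(r"\bnhs\b", h):
        return "nhs_number"
    if ac == "postal-code" or re.search(r"\b(post ?code|zip)\b", h):
        return "postcode"
    if f.type == "date" or ac.startswith("bday") \
            or re.search(r"\b(dob|date of birth|birth ?date)\b", h):
        return "date"
    if ac in {"name", "given-name", "family-name"} or h.strip() == "name" \
            or re.search(r"\b((first|last|full|given|family) ?name|surname|forename)\b", h):
        return "name"
    # Free text, dropdowns, number fields, usernames and the like are not personal data here.
    return None


def inventory(fields) -> list:
    """Unique personal-data categories found across the captured fields, sorted."""
    return sorted({c for c in map(classify, fields) if c})


def finding_status(fields) -> str:
    """Map the inventory onto the finding's three statuses."""
    if not fields:
        return "Not run"  # nothing captured: the walk never went through a form
    if SENSITIVE & set(inventory(fields)):
        return "Warn"     # NHS number and/or password collected
    return "Pass"         # standard personal data only (assumption: also Pass when none found)


# Constructed sample: fields as a recorder might capture them from a signup/booking journey.
SAMPLE_FORM = [
    FormField("first_name", label="First name"),
    FormField("email", type="email", autocomplete="email"),
    FormField("mobile", type="tel", autocomplete="tel"),
    FormField("dob", type="date", label="Date of birth"),
    FormField("nhs_number", label="NHS number"),
    FormField("postcode", autocomplete="postal-code"),
    FormField("password", type="password", autocomplete="new-password"),
    FormField("username"),                   # generic: not one of the listed categories
    FormField("party_size", type="number"),  # generic number field
    FormField("comments", type="textarea"),  # generic free text
]

if __name__ == "__main__":
    print("inventory:", inventory(SAMPLE_FORM))
    print("status:", finding_status(SAMPLE_FORM))
```

The rules are ordered so that the most reliable signals (input `type` and `autocomplete`) are tried before keyword matching on names and labels, and word boundaries keep `username` from being mistaken for a name field.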
## Does it affect my score?
**No.** This finding is informational — collecting personal data isn't a vulnerability, so it never
moves your security score. It's there so you have an honest "here's what your forms ask for" view.
## What to do with it
For each category listed, confirm the field is: declared in your privacy notice, collected
lawfully, encrypted in transit and at rest, and retained only as long as needed. Sensitive data
(health identifiers, credentials) needs extra safeguards.