2. KEY DEFINITIONS
Unless otherwise stated, these are taken from the EU-General Data Protection Legislation (GDPR) and Data Protection Act 2018 (the Act), which together are referred to as the "Data Protection Legislation" below.
'Data' falling under Data Protection Legislation is defined as information which:
- is processed wholly or partly by automated means (that is information in electronic form);
- is processed in a non-automated manner and forms part of, or is intended to form part of, a 'filing system' (that is, manual information in a filing system).

The GDPR does not cover information which is not, or is not intended to be, part of a ‘filing system’. However, under the Data Protection Act 2018 (DPA 2018) unstructured manual information processed only by public authorities constitutes personal data. This includes paper records that are not held as part of a filing system. While such information is personal data under the DPA 2018, it is exempted from most of the principles and obligations in the GDPR and is aimed at ensuring that it is appropriately protected for requests under the Freedom of Information legislation.
2.2 Personal Data
Personal data only includes information relating to natural persons who:
- can be identified or are identifiable directly from the information in question; or
- can be indirectly identified from that information in combination with other information.
The legislation defines personal data as:
'personal data' means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person
Further guidance on the factors to be considered in determining whether information is personal data is available in the UK Information Commissioner's Guidance on Personal Data.
2.3 Special Categories of Personal Data
Personal data relating to racial or ethnic origin, political opinions, religious beliefs, membership of trade union organisations, physical or mental health, sexual life, sexual orientation, genetic and biometric data.
2.4 Data Subject
An identified or identifiable living individual who is the subject of personal data. Dead people cannot be data subjects, nor, in the UK and most other EU Member States, can 'legal individuals', such as companies.
See 2.2 Personal Data
2.5 Data Controller
The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
- Data Controller in Common: Data Controllers who share personal data on Data Subjects for different purposes are referred to as 'Data Controllers in Common'. Each Data Controller remains individually responsible for the processing they have carried out on the personal data.
- Joint Data Controller: Data Controllers who share personal data on Data Subjects for the same purpose, and who would be jointly liable for any breach under Data Protection Legislation, are referred to as 'Joint Data Controllers'.
2.6 Data Processor
A natural or legal person, public authority, agency or other body which processes personal data on behalf of the Controller.
Data Controllers need to ensure that their relationship with a Data Processor is governed by a formal Data Processing Agreement.
2.7 Data Processing
Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
2.8 Data Processing Agreement
A contract between a Data Controller and a Data Processor, which will be entered into before the Data Processor begins processing personal data on behalf of the Data Controller, and which sets out the responsibilities of both parties in respect of that processing, as well as any indemnities required by the parties.
Information created, received and maintained as evidence and information by an organisation or person in pursuance of legal obligations or in the transaction of business. (Records Management Standard BS ISO 15489)
2.10 Privacy Notice
The notice used by a Data Controller to provide a Data Subject with information relevant to the processing of their personal data, usually at the time of its collection. The University has Privacy Notices for staff and students available.
Consent of the Data Subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
2.12 Public Task
Data Protection Legislation allows, as a criterion for lawful processing of a Data Subject's personal data, the fact that the processing is necessary for the purposes of performing the University's public tasks, namely the University’s Statutory Instruments: “for the objects of providing education, carrying out research, and promoting teaching, research and general scholarship” and the administration thereof.
This criterion applies to circumstances where the personal data to be processed does not contain Special Categories of Personal data. Where this type of personal data is to be processed, the University must satisfy an additional criterion for lawful processing to take place.