2. KEY DEFINITIONS
Download this section as a print-friendly PDF document.
Unless otherwise stated these are taken from the Data Protection Act 1998 (DPA 1998).
'Data' falling under the DPA 1998 is defined as information which is:
- being processed by means of equipment operating automatically in response to instructions given for that purpose, or is recorded with the intention that it should be processed by means of such equipment
- recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system
- not covered by the first two categories but forms part of an 'accessible record'
Any information that relates to an identified or identifiable person (the Data Subject), or which in combination with other information in the possession of, or that is likely to come into the possession of, the Data Controller would permit their identification. The Data Protection Directive 1995 (DPD 1995) further defines an identifiable person as one who can be identified by reference to 'an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity'.
Further guidance on the factors to be considered in determining whether information is personal data is available in the UK Information Commissioner's Guidance on Personal Data on the Data Protection General Documents page.
Personal data relating to racial or ethnic origin, political opinions, religious beliefs, membership of trade union organisations, physical or mental health, sexual life, offences or alleged offences.
A living individual who is the subject of personal data. Dead people cannot be data subjects, nor, in the UK and most other EU Member States, can 'legal individuals', such as companies.
A person who (either alone or jointly or in common with other persons) determines the purposes for which, and the manner in which, any personal data are, or are to be, processed. The fact that an individual or institution holds or processes personal data does not make them a Data Controller, if they do not determine the purpose and manner of that holding or processing.
- Data Controller in Common: Data Controllers who share personal data on Data Subjects for different purposes are referred to as 'Data Controllers in Common'. Each Data Controller remains individually responsible for the processing they have carried out on the personal data.
- Joint Data Controller: Data Controllers who share personal data on Data Subjects for the same purpose, and who would be jointly liable for any breach under the DPA 1998, are referred to as 'Joint Data Controllers'.
Any person, other than an employee of the Data Controller, who processes the data on behalf of the Data Controller. An employee of the Data Controller is regarded by the DPA 1998 as constituting part of the Data Controller. Data Controllers need to ensure that their relationship with a Data Processor is governed by a formal Data Processing Agreement.
Obtaining, recording or holding the data or carrying out any operation or set of operations on the data. This includes collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction. It is irrelevant whether these actions are manual or automated.
A contract between a Data Controller and a Data Processor, which will be entered into before the Data Processor begins processing personal data on behalf of the Data Controller, and which set out the responsibilities of both parties in respect of that processing, as well as any indemnities required by the parties.
Information created, received and maintained as evidence and information by an organisation or person in pursuance of legal obligations or in the transaction of business. (Records Management Standard BS ISO 15489)
The notice used by a Data Controller to provide a Data Subject with information relevant to the processing of their personal data, usually at the time of its collection. The University has fair processing notices for staff and students available.
Consent or explicit consent are not defined in the Act. These factors should be considered:
- If a Data Subject's consent is to be relied on to provide a criterion for lawful processing, then the fact of consent cannot be simply assumed by the University (e.g. where a form is sent stating that in the absence of a negative response from a Data Subject their consent will be assumed).
- For 'explicit consent' to be relied on to provide a criterion for lawful processing, some clear form of affirmative action (e.g. written consent, clicking on an 'I accept' button on a webpage) is likely to be required.
- Consent may be withdrawn by the Data Subject at any point
In Scotland there is an automatic presumption that a person of 12 years or more is of sufficient age and maturity to understand and exercise their rights under the DPA 1998.
The DPA 1998 allows, as a criterion for lawful processing of a Data Subject's personal data, the fact that the processing is necessary for the purposes of legitimate interests pursued by the University, or by a third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the Data Subject. This criterion applies to circumstances where the personal data to be processed does not contain sensitive personal data. Where sensitive personal data is to be processed, the University must satisfy an additional criterion for lawful processing to take place.