What type of information is protected by the Data Protection Act?
The Act regulates the use of “personal data”. To understand what personal data means, we need to first look at how the Act defines the word “data”.
Data means information which –
(a) is being processed by means of equipment operating automatically in response to instructions given for that purpose,
(b) is recorded with the intention that it should be processed by means of such equipment,
(c) is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system,
(d) does not fall within paragraph (a), (b) or (c) but forms part of an accessible record as defined by section 68, or
(e) is recorded information held by a public authority and does not fall within any of paragraphs (a) to (d).
Paragraphs (a) and (b) make it clear that information that is held on computer, or is intended to be held on computer, is data. So information recorded on paper is also data if you intend to put it on computer.
Relevant filing system (referred to in paragraph (c) of the definition) is defined in the Act as:
any set of information relating to individuals to the extent that, although the information is not processed by means of equipment operating automatically in response to instructions given for that purpose, the set is structured, either by reference to individuals or by reference to criteria relating to individuals, in such a way that specific information relating to a particular individual is readily accessible.
This is not an easy definition. Our view is that it is intended to cover non-automated records that are structured in a way which allows ready access to information about individuals. As a broad rule, we consider that a relevant filing system exists where records relating to individuals (such as personnel records) are held in a sufficiently systematic, structured way as to allow ready access to specific information about those individuals. For further guidance see the FAQs about relevant filing systems.
“Accessible record” (referred to in paragraph (d) of the definition) means:
- a health record that consists of information about the physical or mental health or condition of an individual, made by or on behalf of a health professional (another term defined in the Act) in connection with the care of that individual;
- an educational record that consists of information about a pupil, which is held by a local education authority or special school (see Schedule 11 of the Act for full details); or
- an accessible public record that consists of information held by a local authority for housing or social services purposes (see Schedule 12 for full details).
Accessible records were included in the definition of “data” because pre-existing access rights to information were not restricted to automatically processed records, or records held in non-automated systems falling within the definition of “relevant filing systems”. So, to preserve all these pre-existing access rights, the definition of “data” covers accessible records even if they do not fall in categories (a), (b), or (c).
The Freedom of Information Act 2000 created a new category of data which extended the definition of “data” in the Data Protection Act to include any information held by a public authority which would not otherwise be caught by the definition. Where information requested under the FOI Act includes information about identifiable individuals, public authorities must consider whether its release would breach the Data Protection Act. The new category of data (which is often referred to as “category (e) data”) is designed to ensure that before releasing any personal information under the FOI Act, public authorities consider whether this would be fair. Processing category (e) data is exempt from most of the rights and duties created by the Data Protection Act.
You can find more detailed information in our Technical guidance note – What is data?
What is personal data?
Personal data means data which relate to a living individual who can be identified –
(a) from those data, or
(b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller,
and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.
It is important to note that, where the ability to identify an individual depends partly on the data held and partly on other information (not necessarily data), the data held will still be “personal data”.
An organisation holds data on microfiche. The microfiche records do not identify individuals by name, but bear unique reference numbers which can be matched to a card index system to identify the individuals concerned. The information held on the microfiche records is personal data.
The definition also specifically includes opinions about the individual, or what is intended for them.
A manager’s assessment or opinion of an employee’s performance during their initial probationary period will, if held as data, be personal data about that individual. Similarly, if a manager notes that an employee must do remedial training, that note will, if held as data, be personal data.
We have produced A quick reference guide – What is personal data? and there is also a detailed Technical guidance note on determining what is personal data.
Sensitive personal data means personal data consisting of information as to –
(a) the racial or ethnic origin of the data subject,
(b) his political opinions,
(c) his religious beliefs or other beliefs of a similar nature,
(d) whether he is a member of a trade union (within the meaning of the Trade Union and Labour Relations (Consolidation) Act 1992),
(e) his physical or mental health or condition,
(f) his sexual life,
(g) the commission or alleged commission by him of any offence, or
(h) any proceedings for any offence committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any court in such proceedings.
The presumption is that, because information about these matters could be used in a discriminatory way, and is likely to be of a private nature, it needs to be treated with greater care than other personal data. In particular, if you are processing sensitive personal data you must satisfy one or more of the conditions for processing which apply specifically to such data, as well as one of the general conditions which apply in every case. The nature of the data is also a factor in deciding what security is appropriate.
The categories of sensitive personal data are broadly drawn so that, for example, information that someone has a broken leg is classed as sensitive personal data, even though such information is relatively matter of fact and obvious to anyone seeing the individual concerned with their leg in plaster and using crutches. Clearly, details about an individual’s mental health, for example, are generally much more “sensitive” than whether they have a broken leg.
Many individuals choose to make their political allegiance public, for example by wearing badges or rosettes or by putting a sticker in their window. There is a condition for processing sensitive personal data that covers information made public by the individual concerned.
Religion or ethnicity, or both, can often be inferred with varying degrees of certainty from dress or name. For example, many surnames are associated with a particular ethnicity or religion, or both, and may indicate the ethnicity and religion of the individuals concerned. However, it would be absurd to treat all such names as “sensitive personal data”, which would mean that to hold such names on customer databases you had to satisfy a condition for processing sensitive personal data. Nevertheless, if you processed such names specifically because they indicated ethnicity or religion, for example to send marketing materials for products and services targeted at individuals of that ethnicity or religion, then you would be processing sensitive personal data. In any event, you must take care when making assumptions about individuals as you could be collecting inaccurate personal data.
What activities are regulated by the Data Protection Act?
Processing, in relation to information or data, means obtaining, recording or holding the information or data or carrying out any operation or set of operations on the information or data, including –
(a) organisation, adaptation or alteration of the information or data,
(b) retrieval, consultation or use of the information or data,
(c) disclosure of the information or data by transmission, dissemination or otherwise making available, or
(d) alignment, combination, blocking, erasure or destruction of the information or data.
The definition of processing is very wide and it is difficult to think of anything an organisation might do with data that will not be processing.
Who has rights and obligations under the Data Protection Act?
This Guide describes how the Act protects the rights of individuals whom the data is about (data subjects), mainly by placing duties on those who decide how and why such data is processed (data controllers). We generally use the terms “organisation” and “you” rather than “data controller”, and “individual” instead of “data subject”.
However, it is important to understand:
- what these terms mean and their significance; and
- the difference between a data controller and a data processor, as they are treated differently under the Act.
Data subject means an individual who is the subject of personal data.
In other words, the data subject is the individual whom particular personal data is about. The Act does not count as a data subject an individual who has died or who cannot be identified or distinguished from others.
Data controller means … a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed.
A data controller must be a “person” recognised in law, that is to say:
- organisations; and
- other corporate and unincorporated bodies of persons.
Data controllers will usually be organisations, but can be individuals, for example self-employed consultants. Even if an individual is given responsibility for data protection in an organisation, they will be acting on behalf of the organisation, which will be the data controller.
In relation to data controllers, the term jointly is used where two or more persons (usually organisations) act together to decide the purpose and manner of any data processing. The term in common applies where two or more persons share a pool of personal data that they process independently of each other.
A network of town-centre CCTV cameras is operated by a local council jointly with the police. Both are involved in deciding how the CCTV system is run and what the images it captures are used for. The council and the police are joint data controllers in relation to personal data processed in operating the system.
A government department sets up a database of information about every child in the country. It does this in partnership with local councils. Each council provides personal data about children in its area, and is responsible for the accuracy of the data it provides. It may also access personal data provided by other councils (and must comply with the data protection principles when using that data). The government department and the councils are data controllers in common in relation to the personal data on the database.
Data controllers must ensure that any processing of personal data for which they are responsible complies with the Act. Failure to do so risks enforcement action, even prosecution, and compensation claims from individuals.
Data processor, in relation to personal data, means any person (other than an employee of the data controller) who processes the data on behalf of the data controller.
A utilities company engages a company which operates call centres to provide many of its customer services functions on its behalf. The call centre staff have access to the utilities company’s customer records for the purpose of providing those services but may only use the information they contain for specific purposes and in accordance with strict contractual arrangements. The utilities company remains the data controller. The company that operates the call centre is a data processor.
Data processors are not directly subject to the Act. However, most data processors, if not all, will be data controllers in their own right for the processing they do for their own administrative purposes, such as employee administration or sales.
An organisation engages a company which provides business services to administer its employee payroll function. The organisation also engages a marketing company to carry out a satisfaction survey of its existing customers. The business services company will need information about the organisation’s employees, and the marketing company will need information about its customers. Both companies will be processing the information on behalf of the organisation, and so they are both data processors. However, they will also be processing personal data about their own employees and, in respect of that personal data, they will be data controllers.
Data controllers remain responsible for ensuring their processing complies with the Act, whether they do it in-house or engage a data processor. Where roles and responsibilities are unclear, they will need to be clarified to ensure that personal data is processed in accordance with the data protection principles. For these reasons organisations should choose data processors carefully and have in place effective means of monitoring, reviewing and auditing their processing. We have published a good practice note on Outsourcing: a guide for small and medium-sized businesses, which gives more advice about using data processors.
Who determines the “purpose and manner” of processing?
A person is only a data controller if, alone or with others, they “determine the purposes for which and the manner in which any personal data are processed”. In essence, this means that the data controller is the person who decides how and why personal data is processed. However, we take the view that having some discretion about the smaller details of implementing data processing (ie the manner of processing) does not make a person a data controller.
A Government department decides to help people in fuel poverty (the broad purpose). It also decides to use benefit records, which are clearly personal data, to identify who it will target (arguably, the broad manner). It then commissions a private-sector company to do certain matching according to clear criteria, but allows the company to use some discretion in deciding how they do this (eg what software to use). In this example, the department would be the data controller and the company would be a data processor, even though it decides the details of the processing method.
So, when deciding who is a data controller, we place greatest weight on purpose – identifying whose decision to achieve a “business” purpose has led to personal data being processed.
What about processing that is required by law?
The Data Protection Act says:
Where personal data are processed only for purposes for which they are required by or under any enactment to be processed, the person on whom the obligation to process the data is imposed by or under that enactment is for the purposes of this Act the data controller.
Our view is that this provision applies wherever there is a statutory duty that involves the publication or use of personal data. We do not think that it should be interpreted more narrowly – as applying only where there is an express statutory duty to process personal data – because obligations imposed by legislation other than the Data Protection Act do not usually refer to processing personal data.
So, if performing a legal duty necessarily involves processing personal data, the person required to process such data will be the data controller and will be legally responsible for ensuring that the processing complies with the Act.
An Electoral Registration Officer is required by law to draw up, maintain and publish the electoral roll. The Data Protection Act makes it clear that the Electoral Registration Officer is a data controller for the electoral roll information.
This is the case even if processing personal data is an inevitable, but not the main, part of performing the legal duty. If performing a legal duty directly or indirectly involves processing personal data, the organisation under the duty will be the data controller in relation to such data processing.
Sometimes, an organisation is subject to a duty that requires processing personal data, but delegates its performance to another person. In these circumstances the person with the overall responsibility for achieving the purpose, or performing the function, bears the responsibilities of the data controller. We place greatest weight on purpose rather than manner of processing – identifying whose decision to achieve a business purpose (or to carry out a statutory function) has led to personal data being processed.
A government department that is responsible for paying benefits to individuals contracts with a private company to administer the benefits. The question is whether the government department remains the data controller for processing personal data on benefits, regardless of the scope given to the company in deciding how to do this at a practical level. The government department retains overall responsibility for administering the provision of the benefits, so it remains the data controller.
How long do data protection rights and duties last?
Your duties under the Act apply throughout the period when you are processing personal data – as do the rights of individuals in respect of that personal data. So you must comply with the Act from the moment you obtain the data until the time when the data has been returned, deleted or destroyed. Your duties extend to the way you dispose of personal data when you no longer need to keep it – you must dispose of the data securely and in a way which does not prejudice the interests of the individuals concerned.
Changes in an organisation’s circumstances do not reduce an individual’s rights under the Act. Even if an organisation goes out of business, individuals are still entitled to expect that their personal data will be processed in accordance with the data protection principles. However, responsibility for ensuring this happens may shift, depending on the circumstances.
A travel agency is run as a partnership by Mr A and Mr B. As a consequence of a downturn in business, the travel agency ceases trading abruptly. Its premises are locked up and its computers (which contain customer information) lie idle. Mr A and Mr B remain responsible for ensuring that their customers’ personal data remains secure and that whatever happens to it complies with the Data Protection Act. This duty will continue even if the partnership is dissolved.
A high-street retailer (which operates as a limited company) goes into administration. Control of the company’s assets – including an extensive customer database – passes from the board of directors to the administrators, who decide to sell some of the assets. Because the administrators now control the purpose and manner in which the database is used, they become data controllers in respect of the personal data it contains. The administrators must comply with the Data Protection Act in connection with any possible sale of the customer database.
What are the other key definitions in the Data Protection Act?
Most of the concepts explained above are defined in section 1 of the Data Protection Act. However, there are other important definitions. In particular, section 70 sets out supplementary definitions and section 71 lists provisions defining or explaining expressions used in the Act. The following is a list of some of the other defined terms used in the Act.
Inaccurate data: The Act states:
For the purposes of this Act data are inaccurate if they are incorrect or misleading as to any matter of fact.
Personal data may not be inaccurate if it faithfully represents someone’s opinion about an individual, even if the opinion proves incorrect (for example, a doctor’s medical opinion about an individual’s condition). In these circumstances, the data would not need to be “corrected”, but the data controller may have to add a note stating that the data subject disagrees with the opinion.
The Act provides that a data controller’s notification of processing must include “a description of any recipient or recipients to whom the data controller intends or may wish to disclose the data”. Data controllers must therefore provide a description of possible recipients, including employees, agents and data processors, rather than a specific list of actual recipients.
The Act also provides that an individual making a subject access request is entitled to be given “a description of the recipients or classes of recipients to whom [personal data] are or may be disclosed”. This is so that individuals can have a better understanding of what is done with their personal data. However, the definition of “recipient” goes on to say, in effect, that people need not be identified as recipients just because information is disclosed to them as part of an inquiry they have legal power to make. This is to prevent an official investigation being compromised if an individual making a subject access request is tipped off that an investigation is or soon will be under way – such as a police, customs or trading standards investigation.
Third party, in relation to personal data, means any person other than –
(a) the data subject,
(b) the data controller, or
(c) any data processor or other person authorised to process data for the data controller or processor.
The usual meaning of the term “third party” is someone other than the two main parties involved, for example someone other than the husband and wife in divorce proceedings. In relation to data protection, the main reason for this particular definition is to ensure that a person such as a data processor, who is effectively acting as the data controller, is not considered a third party.
Although a data controller’s employee to whom information is disclosed will be a “recipient”, they will usually not be a “third party”. This is because the employee will usually be acting in their employment capacity, and so will be acting on behalf of the data controller. If a data controller’s employee receives personal data from their employer outside the normal course of their employment, the employee will be a third party in relation to their employer.
A data controller may decide to disclose to one of its employees (Tom) personal data relating to another of its employees (Dick), for Tom to use as evidence in possible legal action (unconnected with Tom’s employment). In this situation, Tom is not receiving the information in the course of his employment with the data controller, so will be a third party.
The term “third party” is used in the provisions of the Data Protection Act relating to accuracy and to “fair processing”, and in two of the conditions for processing. Although the term “third party” is not used in the Act’s provisions about subject access, further information can be found by reading the section explaining what to do when a subject access request involves personal data about another individual.