What is personal data?

The Data Protection Act 1998 (DPA) is based around eight principles of ‘good information handling’. These give people specific rights in relation to their personal information and place certain obligations on those organisations that are responsible for processing it.

If you hold information about individuals either on computer, within files or emails, or in certain types of filing system, you may be holding ‘personal data’. In most circumstances it will be fairly easy to decide whether the information you hold ‘relates to’ an ‘identifiable individual’ and is therefore ‘personal data’ regulated by the Act.

This quick reference guide comprises a series of questions which, when worked through in order, are intended to help you determine whether you hold personal data.

 

1. Can a living individual be identified from the data, or, from the data and other information your possession, or likely to come into your possession?

  • Yes. Go to question 2.
  • No. The data is not personal data for the purposes of the DPA

 

2. Does the data ‘relate to’ the identifiable living individual, whether in personal or family life, business or profession?

  • Yes. The data is ‘personal data’ for the purposes of the DPA.
  • No. The data is not ‘personal data’ for the purposes of the DPA.
  • Unsure See questions 3 to 8 below.

 

3. Is the data ‘obviously about’ a particular individual?

  • Yes. The data is ‘personal data’ for the purposes of the DPA.
  • No. Go to question 4.

 

4. Is the data ‘linked to’ an individual so that it provides particular information about that individual?

  • Yes. The data is ‘personal data’ for the purposes of the DPA.
  • No. Go to question 5.

 

5. Is the data used, or is it to be used, to inform or influence actions or decisions affecting an identifiable individual?

  • Yes. The data is ‘personal data’ for the purposes of the DPA.
  • No. Go to question 6.

 

6. Does the data have any biographical significance in relation to the individual?

  • Yes. The data is likely to be personal data for the purposes of the DPA.
  • No. Go to question 7.
  • Unsure. Go to question 7.

 

7. Does the data focus or concentrate on the individual as its central theme rather than on some other person, or some object, transaction or event?

  • Yes. The data is likely to be personal data for the purposes of the DPA.
  • No. Go to question 8.
  • Unsure. Go to question 8.

 

8. Does the data impact or have the potential to impact on an individual, whether in a personal, family, business or professional capacity?

  • Yes. The data is ‘personal data’ for the purposes of the DPA.
  • No. The data is unlikely to be ‘personal data’.

 

If you are still unsure whether the information you hold is personal data for the purposes of the DPA see the detailed ICO guidance “Determining what is personal data” and “Determining what is data”.

Sensitive personal data is further defined in the DPA as data which consists of information on ethnic origin, political opinions, religious beliefs, trade union membership, physical or mental health, sexual life, commission of any offence, or the proceedings for any offence. Sensitive data presents a greater risk to data subjects and also the data controller (UEA). Should there be a breach, the level of fine imposed will take into account the sensitivity of the data, and therefore the harm to the data subjects. Greater harm will also mean a stronger case for greater compensation for the data subjects.

 

DPA technical security guidance

The DPA’s 7th Principle is:

“Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data”

This means:

  • The more sensitive the data the more stringent the security controls need to be
  • That technical and physical security controls are designed, implemented and tested
  • It is clear who is responsible and accountable for protecting that data
  • All relevant policies are complied with
  • Competent, trained staff are able to respond to any breach of these policies, procedures and controls implemented to protect the data

Determining how stringent the technical security controls need to be will be dependent on the potential harm that any identifiable individuals whose data is held may experience. It should also be considered the damage to the University’s reputation and what effective it may have on obtaining future datasets for researchers.

The key technical controls required for all UEA systems are:

  • Anti-malware is installed and kept up-to-date
  • Security patching and operating system kept up-to-date
  • Hard drives are encrypted
  • If the device is to be joined to any other network then it should have a software firewall installed

 

Further guidance on information security.