Legal Services


Legislation - Definitions


Please find below some key definitions used in data protection legislation.

Personal data is defined as that which relates to living individual who:

  • Can be identified from that data
  • Can be identified from that data and any other information which is in the possession of, or likely to come into the possession of, the data controller.

The Act does not apply to information about deceased people, but you may still owe a duty of confidentiality after death.

Data is defined as any information which is:

  • Processed automatically or recorded with the intention to process automatically
  • Recorded as, or with the intention that it be, part of a manual 'relevant filing system' (i.e. a structured system identifying individuals)
  • Contained in a health, educational or social services record.

A health record, for the purposes of data protection legislation is one relating to the physical or mental health of an individual which has been made by, or on behalf of a health professional in connection with the care of that individual.

Sensitive data is classified as information about:

  • Racial or ethnic origin
  • Political opinions
  • Religious beliefs
  • Trade union membership
  • Physical or mental health
  • Sexual life
  • Commission of offences or alleged offences.

Data subjects are any person from whom data/information is obtained. This means that, with the exception of anonymised or aggregated information, the majority of data collected from human subjects, whether held electronically or on paper — will fall within the scope of data protection legislation.

A data controller is responsible for the manner in which any personal data is processed. The data controller has the benefit of processing the data and decides what personal data should be processed and why. The University is the data controller. Individual members of staff or students who process data on behalf of the University are data users.

Processing of data is widely defined and covers all manner of use including obtaining, recording, holding, altering, retrieving, destroying or disclosing data.