These definitions help to explain some of the key concepts in data protection law.
Personal data
Information about a living individual (Data Subject) from which that individual can be identified, either directly, or indirectly by using other data accessible to the Data Controller (e.g. student ID number), or likely to come into its possession. (Note that information about living individuals which appears to be anonymous may still be personal data because a key to the identities is held in another part of the same institution. Pseudonymised data can also fall within scope.)
Special category personal data (sensitive)
Personal data relating to:
- racial or ethnic origin;
- political opinions;
- religious or other beliefs;
- trade union membership;
- physical or mental health or condition (including disability);
- sexual life;
- genetic or biometric data for the purpose of uniquely identifying a natural person.
Information about criminal records is also to be considered under this definition. It is to be noted that the opinion of the Data Subject or the Data Controller as to the sensitivity of the data is not a relevant criterion in determining whether it is considered special category data under the law. (The use of the term "sensitive" with other, less technical meanings, is in general best avoided in the context of information processing).
In the case of the processing of special category personal data, the explicit consent of the Data Subject is normally required.
Processing
Processing has a broad definition. Personal Data is being "processed" when it is held, collected, maintained, recorded, altered, retained, used, disclosed, shared or destroyed.
Data Subject
Person about whom personal data is processed. (A Data Subject must be a living individual ('natural person'); data relating to the deceased is not covered by the provisions of data protection legislation.)
Data Controller
The institution which determines how personal data is being processed, and is legally liable for ensuring that Data Subjects are informed of the nature of the processing being undertaken, for data security etc. Queen Mary, as a legal entity, is the Data Controller, rather than individual departments or employees. The Students' Union and the University of London are separate Data Controllers, and passing personal data to them constitutes a Third Party Disclosure.
Joint Data Controllers
Data Controllers which are processing the same personal data for the same purpose(s), and share legal liability for the processing, including the obligation to keep Data Subjects informed of the processing purposes (and obtaining any necessary Data Subject consents).
Data Controllers in Common
Data Controllers which are processing the same personal data for different purposes: they are separately responsible for the processing, and for informing the Data Subjects of their own processing purposes (and obtaining any necessary Data Subject consents).
Data Processor
An institution or individual which acts under instructions from a Data Controller in processing personal data on its behalf. A Data Processor may have considerable delegated powers (such as responding to a subject access request directly as per the Data Controller’s procedures). Alternatively, a Data Processor could have one relatively straightforward function, such as sending out mailings or destroying confidential waste involving personal data. A provider of externally-hosted computing facilities will usually be a Data Processor. The Data Controller must control the work of the Data Processor by written contract terms; direct supervision is often desirable.
The formal statements delivered by the Data Controller, by which the Controller discharges their responsibility to inform Data Subjects of the identity of the Data Controller, and other necessary information to ensure fair processing, in particular relating to the purposes for which the data is being processed and Data Subjects' rights. For example, QMUL's privacy notice for its website is linked in the footer of all its website pages.
Data Subject Access Request
Data Subjects have a right of access to information about, and a copy of, the data which the Data Controller is processing about them. Such a request must be made in writing. Not to be confused with requests made under the Freedom of Information Act.
Acknowledgments: thanks to Goldsmiths, University of London for kind permission to base this on its material