These definitions help to explain some of the key concepts in data protection law.
Personal data
Information about a living individual from which that individual can be identified, either directly or by using other data that is accessible to the Data Controller (e.g. student ID number) or likely to come into its possession. (Note that information about living individuals which appears to be anonymous may still be personal data because a key to the identities is held in another part of the same institution.)
Sensitive personal data (special category)
Personal data relating to:
- racial or ethnic origin;
- political opinions;
- religious or other beliefs;
- trade union membership;
- physical or mental health or condition (including disability);
- sexual life;
- criminal record.
Note that the opinion of the Data Subject or the Data Controller as to the sensitivity of the data is not a relevant criterion in determining whether it is Sensitive within the meaning of the Data Protection Act. (The use of the term "sensitive" with other, less technical meanings is in general best avoided in the context of information processing.)
In the case of the processing of sensitive personal data, the explicit consent of the Data Subject is normally required. This means that it is not appropriate either to use very wide-ranging definitions of purpose on consent forms/privacy notices to cover all possible data processing circumstances, or to rely on the right to opt out rather than obtaining explicit consent, although both of these approaches may be appropriate for non-sensitive personal data.
Processing has a broad definition. Personal Data is being "processed" when it is held, collected, maintained, recorded, retained, used, disclosed, shared or destroyed.
Data Subject
Person about whom personal data is processed. (A Data Subject must be a living individual; data relating to the deceased is not covered by the provisions of data protection legislation.)
Data Controller
The institution which determines how personal data is being processed, and is legally liable for ensuring that Data Subjects are informed of the nature of the processing being undertaken, for data security etc. Queen Mary, as a legal entity, is the Data Controller, rather than individual departments or employees. The Students' Union and the University of London are separate Data Controllers, and passing personal data to them constitutes a Third Party Disclosure.
Joint Data Controllers
Data Controllers which are processing the same personal data for the same purpose(s), and share legal liability for the processing, including the obligation to keep Data Subjects informed of the processing purposes (and obtaining any necessary Data Subject consents).
Data Controllers in Common
Data Controllers which are processing the same personal data for different purposes: they are separately responsible for the processing, and for informing the Data Subjects of their own processing purposes (and obtaining any necessary Data Subject consents).
Data Processor
An institution or individual which acts under instructions from a Data Controller in processing personal data, but has no direct legal responsibilities to the Data Subjects (as this stays with the Data Controller). A Data Processor may, however, have considerable delegated powers (such as responding to a subject access request directly as per the Data Controller’s procedures). Alternatively, a Data Processor could have one relatively straightforward function, such as sending out mailings or destroying confidential waste involving personal data. A provider of externally-hosted computing facilities will usually be a Data Processor. The Data Controller must control the work of the Data Processor by written contract terms; direct supervision is often desirable.
Fair Processing/Data Collection/Privacy Notices
The formal statement delivered by the Data Controller, by which the Controller discharges their responsibility to inform Data Subjects of the identity of the Data Controller, and other necessary information to ensure fair processing, in particular relating to the purposes for which the data is being processed and Data Subjects' rights. QMUL's privacy notice for its website is linked in the footer of all its website pages.
Data Subject Access Request
Data Subjects have a right of access to information about, and a copy of, data which the Data Controller is processing about them. Such a request must be made in writing. Not to be confused with requests made under the Freedom of Information Act.
Acknowledgments: thanks to Goldsmiths, University of London for kind permission to base this on its material