The Data Protection Act regulates the processing of personal data about a living individual. Personal data includes images, documents, statements, or records in a filing system, from which a living individual may be identified, and where:
- the individual is the focus of a document,
- the data was particularly relevant to the individual,
- the data includes significant biographical facts, opinions and intentions,
- the data affects the individual’s privacy in personal, family, business or professional life.
Examples of personal data include an individual's personnel file, appraisal assessment, or home phone number. The mere mention of the individual's name in a document, for example as a record of attendance at an open meeting, is not enough to make the information in that document personal data about that individual. In the context of FOI legislation, it is advisable to take a cautious approach to the definition of personal data - assume that data might be considered as personal data, and seek advice from the University's Data Protection Officer.
Personal data may be in any format or context. For example:
- It can be any expression of opinion about that individual;
- It can be any indication of any intentions in respect of the individual;
- It can be on paper, card, CCTV screen or recording media, or stored in a filing cabinet or in any IT system;
- It can be in an e-mail, letter, minutes, reference, card index, database record, etc.
Schedule 2 of the Act states that personal data can only be processed if at least one of the following conditions is met:
- The data subject has given consent;
- The processing is necessary for the continuation of a contract with the data subject or to enter into a contract with the data subject;
- The processing is necessary to fulfill legal obligations of the data controller;
- The processing is necessary to safeguard the vital interests of the data subject;
- The processing is necessary for the administration of justice, for the exercise of functions conferred by enactment, for the exercise of any functions of the Crown, Minister of the Crown etc., or for the exercise of any other function of a public nature in the public interest;
- The processing is necessary for the pursuing of the legitimate interests of the data controller.
There is a sub-category of personal data called sensitive personal data, where additional processing conditions apply. Please see the sensitive personal data A-Z entry for further guidance.