Personal Data
The Data Protection Act regulates the processing of Personal Data about a living individual. Personal data can now be considered to be an image, document, statement, or record in a filing system from which a living individual may be identified, where:
- the individual is the focus of a document,
- the data is particularly relevant to the individual,
- the data includes significant biographical facts, opinions and intentions,
- the data affects the individual’s privacy in personal, family, business or professional life.
Examples of personal data include an individual's personnel file, appraisal assessment, or home phone number. The mere mention of the individual's name in a document, for example as a record of attendance at an open meeting, is not enough to make the information in that document personal data about that individual. In the context of the Freedom of Information legislation, it is advisable to take a cautious approach to the definition of personal data - that is, assume that data might be considered as personal data and seek advice from the University's Data Protection Officer.
The personal data may be in any form or format or context. For example:
- It can be any expression of opinion about that individual;
- It can be any indication of the intentions in respect of the individual;
- It can be on paper, card, CCTV screen or recording media, or stored in a filing cabinet, or in any IT system;
- It can be in an e-mail, letter, minutes, reference, card index, database record, ...
There is also a sub-category of personal data called sensitive personal data, as defined elsewhere in this A to Z Guide, where additional processing conditions apply.
Schedule 2 of the Act states that personal data can only be processed if at least one of the following conditions is met:
- The data subject has given consent;
- The processing is necessary for the continuation of a contract with the data subject or to enter into a contract with the data subject;
- The processing is necessary to fulfil legal obligations of the data controller;
- The processing is necessary to safeguard the vital interests of the data subject;
- The processing is necessary for the administration of justice, for the exercise of functions conferred by enactment, for the exercise of any functions of the Crown, Minister of the Crown etc., or for the exercise of any other function of a public nature in the public interest;
- The processing is necessary for the pursuit of the legitimate interests of the data controller.