Definitions

These definitions are lay-man's interpretations of the definitions found in the Data Protection Act 1998 (HMSO, 1998). Thanks also to definitions set out at Edge Hill's web site.

Data
Relevant filing system
Manual data
Personal data
Processing
Data subject
Data controller
Data processor
Recipient
Third party
Information Commissioner


Data

Items of information which either:


Relevant filing system
or manual data

In addition to automatically processed information, the 1998 Act is concerned with "manual data" falling within the definition of "relevant filing system" in paragraph (c). Such data may be subject to transitional relief until 2001 or 2007, for details of which see Transitional Provisions in the Act. Organisations now have to consider which of its paper-based and other manual information come within the Act.

What manual data are covered by the Act?

Under secton 1(1)(c) of the Act, data includes manual data that is recorded as part of a relevant filing system. The term relevant filing system means:

"any set of information relating to individuals to the extent that, although the information is not processed by means of equipment operating automatically in response to instructions given for that purpose, the set is structured, either by reference to individuals or by reference to criteria relating to individuals, in such a way that specific information relating to a particular individual is readily accessible." (HMSO, 1998)

Exceptions applying to both automatically and manually processed data

Unstructured data is not covered by the Act. So word-processed text files, email messages, and plain paper text are less likely to come under the scope of the Act than databases, formatted text files, Rollerdex cards, pre-printed forms and papers filed in an organised way.

It is quite likely that one organisation's manual data on customers may fall within the definition of "relevant filing system", whereas another's manual data will not. Only the Information Commissioner and the courts can decide whether a specific system comes under the scope of the Act.


Personal data

Data which relate to a living individual who can be identified:

This includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual. (The latter is a new provision under the 1998 Act.)


Processing

Processing, in relation to information or data, means obtaining, recording or holding the data. This includes carrying out any operation on the data, including:

This definition is far wider than the 1984 Act definition and incorporates, inter alia, the concepts of "obtaining", "holding" and "disclosing" which were dealt with separately in the 1984 Act.


Data subject

A data subject is a person whose personal data is stored and processed.


Data controller

A person who (either alone or jointly) determines the purposes for which personal data are processed, and the manner in which they are processed. (This is broadly equivalent to "data user" in the 1984 Act.)


Data processor

Data processor in relation to personal data, means any person other than an employee of the data controller who processes the data on behalf of the data controller. (The data processor is equivalent to a computer bureau in the 1984 Act.)

There is a higher duty of care upon data controllers when the processing of personal data is carried out on their behalf by data processors.


Recipient

A recipient means any person to whom the data are disclosed. This may include an employee or agent of the data controller, a data processor or an employee or agent of the data processor.

The term does not include any person to whom disclosure is or may be made as a result of a particular inquiry by or on behalf of that person made in the exercise of any power conferred by law.


Third party

Any person other than:

  1. the data subject;
  2. the data controller; or
  3. any data processor or other person authorised to process data for the data controller or processor.

The expression third party does not include employees or agents of the data controller or data processor. These people are - for the purpose of this expression - to be interpreted as being part of the data controller or processor. As such, this expression is distinguishable from "recipient", which effectively separates employees and agents from the data controller/processor itself.


Information Commissioner

An official role created to enforce the Data Protection Acts. Responsible for

  1. creating and maintaining a register of data controllers and the data they process;
  2. establishing policy and best practice in data protection;
  3. entering into dialogue with those who bread the Acts; and
  4. issuing enforcement and restriction notices to those who refuse to comply with the Acts.

This role used to be called the Data Protection Registrar, then the Data Protection Commissioner; you can visit the web site.


Important notice

What you read here is only a summary to introduce the concepts. You should not rely on it to build a legal case or safeguard your legal position. The University of Glamorgan and its employees cannot be held responsible for any legal or other redress due to errors in the notes. Seek professional legal advice before acting on what you read here.


UpOther topics Comments please to: dwfarthi@glam.ac.uk © 1999, 2001, 2005, University of Glamorgan