Definitions

Data controller: the person (or organisation) who determines the purposes for which and the manner in which any personal data are, or are to be, processed (e.g. the University).

Data subject: any living individual who is the subject of personal data (e.g. student, applicant, member of staff, supervisor, referee, etc.).

Duty of confidentiality: in the case of some subject access requests, the Data Protection Officer may have to take a decision on whether a document containing third party data was written in confidence and whether the breach of that confidence in releasing the document outweighs the requirement to comply with a subject access request.

Fair and lawful processing means one of the following conditions must be met:

  • The data subject has given his or her consent to the processing.
  • The processing is necessary:
    (1)  for the performance of a contract to which the data subject is a party; or
    (2)  for the taking of steps at the request of the data subject with a view to entering into a contract.
  • The processing is necessary to comply with any legal obligation to which the data controller is subject, other than an obligation imposed by contract.
  • The processing is necessary in order to protect the vital interests of the data subject.
  • The processing is necessary for the administration of justice; for the exercise of any functions conferred by or under enactment; for the exercise of any functions of the Crown, a Minister of the Crown or a government department; for the exercise of any other functions of a public nature exercised in the public interest.
  • The processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case because of prejudice to the rights and freedoms or legitimate interests of the data subject.

In the case of processing sensitive data, at least one of the following conditions must be satisfied (in addition to at least one of the conditions outlined above):

  • The data subject has given explicit consent.
  • The processing is necessary for the purposes of exercising or performing any right or obligation which is conferred by law on the data controller in connection with employment.

Information Commissioner's Office: the UK's independent authority set up to promote access to official information and to protect personal information.

Personal data: data which relate to a living individual who can be identified from that information, or from that and other information which is in the possession of, or is likely to come into the possession of, the data controller. It includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual (subject to very limited exceptions).

Processing: obtaining, recording, holding or using the information or data (which includes, in relation to personal data, obtaining or recording the information to be contained in the data) or carrying out any operation or set of operations on the information or data. Under the new Act, processing is very widely defined, to the extent that guidelines produced by the Information Commissioner suggest that it is difficult to envisage any action involving data which does not amount to processing within this definition.

Sensitive data: information relating to race or ethnic origin, political opinions, religious beliefs, physical/mental health, trade union membership, sexual life or criminal activities. Special conditions apply to the processing of this type of information, including an obligation to obtain the explicit consent of the individual (except in limited circumstances).

Third Party Information: information relating to another individual (other than the data subject) who can be identified by that information.