Definition of data protection terms


Data means information:

  • Stored in a form capable of being processed by computer (such as word-processed documents, spreadsheets and databases).
  • Recorded in any form for later processing (such as registration forms, CCTV pictures).
  • Stored as part of a 'relevant filing system.' Note that this definition is very broad and covers such things as card indexes and microfiche files as well as traditional paper-based files. It would be as well to assume that any paper-based data falls under the Act.  

Personal data

Personal data are defined as data which relate to a living individual who can be identified:

  • From those data; or
  • From those data and other information in the possession of (or likely to come into the possession of) the data controller; and
  • Includes any expression of opinion about the individual and any indications of the intentions of the data controller or any other person in respect of that individual.

The Information Commissioner (previously the Data Protection Commissioner) accepts that this definition is 'not without difficulty.' It would always be safest to assume that data is personal rather than not.

Sensitive personal data

The 1998 Act distinguishes between "ordinary personal data" such as name, address and telephone number and "sensitive personal data" which includes information relating to racial or ethnic origin, political opinions, religious beliefs, trade union membership, health, sex life and criminal convictions. Under the Act the processing of such data is subject to much stricter conditions.

Data subject

A data subject is any living person who is the subject of personal data.

Data subject access

This is the right of an individual to see personal data relating to him or her which is held by a data controller.

Data controller

A 'data controller' is any person who makes decisions with regard to particular personal data, including decisions about the purposes for which the data is to be processed and the way in which that processing takes place. The University is the data controller, but any member of staff may also be a data controller if he or she makes decisions about personal data and its processing.


Processing covers almost anything you can do with data, and includes acquiring, recording, consulting, retrieving, and making available the data to others.