Home > yourrights > privacy/Data Protection > Data Protection > Definition of Personal Data

Definition of personal data and sensitive personal data

Personal data is anything which identifies you as an individual, either on its own or by reference to other information. It can include expressions of opinion about you.

Personal data is defined in the DPA (at section 1(1)), as “data which relate to a living individual who can be identified from those data; or from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual”.

Whether or not data relate to a particular individual will be a question of fact in each particular case. Information will amount to personal data if it is capable of being processed so as to distinguish you from any other individual. For example, if a data controller can capture an image of you from a CCTV camera and then match that image to a photograph or a physical description of you, the CCTV footage will be personal data. On the other hand, CCTV footage of a public area where you are just a ‘face in the crowd’ and the data controller has no means of identifying who you are is unlikely to be considered your personal data.

All personal data held by public authorities is covered by the DPA. However, if the data controller is a private company or organisation, then personal data held by them will only be covered if it either is held on a computer or is held on a ‘relevant filing system’. A relevant filing system is one which is structured by reference to individuals, or by reference to criteria relating to those individuals, in a way which allows information relating to specific individuals to be readily accessible. So if your employer has a filling system that lists employees disciplinary records according to their name, or their payroll number, and which allowed the employer to access the disciplinary record of an individual employee quickly and accurately, then that would be considered a ‘relevant filing system’ and so would the information on the disciplinary records would be covered by the DPA.

Definition of Sensitive Personal Data

The DPA recognises that some types of personal information are more sensitive than others and imposes additional requirements for processing sensitive personal data. This increased level of protection is in line with the case law on Article 8 of the European Convention on Human Rights (the right to privacy), in which some forms of information - such as medical records – are more protected than others.

The DPA defines sensitive personal data as personal data consisting of information as to:-

(a) a person’s racial or ethnic origin;
(b) his political opinions;
(c) his religious beliefs or other beliefs of a similar nature;
(d) whether he is a member of a trade union;
(e) his physical or mental health or condition;
(f) his sexual life;
(g) the commission or alleged commission by him of any criminal offence; or
(h) any criminal proceedings for any offence committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any court in such proceedings.

Data from which an implication of criminal conduct could be drawn could count as sensitive data.

kitsiteLottery Funded