Records Management Section
The University of Edinburgh Records Management Section
 

Data Protection Definitions

On this page:

In this section:

Purpose

This page provides definitions of the terms used in the Data Protection Act 1998.  It will assist University staff in their understanding of the Act and help ensure that Personal Data is processed in accordance with the eight data protection principles.

Definitions

The following terms are used in the Data Protection Act 1998

What is personal data?

The Act applies to information about individuals ("personal data").  Personal data is information relating to a living individual who can be identified from those data or from those data and other information which is or might become available to anyone in the University, or anyone we do business with. Take the 'What is Personal Data?' test to establish whether information is personal data.

Top of page

What is a data subject?

A data subject is an individual who is the subject of personal data. 

For example, personal data that the University holds about students makes each student a data subject under the terms of the Act.

Top of page

What is a data controller?

A data controller is an organisation that has full authority to decide how and why personal data is to be “processed” (this includes using, storing and deleting the data). When the University of Edinburgh decides that it wishes to pass the personal data it holds to another organisation, the University is acting as a data controller as the University has the authority to take this decision.

Whether or not the receiving organisation is also a data controller will depend on whether or not the receiving organisation will have the authority to decide how and why the data will be stored, used and deleted. If the receiving organisation has considerable discretion in this area, it is probably a data controller.

For example, passing information such as the destinations of leavers passed by the University to HESA for analysis is done so as a data controller to data controller transfer. This is because HESA is a separate organisation and will be using the data for their own purposes, purposes that the University will not be involved in or have control over.

Top of page

What is a data processor?

A data processor is an organisation that “processes” personal data on behalf of another organisation. Processing includes reading, amending, storing and deleting.

If the University passes personal data to an organisation, but retains the right to specify what should be done with that data, then the receiving organisation is a data processor. The University is legally responsible for any breaches of the Data Protection Act committed by any data processor acting on its behalf.

For example, if information held in the University library database is passed to an IT company to carry out maintenance tests this is done so as a data controller to data processor transfer.  This is because the University will retain control over the data and the purposes for which it is processed.

Top of page

What is data processing?

Data processing is any action taken with personal data including the collection, use, disclosure, destruction and holding of data.

Author: Jenny Middleton and Kiara King
Date: 24 November 2006

Top of page

If you have any comments or suggestions regarding these pages please e-mail them to us at recordsmanagement@ed.ac.uk
Terms and conditions, legal disclaimer and copyright information

The University of Edinburgh is a charitable body, registered in Scotland, with registration number SC005336

Page last updated: Friday February 09 2007