Records Management Section
The University of Edinburgh Records Management Section
 

What is Personal Data?

The Data Protection Act 1998 applies only to personal data about a living, identifiable individual.

The definition of personal data is highly complex and for day to day purposes it is best to assume that all information about a living, identifiable individual is personal data. However, sometimes you may need to know precisely what personal data is as this can affect which parts of the legislation apply. The following 11 questions should help you decide.

Step A: Who is the information about?

1.    Is the information about a living, identifiable individual?  For example a name accompanied by other information about the individual such as address, age, telephone number, information regarding his/her hobbies or financial status.  It can be an expression of an opinion about the individual or an indication of the intentions of any person towards that individual.  The data can be biographical even when a combination of different data sources is needed to identify the individual e.g. where individuals are identified only by numbers in a database but a list of to whom the numbers correspond is maintained elsewhere.

Yes:  Go to question 2

No:    The information is not personal data and therefore not subject to the Data Protection Act.

2.    Does the information "relate to" a living, identifiable individual? Just because a document or file title contains somebody’s name does not always mean that it is about him; an e-mail headed, ‘Meeting about Dr Smith’ which discusses other people’s availability for that meeting is not about Dr Smith. Likewise, minutes of a meeting attended by an individual will not be ‘personal data’ simply because the person attended the meeting and contributed to its discussions. However, if the meeting discussed an individual, then the minutes will be ‘personal data’ about that person.

If the individual is not the focus of the information but the information is directly linked to a significant event in the life of that individual, then it may be personal data.  The valuation of a house is not by itself personal data but it becomes personal data if it forms, for example, part of a file discussing a divorce settlement.

Yes:  Go to question 3

No:    The information is not personal data and therefore not subject to the Data Protection Act.

Step B: In what format is the information?

3.    Does the information form part of an accessible record?

Yes: The information is personal data. 

No:    Go to question 4.

4.    Is the information held or intended to be held electronically? (This is anything held on a computer, including e-mails, and other electronic formats such as CCTV)

Yes: This is personal data.  All 8 data protection principals apply.

No:  Go to question 5.

5.  Is the information held in a relevant filing system?

Yes: This is personal data but until 23 October 2007 only data protection principles 6-8 and part of principle 1 apply.

No:   Go to question 6.

6. Is the information an HR file?

Yes:  This is personal data but is exempt from all 8 data protection principles.

No:    Go to question 7.

7. Is the information semi-structured personal data?

Yes: This is personal data but only data protection principles 4 and 6 apply.

No: Go to question 8.

8.    Is the information held by this University?

Yes:  This is personal data but only data protection principles 4 and 6 apply.  If the person makes an information request you only have to look for information in this category if the applicant has asked for a specific item e.g. if the data subject requests to see 'all information' about him you would not need to search data in this category, however if he specifically asks to see the letter about him dated 2 June 1999 then you must locate this letter.

No:     This is not personal data.

If the information does not fulfil the definition of personal data then the University does not have to disclose it in response to a subject access request (although you may choose to do so at your discretion).

Sensitive Personal Data

Some personal data is classed as sensitive personal data. This type of data is subject to further regulations under the Data Protection Act and can only be processed under certain circumstances.  

Personal data becomes sensitive if it includes any of the following types of information about an identifiable, living individual:

  • racial or ethnic origin;
  • political opinions;
  • religious beliefs;
  • trade union membership;
  • physical of mental health;
  • sexual life;
  • commission of offences or alleged offences.

Further assistance

If you need help in determining whether or not information is personal data please contact the Records Management Section using the below email address.

Author: Jenny Middleton

If you have any comments or suggestions regarding these pages please e-mail them to us at recordsmanagement@ed.ac.uk
Terms and conditions, legal disclaimer and copyright information

The University of Edinburgh is a charitable body, registered in Scotland, with registration number SC005336

Page last updated: Tuesday October 16 2007