Guide to Data Protection Act for Data Controllers
What information does the DPA apply to?
Personal data
The DPA applies to ‘personal data’ meaning any information relating to a living individual who can be directly or indirectly identified.
The DPA applies to personal data in any format, including in automated and manual (paper) filing systems.
Sensitive personal data
The DPA refers to ‘sensitive personal data’, to which additional protections apply.
Sensitive personal data includes genetic and health data, as well as information on racial or ethnic origins, political opinions, religious or similar beliefs, sex life, and the commission or alleged commission of an offence.
Personal data
At a glance
- Understanding whether you are processing personal data is critical to understanding whether the DPA applies to your activities.
- Personal data is information that relates to a living, identified or identifiable individual. If it is possible to identify an individual directly from the information you are processing, then that information will be personal data.
- A number of different factors may identify an individual, including a name or number, as well as online identifiers such as an IP address or cookie identifier, or other factors.
- If you cannot directly identify an individual from the information, then you need to consider whether the individual is still identifiable. You should take into account the information you are processing together with all the means reasonably likely to be used by either you or any other person to identify that individual.
- When considering whether information ‘relates to’ an individual, you need to take into account a range of factors, including the content of the information and the purpose or purposes for which you are processing it.
- Information which has had identifiers removed or replaced in order to pseudonymize the data may still be personal data for the purposes of the DPA if the de-identification measures can be rolled back in any way.
- Information which is truly anonymous is not personal data and is not covered by the DPA.
- Inaccurate or factually incorrect information about a particular individual is still personal data, as it relates to that individual.
In brief
- What is personal data?
- What identifies a person under the DPA?
- What is the meaning of ‘relates to’?
- What is sensitive personal data?
What is personal data?
The DPA applies to the processing of personal data, regardless of its format or storage medium.
Personal data is any information relating to a living, natural person who can be identified.
In other words, data constitutes personal data where the following elements are met:
(a) the data relates to a living natural person; and
(b) the identity of the person to whom the data relates is known or identifiable.
Consequently, the following are not subject to the DPA, as they are not deemed to be personal data:
- truly anonymized data;
- information about a deceased person;
- information about companies or public authorities as such. However, information about sole traders, employees, partners, and company directors who are individually identifiable will still constitute personal data.
What identifies a person under the DPA?
Any type of data can be used to identify an individual. A name is perhaps the most common means of identifying someone. However, whether a piece of data or a set of data actually identifies an individual will depend on the overall context of the processing, which must always be taken into consideration when evaluating whether personal data is being processed.
Personal data can either directly or indirectly identify an individual.
The DPA provides a non-exhaustive list of identifiers, including:
- location data;
- online identifiers (which include IP addresses and cookie identifiers);
- one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the living individual;
- an expression of opinion about the living individual; and,
- any indication of the intentions of the data controller or another person in respect of the living individual.
If an individual can be identified directly from the information you are processing, it will constitute personal data. This could be a name or a passport number, or a combination of two or more pieces of information from the same data set.
If an individual can be identified indirectly from the information you have, i.e. by combining it with another source of information, the information you have may constitute personal data. That additional information may be information you already hold, or it may be information that you or a third party can reasonably obtain from another source.
As an example, the postal code of an individual will, generally, by itself, not be personal data, as it will not permit a specific individual to be identified. However, taken together with other information, such as an uncommon last name and/or the date of birth and/or gender, the individual may become identifiable.
A mere slight hypothetical possibility that someone could use the data in such a way that identifies the individual will not necessarily be enough to make the individual identifiable in terms of the DPA.
When considering whether individuals can be identified, you will have to assess the means that could be used by an interested and sufficiently determined person.
You have a continuing obligation to consider whether the likelihood of identification has changed over time (for example as a result of technological developments).
Pseudonymizing data can help reduce privacy risks by making it more difficult to identify individuals, but it is still personal data. Pseudonymisation is the de-identification of personal data such that it cannot be attributed to a specific individual without the use of additional information, and where this additional information is kept separate and is subject to technical and organisational measures to prevent any undesired re-identification of the individual. A basic example is the replacing of a direct identifier, such as a name, with a pseudonym, and keeping the list matching the pseudonym with the individual secure and separate.
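To illustrate the postal code example and the pseudonymisation described above (an added example, not part of the original guidance): the sketch below replaces names with keyed pseudonyms, keeps the lookup table as the separately held additional information, and counts the records that are still singled out by postal code, date of birth and gender. The records, key and function names are constructed for illustration.

```python
import hashlib
import hmac
from collections import Counter

# Constructed sample records and key (illustrative only, not real data).
RECORDS = [
    {"name": "Ann Ebanks", "postcode": "KY1-1001", "dob": "1980-02-14", "gender": "F"},
    {"name": "Beth Bodden", "postcode": "KY1-1001", "dob": "1980-07-30", "gender": "F"},
    {"name": "Carl Rankin", "postcode": "KY1-1205", "dob": "1975-03-02", "gender": "M"},
    {"name": "Dale Scott", "postcode": "KY1-1208", "dob": "1975-11-19", "gender": "M"},
    {"name": "Eve Quixley", "postcode": "KY2-2000", "dob": "1962-05-05", "gender": "F"},
]
KEY = b"constructed-demo-key"
QUASI_IDENTIFIERS = ("postcode", "dob", "gender")

def pseudonymize(records, key):
    """Replace the direct identifier (name) with a keyed pseudonym.

    Returns (dataset, lookup). The lookup table and the key are the
    'additional information' that must be stored separately and protected.
    """
    dataset, lookup = [], {}
    for rec in records:
        pid = hmac.new(key, rec["name"].encode(), hashlib.sha256).hexdigest()[:16]
        lookup[pid] = rec["name"]
        dataset.append({"pid": pid, **{k: v for k, v in rec.items() if k != "name"}})
    return dataset, lookup

def singled_out(dataset, quasi=QUASI_IDENTIFIERS):
    """Return pseudonyms whose quasi-identifier combination is unique."""
    counts = Counter(tuple(rec[q] for q in quasi) for rec in dataset)
    return [rec["pid"] for rec in dataset
            if counts[tuple(rec[q] for q in quasi)] == 1]

def generalize(dataset):
    """Coarsen date of birth to the year and postal code to its district prefix."""
    return [{**rec, "dob": rec["dob"][:4], "postcode": rec["postcode"].split("-")[0]}
            for rec in dataset]

if __name__ == "__main__":
    data, table = pseudonymize(RECORDS, KEY)
    print("unique before generalisation:", len(singled_out(data)))
    print("unique after generalisation: ", len(singled_out(generalize(data))))
```

With these records every pseudonymised row is still unique on the three attributes, and one row remains unique even after coarsening, so it is still indirectly identifiable by anyone holding a matching outside source.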
Inaccurate information may still be personal data if it relates to an identifiable individual.
What is the meaning of ‘relates to’?
To be personal data, information must ‘relate to’, i.e. be about, the identifiable individual. This requirement in effect introduces a further contextual assessment of the data besides the question of identifiability.
To decide whether data relates to an individual, three elements will need to be considered, any one of which can independently result in the data relating to an individual:
- the content of the data, i.e. where the data itself is directly about the individual or their activities;
- the purpose of the data being processed, i.e. where the data is intended to be used with regard to an individual, such as to evaluate or influence them; and
- the results on the individual of the data being processed, i.e. because the processing outcome will impact their rights and interests.
As such, it is important to consider carefully the overall context of the processing activity in order to decide whether the data relates to an individual.
This is particularly the case where, for the purposes of one controller, the identity of the individuals is irrelevant and the data therefore does not relate to them. However, when used for a different purpose, or in conjunction with additional information available to another controller, the data does relate to the identifiable individual.
An example is where an investigation into a third party’s activities was triggered by an individual. The individual submits a subject access request (SAR). The investigation file will not be covered by the SAR; however, the complaint itself and any log of how many investigations have been triggered by the individual will be covered by the SAR.
At times it may be difficult to determine whether data is personal data. If this is the case, as a matter of good practice, you should treat the information with care, ensure that you have a clear reason for processing the data and, in particular, ensure you hold and dispose of it securely.
What is sensitive personal data?
The processing of some types of personal data presents a higher risk to that person’s rights and interests. The DPA explicitly recognizes certain types of data as being “sensitive personal data”; however, the processing of types of personal data not defined as sensitive under the DPA may, depending on the overall context, also pose a higher risk to a person’s rights and interests and warrant an extra level of care.
As a defined term under the DPA, sensitive personal data means personal data consisting of:
- the racial or ethnic origin of the data subject;
- the political opinions of the data subject;
- the data subject’s religious beliefs or other beliefs of a similar nature;
- whether the data subject is a member of a trade union;
- genetic data of the data subject;
- the data subject’s physical or mental health or condition;
- medical data;
- the data subject’s sex life;
- the data subject’s commission, or alleged commission, of an offence; or any proceedings for any offence committed, or alleged, to have been committed, by the data subject, the disposal of any such proceedings or any sentence of a court in the Islands or elsewhere.
Processing sensitive personal data requires that at least one condition in each of schedules 2 and 3 applies.
Overall, the same considerations apply to sensitive personal data as to personal data in general, in terms of:
- directly or indirectly identifying a living individual; and
- the meaning of “relating to” an individual.
Whether a particular piece of information is sensitive data will depend on a reasonableness test. For example, the unfounded rumor that a head of state is holding someone hostage in their basement will not be held to be sensitive personal data about the alleged commission of an offence.
Relevant provisions
Data Protection Act (2021 Revision)
Section 2: Definitions
Section 3: Definition of sensitive personal data
Schedule 2: Legal bases (conditions) for processing personal data
Schedule 3: Legal bases (conditions) for processing sensitive personal data
Further guidance
Information Commissioner’s Office (UK) (ICO): What is personal data?