Cabinet Office Homepage
Last updated: 18 November 2008
Issue
Under section 1(1) of the DPA “data” are defined as information processed or recorded in specified ways. “Personal data” are defined as:
“… data which relate to a living individual who can be identified –
(a) from those data, or
(b) from those data and other information which is in the possession of, or is likely to come into the possession, of the data controller,
and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual; …”
2. In order for something to constitute “personal data” it must consist of information relating to an identifiable living individual. The need for both information and an identifer is confirmed by the reference in section 7(1)(c) of the DPA to “information constituting any personal data”. “Information” is not defined in the DPA and should therefore bear its everyday meaning.
3. Departments have found the meaning of “personal data” as defined in the DPA to be a particularly grey area where it is often debatable whether data is or is not personal.
Standards
4. In cases of doubt, no data should be disclosed to the data subject until a legal view has been obtained as to whether it constitutes personal data.
Recommended best practice
5. At present when a subject assess request is received, some departments search relevant areas for all references to the data subject in the period covered by the request. These references are then assessed centrally to determine which constitute personal data relating to the data subject and are reviewed by departmental legal advisers, the aim being to disclose only that data which is required by the DPA. This is very resource intensive but as casework experience is built up it may be that this approach can be relaxed.
6. It is considered that a reference to an individual’s name alone is unlikely to be personal data. However, it is unlikely that a person’s name will be held independently of any supporting information. Supporting information could come from the context in which the name is held. An example would be that a list of copy recipients on a submission says something about each name on the list; ie that they received a copy of the submission. If a name with no supporting information is held it raises the issue of why it is being held. If it is “personal data”, as some would argue, to hold it for no purpose could well be in breach of the data protection principles.
7. This section should be read in conjunction with the guidance in section 8 on “References to other individuals/Third Parties”.
Data Protection Handbook [PDF, 710KB]
[Top]