CHAPTER 2: UNDERSTANDING THE DEFINITIONS
The DPA uses several specific terms and it helps to understand these. The DPA covers personal data. This means information which is held on a computer or in a relevant filing system and which relates to a living individual who can be identified from that information, or that and other information in the possession of the data controller (see below). It does not matter that the other information is held by a different department. Where public authorities are concerned, an even wider range of information is covered when it comes to dealing with rights of access to the information. If information is not held on a computer or a relevant filing system, or is not intended to be held on a computer or in a relevant filing system, then it will be outside the DPA unless it is an accessible record. Accessible records are certain health, education or other public sector records formerly covered by other rights of access.
A relevant filing system is a set of manual files which are organised by reference to individuals or criteria relating to individuals (for example National Insurance numbers) and in which specific information about those individuals (for example their salary details or annual leave details) is ‘readily accessible’. This usually means highly structured files in which the organisation can immediately find the information it seeks about a particular individual.
The term personal data was considered by the Court of Appeal in a case called Durant v Financial Services Authority in 2003. This confirmed that a relevant filing system has to be tightly structured. The Court of Appeal also considered what sort of information can be said to ‘relate to’ a living individual. It decided that not all information in which someone’s name is mentioned can be said to relate to somebody. The information has to be about them in some more significant sense, for example by being biographically significant.
There are very few organisations which do not process personal data about living individuals, whether that relates to employees, customers or suppliers. These individuals are called data subjects.
The organisation which determines the purposes for which such information is going to be used or processed and how this is going to be carried out is called a data controller. A data controller is the legal entity which is responsible for making those decisions. Employees are not data controllers even if they are data protection officers. If the information is held in the public sector, the public body will usually be the data controller, for example a local authority. Where information is held in the private sector, the data controller will usually be the company or other organisation, for example a limited company or a partnership. Every kind of use of personal data is covered by the DPA. The DPA defines any utilisation of personal data as processing and this covers everything from obtaining information in the first place through to storing it or destroying it at the end of its useful life.
Some types of information are regarded as more sensitive than others and these are called the sensitive personal data categories. The DPA sets out a list of categories of sensitive personal data which covers the racial or ethnic origins of individuals, their political beliefs, their religious beliefs, trade union membership, physical or mental health or condition, sexual life, or the commission of offences or criminal proceedings. Particular care has to be taken with such data, for example to make sure that it is held securely.
Other important terms that are used in the DPA are:
• Direct marketing, which is widely defined as meaning the communication by whatever means of any advertising or marketing material which is directed to particular individuals.
• Data processor, which is any person apart from an employee of the data controller who processes data on behalf of a data controller.
• Special purposes, which mean the purposes of journalism and artistic and literary purposes.