The Scottish Information Commissioner - It's Public Knowledge

Definition of key terms and concepts

Data Controller

A data controller is a person or group of people who determine the purposes for which personal data are, or will be, processed. Processing in relation to information or data, means obtaining, recording or holding the information or data or carrying out any operation or set of operations on the information or data. A data controller must comply with the Data Protection Principles.

Data Protection Principles

There are eight principles in the DPA with which data controllers are required to comply. When considering the Data Protection Principles it is worth remembering the wide scope of the definition of ‘processing’, which includes everything from obtaining and disclosing to filing and destroying the information. The DPA is regulated by the Office of the Information Commissioner (OIC) and, according to the OIC, the first Data Protection Principle will be the key issue when considering an application for third party data, although all principles should be considered.

The Data Protection Principles state that personal data must:

  • be processed fairly and lawfully;
  • be obtained only for specific and lawful purposes;
  • be adequate, relevant and not excessive;
  • be accurate and, where necessary, kept up to date;
  • be kept for no longer than necessary;
  • be processed in accordance with the rights of the data subject under the DPA;
  • be protected against unauthorised or unlawful processing and accidental loss, destruction or damage; and
  • not be transferred to a country or territory outside the European Economic Area unless the country has in place an adequate level of protection.

First Data Protection Principle

The first principle requires that personal data is processed fairly and lawfully. Unlawful disclosure would be where there was a breach of confidence or where there is a law forbidding disclosure. 11 Fairness is harder to define but may take into account the following:

  • The expectation of the data subject.
  • Whether any distress or damage would be caused to the data subject as a result of the disclosure.
  • Any express refusal by the data subject.
  • Whether the information relates to the data subject’s public or private life. A person’s private life is likely to deserve more protection.

Does the information relate to a third party’s private life?

The OIC has issued guidance on when he believes information relates to a person’s private life. The view is that information which is about the home or family life of an individual, personal finances or personal references is likely to deserve protection. By contrast where an individual is acting in an official or work capacity, information relating to this part of a person’s life should normally be provided.

Does the OIC need to be advised if I release information under FOI?

The OIC has confirmed that complying with a FOI request is fair and lawful processing and that there would be no need to notify the Information Commissioner if this type of information is disclosed under FOI(S) Act 2002. ‘Notification’, in relation to the DPA, has a very specific meaning. The OIC maintains a public register of data controllers. The register includes a notification of the processing of personal data carried out by the data controller. By releasing the information following a request, you are merely complying with the legislation which overrides the DPA in cases where disclosure would not breach the Data Protection Principles, and you do not need to amend the processing details in the register.

Personal Data

This term is defined in the DPA as information which relates to a living individual from which that individual can be identified. Such information can include opinion about the individual and any indication of the intentions of any person in respect of the individual. Potentially this is a very wide definition but is likely to be a question of fact in each individual case.

In the recent ‘Durant’ case, 12 the Court of Appeal considered the right of access to personal data. The decision clarified what makes data ‘personal’ within the meaning of ‘personal data’. The Court did not consider the issue of identifying the individual but concentrated on the meaning of ‘relate to’. The Court held that data will only relate to an individual if it:

‘is information that affects (a person’s) privacy, whether in his personal or family life, business or professional capacity.’

The Court identified two notions that may assist in determining whether information is “information that affects privacy” and, therefore, “relates” to an individual. The first is whether the information is biographical in a significant sense. The second concerns focus – “The information should have the [individual] as its focus rather than some other person with whom he might have been involved…”.

For something to be considered personal data the information must be more than simply the mention of a person’s name in a document. If there is other, related data such as an address or home telephone number, the information is more likely to come under the definition of personal data. If an individual’s name is included in a document where the focus is on something other than that individual, the information is unlikely to be considered personal data. This is because the information does not ‘relate to’ the individual – the focus is on something other than the individual. An example of this could be a report on the performance of a department of a public authority. Although individuals may be mentioned by name the focus of the information is not the individuals themselves.

Information which is likely to be considered personal data may include:

  • Information about an individual’s political preference;
  • Information about an individual’s bank details;
  • An individual’s personal email address; and
  • An individual’s employment record.

Section 10 Notice 13

If an individual believes that a data controller is processing personal data in a way that causes, or is likely to cause, substantial unwarranted damage or distress to them or to another person, section 10 of the DPA gives the individual the right to send a notice to the data controller requiring him to stop the processing within a reasonable time.

Third Party

This term is defined in the DPA as any person other than the subject of the information, the data controller or any person who is authorised to process the information.

Freedom of Information (Scotland) Act 2002 (Consequential Modifications) Order 2004

This Order, which came into effect on 1 January 2005, amended the DPA so that the definition of personal data is extended to include recorded information held by a Scottish public authority which did not fall into the previous definition of ‘personal data’. The previous definition included electronically held information, structured manual data and information which people have a right to under separate legislation. The extension is designed to ensure all personal data held by public authorities is accessible under DPA and now provides access to ‘unstructured personal data held by public authorities’. The rules for dealing with this new type of personal data are detailed below.

 

Footnotes

11 For example, the Official Secrets Act 1989. 
12 Michael John Durant v Financial Services Authority 2003 EWCA Civ 1746.  
13 Data Protection Act 1998 s10.

