Key concepts

Sections 1 and section 2 of the DPA provide definitions for the key concepts in the Act. Having a good understanding of these terms is essential in order for you to be able to recognise the circumstances in which the Act applies.

Data

'Data' is defined as information which falls within one of five different categories:

  1. Information which is being processed by means of equipment operating automatically in response to instructions given for that purpose,
  2. Information which is recorded with the intention that it should be processed by means of such equipment,
  3. Information which is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system, or
  4. Information which does not fall within paragraph (a), (b) or (c) but forms part of an accessible record as defined by s68.
  5. Information which is recorded information held by a pubic authority and does not fall within any of paragraphs (a) to (d).

This definition makes clear that ‘data’ comprises all automatically processed data and some, but not all, manual data filing. Only manual data which falls within the definition of a relevant filing system are considered to be data to which the DPA applies. In addition, for information to be data it must be recorded in some way, such that it is capable of being processed. This means that an oral comment which is not capable of being processed will fall outside the definition.

(d) above refers to information which forms part of an ‘accessible record,’ as defined in s68. Importantly for you the definition in s68 includes health records. This means that research involving the secondary use of electronic patient records will always have to comply with the terms of the DPA if the data used in the research is identifiable.

Return to top of page

Relevant filing system

A ‘relevant filing system’ is defined as ‘any set of information relating to individuals to the extent that, although the information is not processed by means of equipment operating automatically in response to instructions given for that purpose, the set is structured, whether by reference to individuals or by reference to criteria relating to individual, in such a way that specific information relating to a particular individual is readily accessible’.

This definition can be broken down into four different components, all of which must be satisfied in order for the information to be ‘data’ under the DPA:

  1. A set of information­- this requirement can be fulfilled by a filing system which contains more than one piece of information.
  2. More than one individual- the word ‘individuals’ in the DPA suggests that the filing system must contain information about more than one individual. This requirement operates to exclude a single piece of information and also several pieces of information about the same individual.
  3. Structure- the filing system must be structured by reference to individuals or particular criterion relating to individuals.
  4. Readily accessible data- the information about an individual must be specific enough to enable it to be readily accessible.

Manual filing systems containing patients medical records will usually fall under this definition. This means that even if your research project uses manual records, it is more than likely that the provisions of the DPA will apply.

Return to top of page

Personal data

The provisions of the DPA only apply to ‘personal data.’ This is defined as meaning any data relating to a living individual who can be identified (a) from those data, or (b) from those data and other information which is in the possession of or is likely to come into the possession of, the data controller.  It includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.

Three further points can be made about this definition:

(1) A living individual

The data must concern a living individual in order to be ‘personal data.’ This means that any information about the yet-to-be-born, deceased persons or limited companies is not personal data. However you should remember that while information about a deceased person may not be personal data in relation to the deceased individual, it may be personal data in relation to another, living, person.

(2) Identifiable information

The data must be sufficient to identify the individual. This means that data which has been anonymised will not be ‘personal data’ and therefore the DPA will not apply. It should be noted that a name is not always necessary in order for the data to be identifiable, for example, a person could be identified by his data of birth and address. It is likely that more than one piece of information will be needed in order for data to be identifiable.

While data may not be identifiable in the hands of one individual, it is important to remember that it might become identifiable in the hands of another. For example, if data is pseudonymised, it will still be identifiable to the individual who holds, or is likely to hold at some future time, the code to identify the data. Or if two anonymised datasets are to be linked it is possible that the resulting dataset will no longer be anonymous. You should be aware of these possible concerns when considering what data you are seeking to access.

You should also remember that statistical data may be identifiable data, for example, where the data sets are very small.  It is a matter of fact to be decided in each case whether an individual can be identified from the statistics in question and any other available information.

(3) ‘Relates to’

Data will only be personal data if it ‘relates to’ an identifiable individual. Although there has been some recent legal uncertainty about the meaning of the term 'relates to,' it is extremely unlikely that you as an individual involved in the secondary use of patient data will need to worry about this, as all patient records, whether electronic or manual, clearly 'relate to' to the individual whose medical records they are.

Return to top of page

Sensitive personal data

The DPA differentiates between two types of data, ‘personal data’ (above) and ‘sensitive personal data,’ where more stringent conditions for processing apply. The rationale for giving increased protection to sensitive personal data is that the data subject is more likely to suffer discrimination and prejudice on the grounds of these data.

Sensitive personal data are defined as data consisting of information as to:

  1. the racial or ethnic origin of the data subject,
  2. his political opinions,
  3. his religion beliefs or other beliefs of a similar nature,
  4. whether he is a member of a trade union
  5. his physical or mental health or condition,
  6. his sexual life,
  7. the commission or alleged commission by him of any offence, or
  8. any proceedings for any offence committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any court in such proceedings.

Subsection (e) above indicates that  data about the health of an individual is sensitive personal data. This means that you as a researcher or data custodian must be aware of the more stringent conditions the DPA places on the processing of such data.

Return to top of page

Processing

The DPA only applies when personal data are ‘processed.’ Under the DPA 'processing' means: ‘obtaining, recording or holding the information or data or carrying out any operation or set of operations on the information or data, including (a) organisation, adaption or alternation of the information or data, (b) retrieval, consultation or use of the information or data, (c) disclosure if the information or data by transmission, dissemination or otherwise making available, or (d) alignment, combination, blocking, erasure or destruction of the information or data. As you can see, the term ‘processing’ is very broad and encompasses just about anything that one could do with data.

Importantly, although the DPA does not apply to anonymous data, the definition of processing includes the process of anonymisation. For you as a researcher this means that any anonymisation process being carried out on data must be done in such a way that complies with the DPA.

Return to top of page

Data subject

The ‘data subject’ is the individual who is the subject of personal data. Therefore in order to determine who the data subject is you must refer to the definition of ‘personal data.’

Return to top of page

Data controller

The data controller is the one who determines the purposes for which and the manner in which data are to be processed.  A data controller can be either an individual or an organisation, and they can operate either alone or jointly with others. S4 of the Act provides that it is the responsibility of the data controller to ensure that the data protection principles in schedule 1 are complied with.

Under the SHIP framework, the SHIP Safe Haven takes on the legal responsibilities of ‘data controller’ jointly with the data custodian for the duration of the research project. However, you as a researcher could become a data controller over your research data if data is directly transferred to you. Therefore you must ensure that you are aware of the obligations the DPA places on data controllers.

Return to top of page

Data processor

Data processors process data on behalf of the data controller. The existence of a data processor is dependent on decisions taken by the data controller as to how the data should be processed and by whom. This definition includes the data controller’s staff as well as situations where the data controller has contracted with a third party to have the data processed by them on behalf of the data controller.

You as a researcher may either be acting as a data controller or a data processor, depending on the circumstances that the data is being processed in. For example, while you may be a data processor for the purposes of the source data, you may become a data controller for the purposes of the research output data. It is therefore important to assess your obligations under the DPA throughout the course of your research project and to understand if and when your responsibilities have changed.

Some questions to consider to help you assess whether you are acting as a data controller or processor include:

  • Do you have the capacity to determine the purposes for which the data is being processed?
  • Do you have the capacity to determine the manner in which the data is to be processed?
  • What is the role of other possible actors? (Remember that there can more than one data controller.)
  • Are you acting autonomously or on the instructions of another?

Return to top of page