Identifying ‘personal data’

Although it will be very unusual for identifiable data to be directly transferred to you, as normally such data will have to be accessed through a Safe Haven, there may be some exceptional circumstances in which this will happen. In addition, it is possible that your research results could become identifiable, if, for example, you have linked datasets. It is therefore important that you are aware of what constitutes ‘personal data’ under the law, and the legal implications of this.

Under the Data Protection Act 1998 (DPA) ‘personal data’ is defined as meaning any data relating to a living individual who can be identified (a) from those data, or (b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller.  It includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual. This definition is significant as the provisions of the DPA only apply to personal data.

Importantly, the DPA differentiates between two types of data, ‘personal data’ and ‘sensitive personal data,’ where more stringent conditions for processing apply. Data about the health of an individual is sensitive personal information under the DPA, and therefore if you are using identifiable data it is important that you consider the conditions for processing sensitive personal information.

For more guidance please see the information pages on data protection which can be accessed here.

Return to top of page

Return to route-map