Site guide

My attempt at simplifying the Data Protection Act.

My blog updates

  • Grand Central: Great trains, terrible terms
    Feb 26, 2010
    Recently I travelled to York on Grand Central Railway. I really like their train service because you pay the same fare whether you buy your ticket in advance, at the station, or on the train. ...
  • Filling cabinet breaches
    Feb 1, 2010
    I like to analyse the ICO's undertakings and enforcement notices to see whether there are lessons you can learn from other people's unfortunate mistakes. ...
  • Data Sharing and the Blue Badge Parking Scheme
    Jan 13, 2010
    Back in 2008 the government announced that they were going to reform some of the ways the disabled parking / blue-badge scheme worked to reduce the amount of fraudulent use. ...
  • The future of privacy talk at ORG
    Dec 6, 2009
    Bruce Schneier spoke on the subject of The Future of Privacy at the Open Rights Group on Friday. ...
  • Abuse of radio buttons and check boxes
    Dec 5, 2009
    I’m particularly sensitive to interface design and I saw a real horror this week. ...
CISSP Logo

Basic terms

I realise that starting out with a list of definitions is enough to make your eyes go vacant but the Act, and people who talk about Data Protection, use these terms – so let’s get them out of the way.


Processing

Doing anything with data. Collecting it, entering it, storing it, copying it, making reports from it, sending it somewhere, sharing it, deleting it, analysing it, adding bits of it up, searching against it. Everything you can do with personal data is processing.

Personal Data

Data that is about a living person. There are lots of interesting legal debates people can have about what exactly this means, and some solicitors and judges would disagree. Basically if the information is about someone then it is personal data.

Also it doesn’t matter if the information is publically available somewhere else like the telephone directory or the electoral roll. It is still personal information and when you process it, you have to follow the eight principles. There’s a technical guide and flowchart (PDF) on the Information Commissioner’s site that helps you to define what is personal data.

There’s an interesting case that says to be personal data it has to be of ’significant biographical nature’ but generally if you want to get into the grey edges about what’s personal data and what is not, it is outside the scope of general guidance and you should consult a data protection consultant or your solicitor.

Data Controller

An organisation which is in charge of some personal data (i.e. you)

Data Processor

An organisation who you sub-contract or outsource a business process to, and as part of that you business relationship you pass them some personal data which you are the Data Controller of.

The key distinction is that a Data Processor only does what they are told to do with the data by you. They don’t have, or plan to have, their own independent relationship with the person whose personal data you passed to them.

Data Processors don’t need to be registered with the Information Commissioner and it is the responsibility of the Data Controller to make sure that the Data Processor complies with those eight principles. This is an important distinction and is best remembered by:

“you can outsource the process, but you can’t outsource the responsibility”

Data Subject

A living person whose personal data you store.

The Information Commissioner

The person (Christopher Graham) who is responsible for enforcing the Act. He doesn’t do this alone; he has an office full of people (surprisingly) called the Information Commissioner’s Office or the ICO.

Disclaimer: This is general information only and I’ve tried to simplify the major parts of the Act to make it easy (I hope) to understand. This isn’t specific advice for you. If you’re looking for help with DPA and Information Security compliance then please contact me.