Personal Data in UK Law
Durant v Financial Services Authority
The question is the meaning of the words "relate to" in the opening words of the definition, in particular to what extent, if any, the information should have the data subject as its focus, or main focus. Miss Houghton, on behalf of Mr. Durant, pitched Mr. Durant's entitlement to information under section 7 in very broad terms, relying on what she described as the extremely wide and inclusive definition of "personal data" in section 1(1).
As a matter of practicality and given the focus of the Act on ready accessibility of the information —whether from a computerised or comparably sophisticated non-computerised system —it is likely in most cases that only information that names or directly refers to him will qualify.
It follows from what I have said that not all information retrieved from a computer search against an individual's name or unique identifier is personal data within the Act. Mere mention of the data subject in a document held by a data controller does not necessarily amount to his personal data.
Alireza Ittihadieh v 511 Cheyne Gardens Rtm Company Ltd and Others
In some cases, it has been said that the supply of information does not tell the data subject anything he or she did not already know. To take a simple example: everyone knows their own name and date of birth. Moreover where the focus of a SAR is (as is often the case) a request for copies of documents rather than personal data, the fact that the data subject was either the author or recipient of the document in question would also be highly relevant to the exercise of discretion.
Even so, it is not an obligation to supply documents: Dunn v Durham CC  EWCA Civ 1654,  2 All ER 213 at . It is of critical importance to distinguish between the two. Although it may be more convenient and cheaper in some cases for a data controller to supply copy documents, there is no legal obligation to do so. This is, I think, borne out by article 12 of the Directive which requires the data controller to inform the data subject of the " categories of data concerned".
Common Services Agency v Scottish Information Commissioner (Scotland)
But in my opinion the fact that the Agency has access to this information does not disable it from processing it in such a way, consistently with recital 26 of the Directive, that it becomes data from which a living individual can no longer be identified.
R (on the application of Catt) v Metropolitan Police Commissioner; R (on the application of T) v Metropolitan Police Commissioner
For this purpose, the rules need not be statutory, provided that they operate within a framework of law and that there are effective means of enforcing them. Their application, including the manner in which any discretion will be exercised, should be reasonably predictable, if necessary with the assistance of expert advice. It is enough that it lays down principles which are capable of being predictably applied to any situation.
Data Protection Act 2018
...... 1 . Preliminary PART 1 . Preliminary . S-1 . Overview 1 Overview . . (1) This Act makes provision about the processing of personal data. . (2) Most processing of personal data is subject to the GDPR. . (3) Part 2 supplements the GDPR (see Chapter 2) and applies a broadly ......
- The Framework for the Free Flow of Non-Personal Data (Revocation) (EU Exit) Regulations 2021
- The Data Protection (Processing of Sensitive Personal Data) Order 2012
Data Protection Act 1998
......(either alone or jointly or in common with other persons) determines. the purposes for which and the manner in which any personal data are,. or are to be, processed. . ‘data processor’, in relation to personal data, means any person. (other than an employee of the data ......
Personal Data: The Act Begins to Bite
Managers responsible for personal data held on computer need to be aware of and comply with the terms of the Data Protection Act 1984. Registration and compliance with the eight data protection pri...
When the mobile app is free, the product is your personal data
Purpose: Mobile devices (smartphones, tables etc.) have become the de facto means of accessing the internet. While traditional Web browsing is still quite popular, significant interaction takes pla...
Control over Personal Data in a Digital Age: Google Spain v AEPD and Mario Costeja Gonzalez
In the Google Spain judgment, the Grand Chamber of the EU Court of Justice determined the circumstances in which a search engine is obliged to remove links to data pertaining to an individual from ...
DATA PROTECTION AND THE USE OF PERSONAL DATA BY FINANCIAL INSTITUTIONS
In the light of the First Principle contained within the 1984 Data Protection Act, the Data Protection Registrar is concerned about some of the current practices being carried out within the financ...
Privacy Matters, Featuring a Personal Data Checklist
This issue of Privacy Matters examines the what, the where and the who regarding personal data. The infographic maps the flow of data to help determine what personal data a company might hold, wher...
Personal data security for pension scheme trustees
Cybersecurity and protection of personal data are increasingly to the forefront of concerns for pension trustees. The European General Data Protection Regulation (GDPR), applicable in the UK from 2...
COVID-19 Coronavirus: Protecting Employee Personal Data
Employers’ primary concern at this time will be the health and safety of their employees in the wake of what has been declared a global pandemic by the World Health Organization. However, employers...
- Deleting Personal Data