TopicFullPage Secretariat:
home>Skip Navigation LinksSecretariat > Privacy Notices > Data Protection Definitions


Definitions of terms under the Data Protection Act

Data Controller

The person or organisation responsible for the manner in which any personal data is processed. In the majority of cases, Lancaster University is the data controller. A Data Controller either alone or jointly with others determines the purposes for which data is to be used. If you wish to use data for a new purpose you should seek guidance from the Data Protection Officer.


Data Processor

Any person or organisation (other than an employee of the data controller) who processes personal data on behalf of the data controller. An example of this might be an external contractor.


Personal Data

Data relating to a living individual who can be identified from the information, or any other data likely to come into the possession of the data controller. This includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.


Data Subject

The living individual to whom the data relates who is therefore the subject of personal data.


Data Processing

Obtaining, recording or holding the data or carrying out any operation on the data, including organising, adapting or alteration of the data; retrieval, consultation or use of the data; disclosure of the data, and alignment, combination, blocking, erasure or destruction of the data.


Relevant Filing System

Any set of information relating to individuals which is structured, either by reference to individuals or by reference to criteria relating to individuals, in such a way that specific information relating to a particular individual is readily accessible. Note that this definition extends the Act to include manual files which contain information about an individual, such as student records and HR files.


Sensitive Data

Under the Data Protection Act the following categories are listed as sensitive personal data:

  • the racial or ethnic origin of the data subject,
  • their political opinions,
  • their religious beliefs or other beliefs of a similar nature,
  • whether they are a member of a trade union,
  • their physical or mental health or condition,
  • their sexual life,
  • the commission or alleged commission by them of any offence, or any proceedings for any offence committed or alleged to have been committed by them, the disposal of such proceedings or the sentence of any court in such proceedings.

Where such data is being processed not only must the controller meet the requirements of the 8 Principles and Schedule 2, but one of the following conditions must also be met:

Either the explicit consent of the individual must be obtained, or processing must be necessary based on the legal or legitimate interests of the University, or the vital interests of the data subject, such as a medical emergency.


Third Party

Any person other than the data subject, the data controller, any data processor or other person authorised to process data for the data controller or data processor.

This page was last edited on: 4/29/2010 5:35 PM