The Data Protection Act is about two things: the protection of personal data and the protection of data subjects. These two terms are defined in the interpretation section of the Act to help implementation and enforcement. Under the Act,
Data subject is defined to mean an identified or identifiable natural person who is the subject of personal data. An identifiable natural person is defined to mean a person who can be identified directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity.
Personal data is defined to mean any information relating to an identified or identifiable natural person. Whilst ‘information’ is not defined, ‘data’ is defined to mean information which:
- is processed by means of equipment operating automatically in response to instructions given for that purpose;
- is recorded with intention that it should be processed by means of such equipment;
- is recorded as part of a relevant filing system;
- where it does not fall under any of the paragraphs above, forms part of an accessible record; or
- is recorded information which is held by a public entity and does not fall within any of the paragraphs above.
The definition of data is broad. It covers information about company employees, suppliers, consultants, contractors and customers, and even their next of kin, family members and other connections, if companies receive their information. The Act requires businesses to design systems and processes to protect all information relating to natural persons that is collected, retained, used and disposed of as part of business processes.