top of page
  • Mariel Irvine


Personal data are (NB rather than is, a dry subject after all) information. Any business is likely to have personal data.

The legal definition is important because the Data Protection Act 1998 (DPA) and the GDPR, which replaces the DPA next May, only apply to personal data. They do not cover information that falls outside the legal definition.

Broadly speaking, personal data relates to a living individual whom the holder of the data can identify.

What does "personal" mean?

Information that relates to a company does not fall within the definition. Nor does information about a person who has died.

Data falls within the definition even if the holder of the data (or data controller) can only identify the individual from the data with the help of other information it holds. In other words, a simple record of weight, shoe size or hair colour may be sufficient to identify a person, and so fall within the definition of personal data, depending on the other information the data controller has.

Information which is anonymous falls outside the definition, so long as the data controller cannot identify a person from it, and is unlikely to acquire other information which will enable identification.

What does "data" mean?

There are five categories of data under the DPA. The first three are the most important:-

(1) All information processed electronically;

(2) Paper and other manual records intended to be processed electronically;

(3) Paper and other manual records contained in a "relevant filing system" or intended to form part of a "relevant filing system".

In other words, information held electronically falls within the definition. Paper and other manual records are caught to a limited extent.

The Information Commissioner's Office has provided guidance on what a "relevant filing system" is:

It contains a single category of information about an identified individual, such as a complaint file or a personnel file, or

It is indexed or subdivided to allow ready access to specific information about individuals.

An untidy pile of papers in the corner of a room may fall within the definition of a "relevant filing system" if the papers are waiting to be organised into a relevant filing system.


The GDPR introduces a new definition of filing system which seems designed to capture a much broader range of "filing systems" than under the DPA. The new definition encompasses any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised, or dispersed on a functional or geographical basis.

This is not my drafting.

3 views0 comments

Recent Posts

See All


This morning an unfamiliar envelope arrived. It is a letter from Equifax, confirming that some of my personal data has been hacked. The information “included” my name and date of birth, and my “landli

bottom of page