Key Terminology
The following are some of the data protection terms that you are likely to come across during your day-to-day activities in your College.
Personal data is information relating to natural (i.e. living) persons who:
- can be identified or who are identifiable, directly from the information in question; or
- can be indirectly identified from that information in combination with other information.
Most departments across the Colleges process personal data regularly. Under the current data protection legislation, you need to have a lawful basis for collecting, using, storing, sharing and otherwise processing personal data.
Special category data is sensitive personal data that needs more protection than other types of personal data. The special categories are:
- Racial or ethnic origin;
- Political opinions;
- Religious or philosophical beliefs;
- Trade union membership;
- Genetic data;
- Biometric data (where used for identification purposes);
- Data relating to health;
- Sex life; and
- Sexual orientation.
Where a department needs to process special category data, it must specify the conditions for processing such data, in addition to the lawful basis.
The person whose personal data you process is called the data subject. Data protection law only applies to living people, so any data belonging to someone who is dead is not considered personal data under current legislation.
Any activity involving personal data throughout its lifecycle is called "processing", from its creation or collection until disposal or permanent retention (i.e. sent to the College archive as a historical record).
A data controller is any entity, such as an organisation, charity, club, business, etc., that exercises overall control over the purpose and means of processing personal data. A data controller is also responsible for the security and protection of its personal data.
Within organisations, such as Cambridge Colleges, employees process personal data under instruction from, and on behalf of, the employer. A person would only be considered a data controller if they are a sole trader or self-employed.
With a few exemptions, all data controllers in the UK must register with the Information Commissioner's Office (ICO). Every Cambridge College is registered with the ICO and can be found on the official register. Registration details can be found
A data controller can instruct third parties to process the data on its behalf. However, it remains responsible for the security and appropriate protection of the data.
A data processor acts on behalf of, and only on the instructions of, a data controller. They are responsible for the security of the personal data they process, but cannot use it for their own purposes.
Before the College can undertake an activity involving personal data, it must first determine the grounds for the processing. This is known as lawful basis. There are six lawful bases:
a) Consent;
b) Contract;
c) Legal obligation;
d) Vital interests;
e) Public task; and
f) Legitimate interests.
The College must document its lawful basis for a processing activity before it can be carried out.
Due to its sensitivity, special category personal data requires more security considerations than other personal data. This includes stating conditions for the processing in addition to the lawful basis. There are 10 conditions for processing:
a) Explicit consent;
b) Employment, social security and social protection*;
c) Vital interests;
d) Not-for-profit bodies;
e) Made public by the data subject;
f) Legal claims or judicial acts;
g) Reasons of substantial public interest#;
h) Health or social care*;
i) Public health*; and
j) Archiving, research and statistics*.
* Applying any of these conditions requires additional safeguards, as set out in Part 1 of Schedule 1 of the Data Protection Act (DPA) 2018.
# If you are relying on this condition, you must meet one of 23 specific substantial public interest conditions set out in paragraphs 6 to 28 of Part 2 of Schedule 1 of the Data Protection Act (DPA) 2018.