Data Protection Basics
A short primer on data protection terminology & concepts.
What is “personal data”?
‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person; Article 4(1) GDPR.
What information comprises personal data is quite nuanced and has been further interpreted by UK domestic courts and the CJEU. This will be discussed in further posts, as it is important to understand the types of personal data individuals are entitled to access.
What does “processing” entail?
‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction; Article 4(2) GDPR.
What is a “data controller”?
‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data [(but see section 6 of the 2018 Act)]; Article 4(7) GDPR.
Any entity that acquires the status of data controller becomes obligated to facilitate the rights of the individuals whose data it processes, and it must process that data in accordance with the GDPR.
What is a “citizen data controller”?
Even individuals can be or become a data controller and subject to the GDPR. They are often referred to as “citizen data controllers”. Although the GDPR contains an exemption known as the “domestic or household exemption”, it is quite strictly construed and limited to purely personal or household activities within that individual's private sphere.
“This Regulation does not apply to the processing of personal data by an individual in the course of a purely personal or household activity;” Article 2(2)(a) GDPR.
There have been some well-known data protection court cases in the UK concerning citizen data controllers: Rudd v. Bridle [2019] EWHC 893 (QB) in England and Woolley v. Akram [2017] SC Edin 7 in Scotland.
Examples of activities that can make an individual a data controller subject to the GDPR: home CCTV, going door-to-door collecting personal information for some cause, collecting and passing your data on to other recipients for purposes not falling into the domestic exemption.
In my upcoming posts on “creative data remedies” I'm going to discuss how GDPR can be utilised to shut down what I term “The Querulants” - vexatious and malicious individuals who repeatedly and unnecessarily interfere in your private life.
Legal obligations of a data controller.
A data controller must have a lawful basis to process your data under Article 6 GDPR.
A data controller has a binding and mandatory legal obligation to process data in accordance with all of the data protection principles of Article 5(1) GDPR.
The principles of Article 5(1) are:
The principles of Article 5(1) are the cornerstone of data protection law. A breach of any of these can render a data controller's processing of your data unlawful. Violations of the principles can trigger stronger rights that may be exercised by the data subject.
The principle of Article 5(2)
The accountability principle of Article 5(2) is extraordinarily important for data subjects - particularly with regard to enforcement of your rights of control over your data. In coming posts, I will discuss why much of the power of GDPR derives from this principle and how it shifts the burden onto the data controller to demonstrate compliance with the Regulation and justify their actions with respect to how they process your personal data.


