Information Governance Office

The Controller is the public authority, agency or other body, in our case The University of Manchester, which, alone or jointly with others, determines the purposes and means of the processing of personal data.

A processor is anyone who is not an employee of the University but who processes personal data on the University’s behalf.

Examples include: couriers, cleaning contractors, recruitment agencies, storage and hosting companies, waste disposal firms.

Responsibility for the security of data and the rights of data subjects remains with the University as Controller even when it is being processed on the University’s behalf by a Processor.

The University must hold a contract with any third party who processes personal data on its behalf, with which it shares personal data or to whom it transfers personal data. This contract should state the data protection responsibilities of each party.

Processing is any action taken with personal data and is very widely defined. It covers almost any action involving personal data.

Examples include the collection, use, disclosure, recording, destruction and holding of data.

The General Data Protection Regulation applies to personal data about an identified or identifiable natural person. Personal data is information where an individual is the main focus and it is of biographical significance. This includes opinions about them and other peoples' intentions towards them.

All computerised personal data falls within the data protection law such as: computer files, data bases, email, CCTV, pictures, web pages, photographs.

All manual personal data is included too, such as: paper files, card index, microfiche.

It is best to assume that all information about a living individual is personal data. This may include:

• factual information about an individual such as date of birth, national insurance number, bank account, name and address;
• sensitive information such as health, sexuality, criminal record, ethnicity, religion;
• opinions expressed, for example in staff development reviews or email comments, personal images, audio recordings and text.

Other examples of personal and confidential data are listed in the Information Security Categories document.

A natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not (such as an employee of the data controller, a data processor or an employee or agent of the data processor).

Some personal data is classed as special category personal data. This type of data is subject to further regulations and can only be processed under certain circumstances. Personal data becomes special category if it includes any of the following types of information about an identified or identifiable natural person:

• racial or ethnic origin
• political opinions
• religious or similar philosophical beliefs
• trade union membership
• genetic data
• biometric data
• health data
• sexual life
• sexual orientation

The General Data Protection Regulation (GDPR) gives individuals a right to access their personal information (formerly known as Subject Access under the Data Protection Act 1998).

This means that individuals can exercise the right of access to see what information the University holds on them, thereby allowing individuals to be aware of what data is being processed and to verify the lawfulness of this processing.

They do this by making a data subject access request which might be received by any member of staff.

A natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data. Examples include external examiners, local authorities, taxation and immigration bodies, marketing companies and the police.

If there are any other terms used on this site that you are unclear about, please contact the Information Governance Office.