What is personal data?

Personal data has no easy, clear-cut legal definition. The definition set out in the Data Protection Act 1998, enacted following European legislation in the form of Directive 95/46/EC, leaves businesses and their advisers dealing with a significant amount of uncertainty.

“Personal data” are defined in the 1998 Act as:

… data which relate to a living individual who can be identified – (a) from those data, or (b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller, and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.

In short, any information which can be used to identify an individual constitutes personal data. For example, a list of customer names and addresses will count as personal data, as may a database of customer email addresses.

The broad-brush approach of the 1998 Act has proven troublesome to businesses, as they are subject to legal obligations in relation to wider range of personal data than a common sense view might suggest.

To use a simple example, “The most recent customer is called Patrick Smith, who has red hair and lives at 54 Evergreen Terrace” is personal data which clearly identifies Patrick. “The most recent customer does not have brown, blonde or dark hair and lives on Evergreen Terrace” should also be considered to be personal data as it is possible that, using this information, one could ascertain the identity of Patrick.

Incomplete data on individuals may still count as personal data. For instance, should a company have a list of reference numbers for individuals which correspond to a list of information cards relating to customers, then the reference numbers (although not on the face of it overtly personal) will be personal data.

A distinction can be drawn between personal data and sensitive personal data, a leak of the latter being much more serious. Sensitive personal data includes data relating to a person’s race, sexuality, health, criminal record or affiliations (such as political persuasion or trade union membership).

Often, we think of personal data as data belonging to customers. But the definition does not only apply to customers; it extends to all individuals including employees. Should a record be kept by an employer of their employees’ performance, this will amount to personal data, as will any record of what is intended for them. As a general rule, and unless advised otherwise by a lawyer or other data protection professional, businesses should assume that any information relating to individuals may be considered personal data by the law, and treat it accordingly.


My company called me back from sick leave via email detailing my name, address, where I worked and the circumstances of my illness in an email which they then sent to the wrong address to some unknown individual. I received the paper copy post the date for the hearing. What is the law on this with respect to my personal data?

Based on your brief description of the circumstances, this sounds like a breach of data protection law and possibly also a breach of the right to privacy and/or the law of confidence. A complaint to the ICO would be on option, although having limited resources the ICO will not pursue every data protection breach.

Would the definition of personal data include "visiting card" information like official mail id, official phone number, address etc?

See the definition in the DPA: "'personal data' means data which relate to a living individual who can be identified - (a) from those data, or (b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller, and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual".

So, it depends.

Does the visiting card information allow the identification of the individual? 

Information can be personal data in one person's hands, but not another's.

Hi, are corporate email addresses considered to be personal data?  If so, what are the restrictions on sharing corporate email addresses of clients between companies in the same group?

In some circumstances a corporate email address (e.g. [email protected]) might be personal data, but not all corporate email addresses will be personal data. The restrictions on sharing will depend on a range of factors, including upon the disclosed purposes for which the email addresses were collected.

So, let's say an employee, Sally (who has never had an email address), was appointed and received a corporate email containing her name. Sally has been using this email for work as well as personal use (as I stated she had none prior). She was conspiring to take company accounts and information, and left the company to start a NEW company like ours. She is now a competitor. Now, don't get me wrong - everyone should be able to better themselves, that was the American dream of course - but stealing information, clients and employees by via our corporate email just plain sucks! What can I do if anything?

Assuming you are in the states, you should seek guidance or advice from a US lawyer - our expertise is in English law.

(If you were in the UK, you would probably be considering actions for breach of the employment contract, breach of confidence and/or some kind of IP right infringement.)

Does data already in the public domain still count as personal data.  For example a name and address on a corporate mailing list that is also available via the telephone directory or the electoral role?

The fact that personal data is in the public domain does not mean that it does not "count" as personal data.

Our Landlord is a large HA. We have requested by means of a SAR our personal data related to tests carried out on our water supply as we suspect negligence by them. They have stated that they will not give us this information as it is not personal data. I would have expected that our home address and flat number alone would suffice for the purposes of definition on data? Especially as this is a housing asociation where the employees know tenants by address alone. I am a former housing officer and know this to be true. Can you help/advise please?


If I send an email to my line manager about issues I'm having with my workload and my concerns that my issues are not being taken seriously, am I the 'subject' of the information or the 'data controller'? Can I CC other parties into this message if I wish without breaching data protection? Thanks.

In respect of your employer's obligations as data controller in relation to the email, you will be the "data subject". Depending upon the contents of the email, another person or persons (e.g. the line manager) could also be data subjects. Depending upon the circumstances, sending the email to others may breach your employer's data protection obligations. As you are not the data controller, however, you will not breach any of your own data protection obligations because you don't have any direct obligations.  (That is not to say there couldn't be other legal problems however - e.g. in the law of confidence or under your employment contract.)

Can a school issue class lists (lists of names of children) to all parents of children in that class, for information purposes only?

A family member gave my name and address to a prosleytising religious group who have now sent me some of their information. Did the family member breach data protection law by handing over my name and address to be used in this way, without my permission?

I recently vacated a business address on a small trading estate.

I notified all my main contacts not to send mail there. One customer however, made an error and sent 2 cheques to my old address.

When I contacted the business enterprise centre and spoke to the manager, I spoke to the person who had finalised the old lease with me, and it is the person who managed the row of business units. I asked for the new occupant's details so I could contact them, as it seemed more proper than just turning up there unannounced.

They gave me the new tenant's name, but refused tell me the email address, phone number or the name of the business, just the individual's name which would not be easy to find a number for.  They said it was 'because of data protection' - so  I asked if they would contact them direct about my mail and they said it wasn't their responsibility and just to go and ask them.

Short of hanging round the unit waiting for them to arrive, I am still unable to do much.

My question is: Is a business address protected by data protection and why would they want to withhold contact details for a small unit on a business estate from the previous tenant, when all I wanted to do was ask them if they had any mail for me.  Surely if I went there and looked at the sign outside, I would be able to look them up anyway.....  I am just curious as to why they were being so awkward and unhelpful towards me as we didn't leave on bad terms, my bond has been returned, and with no outstanding debts, damage, etc. so no issues over the tenancy, I'm at a loss to know why she was so unhelpful.

By the way, the units are all intended for small business enterprises and start-ups, and should not be occupied by private individuals.

The contact data may be personal data (as is the individual name!) but that doesn't mean the business centre have a legal obligation to withhold that information in these circumstances. Sch 2, para 6(1) of the DPA 1998 would in my view provide cover for the disclosure:

"The processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject."

However, they likely don't have any legal obligation to disclose either.


Are emails sent by an individual considered to form part of the personal data of that individual?  Ie, if a contact were made to a former employer, is it reasonable to consdier that all emails sent by that individual form part of that individuals personal data and hence would have to be supplied in response to a SAR?


Usually, the individual would be identifiable from the emails; and so, usually, they would constitute personal data.

Of course, the individual would usually have copies of his or her emails, and so wouldn't need to access them through a SAR!

Also, there are limits on SARs:


Thank you.  

If a vendor walks in to Company X wanting to provide services, say cleaning services to a building and asks who can I talk to about doing business with Company X, and the person, say a receptionist, gives a company-issued email address of the person who handles facilities, is that a breach in confidentiality or personal information breach?

Is this question coming from the perspective of the vendor or the person who handles facilities, or someone else?

A group of staff circulated a confidential bullying statement about me. The statement contained outrageous allegations including one in which I was said to have great admiration for the Nazis. My employer says there has been no breach of the Data Protection Act because it's not sensitive personal data. Would this be considered sensitive personal data?

It is possible to breach the DPA in respect of ordinary personal data, not just sensitive personal data, and it seems unlikely that the the substantial legal issues here turn upon the whether the data in question counts as sensitive for the purposes of the DPA.

Indeed, I would have thought that this is more likely to be a defamation issue than a data protection issue.

What remedy are you looking for here?


I work for a charitable organisation in the UK.  One of the services we provide is delivered in partnership with another third sector organisation.  To deliver our services to our clients effectively we need to signpost to other relevant support organisations.  With this in mind can I:

1) establish and maintain a stakeholder list including names and business phone numbers/email addresses

2) share this list with our partner organisation

Any advice you can provide would be much appreciated.

Kind regards


Hi Jon. To give some guidance here, I'd need to know: (i) how the list information is collected; (ii) what if any express consents are given; (iii) the purposes for which the list be shared with partner organisations; and (iv) the legal terms under which the list is provided to the partner organisations. TBH it's the sort of question that probably merits seeking proper advice.

Hi Alasdair

Thanks for the reply.  I appreciate that this might be more complex and may require specific legal advice. I guess what we'd like to do is have a pool of information which all our team can contribute to and share amongst themselves.  To answer your questions though:

i) information would be gathered through general professional networking (contact details being shared at meetings etc to enable mutual support of our client group.

ii) due to the information being gathered by networking, it would generally be offered by the person without any specific consent being obtained or requseted.

iii) the purpose of gathering the data and sharing with our partner would be to enable better support of our client group by pulling together a database of people working in related services

iv) as to the legal terms; I guess this is the bit that I'm struggling with.  An option I am considering is formalising the process so that we could ask people at networking events to volunteer their information and give consent for us to use it for the purposes noted above. I understand that this would satisfy the data protection legislation but it would make the process cumbersome (though I appreciate that this is perhaps necessary).

Any other thoughts/observations would be much appreciated.

Kind regards


From a legal perspective I think the key issue here is how Schedule 2 to the DPA applies.  At least one of the Schedule 2 criteria need to be satisfied for processing to be lawful. The most obviously relevant Schedule 2 criteria are:

1 - The data subject has given his consent to the processing.

6(1) - The processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject.



Although 6(1) looks like it might be the answer, it is to be narrowly construed, and most organisations are wary of relying upon this.

An written/explicit/informed consent procedure may however seem heavy-handed.

In part because of the vagueness of the data protection principles, there is rarely a clear line to be drawn between lawful and unlawful processing, and assessing risk at the margins is difficult. As previously flagged, I think this is a question on which you should seek proper advice.

NB The rules will likely change with the new data protection laws currently in process.

HI Alasdair

Thanks again for the feedback; the advice you've provided certainly helps clarify things for me.  I will take proper advice if we decide to develop the idea any further. 

Kind regards


My mother's care agency has sent me the rota for my mum and on it have included the rota for another client.

It is possible that they have sent the same rota to that client, on which he will have my mother's full name and the days and times of all visits (4 times every day, 2 carers).

As her surname is slightly unusual, and also gives its name to a local business, it could be very obvious who it is.  And also be obvious that her care needs are quite extensive.

Is this a breach?

This could amount to a breach of the Data Protection Act 1998, for example a breach of the 7th data protection principle, which provides that:

Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

For more information about this principle, see:


Such a disclosure could also amount to a breach of confidence. See:


If you are concerned about this, the first step would be to ask the care agency to investigate whether there has been an unauthorised disclosure of your mother's information.

If a global address book is used within a work place to send marketing material, is this a breach?  All addresses were blind copied (BCC) so no one who received the email could see who it was sent to.