CEntranet > How do I? > Data protection and security > Data protection guide

Data protection guide

  1. Data protection guide
  2. Principles and policy
  3. Sharing data
  4. Training and refresher guides

Overview

Everyone who is responsible for using data about people must follow strict rules called ‘data protection principles’. The Data Protection Act 2018 and General Data Protection Regulation apply to personal information in all formats, including electronic and paper based records. 

Personal data

Personal Data means any information that relates to an identified or identifiable living individual. What identifies an individual could be as simple as a name or a number or other identifiers such as an IP address or a cookie identifier. 

You have to be able to meet one of the following conditions before processing personal data:

  • Consent - do not use if individual doesn’t have a genuine choice
  • Fulfil contract - supply goods or services requested
  • Comply with legal obligation - statutory duty
  • Vital interests of data subject - life and death
  • Public task - official function of local authority
  • Legitimate interest - cannot be used by public authorities 

Special category personal data

Personal data giving details of the following about an individual are given additional protection by the law and should be carefully looked after by us with additional security.

  • racial or ethnic origin
  • political opinions
  • religious or philosophical beliefs
  • trade union membership
  • genetic data and biometric data for the purpose of uniquely identifying a person
  • data concerning health
  • data concerning a person’s sex life or sexual orientation
  • data concerning criminal convictions or offences committed

You have to be able to meet one of the following conditions before processing special category data:

  • Explicit consent – do not use if individual doesn’t have a genuine choice
  • Employment, social security or social protection law
  • Vital interests of data subject or another – life and death
  • Not-for-profit bodies – political, religious, trade unions etc
  • Made public by data subject – deliberately put in public domain
  • Legal claims – establish or defend legal claims, court order
  • Substantial public interest – safeguarding, child protection
  • Medicine, health or social care – management of health or social care systems
  • Public health – protection against cross-border threats to health (e.g. foot and mouth)
  • Research and statistics – archiving, scientific or historical research

Further advice and guidance

Contact 

Categories

 

Last reviewed: 01 July 2025
Page contact: Julie Gibbs