A glossary of data protection terms as referenced for policies and procedures including, but not limited to:
– Data Protection Policy
– Information Security Policy
– Email Procedures regarding Data Protection
– Information Classification Table
– Bring Your Own Device (BYOD) Policy
– Data Breach Reporting Procedure
– Procedure for Responding to a DSAR
Newman University Data Protection Glossary
Anonymisation – The process of rendering data into a form which does not identify individuals and where identification is not likely to take place.
Consent – Any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data.
Data Breach – A data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, data. Breaches may be the result of accidental or deliberate causes. A data breach is not limited to personal data.
Data Controller – The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
Data Processor – A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
Data Protection Act 2018 (DPA 2018) – A UK law which complements the UK GDPR. The DPA 2018 mostly refers you back to the UK-GDPR but includes UK specific details for a few things including how to process criminal conviction data, how the intelligence services are allowed to process people’s personal data and how young someone can consent to an ‘information society service’ (most often a social media site) processing their personal data.
Data Protection Impact Assessment (DPIA) – A method of identifying and addressing privacy risks in compliance with data protection laws.
Data Protection Officer (DPO) – A role within the University responsible for enabling compliance with data protection legislation and playing a key role in fostering a data protection culture within the University and helps implement essential elements of data protection legislation, such as:
- The principles of data processing
- Data subjects rights
- Data protection by design and by default
- Records of processing activities
- Security of processing
- Notification and communication of data breaches.
Data Sharing Agreement – A legal contract outlining the information that parties agree to share and the terms under which the sharing will take place.
Data Subject – any living individual who is the subject of personal data held by an organisation.
Employee – A full-time or part-time, permanent or temporary, paid officer of the University, whether directly or indirectly engaged.
Establishment – the main establishment of the controller in the EU will be the place in which the controller makes the main decisions as to the purpose and means of its data processing activities. The main establishment of a processor in the EU will be its administrative centre. If a controller is based outside the EU, it will have to appoint a representative in the jurisdiction in which the controller operates to act on behalf of the controller and deal with supervisory authorities.
Filing system – any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis.
General Data Protection Regulation (GDPR) – The Regulation (EU) 2016/679 (General Data Protection Regulation), enforceable as of 25 May 2018 across the whole of the EU. As defined in Article 2 of the GDPR the material scope encompasses the processing of personal data wholly or partly by automated means (i.e. by computer) and to the processing other than by automated means of personal data (i.e. paper records) that form part of a filing system or are intended to form part of a filing system. As defined by Article 3 of the GDPR, the territorial scope encompasses all controllers that are established in the EU (European Union) who process the personal data of data subjects, in the context of that establishment. It also applies to controllers outside of the EU that process personal data in order to offer goods and services, or monitor the behaviour of data subjects who are resident in the EU. The GDPR provides the rules for most data protection situations and tell EU member states to make their own choices about some specific things. Since the UK has left the EU, the UK has its own version of the GDPR. This is called the UK-GDPR. In most respects it is the same as the GDPR but it is complemented by the Data Protection Act 2018 (DPA 2018) which provides UK specific details. See DPA 2018 in this Glossary.
Highly Restricted – A classification of information which if disclosed to unauthorised recipients would be likely to result in serious damage to the rights and interests of individuals or of the interests of the University.
Information Owner – A member of staff that has responsibility for a set of information.
Newman University – The legal entity that is Newman University
Personal data – Any information relating to an identified or identifiable natural person. A natural person is a human being who is alive. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. The data protection term for the person who the information is about is a ‘data subject’.
Privacy and Electronic Communications Regulations – They give people specific privacy rights in relation to electronic communications.
There are specific rules on:
- marketing calls, emails, texts and faxes;
- cookies (and similar technologies);
- keeping communications services secure; and
customer privacy as regards traffic and location data, itemised billing, and directory listings
Processing – Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Profiling – Any form of automated processing of personal data intended to evaluate certain personal aspects relating to a natural person, or to analyse or predict that person’s performance at work, economic situation, location, health, personal preferences, reliability, or behaviour. This definition is linked to the right of the data subject to object to profiling and a right to be informed about the existence of profiling, of measures based on profiling and the envisaged effects of profiling on the individual.
Pseudonymisation – The processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
Publication Scheme – A scheme relating to the publication of information in accordance with the Freedom of Information Act 2000, and a commitment to making certain classes of information routinely available, such as policies, minutes of meetings and annual reports.
Request for Information – A request for information made to a public authority, in accordance with section 1(1) of the FOI Act 2000 and/or Regulation 5 of the Environmental Information Regulations 2004.
Restricted – A classification of information which if disclosed to unauthorised recipients could have a negative impact on the rights and interests of individuals or the interests of the University.
Special categories of personal data – Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, and genetic data, biometric data processed for the purpose of uniquely identifying a natural person, or data concerning health, a natural person’s sex life or sexual orientation. Personal data relating to criminal convictions and offences are not included, but similar extra safeguards apply to their processing.
Third party – A natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.
UK-GDPR – UK General Data Protection Regulation. Since the UK has left the EU, the UK has its own version of the GDPR. This is called the UK-GDPR. In most respects it is the same as the GDPR but it is complemented by the Data Protection Act 2018 (DPA 2018) which provides UK specific details. Just like the GDPR, the UK-GDPR encompasses the processing of personal data wholly or partly by automated means (i.e. by computer) and to the processing other than by automated means of personal data (i.e. paper records) that form part of a filing system or are intended to form part of a filing system.