Glossary of terms and phrases used in Data Protection Legislation
Data controller
A person who determines the purposes for which, and the manner in which, personal information is to be processed. This may be an individual or an organisation and the processing may be carried out jointly or in common with other persons. The University is a data controller.
Data processor
A person who processes personal information on a data controller's behalf, for example outsourcing the disposal of confidential waste to an external company. That company is a data processor.
Data subject
A living individual who can be identified from personal data.
Disclosing / Disclosure
Disclosing can take the form of paper documents, viewing of a screen, telling someone the content of records, playing audiotapes - anything that passes personal data to another person.
Enforcement notice
The Information Commissioner has the power to serve an enforcement notice if he is satisfied that a data controller has contravened or is contravening the data protection principles. The notice must set out the steps that the data controller must take to comply with the relevant requirements of the Act. The notice may be appealed to the Information Tribunal, which may confirm, amend or overturn it. However, in the absence of an appeal, if the data controller fails to comply with a notice, a criminal offence is committed.
Information Notice
An information notice is a written notice from the Information Commissioner to a data controller seeking information that the Commissioner needs to carry out his functions. Failure to comply with an information notice is an offence.
Limited right
Except (i) decisions and/or (ii) processing of your information from the requirements of the Act, taken by the data controller in the course taken:
- with your consent;
- where it is necessary to carry out a contract;
- where it is necessary to prepare, with your agreement, to enter a contract;
- where it is necessary to carry out any legal obligation that applies to the University except those relating to contracts;
- where it is necessary to protect your vital interests.
Notification / Registration
Notification is the process by which a data controller's processing details are added to a register. Under the Act every data controller who is processing personal information needs to notify unless they are exempt. Failure to notify is a criminal offence. Even if a data controller is exempt from notification, they must still comply with the data protection principles. The Information Commissioner maintains a public register of data controllers available at www.ico.gov.uk. A register entry only shows what a data controller has told the Information Commissioner about the type of data being processed. It does not name the people about whom information is held.
Personal data
Personal data means information about a living individual who can be identified from that information and other information which is in, or likely to come into, the data controller's possession.
- Dead persons are not regarded as data subjects [nor are companies or organisations];
- Individuals can be identified not only by name but by any sort of identification, such as National Insurance number, employee number or patient number;
- Data relating to a data subject by reference to his/her title would be regarded as personal data because it is possible to identify a particular individual from that designation;
Examples of personal data are:
- Name and address of an individual;
- CCTV footage of an individual who may be identifiable from that footage;
- An anonymous combination of data that give enough detail to potentially identify an individual e.g. information relating to a rare disability coupled with a post code; and
- Data in which a data subject is referred to by means of a code, where the data user has other information that identifies the individual by means of that code.
Processing / Processed
Processing means obtaining, recording or holding the data or carrying out any operation or set of operations on data. This includes collecting, recording, amending, augmenting, destroying, rearranging and extracting information by any means.
Sensitive Data
Sensitive data means data containing any of the following information:
- Racial or ethnic origin;
- Political opinions;
- Religious or other similar beliefs;
- Trade Union membership;
- Physical or mental health condition;
- Sexual life;
- The commission or alleged commission of an offence (and any related legal proceedings).
Financial information is not classified as sensitive data under the Act but should be afforded a similar level of security given the damage that could be caused to an individual if it were to be leaked.