Data Protection glossary

Anonymised information: where information which could be used to identify a single person is removed to protect individual privacy. This should include the removal of direct and indirect identifiers.

Back-up: reserve copies of data made and kept in case the original is lost.

Cloud computing: online or internet-based computing: where services and information are provided over the internet, without the need for certain hardware or software at the physical point of access.

Cookie: a text file created on a computer when its user first visits certain websites. It stores information the website uses during visits to it, e.g. to provide behavioural advertising.

Data: any record information (which may be structured or unstructured).

Data Controller: a person who, either alone or jointly in common with other persons, determines the purposes for which and the manner in which any personal data are, or are to be, processed. York University is the registered Data Controller, however, members of staff may also act as Data Controllers (individually or jointly with other staff).

Data Processor: any person (other than an employee of the data controller) who processes the Personal Data on behalf of the Data Controller (i.e. any third party who processes data on behalf of the University). Examples include organisations hosting, storing, analysing or disposing of personal data under our control.

Data Protection Act 1998 (DPA): the main UK legislation which governs the handling and protection of information relating to living people. The Act is designed to safeguard personal data and the rights of individuals to gain access to information held about them and challenge the accuracy of it. It establishes a framework of rights and duties that balances the legitimate needs of organisations to collect and use personal data for business and other purposes against the right of individuals to respect for the privacy of their personal details.

Data Protection Principles: eight principles specified in the Data Protection Act 1998 with which the data controller and all others who process or use personal information must comply.

Data Subject: the living individual to whom the data relates.

Direct Marketing: the communication (by whatever means) of any advertising or marketing material which is directed to particular individuals. Marketing includes not only the offer for sale of goods and services but also the promotion of an organisation's aims (e.g. a charity appeal for funds or political appeal for support). The Act gives individuals the right to prevent processing for the purpose of direct marketing, and to obtain a court order to this effect if the data controller fails to comply.  A data controller must inform data subjects if it intends to use their information for marketing purposes. An opt-out from their information being used for this purpose should be provided and honoured. The Privacy and Electronic Communication Regulations 2003 regulate in closer detail the use of electronic communications (e.g. email, SMS text) as a form of marketing.

Encryption: conversion of data into a code so it cannot be read without a key.

European Economic Area (EEA): includes the twenty five member states of the European Union (Austria, Belgium, Bulgaria, Cyprus, the Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta,  Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, United Kingdom) and three of the four states of the European Free Trade Association (Iceland, Norway, Liechtenstein).

Fair Processing Notice: see Privacy Notice.

Information Commissioner: is appointed by HM The Queen and has independent status, reporting directly to Parliament, with a range of responsibilities under the Freedom of Information Act 2000, the Data Protection Act 1998 and related laws. The functions of the Information Commissioner’s Office (ICO) include promoting good practice, ruling on complaints and taking regulatory action.

Information Commissioner’s Office (ICO): is the UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

Notification: is the process by which an organisation gives the Information Commissioner’s Office (ICO) details about their processing of personal information. Failure to notify is a criminal offence.

Personal Data: information which relates to a living individual, who can be identified from that information or from that information and other information which is in, or likely to come into, the data controller’s possession. It includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.

Privacy Impact Assessment (PIA): a process which enables organisations to anticipate and address the likely privacy implications of new initiatives to ensure data protection compliance. Systems can be designed to avoid unnecessary privacy intrusion, and features can be built in from the outset to reduce privacy intrusion. The PIA is an important risk management technique.

Privacy Notice: an oral or written statement that individuals are given when information about them is collected is called a “privacy notice”. It may also be referred to as a “fair processing notice” or use phrases such as “How we use your information”. Privacy notices state the purposes for which an organisation intends to process information and any other relevant information an individual should know about their data and the uses to which it will be put (disclosures etc.).

Processing:  in relation to information or data, means obtaining, recording or holding the information or data or carrying out any operation or set of operations on the information or data, including –

  • organising, storing, adapting or altering,
  • retrieving, consulting or using,
  • disclosing by transmission, dissemination or otherwise making available,
  • aligning, combining, blocking, erasing or destroying information or data.

There is little an organisation can do with data that will not be processing.

Processor: See Data Processor

Registration: all Data Controllers must register with the Information Commissioner’s Office (ICO). Their details are added to a public register along with information supplied by Notification showing the type of data being processed. See also: Notification.

Relevant Filing System: relates to manual systems and means any set of information relating to individuals to the extent that, although the information is not processed by means of equipment operating automatically in response to instructions given for that purpose, the set is structured, either by reference to individuals or by reference to criteria relating to individuals, in such a way that specific information relating to a particular individual is readily accessible.

Sensitive Personal Data: personal data consisting of information as to a Data Subject’s:

racial or ethnic origin political opinions religious beliefs membership of a Trade Union physical or mental health sexual life commission, or alleged commission, of any offence any proceedings for any offence committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any court in such proceedings.

Subject Access Request: Under the Data Protection Act, individuals can ask to see information about themselves that is held on computer and in some paper records by contacting the organisation that is processing the data. The request must be in writing and accompanied by the appropriate fee, the maximum is usually £10. Once the applicable fee has been paid, a reply must be received within 40 days.

Third Party: in relation to personal data, means any person other than –

  • the data subject,
  • the data controller, or
  • any data processor or other person authorised to process data for the data controller or processor.