Privacy Terms Glossary

This handy guide will help you to know your DSRs from your DPIAs

Accountability Principle
Accountability is the 7th of the GDPR's Privacy Principles. Art.5.2 states that "Controllers [are] responsible for, and [must] be able to demonstrate compliance with, [the other six Privacy Principles]". This means that the leaders (directors, governors, heads, trustees etc.) are legally accountable - and, in some cases, criminally liable - for everything that happens to Personal Information in their organisation. (See also 'Controller' and 'Privacy Principles' below).

Adequate Countries
Countries to and from which Personal Information can be transferred without requiring additional safeguards, provided the underlying processing activities to be performed by the importer are lawful. The ICO maintains a list of 'adequate countries' and detailed guidance. See also: Transfer.

Breach
An event or situation in which Personal Information has been: (a) lost or stolen; (b) accessed by or disclosed to an unauthorised person or organisation; or (c) modified, damaged or destroyed accidentally, unlawfully or without authorisation. "Personal Data Breach" is the correct legal term. See also: Incident.

Conditions for Processing Special Categories of Data
To process Special Categories of Data, a Controller must first establish a Legal Basis (GDPR, Art.6) and then meet one of the Conditions set out in GDPR, Art.9.

Controller
A Controller is any organisation that collects and uses Personal Information for its own purposes. All organisations, whether they are in the public, private or not-for-profit sector, are Controllers because they all collect and use people's Personal Information for their own purposes, whether it's their employees, customers or other stakeholders. See also: Processor.

Data Protection
See also: Privacy. These terms have broadly the same meaning. "Data Protection" is the legal term used in the UK GDPR and Data Protection Act 2018, while "Privacy" is more widely used and generally better understood.

Data Protection Impact Assessment (DPIA)
A statutory form of risk assessment that must be performed on any processing of Personal Information that involves a potentially high risk to the Individual. The ICO has published a list of activities for which a DPIA is mandatory, as well as guidance on how to perform a DPIA. APIMS determines automatically whether a DPIA is mandatory, recommended (by the ICO) or not required and provides an online template.

Data Sharing
"Data Sharing" means sharing Personal Information of which you are a Controller with a third party to use for its own purposes, i.e. as an independent Controller. Sharing includes giving or receiving and may be done by any means (e.g. sending a copy of the information or granting access to it), either continuously, regularly or on a one-off basis. Typical examples include a school sharing information with the Local Authority for child protection purposes or a subsidiary sharing employee information with its parent company for management purposes. Data Sharing should not be confused with engaging a third party to process Personal Information on your behalf, i.e. as a Processor. Data Sharing is strictly "Controller to Controller". The ICO's Data Sharing Code of Practice should be followed to ensure that Data Sharing Agreements are put in place where required: https://ico.org.uk/for-organisations/guide-to-data-protection/ico-codes-of-practice/data-sharing-a-code-of-practice/data-sharing-covered-by-the-code/.

Data Subject
Same as: Individual. The person to whom Personal Information relates. Data Subject is the legal term used in the UK GDPR and Data Protection Act 2018, but the word "Individual" is increasingly used because "Data Subject" sounds legalistic and impersonal.

Data Subject Request (DSR)
A request by or on behalf of an Individual (Data Subject) to exercise one or more of their Data Subject Rights. Requests may be made verbally or in writing and must be responded to without delay and fulfilled within a month (subject to limited legal exceptions). The most common type is a Subject Access Request (SAR), or Data Subject Access Request (DSAR), and these terms are widely (if inaccurately) used to refer to all types of DSR.

Data Subject Rights
Same as: Individual Rights, Privacy Rights etc. Rights of the Individual in relation to their Personal Information that are guaranteed by law (e.g. the UK and EU GDPR). Controllers must notify Individuals of their rights and how to exercise them. The most widely used rights are: (a) a right of access (i.e. to receive copies of their Personal Information); (b) a right to correction of inaccurate information; (c) a right to object to certain types of processing, such as profiling or marketing; (d) a right to have certain Personal Information transferred to another provider, e.g. to another bank or insurance company ('right of portability'); and (e) a right (in certain circumstances) to have their information erased. NB, this is just a brief summary; full details of all the rights can be found in Articles 11-23 of the GDPR at https://www.legislation.gov.uk/eur/2016/679/contents. See also: Data Subject Request (DSR).

DPIA
See: Data Protection Impact Assessment.

Incident
An event or situation in which Personal Information/data may have been, or is suspected to have been: (a) lost or stolen; (b) accessed by or disclosed to an unauthorised person or organisation; or (c) modified, damaged or destroyed accidentally, unlawfully or without authorisation. See also: Breach.

Legal Basis
The processing of Personal Information is not permitted under UK or EU law unless a Legal Basis has been established. There are six Legal Bases, which are that: (a) processing is necessary for the Controller to comply with a specific legal obligation; (b) processing is necessary to enter into or perform a contract with the Individual; (c) processing is necessary for the Controller to pursue its "legitimate interests" (i.e. to run its business); (d) processing is necessary to protect someone's vital interests (this generally needs to be a 'life and death' situation); (e) processing is necessary for performance of a public duty (e.g. HMRC has a public duty to collect tax so must process certain Personal Information); or (f) the Individual has given specific, informed, freely-given and unambiguous consent and knows they can withdraw it easily at any time. If Special Categories of Data (Sensitive Personal Information) are involved, then in addition to a Legal Basis the Controller must also show that the processing meets one of the listed "Conditions". See: "Conditions for Processing Special Categories of Data".

Personal Information
Any information that relates to an identified or identifiable living person. A person may be identifiable, directly or indirectly, for example by: (a) an identifier such as a name, identification number, location data or online identifier; (b) photos, videos or biometrics (fingerprints etc.); or (c) bits of information that, when taken together, enable an individual to be identified ("jigsaw identification"). "Personal Data" is the legal term used in the GDPR and Data Protection Act, but "Personal Information" is more widely used and understood.

Privacy
Same as: Data Protection. These terms are generally used to describe: (a) the laws that govern the processing of Personal Information or Personal Data; (b) the governance of Personal Information processing by organisations; and (c) the activities regulated by the Information Commissioner's Office. "Data Protection" is the legal term used in the UK GDPR and Data Protection Act 2018. "Privacy" is more widely used and understood.

Privacy Principles
The following principles form the foundation of the GDPR (Article 5.1): (a) Lawfulness, fairness and transparency; (b) Purpose limitation; (c) Data minimisation; (d) Accuracy; (e) Storage limitation; (f) Integrity and confidentiality (i.e. security). Article 5.2 adds the seventh principle: Accountability. (See also 'Accountability Principle' above).

Privacy Risk
A general term used to describe: (a) risks to Individuals relating to their Personal Information or Individual Rights that may expose an Individual to physical, psychological, social, economic or professional harm; and (b) risks to organisations arising from their processing of Personal Information, including the risk of a Personal Data Breach and the risk of non-compliance, that may expose a Controller or Processor to reputational, professional, commercial or financial harm.

Processing
Any activity relating to Personal Information, including (but not limited to): collecting, creating, recording, storing, archiving, retrieving, accessing, consulting, using, aggregating, anonymising, pseudonymising, modifying, manipulating, printing, collating, copying, viewing, disclosing, sharing, distributing, publishing, broadcasting, posting, transmitting, transferring, moving, losing, stealing, damaging, shredding, overwriting, deleting and destroying. In short, anything that can be done to or with Personal Information constitutes "processing".

Processor
A Processor is any organisation (or, less commonly, a person) that processes Personal Information on behalf of a Controller. The most common examples are suppliers of IT services, including hosting, software, maintenance and support, but providers of services such as confidential waste disposal and decommissioning of computer equipment (ITAD) also 'process' Personal Information, so they are Processors too. See also: Controller.

Record of Processing Activities (ROPA)
A well-constructed Record of Processing Activities, or 'ROPA', that is accurate and kept up to date enables a Controller or Processor to see what Personal Information is flowing through its organisation; how it is collected and used; how and where it is stored and processed; how, why and with whom it is disclosed or shared; how long it is kept; and how it is disposed of. Only when it has all this information can a Controller or Processor identify the applicable legal obligations and associated risks. A ROPA is therefore essential for any organisation that processes Personal Information, however large or small - even if technically it may be exempt from the legal requirement in the GDPR, Art.30.

Sensitive Personal Data
See also: Sensitive Personal Information, Special Categories of Data. 'Sensitive Personal Data' (the term used in the Data Protection Act 2018) means all 'Special Categories of Data' plus information relating to criminal offences and convictions.

Sensitive Personal Information
See also: Sensitive Personal Data, Special Categories of Data. Sensitive Personal Information is a term increasingly defined and used internally by organisations that includes all "Sensitive Personal Data" plus any other types of Personal Information that present a high risk to the Individual and/or to the Controller or Processor, and therefore need higher levels of protection. These may include payment card details and any other information that could, if disclosed or used inappropriately, expose an Individual to the risk of significant physical, psychological, social, economic or professional harm.

Special Categories of Data
Same as: Special Category Data. See also: Sensitive Personal Information, Sensitive Personal Data. 'Special Categories of Data' (the term used in the GDPR) means any Personal Information relating to or revealing a person's: (a) racial or ethnic origin; (b) physical or mental health or condition; (c) sexual orientation; (d) religious or philosophical beliefs; (e) membership of a trade union; (f) political opinions; (g) genetic data; or (h) biometric data used for identification.

Transfer
A Transfer occurs where Personal Information is transmitted/transported to, or accessed from, a country outside the United Kingdom. With the exception of the EU/EEA and other "Adequate Countries", Transfers are unlawful unless strict legal requirements are met. These include performing a Transfer Risk Assessment and ensuring "adequate safeguards". While other options exist in law, in practice the only realistic option for smaller organisations is to sign an International Data Transfer Agreement (IDTA - use the ICO template).

Transfer Risk Assessment (TRA)
Same as: TRA, Transfer Impact Assessment, TIA. An assessment of the risks associated with a Transfer of Personal Information to a country outside the United Kingdom. TRAs are mandatory for all Transfers except those to countries in the EU/EEA or countries that provide adequate legal protection for Personal Information and individuals' fundamental rights and freedoms (so-called "Adequate Countries").