Internal, open access

Data Protection Glossary

Many of the definitions in this glossary are based on the key definitions from the Office of the Information Commissioner and are shown in bold. The full definitions together with further information and useful examples can be found on the Key Definitions webpage of the Office of the Information Commissioner's website. Additional information and information specific to the University of Reading is given as non-bold text.

Collection texts

See Fair Processing Notice.

Consent forms

Consent forms are forms that are used to obtain the permission of the data subject for their personal data to be used for a particular purpose. A consent form can be used at the point of collection (as part of the collection text) or later, if the particular purpose was not explicitly mentioned when the data was collected. They are sometimes called permission forms.

Data controller

Data controller means a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed.

In the case of the University of Reading, the University is the data controller because it determines the purposes for which, and the manner in which, any personal data are processed or are going to be processed. This includes being responsible for destroying the data when no longer relevant. Individual members of staff or students, who process data on behalf of the University, are data users. Personal data should always be processed according to the Data Protection Principles.

Data processor

Data processor, in relation to personal data, means any person (other than an employee of the data controller) who processes the data on behalf of the data controller.

In the case of the University of Reading, a data processor is any person or organisation that processes data or disposes of confidential waste on behalf of the University.

Data Protection (DP) Principles

The Data Protection Act (1998) sets out eight Data Protection Principles. In summary these state that personal data shall:

  • be obtained and processed fairly and lawfully and shall not be processed unless certain conditions are met;
  • be obtained for a specified and lawful purpose and shall not be processed in any manner incompatible with that purpose;
  • be adequate, relevant and not excessive for those purposes;
  • be accurate and kept up to date;
  • not be kept for longer than is necessary for that purpose;
  • be processed in accordance with the data subject's rights;
  • be kept safe from unauthorised access, accidental loss or destruction;
  • not be transferred to a country outside the European Economic Area, unless that country has adequate levels of protection for personal data.

Further details are given on the website of the Office of the Information Commissioner.

Data subject

Data subject means an individual who is the subject of personal data.

In other words, the data subject is the individual whom particular personal data is about. The Act does not count as a data subject an individual who has died or who cannot be identified or distinguished from others.

Data Subject Access Request

See Subject Access Request.

European Economic Area (EEA)

The European Economic Area (EEA) consists of all the countries of the European Economic Union (EU) and Iceland, Liechtenstein and Norway. Further details about the EEA and the EU can be found at the Europa website.

Fair Processing Notice (FPN)

Fair processing notices are the "small print" that appear on forms, which are sometimes called privacy statements or collection texts. They are used to inform the person from whom personal data are being collected, the data subject, how their data will be processed.

Guidance from the Office of the Information Commissioner on writing fair processing notices is given in Privacy Notices Code of Practice.

Notification

Notification is the process by which a data controller's processing details are added to a register. Under the Data Protection Act every data controller who is processing personal data needs to notify unless they are exempt. Failure to notify is a criminal offence. Even if a data controller is exempt from notification, they must still comply with the data protection principles. The Office of the Information Commissioner maintains a public register of data controllers. A register entry only shows what a data controller has told the Commissioner about the type of data being processed. It does not name the people about whom information is held.

Annually, the University will notify the Office of the Information Commissioner that personal data are being processed and give the classes of personal data that are processed by the University, the types of people whose personal data can be processed and the purposes for which the data are processed. Details of the University's notification may be viewed on the Office of the Information Commissioner's Data Protection Register. (Note: if this link does not take you directly to the University's registration you can use the search form for the Register instead. You just need to enter the University's Registration Number, which is Z5668803.)

Permission forms

See Consent forms.

Personal data

Personal data means data which relate to a living individual who can be identified -

(a) from those data, or

(b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller,

and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.

Within the University, personal data, sometimes also called personal information, is any information about a living individual that can be used, either on its own or in conjunction with other information held by the University or other information likely to come into the possession of the University, to identify that person. It includes any expression of opinion about an individual and any indication of the intentions of the University in respect of the individual. It includes information stored in any medium: paper and electronic, text, image, audio and visual.

Privacy statements

See Fair Processing Notice.

Processing

Processing, in relation to information or data, means obtaining, recording or holding the information or data or carrying out any operation or set of operations on the information or data, including -

(a) organisation, adaptation or alteration of the information or data,

(b) retrieval, consultation or use of the information or data,

(c) disclosure of the information or data by transmission, dissemination or otherwise making available, or

(d) alignment, combination, blocking, erasure or destruction of the information or data.

Processing of personal information includes collecting, using, storing, destroying and disclosing information.

The definition of processing is very wide and it is difficult to think of anything an organisation might do with data that will not be processing.

Recipient

Recipient, in relation to personal data, means any person to whom the data are disclosed, including any person (such as an employee or agent of the data controller, a data processor or an employee or agent of a data processor) to whom they are disclosed in the course of processing the data for the data controller, but does not include any person to whom disclosure is or may be made as a result of, or with a view to, a particular inquiry by or on behalf of that person made in the exercise of any power conferred by law.

Section 29 or s.29 DPA

Section 29 or s.29 is an exemption in the Data Protection Act (DPA) that allows an organisation to give out personal data where the disclosure is for one of the "crime and taxation purposes", as follows:

  • The prevention or detection of crime
  • The apprehension or prosecution of offenders or
  • The assessment or collection of any tax or duty or of any
    imposition of a similar nature

and complying with the normal provisions of the DPA would be likely to prejudice one of these purposes.

Its full text in the DPA can be found in Section 29 of the DP Act1998.

Sensitive Personal Data

Sensitive personal data means personal data consisting of information as to -

(a) the racial or ethnic origin of the data subject,

(b) his political opinions,

(c ) his religious beliefs or other beliefs of a similar nature,

(d) whether he is a member of a trade union (within the meaning of the Trade Union and Labour Relations (Consolidation) Act 1992),

(e) his physical or mental health or condition,

(f) his sexual life,

(g) the commission or alleged commission by him of any offence, or

(h) any proceedings for any offence committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any court in such proceedings.

Subject access request

Under the Data Protection Act, individuals can ask to see the information about themselves that is held on computer and in some paper records. If an individual wants to exercise this subject access right, they should write to the person or organisation that they believe is processing the data.

A subject access request must be made in writing and must be accompanied by the appropriate fee. In most cases, the maximum fee will be £10, but this can vary, particularly if the information requested is for health or educational records. If a subject access request is made to a credit reference agency, then the fee is £2, and the information must be provided within seven working days. A request must include enough information to enable the person or organisation to whom the subject is writing to satisfy itself as to their identity and to find the information.

A reply must be received within 40 days as long as the necessary fee has been paid. A data controller should act promptly in requesting the fee or any further information necessary to fulfil the request. If a data controller is not processing personal information of which this individual is the data subject, the data controller must reply saying so.

In the case of the University, a subject access request (SAR) should be made to the Data Protection Officer, via the IMPS office. A SAR must be made in writing using the appropriate form; you can download the Subject Access Request form as either a Word document (66KB) or a PDF (85KB). Alternatively you can get hard copies from the IMPS office. When submitting the form it should be accompanied by the appropriate fee of £10.

Payment can be made:

- by cheque. Please make cheques payable to 'University of Reading'.

- online by using the Information Compliance Fees System. (As part of this online process you have to register with us; you will need to create a password and enter certain details, such as your address.)

Third party

Third party, in relation to personal data, means any person other than -

(a) the data subject,

(b) the data controller, or

(c) any data processor or other person authorised to process data for the data controller or processor.

The expression third party does not include employees or agents of the data controller or data processor, who are treated as being part of the data controller or processor. Note that "third party" is different from "recipient", which effectively separates employees/agents of the data controller/processor from the data controller/processor itself.

Page navigation

 

Search Form

A-Z lists