Internal, open access

Data Protection Glossary

Definitions that are given in bold text are taken directly from the Office of the Information Commissioner's glossary. Additional information and information specific to the University of Reading is given in non-bold text.

Collection texts

See Fair Processing Notice.

Consent forms

Consent forms are forms that are used to obtain the permission of the data subject for their personal information to be used for a particular purpose. A consent form can be used at the point of collection (as part of the collection text) or later, if the particular purpose was not explicitly mentioned when the information was collected. They are sometimes called permission forms.

Data controller

A person who determines the purposes for which, and the manner in which, personal information is to be processed. This may be an individual or an organisation and the processing may be carried out jointly or in common with other persons.

In the case of the University of Reading, the University is the data controller because it determines the purposes for which, and the manner in which, any personal information is processed or is going to be processed. This includes being responsible for destroying the information when it is no longer relevant. Individual members of staff or students, who process data on behalf of the University, are data users. Personal information should always be processed according to the Data Protection Principles.

Data processor

A person who processes personal information on a data controller's behalf. Anyone responsible for the disposal of confidential waste is also included under this definition.

In the case of the University of Reading, a data processor is any person or organisation that processes data or disposes of confidential waste on behalf of the University.

Data Protection (DP) Principles

The Data Protection Act (1998) sets out eight Data Protection Principles. In summary these state that personal information shall:

  • be obtained and processed fairly and lawfully and shall not be processed unless certain conditions are met;
  • be obtained for a specified and lawful purpose and shall not be processed in any manner incompatible with that purpose;
  • be adequate, relevant and not excessive for those purposes;
  • be accurate and kept up to date;
  • not be kept for longer than is necessary for that purpose;
  • be processed in accordance with the data subject's rights;
  • be kept safe from unauthorised access, accidental loss or destruction;
  • not be transferred to a country outside the European Economic Area, unless that country has adequate levels of protection for personal data.

Further details are given by the Office of the Information Commissioner and the Ministry of Justice.

Data subject

This is the living individual who is the subject of the personal information (data).

Data Subject Access Request

See Subject Access Request.

European Economic Area (EEA)

The European Economic Area (EEA) consists of all the countries of the European Economic Union (EU) and Iceland, Liechtenstein and Norway. Further details about the EEA and the EU can be found at the Europa website.

Fair Processing Notice (FPN)

Fair processing notices are the "small print" that appear on forms, which are sometimes called privacy statements or collection texts. They are used to inform the person from whom personal data is being collected, the data subject, how their data will be processed.

Guidance from the Office of the Information Commissioner on writing fair processing notices is given in Privacy Notices Code of Practice.

Notification

Notification is the process by which a data controller's processing details are added to a register. Under the Data Protection Act every data controller who is processing personal information needs to notify unless they are exempt. Failure to notify is a criminal offence. Even if a data controller is exempt from notification, they must still comply with the data protection principles. The Office of the Information Commissioner maintains a public register of data controllers. A register entry only shows what a data controller has told the Commissioner about the type of data being processed. It does not name the people about whom information is held.

Annually, the University will notify the Office of the Information Commissioner that personal data is being processed and give the classes of personal data that are processed by the University, the types of people whose personal data can be processed and the purposes for which the data is processed. Details of the University's notification may be viewed on the Office of the Information Commissioner's Data Protection Register.

Permission forms

See Consent forms.

Personal data

Personal data means information about a living individual who can be identified from that information and other information which is in, or likely to come into, the data controller's possession.

Within the University, personal data, sometimes also called personal information, is any information about a living individual that can be used, either on its own or in conjunction with other information held by the University or other information likely to come into the possession of the University, to identify that person. It includes any expression of opinion about an individual and any indication of the intentions of the University in respect of the individual. It includes information stored in any medium: paper and electronic, text, image, audio and visual.

Privacy statements

See Fair Processing Notice.

Processing

Processing means obtaining, recording or holding the data or carrying out any operation or set of operations on data.

Processing of personal information includes collecting, using, storing, destroying and disclosing information.

Recipient

Recipient, in relation to personal data, means any person to whom data is disclosed, including any person (such as an employee or agent of the data controller, a data processor or an employee or agent of the data processor) to whom it is disclosed in the course of processing the data for the data controller. It does not include any person to whom disclosure is or may be made as a result of, or with a view to, a particular inquiry by or on behalf of that person made in the exercise of any power conferred by law.

Section 29 or s.29 DPA

Section 29 or s.29 is an exemption in the Data Protection Act (DPA) that allows an organisation to give out personal information where the disclosure is for one of the "crime and taxation purposes", as follows:

  • The prevention or detection of crime
  • The apprehension or prosecution of offenders or
  • The assessment or collection of any tax or duty or of any imposition of a similar nature

and complying with the normal provisions of the DPA would be likely to prejudice one of these purposes.

Its full text can be found in Section 29 of the DP Act 1998.

Sensitive Personal Data

Sensitive personal data includes:

  • the racial or ethnic origin of the data subject
  • their political opinions
  • their religious beliefs (or beliefs of a similar nature)
  • whether they are a member of a Trade Union
  • their physical or mental health or condition
  • their sexual life
  • the commission or alleged commission of any offence
  • any proceedings for any offence committed or alleged to have been committed

Subject access request

Under the Data Protection Act, individuals can ask to see the information about themselves that is held on computer and in some paper records. If an individual wants to exercise this subject access right, they should write to the person or organisation that they believe is processing the data.

A subject access request must be made in writing and must be accompanied by the appropriate fee. In most cases, the maximum fee will be £10, but this can vary, particularly if the information requested is for health or educational records. If a subject access request is made to a credit reference agency, then the fee is £2, and the information must be provided within seven working days. A request must include enough information to enable the person or organisation to whom the subject is writing to satisfy itself as to their identity and to find the information.

A reply must be received within 40 days as long as the necessary fee has been paid. A data controller should act promptly in requesting the fee or any further information necessary to fulfil the request. If a data controller is not processing personal information of which this individual is the data subject, the data controller must reply saying so.

In the case of the University, a data subject access request (DSAR) should be made to the Data Protection Officer, via the IMPS office. A DSAR must be made in writing using the appropriate form; you can download the Data Subject Access Request form as either a Word document (65KB) or a PDF (71KB). Alternatively you can get hard copies from the IMPS office. When submitting the form it should be accompanied by the appropriate fee of £10.

Third party

Third party, in relation to personal data, means any person other than:

  • the data subject
  • the University (the data controller)
  • any data processor or other person authorised to process data for the University or processor

The expression third party does not include employees or agents of the data controller or data processor, who are treated as being part of the data controller or processor. Note that "third party" is different from "recipient", which effectively separates employees/agents of the data controller/processor from the data controller/processor itself.
