Data Protection Glossary
Many of the definitions in this glossary are based on the key definitions from the Office of the Information Commissioner and are shown in bold. The full definitions together with further information and useful examples can be found on the key definitions webpage of the Office of the Information Commissioner's website. Additional information and information specific to the University of Reading is given as non-bold text.
The University is a Public Body as defined within data protection laws. The University have core ‘public tasks’ to deliver teaching and research. These are tasks that we are necessarily required to undertake and that should not be reliant on the ‘consent’ of individuals that are involved in those activities (we need to do them regardless). For this reason, ‘with consent’ should not be the basis for most of our University activities and, in many cases, will be inappropriate.
The University also processes data for the performance of contracts (including staff and student contracts), which is another legal basis for data processing within data protection law. The majority of employee and teaching administration uses this basis - it is not based on consent.
For consent to be valid it needs to be ‘freely given’. In simple terms, there must be no undue detriment or disadvantage to an individual if they do not consent.
The ‘balance of power’ between the University and its staff and students means that consent is unlikely to be an appropriate basis to rely on in most cases. If the activity involving personal data is one the University must necessarily do in the course of employment and teaching, a basis other than consent is very likely to apply, and we should not be alluding to ‘consent’.
Consent also needs to be able to be withdrawn, without detriment, and easily. If deletion of personal data would be detrimental to the core tasks and functions of the University, consent is not likely to be the appropriate basis for the activity.
There are some limited activities where consent may be appropriate, for example, where a student provides us with permission to speak about their matters with a nominated parent or contact, or where an individual is providing their email to subscribe to an entirely voluntary newsletter or marketing list.
If you are unsure if consent is appropriate, please contact IMPS.
More information on the considerations for consent in a research context can be found in our guidance for researchers.
Data controller means a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed.
In the case of the University of Reading, the University is the data controller because it determines the purposes for which, and the manner in which, any personal data are processed or are going to be processed. This includes being responsible for destroying the data when no longer relevant. Individual members of staff or students, who process data on behalf of the University, are data users. Personal data should always be processed according to the Data Protection Principles.
Data processor, in relation to personal data, means any person (other than an employee of the data controller) who processes the data on behalf of the data controller.
In the case of the University of Reading, a data processor is any person or organisation that processes data or disposes of confidential waste on behalf of the University.
This very often extends to suppliers of software and services that the University (the Data Controller) use.
We are required by law to have certain mandatory terms within our contracts or agreements with these suppliers to govern the responsibilities for data security.
We are also required to perform necessary due diligence on these suppliers to ensure they can protect the data they are processing for us.
The General Data Protection Regulation (GDPR) 2016, sets out the Data Protection Principles. In summary these state that personal data should be:
- processed lawfully, fairly and in a transparent manner,
- collected for specified, explicit and legitimate purposes,
- adequate, relevant and limited to what is necessary,
- accurate and where necessary kept up to date,
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which those data are processed, and
- processed in a manner that ensures appropriate security of the personal data.
- Accountability is central to GDPR. Data controllers are responsible for compliance with the principles and must be able to demonstrate this to data subjects and the regulator.
Further details are given on the website of the Office of the Information Commissioner.
Data subject means an individual who is the subject of personal data.
In other words, the data subject is the individual whom particular personal data is about. The Act does not count as a data subject an individual who has died or who cannot be identified or distinguished from others.
Data Subject Access Request
Fair processing notices are the "small print" that appear on forms, which are sometimes called privacy statements or collection texts. They are used to inform the person from whom personal data are being collected, the data subject, how their data will be processed.
Guidance from the Office of the Information Commissioner on writing fair processing notices is given here.
See Consent forms.
Personal data means any information relating to an identifiable person ('data subject') who can be directly or indirectly identified in particular by reference to an identifier.
This definition provides for a wide range of personal identifiers to constitute personal data, including name, identification number, location data or online identifiers. Personal data can include any of the below:
Data of Birth
Postal Address(es) (to include postcodes)
Unique Identifiers (to include: Student ID numbers, Staff ID numbers, Passport numbers, NHS numbers, National Insurance numbers, ORCID’s, unique research participant ID numbers, Unique applicant ID numbers, vehicle registration, driving licence numbers)
Images of individuals, including CCTV, photos
Location Data (to include any GPS tracking data)
Online Identifiers (to include IP address data)
Economic/financial data (relating to an identifiable individual)
Educational records including but not limited to records held by the University and other education providers
Pastoral records, including Extenuating Circumstances Forms
Employment records to include CV’s, references
Mental Health (status, medical records conditions, to include disability)
Physical Health (status, medical records conditions, to include disability)
Sexual Orientation/Sexual life
Genetic Data (to include DNA data)
Biometric data (such as facial image or fingerprint data)
Trade Union membership
Religious or philosophical beliefs
Criminal Convictions and offences (to include alleged offences and convictions)
The GDPR applies to both automated personal data and to manual filing systems where personal data are accessible according to specific criteria. This could include chronologically ordered sets of manual records containing personal data.
Personal data that has been pseudonymised – eg key-coded – can also fall within the scope of the definition of personal data.
'Processing' means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
Recipient, in relation to personal data, means any person to whom the data are disclosed, including any person (such as an employee or agent of the data controller, a data processor or an employee or agent of a data processor) to whom they are disclosed in the course of processing the data for the data controller, but does not include any person to whom disclosure is or may be made as a result of, or with a view to, a particular inquiry by or on behalf of that person made in the exercise of any power conferred by law.
Crime Prevention Exemptions
These are exemptions in the Data Protection Act (2018) that allows an organisation to give out personal data where the disclosure is for one of the "crime and taxation purposes", as follows:
- The prevention or detection of crime
- The apprehension or prosecution of offenders or
- The assessment or collection of any tax or duty or of any
imposition of a similar nature
and complying with the normal provisions of Data Protection Law would be likely to prejudice one of these purposes.
Sensitive personal data (or 'Special Category' data under the GDPR) means personal data consisting of information as to the Data Subject's -
(a) racial or ethnic origin,
(b) political opinions,
(c ) religious beliefs or philosophical beliefs,
(d) a member of a trade union (within the meaning of the Trade Union and Labour Relations (Consolidation) Act 1992),
(e) genetic data,
(f) biometric data,
(g) data concerning health,
(h) sex life or sexual orientation,
Sensitive Personal data can include any of the below:
*Mental Health (status, medical records conditions, to include disability)
*Physical Health (status, medical records conditions, to include disability)
*Sexual Orientation/Sexual life
*Genetic Data (to include DNA data)
*Biometric data (such as facial image or fingerprint data)
*Trade Union membership
*Religious or philosophical beliefs
"Subject access" is the right of an individual to access personal data relating to him or her which are held by the University.
Your request will be processed by a very limited number of staff within the IMPS team, under the supervision of the University IMPS (Data Protection) Officer, who will be required to view all the data you request, including personnel, financial and occupational health records. By submitting a Subject Access Request you are accepting that the IMPS team will need to request and view the data about you in order to assess what can be disclosed. Information of third parties, including staff in some circumstances may be withheld. All data will be handled securely and in the strictest confidence.
The IMPS Office has a duty to establish the identity of the requester. The identification required is usually one document that includes photo identification and a signature, such as a photo driving licence or a passport, plus a current utility bill or bank statement showing your name and address. Requests from internal members of staff may not require this and you will be advised on making your request if this is the case.
The IMPS Office will then coordinate the gathering together of the appropriate information. The University will comply with SARs as quickly as possible but will ensure that a response is provided within 1 calendar month from receipt of identification unless there is good reason for delay. Data protection laws allow for an extension of up to 2 months for responding to very complex requests. If you are able to describe the data you seek clearly this is less likely. We may also refuse requests that are deemed manifestly unfounded or excessive and reserve the right to charge a fee. In such cases the reason for refusal, delay, or any fees payable will be explained in writing.
In the case of the University, a subject access request (SAR) should be made to the Data Protection Officer, via the IMPS office. A SAR must be made in writing using the appropriate form; you can download the Subject Access Request form as a Word document (1MB) or alternatively you can get hard copies from the IMPS office.
If you require information about examination results please contact the Examinations Office. Examination scripts are exempt from Subject Access rights.
Third party, in relation to personal data, means any person other than -
(a) the data subject,
(b) the data controller, or
(c) any data processor or other person authorised to process data for the data controller or processor.
The expression third party does not include employees or agents of the data controller or data processor, who are treated as being part of the data controller or processor. Note that "third party" is different from "recipient", which effectively separates employees/agents of the data controller/processor from the data controller/processor itself.
- Telephone: +44 (0) 118 378 8981
Find out if you need to do a DPIA here: