12.7 Annex A - Glossary of Data Protection Act Terms
Last updated 18/05/2017
- Data controller – a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed.
- Data processor – any person (other than an employee of the data controller) who processes the data on behalf of the data controller.
- Data Protection Act 1998 (DPA) – the main UK legislation which governs the handling and protection of information relating to living people.
- Data sharing – the disclosure of data from one or more organisations to a third party organisation or organisations, or the sharing of data between different parts of an organisation. It can take the form of systematic, routine data sharing, where the same data sets are shared between the same organisations for an established purpose, and of exceptional, one-off decisions to share data for any of a range of purposes.
- Data sharing agreements/protocols – set out the common set of rules to be adopted by the various organisations involved in a data sharing operation.
- Personal data – data which relate to a living individual who can be identified (a) from those data or (b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller, and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.
- Privacy impact assessment (PIA) – a comprehensive process for determining the privacy, confidentiality and security risks associated with the collection, use and disclosure of personal data.
- Processing of data – in relation to information or data, means obtaining, recording or holding the information or data or carrying out any operation or set of operations on the information or data, including:
(a) organisation, adaptation or alteration of the information or data,
(b) retrieval, consultation or use of the information or data,
(c) disclosure of the information or data by transmission, dissemination or otherwise making available, or
(d) alignment, combination, blocking, erasure or destruction of the information or data.
- Sensitive personal data – personal data consisting of information as to:
(a) the racial or ethnic origin of the data subject,
(b) his political opinions,
(c) his religious beliefs or other beliefs of a similar nature,
(d) whether he is a member of a trade union (within the meaning of the Trade Union and Labour Relations (Consolidation) Act 1992),
(e) his physical or mental health or condition,
(f) his sexual life,
(g) the commission or alleged commission by him of any offence, or
(h) any proceedings for any offence committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any court in such proceedings.
- Subject access request (SAR) – under the Data Protection Act, individuals can ask to see the information about themselves that is held on computer and in some paper records, by writing to the person or organisation they believe holds it. A subject access request must be made in writing (email is acceptable) and must be accompanied by the appropriate fee, usually up to a maximum of £10. Once the applicable fee has been paid, a reply must be received within 40 calendar days.
- Third sector – non-governmental, not-for-profit organisations such as charities, voluntary and community organisations and social enterprises.