The Data Protection Act uses a number of official terms that you should be aware of.
Consent
Any freely given specific and informed indication of his or her wishes by means of an active step taken by the data subject which signifies his or her agreement to personal data relating to him or her being processed. Consent can be withdrawn after it has been given.
Where data is 'sensitive', express consent must be given for processing the data.
Data Controller
Person, company or organisation who determines the purpose and manner of the processing of personal data, in other words, the body responsible for the data (for example, the University of Bath).
Data processing
Obtaining, recording or holding (storing) information and carrying out any operation or set of operations upon it, including:
Data subject
Any living individual who is the subject of personal data.
Data Subject Access Request
The right of an individual to inspect all personal data relating to him or her held by a data controller. The data controller must produce the requested information in an intelligible and, unless this is impracticable, permanent format.
Encryption
A means of preventing anyone other than those who have a key from accessing data, whether in an email, on a PC or on a storage device. Contact Computing Services for information.
Mobile devices
Where we refer to 'mobile devices', the definition is intended to be broad and includes memory sticks, mobile phones, tablets, PDAs, netbooks and laptops.
Personal data
Information relating to a named or otherwise identified individual. This includes any expressions of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.
Processing (data)
Covers almost anything that is done with or to the data, including:
- obtaining data
- recording or entering data onto files
- holding data, or keeping it on file without doing anything to it or with it
- organising, altering or adapting data in any way
- retrieving, consulting or otherwise using data
- disclosing data either by giving it out, by sending it on email, or simply by making it available
- combining data with other information
- erasing or destroying data.
Recipient
Under the Data Protection Act, a recipient is defined as any person to whom the data are disclosed, including any person to whom they are disclosed in the course of processing the data for a Data Controller (for example, an employee of the data controller, a data processor or employee of the data processor).
Sensitive personal data
Personal data containing information relating to the racial and ethnic origin, political opinions, religious beliefs, trade union membership, physical or mental health, sexual life or criminal history of a data subject.
Third party
The Data Protection Act defines a 'third party', in relation to personal data, as any person other than:
- the data subject
- the data controller
- any data processor or other person authorised to process data for the data controller or processor
'Third party' does not include employees or agents of the data controller or data processor.