Data Protection

Data Protection glossary

The Data Protection Act uses a number of official terms that you should be aware of.

Consent
Any freely given specific and informed indication of his or her wishes by which the data subject signifies his or her agreement to personal data relating to him or her being processed. Consent can be withdrawn after it has been given.
Where data is ‘sensitive’, express consent must be given for processing this data.
Data Controller
Person, company or organisation who determines the purpose and manner of the processing of personal data, in other words, the body responsible for the data (for example, the University of Bath).
Data processing
Obtaining, recording or holding (storing) information and carrying out any operation or set of operations upon it, including:

  • adaptation
  • alteration
  • retrieval
  • consultation
  • use
  • disclosure
  • transfer
  • erasure
  • destruction.
Data Subject
Any living individual who is the subject of personal data.
Data Subject Access Request
The right of an individual to inspect all personal data relating to him or her held by a data controller. The data controller must produce the requested information in an intelligible and, unless this is impracticable, permanent format.
Encryption
A means of preventing anyone other than those who have a key from accessing data, be it in an email, on a PC or on a storage device. Contact Computing Services for information.
Mobile devices
Where we refer to ‘mobile devices’, the definition is intended to be broad and includes memory sticks, mobile phones, tablets, PDAs, netbooks and laptops.
Personal data
Information relating to a named or otherwise identifiable individual. This includes any expressions of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.
Processing (data)
Covers almost anything that is done with or to the data, including:

  • obtaining data
  • recording or entering data onto the files
  • holding data, or keeping it on file without doing anything to it or with it
  • organising, altering or adapting data in any way
  • retrieving, consulting or otherwise using the data
  • disclosing data either by giving it out, by sending it by email, or simply by making it available
  • combining data with other information
  • erasing or destroying data.
Recipient
Under the Data Protection Act, a recipient is defined as any person to whom the data are disclosed, including any person to whom they are disclosed in the course of processing the data for the Data Controller (for example, an employee of the data controller, a data processor or employee of the data processor).
Sensitive personal data
Personal data containing information relating to the racial or ethnic origin, political opinions, religious beliefs, trade union membership, physical or mental health, sexual life or criminal history of a data subject.
Third party
The Data Protection Act defines a ‘third party’, in relation to personal data, as any person other than:

  • the data subject
  • the data controller
  • any data processor or other person authorised to process data for the data controller or processor

‘Third party’ does not include employees or agents of the data controller or data processor.