Skip to main content

Data protection glossary

Glossary of terminology used in the Data Protection Act


The Data Protection Act uses a number of official terms that you should be aware of.


Any freely given specific and informed indication of his or her wishes by means of an active step taken by the data subject which signifies his or her agreement to personal data relating to him or her being processed. Consent can be withdrawn after it has been given.

Where data is 'sensitive', express consent must be given for processing the data.

Data Controller

Person, company or organisation who determines the purpose and manner of the processing of personal data, in other words, the body responsible for the data (for example, the University of Bath).

Data processing

Obtaining, recording or holding (storing) information and carrying out any operation or set of operations upon it, including:

  • adaptation
  • alteration
  • retrieval
  • consultation
  • use
  • disclosure
  • transfer
  • erasure
  • destruction

Data subject

Any living individual who is the subject of personal data.

Data Subject Access Request

The right of an individual to inspect all personal data relating to him or her held by a data controller. The data controller must produce the requested information in an intelligible and, unless this is impracticable, permanent format.


A means of preventing anyone other than those who have a key from accessing data, be it in an email, on a PC or on a storage device. Contact Digital, Data and Technology for information.

Mobile devices

Where we refer to 'mobile devices', the definition is intended to be broad and includes memory sticks, mobile phones, tablets, PDAs, netbooks and laptops.

Personal data

Information relating to a named or otherwise identified individual. This includes any expressions of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.

Processing (data)

Covers almost anything, which is done with or to the data, including:

  • obtaining data
  • recording or entering data onto files
  • holding data, or keeping it on file without doing anything to it or with it
  • organising, altering or adapting data in any way
  • retrieving, consulting or otherwise using data
  • disclosing data either by giving it out, by sending it on email, or simply by making it available
  • combining data with other information
  • erasing or destroying data.


Under the Data Protection Act, a recipient is defined as any person to whom the data are disclosed, including any person to whom they are disclosed in the course of processing the data for a Data Controller (for example, an employee of the data controller, a data processor or employee of the data processor).

Sensitive personal data

Personal data containing information relating to the racial and ethnic origin, political opinions, religious beliefs, trade union membership, physical or mental health, sexual life or criminal history of a data subject.

Third party

The Data Protection Act defines a 'third party', in relation to personal data, as any person other than:

  • the data subject
  • the data controller
  • any data processor or other person authorised to process data for the data controller or processor
  • 'Third party' does not include employees or agents of the data controller or data processor.


If you have any questions, please contact us.

On this page