Data protection policy - Annex A
Published: 09 March 2023
Freedom of information class: How we manage our resources
Definitions of key terms for RoS' data protection policy.
Anonymisation
The process of turning data into a form which does not identify individuals and where identification is not likely to take place. This allows for a much wider use of the information.
Criminal conviction data
Personal data relating to an individual’s criminal convictions, or the alleged prosecution of offences, is covered by additional safeguards and cannot be processed unless under official authority or where authorised by law.
Data controller
An organisation processing personal data, and which determines the purposes and means of processing that personal data.
Data processor
An organisation processing personal data on behalf of a data controller, acting on their instruction.
Data Protection Impact Assessment (DPIA)
Also known as privacy impact assessments. A form of risk assessment that can help identify privacy risk at an early stage in the change cycle to allow that risk to be controlled appropriately.
Data Protection Officer
The Data Protection Officer (DPO) is a role required for certain organisations under the GDPR. DPOs are responsible for overseeing data protection strategy and implementation to ensure compliance with data protection legislation.
Data subject
The ‘natural person’ to whom the personal data relates and who is identifiable from that data.
Data subjects’ rights
Data protection legislation sets out the following rights for data subjects:
- to be informed
- to access personal data
- to rectification of inaccurate personal data
- to erasure of personal data
- to restrict processing of personal data
- to data portability
- to object to processing of personal data
- to protection from automated decision making, including profiling.
Encryption
The process of encoding information or data so that only authorised parties can access it.
Lawful purpose - Data subjects’ rights
Personal data
Information relating to an identifiable person who can be directly or indirectly identified. Includes names, staff number, location data, online identifier (eg IP address) and pseudonymised data.
Processing
The use of personal data in any way – this includes collecting, creating, analysing, copying, storing, transferring, sharing, disclosing, publishing and disposing of personal data.
Pseudonymisation
De-identifying data so that a coded reference or pseudonym is attached to a record to allow the data to be associated with a particular individual without that individual being identified directly. Legally, this data remains personal data.
Record of Processing
A record of the activities an organisation undertakes that involve the processing of personal data. This is a legal requirement and must contain certain information in relation to each processing activity.
Special category personal data
Types of personal data which require additional safeguards and conditions to be met for processing to be fair and lawful. Categories are:
- racial or ethnic origin
- political opinions
- religious or philosophical beliefs
- trade union membership
- genetic or biometric data
- sex life or sexual orientation.