Glossary of Data Protection terms

Data controller

An organisation holding personal data who determines the purposes for which, and the manner in which, it is to be processed. In some circumstances it could be a person, and the processing may be carried out jointly or in common with other data controllers. The University is a data controller for the personal data it holds.

Data processor

An organisation (or in some circumstances it could be a person) who processes personal information on a data controller's behalf. For example, outsourcing the disposal of confidential waste to an external company - that company is a data processor.

Data subject

A living individual who can be identified from personal data.


Disclosing can take the form of paper documents, viewing of a screen, telling someone the content of records, playing audiotapes - anything that passes personal data to another person.


Notification is the process by which a data controller's processing details are added to a the register of data controllers held by the Information Commissioner's Office. Under the Act, every data controller processing personal information needs to notify unless they are exempt. Failure to notify is a criminal offence. Even if a data controller is exempt from notification, they must still comply with the data protection principles. 

Personal data

Personal data means information about a living individual who can be identified from that information and other information which is in, or likely to come into, the data controller's possession.

  • Deceased persons are not regarded as data subjects [nor are companies or organisations];
  • Individuals can be identified not only by name but by any sort of identification, such as National Insurance number, employee number or patient number;
  • Data relating to a data subject by reference to his/her title would be regarded as personal data because it is possible to identify a particular individual from that designation;
  • Examples of personal data are:
    • Name and address of an individual;
    • CCTV footage of an individual who may be identifiable from that footage;
    • A combination of data that give enough detail to potentially identify an individual eg information relating to a rare disability coupled with a specific post code; and
    • If a data subject is referred to by means of a code, but the data user has other information that identifies the individual by means of that code;
    • Emails identifying a particular individual.


Processing means obtaining, recording or holding the data or carrying out any operation or set of operations on data. This includes collecting, recording, amending, destroying, disclosing, rearranging and extracting information by any means.

Special category data

Sensitive data means data containing any of the following information:

  • Racial or ethnic origin;
  • Political opinions;
  • Religious or other similar beliefs;
  • Trade Union membership;
  • Physical or mental health condition;
  • Sexual life or orientation;
  • Biometrics (used for ID purposes);
  • Genetic data;
  • The commission or alleged commission of an offence (and any related legal proceedings).

While financial information is not classified as sensitive data under the Act, it should be afforded a similar level of security given the damage that could be caused to an individual if it were to be accessed without authorisation.

Personal data breach

A breach of security leading to an accidental or unlawful destruction, loss, alteration, unathorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. It could include an email containing personal data being sent to the wrong recipient, or high level serious systems failures or compromise.