Please view our data privacy glossary below.
Applicable data protection legislation
The UK Data Protection Act 1998, the EU General Data Protection Regulation ((EU) 2016/679) and any applicable equivalent or replacement legislation.
Agreement which is freely given, specific, informed and unambiguous.
A personal data breach means the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This means that a breach is more than just losing personal data.
The person or organisation that determines when, why and how to Process Personal Data.
Data Privacy Impact Assessment
Also: DPIA. A standard assessment used to identify and reduce risks of a data processing activity.
Any person, company or organisation (other than an employee of the data controller) who processes Personal Data on behalf of a Data Controller.
Data Protection Officer (DPO)
An internal, statutory role, required to monitor and promote compliance with data protection legislation.
Any living, identified or identifiable individual about whom we hold Personal Data.
Data Subject Rights
The rights granted to Data Subjects by the applicable data protection legislation, including the right of access to their Personal Data, the right to correct it, and the right to deletion (see below, section 12).
Any information identifying a Data Subject or from which we could identify a Data Subject. Personal Data includes “Special Categories” of sensitive personal data and Pseudonymised Data but not anonymised data (data where any identifying elements have been removed).
Special Categories of Personal Data
A special subset of Personal Data, being any information revealing racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health conditions, sexual life or sexual orientation, biometric or genetic data, and Personal Data relating to criminal offences and convictions.
Processing or Process
Any activity that involves the use of Personal Data, whether manual or electronic, including obtaining, recording or holding the data, organising, amending, transferring, retrieving, using, disclosing, erasing or destroying it.
Separate notices setting out information that may be provided to Data Subjects when the University collects information about them. These notices may apply to a specific group of individuals (for example, employees) or they may cover a specific purpose (such as filming on campus).
Data which has been modified to replace information that directly or indirectly identifies an individual with artificial identifiers or pseudonyms, so that the person to whom the data relates cannot be identified without the use of additional information which is kept separately and securely.
Anyone other than the Data Subject and the Data Controller.