Skip to content

Below you will find definitions of some of the key terms and phrases associated with data protection.


An individual’s consent to process their personal data must be ‘freely given, specific and informed’. Consent must be based on the individual’s clear understanding of what the data is being used for, who it will be shared with, how long it will be kept for (see ‘fair processing notice’). It is important to note that while an organisation must have a valid reason for processing personal data, this may not necessarily always involve the direct consent of the individual it relates to.

Data controller

The person who decides how, and for what purposes, the data is going to be processed. This could be either an individual or an organisation. St George’s, University of London is considered the data controller for information processed for the purposes of the university’s business.

Data processor

Someone (other than an employee of the data controller) who processes data on behalf of a data controller, eg an external company employed to distribute an organisation’s newsletter or marketing materials, or a company responsible for the disposal of ‘confidential’ waste.

Data protection principles

The Data Protection Act sets out eight data protection principles. These specify that personal data shall:

  1. be processed fairly and lawfully, and only if certain conditions are met
  2. be processed only for specified and lawful purpose(s)
  3. be adequate, relevant and not excessive for those purposes
  4. be accurate and kept up to date
  5. not be kept for longer than is necessary for that purpose
  6. be processed in accordance with data subject’s rights
  7. be kept secure, by means of technical/organisational measures
  8. not be transferred outside the European Economic Area (EEA) unless that country ensures the safety of that data and that the rights of the individual are respected.
Data subject

The living individual who is the subject of the personal data.

Fair processing or privacy notice

The fair processing notice is a formal statement that provides the individual whose data is to be processed with the following information: the identity of the data controller, the purpose(s) for which the data may be processed and any other information necessary to ensure the processing can be considered ‘fair’ under the Act, eg other persons the data may be shared with. The fair processing notice is now known as the 'privacy notice', although you will probably still find reference to both.


The Data Protection Act requires anyone who processes personal information to provide details of that processing for inclusion in a register maintained by the Information Commissioner’s Office. Failure to ‘notify’, or to keep your entry in the register up-to-date, is a criminal offence.

Personal data

Data relating to a living individual who can be identified from that information, or from other information the data controller has in their possession or is likely to have access to.


Any action or operation carried out on personal data, whether obtaining, recording, storing or disposing of that data.

Subject access request

The process by which a data subject can request information about themselves held by an organisation. The request must be made in writing, which can include email. The organisation must respond to the request within 40 days, providing copies of the relevant information in ‘permanent form’. All subject access requests should be passed to St George’s Data Protection Officer.


Find a profileSearch by A-Z