Data Protection Glossary

An individual’s consent to process their personal data must be freely given, clear and require a positive action to opt-in. Consent must be based on the individual’s clear understanding of what the data is being used for, who it will be shared with, how long it will be kept for (see ‘fair processing notice’). It is important to note that while an organisation must have a valid reason for processing personal data, this may not necessarily always involve the direct consent of the individual it relates to.

The person who decides how, and for what purposes, the data is going to be processed. This could be either an individual or an organisation. St George’s, University of London is considered the data controller for information processed for the purposes of the university’s business.

Someone (other than an employee of the data controller) who processes data on behalf of a data controller, eg an external company employed to distribute an organisation’s newsletter or marketing materials, or a company responsible for the disposal of ‘confidential’ waste.

The UK GDPR sets out 7 core principles. These specify that personal data shall:

1. be processed lawfully and in a transparent manner
2. be collected for specified, explicit and legitimate purposes
3. be adequate, relevant and limited to what is necessary
4. be accurate and, where necessary, kept up to date
5. be kept no longer than is necessary in relation to the original purpose
6. be processed securtely, to ensure their confidentialilty, integrity and availability
   In addition the data controller shall
7. be responsible for, and be able to demonstrate compliance with, the first principle (accountability)

The living individual who is the subject of the personal data.

The fair processing notice is a formal statement that provides the individual whose data is to be processed with the following information: the identity of the data controller, the purpose(s) for which the data may be processed and any other information necessary to ensure the processing can be considered ‘fair’ under the Act, eg other persons the data may be shared with. The fair processing notice is now known as the 'privacy notice', although you will probably still find reference to both.

Data relating to a living individual who can be identified from that information, or from other information the data controller has in their possession or is likely to have access to.

Any action or operation carried out on personal data, whether obtaining, recording, storing or disposing of that data.

Under the Data Protection (Charges and Information) Regulations 2018, individuals and organisations that process personal data need to pay a data protection fee to the Information Commissioner's Office (ICO), unless they are exempt.

The process by which a data subject can request information about themselves held by an organisation. The request must be made in writing, which can include email. The organisation must respond to the request within 40 days, providing copies of the relevant information in ‘permanent form’. All subject access requests should be passed to St George’s Data Protection Officer.