Information Governance - Definitions and Glossary
DATA
Data are facts or numbers which have not been interpreted; they often don’t mean very much without context.
INFORMATION
Information is what you get when you interpret data so that it has meaning.
(Data and information have distinct meanings, but they are often used interchangeably. Their definitions are recorded here, but they are used interchangeably in the guidance).
ANONYMISATION
The process used to ensure that data can no longer identify any person.
CONSENT
In the context of GDPR, consent is one of the 6 lawful bases for processing personal data. Individuals must be able to choose to consent through a positive opt-in. Any requests for consent must be clear and precise. More information can be found here: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/consent/
CONTRACT
In the context of GDPR, a contract is one of the 6 lawful bases for processing personal data. This means that you can rely on this basis if you need to process someone’s data in order to fulfil a contractual obligation to them or because they have asked you to do something before entering into a contract. More information can be found here: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/contract/
CYBER
A term to refer to computers or other digital information systems.
CYBER SECURITY
The methods employed to protect digital information systems.
(CYBER) SECURITY INCIDENT
Any unusual occurrence which differs from organisational processes or policies, e.g. someone leaving a filing cabinet unlocked when there is no one around.
DATA BREACH
An incident which results in personal or sensitive data being lost, altered or viewed by unauthorised individuals.
DATA CONTROLLER
A person, public authority, agency or any other body who decides how data is going to be processed and the reason why it needs to be processed. This might be alone or jointly.
DATA PROCESSOR
A person (unless they are an employee of the data controller), public authority, agency or any other body who processes data on behalf of a data controller.
DATA PROTECTION ACT (DPA) 1998
UK legislation which defines how information about living individuals can be used legally.
This was superseded by the Data Protection Act 2018.
DATA PROTECTION ACT (DPA) 2018
This is a significant update to data protection legislation in the UK. It aligns us with GDPR and should be read alongside it.
DATA PROTECTION LEGISLATION
A generic term to cover all UK legislation which impacts on data protection. This includes the DPA, GDPR, FOIA, the common law duty of confidentiality and Article 8 of the Human Rights Act.
DATA SECURITY AND PROTECTION TOOLKIT (DSPT)
The DSPT was designed by the Department of Health and Social Care and NHS Digital. It pulls together all guidance into a standard set of requirements which cover all applicable data protection matters for health and care. The DSPT will be available from April 2018 for submissions for the 2018/2019 financial year.
DATA SUBJECT
The living individual which the data is about.
The conditions which need to be met to legally process any kind of personal data.
FREEDOM OF INFORMATION ACT (FOIA) 2000
Legislation which entitles the general public to access information held by public authorities. The FOIA does not apply to all care providers and you should check to see if it is applicable to your organisation. It is only likely to apply if your organisation is owned by a public authority.
GENERAL DATA PROTECTION REGULATION (GDPR)
New legislation which was ratified in 2016 and enforced from 25th May 2018. GDPR is intended to provide a single set of data protection rules across the EU. This legislation will still apply to the UK after Brexit. There is more information here: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/
LAWFUL BASIS FOR PROCESSING
In the context of GDPR, there are 6 lawful bases for processing data. For processing to be considered lawful, it must be necessary. That is, if you could perform your task without having to use the data but you process the data anyway, that would not be lawful. There is more information here: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/
LEGAL OBLIGATION
In the context of GDPR, a legal obligation is one of the 6 lawful bases for processing personal data. This basis should be relied on when you need to process any personal data because of a common law or statutory obligation. More information can be found here: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/legal-obligation/
LEGITIMATE INTEREST
In the context of GDPR, “legitimate interest” is one of the 6 lawful bases for processing personal data. A legitimate interests assessment (LIA) should be used if this is the basis for processing information. Legitimate interests should only be something which people would reasonably expect you to be processing data for. More information can be found here: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/legitimate-interests/
PERSONAL DATA
Data or information is personal when it can be used to identify a living individual.
PROCESSING
An umbrella term to refer to any way in which data can be collected, stored, used or organised.
PSEUDONYMISATION
A process used to ensure that data cannot identify any person without the use of additional data stored separately. For example, a person’s name might be replaced with a unique code identifier so that their data can be used for research. This isn’t fully anonymous because if the code is linked to their name (additional data) then they can be re-identified.
PUBLIC TASK
In the context of GDPR, a public task is one of the 6 lawful bases for processing personal data. As the majority of care providers are not public bodies, you cannot use this basis for processing data. If your organisation does count as a public body under FOIA then you can use this basis.
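To make the difference between pseudonymised and anonymised data concrete, here is an added Python example (not part of the original glossary): names are replaced with a keyed code, the code-to-name mapping is kept as a separate "additional data" table, and re-identification only works for someone holding that table. The records, field names and key are constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample records for illustration only (not real people).
RECORDS = [
    {"name": "Alice Example", "dob": "1950-03-12", "care_needs": "mobility support"},
    {"name": "Bob Sample", "dob": "1962-11-30", "care_needs": "medication prompts"},
]


def pseudonymise(records, key):
    """Replace the direct identifier (name) with a keyed code.

    Returns two things that must be stored separately:
    - the pseudonymised dataset, which can be shared for research
    - the mapping table (code -> name), i.e. the 'additional data'
    """
    dataset, mapping = [], {}
    for rec in records:
        # A keyed HMAC rather than a plain hash: without the key, a code
        # cannot be recomputed from a guessed name and linked back.
        code = hmac.new(key, rec["name"].encode(), hashlib.sha256).hexdigest()[:16]
        mapping[code] = rec["name"]
        dataset.append(
            {"subject_id": code, **{k: v for k, v in rec.items() if k != "name"}}
        )
    return dataset, mapping


def re_identify(dataset, mapping):
    """Recover names; only possible with the separately stored mapping table."""
    return [mapping.get(row["subject_id"]) for row in dataset]


def contains_direct_identifier(dataset, records):
    """Check that no original name survives anywhere in the released dataset."""
    names = {r["name"] for r in records}
    return any(v in names for row in dataset for v in row.values())
```

The released dataset still carries date of birth and care needs, so it remains personal data under the definitions above; it is pseudonymised, not anonymised.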
SPECIAL CATEGORY DATA
This is the term used in the GDPR to cover and extend that data which is described as sensitive personal data in the DPA. Special category data is: racial or ethnic origin data; political opinions; religious or philosophical belief(s); trade union membership; genetic data; biometric data (for uniquely identifying someone); health data (this includes data used in social care); data concerning someone’s sex life or sexual orientation.
THREAT
In the context of data security, a threat is what we try to protect against.
VITAL INTEREST
In the context of GDPR, “vital interest” is one of the 6 lawful bases for processing personal data. You can rely on this basis if you have to process data in order to protect someone’s life.
VULNERABILITY
In the context of data security, a vulnerability is a gap in our defences which a threat could exploit.