Information Governance - Definitions and Glossary
DATA
Data are facts or numbers which have not been interpreted; on their own they often do not mean very much without context.
INFORMATION
Information is what you get when you interpret data so that it has meaning.
(Data and information have distinct meanings, but they are often used interchangeably. Their definitions are recorded here, but they are used interchangeably in the guidance.)
ANONYMISATION
The process used to ensure that data can no longer identify any person.
CONSENT
In the context of GDPR, "consent" is one of the 6 lawful bases for processing personal data. Individuals must be able to choose to consent through a positive opt-in. Any request for consent must be clear and precise.
CONTRACT
In the context of GDPR, "contract" is one of the 6 lawful bases for processing personal data. This means that you can rely on this basis if you need to process someone’s data in order to fulfil a contractual obligation to them, or because they have asked you to do something before entering into a contract.
CYBER
A term to refer to computers or other digital information systems.
CYBER SECURITY
The methods employed to protect digital information systems.
(CYBER) SECURITY INCIDENT
Something which might cause confidential (digital) information to be misused or compromised, e.g. someone leaving a filing cabinet with care records unlocked when not in use.
DATA BREACH
An incident which results in personal or sensitive data being lost, altered or viewed by unauthorised individuals.
DATA CONTROLLER
A person or organisation who decides how data is going to be used and the reason why it needs to be. Care providers are data controllers.
DATA PROCESSOR
A person or organisation who processes data on behalf of a data controller. They do not decide how or why to process data themselves.
DATA PROTECTION ACT (DPA18) 2018
This is a significant update to data protection legislation in the UK. It aligns us with GDPR and should be read alongside it.
DATA PROTECTION LEGISLATION
A term for all UK legislation which impacts on data protection. This includes the DPA18, GDPR, FOIA, the common law duty of confidentiality and The Human Rights Act (article 8).
DATA SECURITY AND PROTECTION TOOLKIT (DSPT)
The DSPT was designed by the Department of Health and Social Care and NHS Digital. It is an online, self-assessment tool for demonstrating compliance with national data protection legislation and guidance.
DATA SUBJECT
The living individual which the data is about.
The conditions which need to be met to legally process any kind of personal data.
FREEDOM OF INFORMATION ACT (FOIA) 2000
Legislation which entitles the general public to access information held by public authorities. The FOIA does not apply to all care providers and you should check to see if it is applicable to your organisation. It is only likely to apply if your organisation is owned by a public authority.
GENERAL DATA PROTECTION REGULATION (GDPR)
New legislation which has been in force since 25th May 2018. GDPR is intended to provide a single set of data protection rules across the EU. This legislation is likely to still apply to the UK after Brexit.
LAWFUL BASIS
In the context of GDPR, there are 6 lawful bases for processing data. For processing to be considered lawful, it must be necessary. If you could do your job without using the data but you process the data anyway, that processing would be unlawful.
LEGAL OBLIGATION
In the context of GDPR, “legal obligation” is one of the 6 lawful bases for processing personal data. This should be relied on when you need to process any personal data because of a common law or statutory obligation.
LEGITIMATE INTEREST
In the context of GDPR, “legitimate interest” is one of the 6 lawful bases for processing personal data. A legitimate interest assessment (LIA) should be used if this is the basis for processing information. Legitimate interests should only be something which people would reasonably expect you to be processing data for.
PERSONAL DATA
Data or information is personal when it can be used to identify a living individual.
PROCESSING
An umbrella term to refer to any way in which data can be created, collected, stored, used, shared or organised.
PSEUDONYMISATION
A process to ensure that data cannot identify any person on its own. For example, a person’s name might be replaced with a unique code identifier so that their data can be used for research. This isn’t fully anonymous, because if the code can be linked back to their name (additional data held separately) then they can be re-identified.
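The distinction between pseudonymised and anonymised data is easier to see in code. The following is an added example, not part of the original glossary or any guidance it refers to: it pseudonymises a small constructed set of care records by replacing the name with a keyed hash (HMAC-SHA256, a scheme chosen here for illustration), shows that anyone holding the key plus a list of candidate names can re-identify the person, and contrasts that with an anonymised version that keeps no code to link back. All records, names and the key are constructed sample values.

```python
"""Added example: pseudonymisation versus anonymisation of a constructed
care-record dataset. Not code from the original glossary."""
import hmac
import hashlib

# Constructed sample records; every person and detail here is fictional.
RECORDS = [
    {"name": "Alice Example", "dob": "1950-03-02", "care_notes": "Mobility support, weekly"},
    {"name": "Bob Example", "dob": "1948-11-17", "care_notes": "Medication reminders"},
    {"name": "Alice Example", "dob": "1950-03-02", "care_notes": "Review visit"},
]


def pseudonym(name: str, key: bytes) -> str:
    """Derive a stable, opaque code for a name with HMAC-SHA256.

    The same name under the same key always yields the same code, so the
    records of one person can still be linked together for research, while
    the code itself reveals nothing about the name to someone without the key.
    """
    normalised = name.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()[:16]


def pseudonymise(records, key: bytes):
    """Replace the direct identifier (name) with a pseudonymous subject code.

    Other fields are kept unchanged. Note that date of birth is an indirect
    identifier and would need its own review before data is shared.
    """
    out = []
    for record in records:
        copy = dict(record)
        copy["subject_code"] = pseudonym(copy.pop("name"), key)
        out.append(copy)
    return out


def reidentify(subject_code: str, candidate_names, key: bytes):
    """Recover a name from a subject code, given the key and candidate names.

    This is the 'additional data' the glossary entry refers to: whoever holds
    the key (or an equivalent lookup table) can link the code back to a person,
    which is why pseudonymised data is still personal data under GDPR.
    """
    for name in candidate_names:
        if hmac.compare_digest(pseudonym(name, key), subject_code):
            return name
    return None


def anonymise(records):
    """Contrast: anonymisation removes the identifier entirely and keeps no
    code that could be linked back; date of birth is coarsened to a decade."""
    return [
        {"birth_decade": r["dob"][:3] + "0s", "care_notes": r["care_notes"]}
        for r in records
    ]


if __name__ == "__main__":
    # The key must be held separately from the pseudonymised dataset;
    # this value is a constructed placeholder, not a real secret.
    key = b"constructed-demo-key"
    pseudo = pseudonymise(RECORDS, key)
    for row in pseudo:
        print(row)
    print("re-identified:", reidentify(pseudo[0]["subject_code"], ["Bob Example", "Alice Example"], key))
    print("with wrong key:", reidentify(pseudo[0]["subject_code"], ["Bob Example", "Alice Example"], b"other-key"))
    print(anonymise(RECORDS))
```

The key is what makes the difference: the pseudonymised dataset on its own does not identify anyone, but the organisation holding the key can always re-identify, so the key must be stored and access-controlled separately from the data it protects.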
PUBLIC TASK
In the context of GDPR, “public task” is one of the 6 lawful bases for processing personal data. You can only use this basis if your organisation counts as a public body under FOIA.
SPECIAL CATEGORY DATA
- racial or ethnic origin data;
- political opinions;
- religious or philosophical belief(s);
- trade union membership;
- genetic data;
- biometric data (for uniquely identifying someone);
- health data (this includes data used in social care); and
- data concerning someone’s sex life or sexual orientation.
THREAT
In the context of data security, a threat is what we try to protect against.
VITAL INTERESTS
In the context of GDPR, “vital interests” is one of the 6 lawful bases for processing personal data. You can rely on this basis if you have to process data in order to protect someone’s life.
VULNERABILITY
In the context of data security, a vulnerability is a gap in our defences which a threat could exploit.