Glossary of terms
Get to grips with the jargon
Information from which no individual person can be identified, by removing name and first line of address, usually presented only containing postal sector or electoral ward.
Is a service commissioned by Arts Council England and provided by The Audience Agency to organisations to collect, share and compare audience insight. Most services are free and some are designed specifically to enable venues to share insight with touring companies with minimum effort. More information here.
A formal role for the organisation under GDPR. "Data controllers" decide how and why personal data is processed.
Any person (other than an employee of the Data Controller) who processes the data on behalf of the Data Controller. GDPR places new, specific legal obligations on Data Processors to maintain records of personal data processing activities. Processors also have greater legal liability under GDPR, for data breaches for which they are responsible.
Formerly the main UK legislation, derived from an EU Directive, which governs the handling and protection of information relating to living people. The Data Protection Act is replaced by the General Data Protection Regulation (GDPR) from May 2018.
Also known as Privacy Impact Assessments (PIA), these form an integral part of taking a privacy by design, best practice approach, and there are certain circumstances under which organisations must conduct PIAs. They are a tool which can help organisations identify the most effective way to comply with their data protection obligations and meet individuals’ expectations of privacy, and protect against the risk of harm through use or misuse of personal information. An effective DPIA will allow organisations to identify and fix problems at an early stage, reducing the associated costs and damage to reputation which might otherwise occur. The ICO has published a code of practice to help organisations understand what DPIAs are and how to use them here.
In certain circumstances the GDPR requires organisations to appoint a Data Protection Officer, who is responsible for advising an organisation and its employees about their data protection obligations, to monitor the compliance of the organisation’s practices and systems with the regulations, and to be a first point of contact for data protection related matters and inquiries. Any organisation may appoint a Data Protection Officer, and it is good practice for an organisation to appoint a reasonable person to determine the manner in which any personal data is processed, and to manage and document legal compliance, data integrity and security.
The disclosure of data from one or more organisations to a third party organisation or organisations, or the sharing of data between different parts of an organisation. Can take the form of systematic, routine data sharing where the same data sets are shared between the same organisations for an established purpose; and exceptional, one-off decisions to share data for a range of purposes.
Person to whom personal data pertains, whose rights are protected by legislation.
Applying from May 25th 2018, the main EU regulation governing the handling and protection of information relating to natural persons. In the UK it replaces the Data Protection Act, and its aim is to give data subjects an enhanced level of control over who has the ability to use their personal information and for what purposes.
that their data could be collected, by whom and for what purposes.
The consent of members of the public to the collection of their data for the stated uses.
Under GDPR, any data which relates to a natural person who can be identified, a) from those data, or b) from those data and other information which is in the possession of, or is likely to come into the possession of, the Data Controller, and includes any expression of opinion about the individual and any indication of the intentions of the Data Controller or any other person in respect of the individual.
The definition of personal data under GDPR is expanded and includes names, identification numbers, address/location data, online identifiers (such as cookies, IP addresses or MAC addresses), and physical, physiological, genetic, mental, economic, cultural or social factors specific to the identity of a natural person.
Govern the collection and use of personal information in electronic communications, e.g. email. Due to be replaced when the EU ePrivacy Regulation comes into force in 2018/2019.
Means obtaining, recording, or holding information or data. It includes the following operations on the information or data:
Ensuring that customers who have made previous transactions are recognised before the sales process starts a new transaction, certainly without repeating notification statements and permission sequences, and ensuring that duplicate records are not made.
Formerly known as “sensitive personal data”, now known under GDPR as “special categories” of personal data. The processing of these special categories is restricted by further safeguards to give extra protection to the privacy of data subjects. The “special categories” consist of information related to an individual’s:
Personal data relating to criminal convictions and offences are not included as ‘special categories’ under GDPR, but similar extra safeguards apply to their processing.