UK law and rules
| Term | Definition |
|---|---|
| Data Controller | A data controller is a person or organisation who decides how personal data, which is information about identifiable individuals, is used or handled. Examples of data controllers include NHS organisations like Trusts and GP surgeries, or devolved government bodies. In the UK, most organisations handling personal data must register with the ICO (Information Commissioner's Office), and their details are public. Data controllers are legally responsible for how data is managed. They must prevent misuse, report breaches, and can be fined for failing to meet these duties. See also: Data Processor; Information Commissioner's Office (ICO). |
| Data Processor | An entity that processes personal data on behalf of a data controller, following the controller's instructions. They do not have control over how the data is used and are only allowed to perform tasks as directed by the controller. For example, a company hired to manage an email service for another organization acts as a data processor. The processor cannot use the data for any other purposes, such as marketing, without the controller's consent. See also: Data Controller; Information Commissioner's Office (ICO). |
| Data Protection Act (DPA) | UK law that regulates how personal data, meaning information that can identify living individuals, is collected, used, and stored. It provides rules for organizations on data handling, ensuring privacy and security, while giving individuals rights to access, correct, and control their own data. It implemented UK-specific aspects of the GDPR and superseded previous UK legislation. |
| Data Protection Impact Assessment (DPIA) | A process used to identify and minimize risks to personal data before it is collected or processed. It evaluates how data use might impact individuals' privacy and outlines steps to protect their information. A DPIA helps ensure that data handling practices are safe and secure, functioning like a risk assessment for personal data. |
| Data Protection Officer (DPO) | A professional responsible for ensuring that organizations comply with data protection laws when handling personal data. They advise on data privacy practices, monitor compliance, and act as a point of contact for data protection authorities. Organizations processing large amounts of personal data or those in the public sector are required to appoint a DPO, and they are listed on the public register held by the Information Commissioner's Office (ICO). |
| Data Subject | See: Data Subject. |
| Data Transfer Agreement | An agreement or contract between a data controller and another organisation (such as a data processor), governing the transfer of data. See also: Data Controller; Data Processor; Data Transfer. |
| European Union (EU) General Data Protection Regulation (GDPR) | The 2016 GDPR set out the EU framework for the handling of data relating to identifiable living people. Among many other things, it sets out a variety of legal bases for using personal data, such as "the data subject has given consent", "a task... in the public interest", or for "scientific... research". The UK Data Protection Act (DPA) was framed in its terms and set out UK-specific aspects. When the UK left the EU in 2020, the GDPR remained in UK law as the "frozen GDPR" or "UK GDPR". See also: UK General Data Protection Regulation (UK GDPR); Data Protection Act (DPA). |
| Information Commissioner's Office (ICO) | The UK's independent authority for upholding information rights in the interest of the public. The ICO oversees the application of the Data Protection Act and the UK GDPR, and has the power to issue monetary penalties for infringement of data protection legislation. |
| Information Governance (IG) | How an organisation takes care of its information or data. It involves strategies and processes for defining, collecting, storing, securing, using, protecting and disposing of data safely, while also respecting privacy. IG ensures that data is managed well throughout its life cycle, following guidelines and laws. It helps organisations handle data responsibly, protect it from risks, and use it in a way that follows rules and keeps people's information safe. IG also identifies the processes to be followed in the event of a failure to protect personal data, and any reporting, or escalation to regulatory bodies that might be required. |
| Lawful Basis | Under UK data protection law and the UK GDPR, organisations must have a defined lawful basis to hold and use "personal data". The Health Research Authority (HRA) and Information Commissioner's Office (ICO) advise that for almost all research conducted in the UK, organisations should rely on either: (1) "Task in public interest", for all public bodies (NHS / HSC, Universities, UKRI etc.), or (2) "Legitimate interest", for non-public bodies (charities etc.). See also: Lawful Basis. |
| UK General Data Protection Regulation (UK GDPR) | The UK version of the European Union (EU) General Data Protection Regulation (GDPR) as recorded in the UK Data Protection Act (DPA). In most cases, references in the UK to "GDPR" are likely to mean the UK GDPR, although the two versions are largely the same. See also: Data Protection Act (DPA); European Union (EU) General Data Protection Regulation (GDPR). |