The ICO have put together an extremely useful glossary here, most of which I have repeated below and added a little to for extra clarity:
Personal Data
Personal data is information about who you are, where you live, what you do and more. It’s any and all information that identifies you as a Data Subject.
Data protection law is all about protecting personal data. Organisations are likely to be handling items containing personal data or otherwise processing personal data, such as:
- people’s names and addresses;
- photographs;
- customer reference numbers;
- medical information;
- school reports; and
- customer reviews.
If a document, file or image identifies a person, or could be used in combination with other information to identify them, then it’s personal data. This applies even if the information doesn’t include a person’s name.
However, information is only personal data if it relates to someone who’s alive. It is important to remember that data protection laws don’t apply after someone has died.
Data Subject
A Data Subject is someone who can be identified from personal data. The data could be their name, address, telephone number or something else – but if it’s about a person, then they’re the data subject. They’re the ‘subject’ of the data. However, the term only relates to people who are alive.
Often when you hear the term ‘Data Subjects’, this will mean customers, employees, volunteers and service users.
Processing
Processing means taking any action with someone’s personal data. This begins when a Data Controller starts making a record of information about someone, and continues until they no longer need the information and it’s been securely destroyed. If they hold information on someone, it counts as processing even if they don’t do anything else with it.
Other types of data processing include actions such as organising and restructuring the way they save the data, making changes to it e.g. updating someone’s address or record, and sharing it or passing it on to others.
Data Controller
A Data Controller has the responsibility of deciding how personal data is processed and protecting it from harm.
Controllers aren’t usually individual people. They can be a limited company, an organisation, charity, association, club, volunteer group or business of any size – including sole traders and people who work for themselves.
Wherever personal data is used for purposes other than personal or household processing, the organisation behind it is a Controller. Personal or household processing means the personal data you would usually have in your home, such as family photo albums, friends’ addresses and notes on the fridge, none of which would be covered by data protection laws unless there was another connection to a professional or commercial activity.
Controllers can delegate the processing of personal data to data processors, but the responsibility for keeping it safe will still rest with the controller.
Data Processor
In a similar way to data controllers, Data Processors have to protect people’s personal data – but they only process it in the first place on behalf of the controller. They wouldn’t have any reason to have the data if the controller hadn’t asked them to do something with it.
For example, data processors could be IT support companies, payroll providers, a courier or another service where personal data is used.
Personal data breach
If any personal data that an organisation is responsible for has been lost, accidentally destroyed, altered without proper permission, damaged or disclosed to someone it shouldn’t have been, this could be a personal data breach.
The scope of the breach and how the organisation handles it could have serious consequences for the people who are identifiable in the data. In some cases, personal data breaches – once discovered – have to be reported to the ICO within 72 hours.
Lawful basis
Whenever an organisation collects or uses personal information, they must have a valid reason for doing so. This reason is known as a ‘lawful basis’.
There are six lawful bases:
- consent;
- contract;
- legal obligation;
- vital interests;
- public task; and
- legitimate interests.
None of the lawful bases is ‘better’ or more important than any of the others. An organisation must identify the most appropriate one for what they’re doing with people’s information. They may have a different lawful basis for each of their different reasons or purposes.
Whichever lawful basis they choose, the collection and use of people’s information needs to be proportionate and necessary to achieve their specified purpose. They must be able to justify what they’re doing, and why.
Consent
Consent is appropriate when an organisation can offer people real choice and control over how their information is used.
If they’re relying on consent, it must be:
- freely given (and usually not as a precondition of a service);
- specific and informed;
- indicated by a positive action to opt-in (which means they can’t use pre-ticked boxes or other types of default consent);
- separate from their other terms and conditions wherever possible;
- easy for the person to withdraw at any time; and
- kept under review and refreshed if anything changes.
Contract
This would be appropriate when an organisation needs to collect or use a person’s information to deliver a contractual service to them, or because they’ve asked an organisation to do something before entering into a contract. For example, if a prospective client asks for a quote for services, the organisation will need to handle a certain amount of their information to provide this.
Legal Obligation
This would be the most appropriate lawful basis if an organisation was required to collect or use personal information in order to comply with the law. For example, there may be specific legislation in place that directs them to process personal information, like a requirement to report a serious accident at work under health and safety legislation.
Vital Interests
An organisation can rely on vital interests if they need to use or share personal information to protect someone’s life. For example, giving relevant information to the ambulance crew who are helping someone who’s unconscious.
Public Task
This lawful basis is used by public authorities or organisations carrying out specific tasks in the public interest. This lawful basis may be appropriate if the organisation works on behalf of a public authority.
Legitimate Interests
This is where using personal information is in the legitimate interests of the organisation itself, an individual or a third party, and can include commercial interests or wider benefits for society. An organisation must be able to justify this.
To rely on this lawful basis they must:
- identify a legitimate interest;
- show the collection and use of personal information is necessary to achieve this; and
- balance their own or someone else’s interests against the person’s interests, rights and freedoms.
This lawful basis is likely to be most appropriate when an organisation uses personal information in ways that people would reasonably expect, and the privacy impact is minimal. For example, they hold contact details for an employee’s next of kin because it’s in the employee’s legitimate interest for them to let someone know if they are taken ill whilst at work.
There may also be times when an organisation has a compelling justification for the use of someone’s information even though there’s a higher impact on that person. They can rely on legitimate interests here, but they must make sure they can demonstrate that any impact is justified.
There’s no single lawful basis that’s better or more lawful than any of the others. It’s up to the company, organisation or sole trader responsible (known as a “controller”) to choose which is most appropriate for what they’re doing with data.
Individual rights
In data protection law, people have rights over their data. These generally allow them to ask an organisation to do something, or stop doing something, with their personal data.
There are eight individual rights. If an organisation is handling people’s personal data, they’ll have to comply with these rights whenever they’re used, unless it’s an exceptional situation.
The three main rights an organisation is likely to come across are the right of access, the right to object and the right to be informed:
- The right of access is when someone asks for a copy of the data an organisation has on them. This is also known as a subject access request – or SAR – and the organisation has one month to deal with a SAR.
- The right to object means people can object to specific processing of their personal data, so an organisation would have to stop using their data for certain purposes unless they have a good reason to continue. For example, if a customer objects to them using their details to send them postal marketing, they could suppress or flag their details so they know not to post them marketing material again.
- The right to be informed usually means that the organisation has to tell people that they have their data and what they’re doing with it.
You also need to know about the other five rights:
- The right to rectification means people can ask an organisation to correct their data if it isn’t accurate.
- The right to erasure is when someone asks an organisation to delete their data. It is also known as the ‘right to be forgotten’ and means that in certain specific situations, an organisation may have to delete an individual’s data upon request. For example, if they collected someone’s personal data and it’s now no longer valid for the reason they collected it, that person could ask the organisation to delete it.
- The right to restrict processing means that an organisation has to temporarily stop processing someone’s data if that person asks them to. An organisation can store their data, but not use it. This isn’t an absolute right and only applies in certain circumstances.
- The right to data portability gives people more control over their data where it’s held electronically if it’s personal data they’ve supplied themselves. It’s intended to make it easy for them to provide it to another data controller if they need to. The data an organisation holds about them electronically has to be made easily accessible and transferable. Also, if requested, the organisation may have to provide it to them or to another organisation on their behalf. However, this right only applies when the controller is relying on ‘consent’ or ‘performance of a contract’, and when they’re processing the data by automated means.
For example, Peter wants to switch electricity suppliers. At his request, his current energy company should provide his new energy supplier with the details he gave them when he joined them and any details about his energy usage gathered from his smart meter, if this is what Peter wants to do.
- Rights in relation to automated decision making and profiling. If personal data is processed entirely by automatic means and this might have a legal or similarly significant effect on the person, they can request some human involvement in the processing.
GDPR
This stands for General Data Protection Regulation (GDPR), the EU’s agreed standards for data protection that are also written into UK law through the Data Protection Act 2018 (DPA 2018).
The transition period for leaving the EU ended on 31 December 2020. The GDPR has been retained in UK law as the UK GDPR, and will continue to be read alongside the DPA 2018, with technical amendments to ensure it can function in UK law.
Registration
If an organisation has or uses information about people, also known as processing, they may have to register with the ICO and pay a fee.
Data protection fees are a legal obligation and the amount payable varies depending on the size of the organisation and what personal data they’re processing. For most small businesses, it’s £40 or £60 a year.