Anonymisation – manipulating data so it is unlikely that the data subject will be identifiable.
Consent – where a data subject actively agrees to have their data processed for explicit reasons. This must involve a positive ‘opt-in’ and not a pre-ticked box.
Data audit – a data audit should be the first step for schools looking to become compliant. A data audit identifies every point where a school processes personal data.
Data controller – the party who determines what data is collected, how it is used and the way in which it is processed.
Data processor – acting on behalf of the controller, the data processor is responsible for processing data.
Data protection by design – the consideration of data protection within all projects and developments within a school from the outset.
Data Protection Impact Assessment (DPIA) – this is a process that should be carried out when introducing new technologies and if data processing is likely to put individuals’ rights and freedoms at high risk. For a school, this could mean the large-scale processing of special category or criminal record data. More details can be found on ICO's DPIA document.
Data protection officer (DPO) – a DPO must be appointed as a school will likely be either or both a public authority or a large-scale processor of special category data.
Data subject – the individual on which an organisation holds personal data.
Derogations – see "exemptions".
Encrypted data – a means of encoding data using a key which renders it accessible only to users with that key.
Exemptions – these can be introduced by member states in some circumstances, but must still respect the individual’s freedoms and have significant grounds. More details can be found on ICO’s exemptions document.
ICO – the Information Commissioners Office. ICO is a UK body set who uphold information rights. ICO enforces GDPR in the UK.
Individual rights – enhanced under GDPR, the rights of the individual are listed as the right to be informed, to access, to rectification, to erasure, to restrict processing, to data portability, to objection and rights in relation to automated decision making and profiling. More details can be found on ICO’s individual rights documents.
Lawful basis – required for the processing of personal data, one of six lawful bases must be met before processing begins.
Personal data – is data that can be directly or indirectly linked to an individual, whether that be by name or an alternative identifier such as ID number or location information.
Personal data breach – refers to ‘a breach of security that leads to destruction loss, alteration, unauthorised disclosure of, or access to, personal data.’ (ICO)
Privacy Impact Assessment – see "Data Protection Impact Assessment".
Processing – any operation or set of operations performed on personal data, whether that operation is automated or not. That includes collecting it, organising it, structuring it, storing it and retrieving it.
Profiling – automated processing of personal data to make decisions or evaluations on the data subject.
Sensitive personal data – also known as special category data, this data is deemed to be more sensitive and therefore requires enhanced levels of protection.
Subject access request (SAR) – can be submitted to organisations by data subjects in accordance with the individual rights (above).