Student and Registry Services


Key Terms in Data Protection

On this page you will find a list of common data protection terms. This information is intended for use by SRS staff.

A-Z of data protection terms

The process by which all identifiers are removed from personal data, resulting in the data becoming anonymous.

A controller determines the purposes and means of processing of personal data. UCL is the controller for almost all the data you will be handling.

Criminal Conviction data
Criminal records data is extremely sensitive personal data that can be handled in specific and limited circumstances.

Data Breaches
A personal data breach is a security incident that has affected the confidentiality, integrity or availability of personal data. You must report a data breach to ISG as soon as you become aware it has happened.

Data Protection
The process of safeguarding important information from corruption, compromise or loss.

Data Protection Officer
The Data Protection Officer is an independent expert in data protection who is responsible for monitoring an organisation's compliance.

DPIA stands for Data Protection Impact Assessment. A DPIA should be carried out at the start of any new project that involves processing personal data. Completing a DPIA during the design phase of a project can help to identify potential risks which can then be mitigated and reviewed throughout the life of the project and even during updates or changes after the move to Business as Usual. The DPIA is a key tool to ensure we comply with our obligation to consider data protection by design and default.

The GDPR (General Data Protection Regulation) is the legal framework that sets guidelines for the collection and processing of personal information from individuals who live in the European Union (EU). In the UK it sits alongside the Data Protection Act 2018 to form the Data Protection Legislation.

The Information Commissioners Office (ISO) is the independent regulatory office in charge of upholding information rights in the interest of the public in the UK.

Individual rights
The GDPR outlines eight basic rights for data subjects. This includes the right to access (subject access requests) and the right to erasure. You can find out more about these rights and how they apply on the About the GDPR page.

UCL’s Information Security Group (ISG) exists to help both staff and students manage their responsibilities when it comes to looking after their own and UCL’s information. If you discover a data breach, you should report this to ISG.

Joint Controller
Two or more controllers jointly determine the purposes and means of processing.

Lawful/legal basis
A lawful/legal basis for processing personal data must be identified. For much of the processing that takes place in SRS, this will be 'public task'. When processing special category data, a further condition for processing this data must be identified. You can read more about this on the About the GDPR page.

Near Misses
'Near misses' are situations where a personal data breach has been contained without exposing any individuals to a risk of harm. Reporting near misses are important as they may expose a vulnerability within your team’s processes and may prevent a more serious incident from happening.

Personal data
Personal data is any data that can be attributed to a living individual (a data subject). It does not have to include the person’s name if there are other means by which to identify the person.

There are seven principles at the heart of the GDPR. Organisations must follow these principles to be compliant. You can find out more about the seven principles on the About the GDPR page.

Privacy by design and default
Also known as data protection by design and default. It is a legal requirement to consider data protection and privacy issues right from the start and throughout the lifecycle of any processing activities. Completing a DPIA during the design phrase of a project can help to identify potential risks.

When data is pseudonymised, it cannot directly identify an individual without the use of or access to additional information. For example, a student number alone would not identify an individual, but the student number combined with access to SITS could identify an individual. For this reason, pseudonymised data does fall under the scope of the GDPR. .

Processing Data
Processing is any action performed on personal data from the point of creation to destruction. Collecting, sharing, amending, storing and deleting data are all forms of processing.  

The UCL Records Retention Schedule provides guidelines for how long data items should retained before being securely discarded.

Special categories of data
Special category data is any data that relates to an individual’s race; ethnic origin; political opinions; religious or philosophical beliefs; trade union membership; genetic data; biometric data (where this is used for identification purposes); health data; sex life; or sexual orientation. This type of data could pose a risk to a person’s fundamental rights and freedoms, for example, by putting them at risk of unlawful discrimination. Special categories of personal data should be handled with great care and there should be extra security in place.

Subject access request
One of the individual rights defined by the GDPR is the ‘right of access’. This is a data subjects right to access the data that it held about them and is more commonly known as a subject access request.