Data Protection and Cyber Security Glossary

The following definitions and explanations aim to help provide a better understanding of key terms used in data protection and cyber security documents. 

 

Access control: A means of implementing controls so that the people who have been given access to all or part of a data record have been approved to do so.  Different controls are in place for data access or sharing.

 

Aggregated data: Data about several individuals that has been combined to show general trends or values without identifying individuals within the data.

 

Anonymisation: The process of rendering data into a form which does not identify individuals either directly or indirectly, and where identification is not likely to take place by any means reasonably likely to be used (linkage and publicly available data). If re-identification of the data is possible without considerable effort or skill, it must instead be treated as pseudonymised data.

 

Antivirus: Software that is designed to detect, stop and remove viruses and other kinds of malicious software.

 

Attacker: Malicious actor who seeks to exploit computer systems with the intent to change, destroy, steal or disable their information, and then exploit the information.

 

Audit trail: An audit trail (or log) records anyone who has viewed or changed a record, why and when they did so and what changes they made.

 

Botnet: A network of devices, connected to the Internet, used to commit coordinated cyber attacks without their owner’s knowledge.

 

Breach: Any unauthorised access to, loss or theft of information or data.

 

Brute force attack: A malicious and aggressive attack on computer systems.

 

Bring your own device (BYOD): An organisation’s strategy or policy that allows employees to use their own personal devices for work purposes. Known as Bring your own technology (BYOT) at The University of Manchester.

 

Certificate: A form of digital identity for a computer, user or organisation to allow the authentication and secure exchange of information.

 

Credentials: A user’s authentication information used to verify identity – typically one or more of a password, token or certificate.

 

Cloud: Where shared compute and storage resources are accessed as a service (whether hosted locally or externally). Resources can include infrastructure, platform or software services.

 

Common Law: The law derived from decisions of the courts and case law, rather than Acts of Parliament or other legislation.  For example, the common law duty of confidentiality which applies to data about both living and dead people.

 

Confidential data or information: Any data or information obtained by a person on the understanding that they will not disclose it to others, or obtained in circumstances where it is expected that they will not disclose it.

 

Confidentiality: Ensuring that information is only made available or disclosed to authorised individuals, or organisations.

 

Consent: Under GDPR, consent is something that must be freely given, specific, informed and unambiguous; it must be given by a clear affirmative action by an individual.

 

Cyber attack: Malicious attempts to damage, disrupt or gain unauthorised access to computer systems, networks or devices, via digital means.

 

Cyber Essentials: Cyber Essentials is a UK Government-backed scheme to help organisations self-certify and protect themselves against a range of the most common cyber attacks.

 

Cyber Essentials Plus: Cyber Essentials Plus is a UK Government-backed scheme to help organisations independently certify themselves against a range of the most common cyber attacks.

 

Cyber security: The protection of devices, services and networks — and the information on them — from theft or damage.

 

Data (Research): The evidence that underpins the answer to the research question and can be used to validate findings regardless of its form (e.g. digital, print or physical). This might be quantitative information or qualitative statements collected by researchers in the course of their work by experimentation, observation, modelling, interview or other methods, or information derived from existing evidence. Research data may take the form of numbers, symbols, text, images or sounds, including computer code, annotated fieldwork observations, or a descriptive record of a physical sample.

 

Data Controller: The public authority, agency or other body, in our case The University of Manchester, which, alone or jointly with others, determines the purposes and means of the processing of personal data.

 

Data destruction: Using electronic or physical destruction methods to securely erase or remove data that is stored on tapes, hard disks and other forms of electronic media so that it is completely unreadable and cannot be accessed or used for unauthorised purposes. Can also be referred to as data shredding.

 

Data Processor: A processor is anyone who is not an employee of the University but who processes personal data on the University’s behalf, e.g. couriers, cleaning contractors, recruitment agencies, storage and hosting companies, waste disposal firms. The University must hold a contract with any third party who processes personal data on its behalf.

 

Data Subject: An identifiable living person who has certain rights under GDPR and the Data Protection Act (2018).

 

Data Protection Act (2018): Data protection legislation for the UK which governs the handling and protection of personal data relating to living people. It includes specific rights for individuals, such as rights to access and correct what data is held about them.

 

Data Protection Impact Assessment (DPIA): DPIA is a risk assessment process and a legal requirement for controllers of any high risk data processing. Its aim is to balance the proposed data processing and the rights of individuals in the Data Protection Act.

 

Data Protection Officer (DPO): An independent officer responsible for advising an organisation on how to ensure they comply with GDPR and the Data Protection Act 2018, and meeting the individual’s rights. The DPO is the key contact point between the organisation and the supervisory authority.

 

Data sharing: The disclosure of data from one or more organisations to another organisation or organisations, or the sending of data between different parts of a single organisation.

 

Data Sharing Contracts and Agreements: Documents that outline the common set of rules to be adopted by the various organisations involved in data sharing.  A data sharing contract establishes the rules that will apply to the processing of any data by partner organisations.  This includes collaboration contracts, MoUs, data processing agreements.

 

De-personalised data: This is information that does not identify an individual, because identifiers or identifiable data have been scrambled or removed from the non-identifiable information about the person it relates to. However, the information is still about an individual person and so needs to be protected. It might, in theory, be possible to re-identify the individual if the data was not adequately protected, for example if it was combined with different sources of information.

 

Digital footprint: A trail of digital information that a user’s online activity leaves behind.

 

Data footprint: The touchpoints of a dataset on different systems or storage devices.

 

Duty of Confidentiality: A duty of confidentiality (or confidence) arises when one person discloses information to another in circumstances where it is reasonable to expect that the information will be held in confidence. It is a legal obligation that is derived from common law or within professional codes of conduct.

 

Encryption: A mathematical function used to encode information that protects information by making it unreadable by everyone except those with the key to decode it.

 

Encryption key: A random string of bits generated specifically to scramble and unscramble data. Encryption keys are created with algorithms designed to ensure that each key is unique and unpredictable.

 

Firewall: Hardware or software which uses a defined rule set to constrain network traffic to prevent unauthorised access to or from a network.

 

Freedom of Information Act (2000): This places a legal responsibility on public bodies to publish information about their activities and also to provide information (but not personal data) in response to a written request from a member of the public.

 

General Data Protection Regulation (GDPR): The General Data Protection Regulation 2016/679 is a regulation in EU law on data protection and privacy for all individuals within the European Union and the European Economic Area. It also addresses the export of personal data outside the EU and EEA areas and all personal data processed by organisations established in the EU.

 

Identifier: An item of data which, by itself or in combination with other data, enables an individual to be identified, e.g. a code or fictitious name.

 

Incident: An attempt to gain unauthorised access to a system and/or data; unauthorised use of systems for the processing or storing of data; changes to a system without the system owner’s consent; malicious disruption. It could also include accidental disclosure of information.

 

Independent audit: An audit conducted by an external and therefore independent auditor to provide greater public assurance.

 

Information governance: How an organisation manages the way that any data is handled. It covers the policy and legal requirements that organisations need to meet to ensure that data is handled legally, securely, efficiently, effectively and in a manner which maintains public trust.

 

Information governance officer: A staff member specifically appointed to provide advice, guidance and governance in relation to data protection, information security, records management and freedom of information.

 

Information Commissioner’s Office (ICO): The Information Commissioner’s Office in the UK is a non-departmental public body that reports directly to Parliament and is sponsored by the Department for Digital, Culture, Media and Sport. It upholds information rights, regulates Data Protection, Freedom of Information and has a number of additional regulatory and legislative duties.

Information security: Protecting data and information systems from unauthorised access, use, disclosure, disruption, modification or destruction.

 

Insider risks: The potential for damage to be done maliciously or inadvertently by a legitimate user with privileged access to systems, networks or data.

 

Internet of things (IoT): Refers to the ability of everyday objects (rather than computers and devices) to connect to the Internet. Examples include kettles, fridges and televisions.

 

Legal/authorised signatory: A person who has been authorised to sign documents by an organisation, and as such is given the power to sign the organisation to an agreement that is binding.

 

Linkage: The merging of information or data from two or more sources, with the object of combining facts concerning an individual or an event, which are not available in any separate record.

 

Malware: Malicious software – a term that includes viruses, trojans, worms or any code or content that could have an adverse impact on organisations or individuals.

 

Mitigation: Steps that organisations and individuals can take to minimise and address risks.

 

Metadata: Data that provides information about other data. Metadata makes data more findable, understandable, and reusable. Types of metadata include:

  • descriptive metadata for finding and understanding a resource;
  • administrative metadata:
    • technical metadata for decoding and rendering files;
    • preservation metadata for long term management of a resource;
    • rights metadata for intellectual property rights attached to a resource;
  • structural metadata which describes the relationships of parts of resources to one another.

 

Patching: Applying updates to firmware or software to improve security and/or enhance functionality.

 

Pen test: Short for penetration test. An authorised test of a computer network or system designed to look for security weaknesses so that they can be fixed.

 

Personal data: The General Data Protection Regulation applies to personal data about an identified or identifiable natural person. Personal data is information where an individual is the main focus and it is of biographical significance. This includes opinions about them and other people’s intentions towards them. All computerised personal data falls within data protection law, such as: computer files, databases, email, CCTV, pictures, web pages, photographs. All manual personal data is included too, such as: paper files, card index. It is worth assuming that all information about a living individual is personal data.

 

Phishing: Untargeted, mass emails sent to many people asking for sensitive information (such as bank details) or encouraging them to visit a fake website.

 

Platform: The basic hardware (device) and software (operating system) on which applications can be run.

 

Processing: Processing is any action taken with personal data and is very widely defined, e.g. the collection, use, disclosure, recording, destruction and holding of data.

 

Pseudonymisation: The process of distinguishing individuals in a data set by using a unique identifier, which does not reveal their ‘real world’ identity.

 

Pseudonymisation key: A unique identifier (sometimes created by scrambling an actual identifier), which does not itself reveal an individual’s ‘real world’ identity but distinguishes between different individuals in a data set.

 

Ransomware: Malicious software that makes data or systems unusable until the victim makes a payment.

 

Re-identification: The process of analysing data or combining it with other data which results in individuals becoming identifiable.

 

Software as a service (SaaS): Describes a business model where consumers access centrally-hosted software applications over the Internet.

 

Social engineering: Manipulating people into carrying out specific actions, or divulging information, that’s of use to an attacker.

 

Special category personal data: Some personal data is classed as special category personal data. This type of data is subject to further regulations and can only be processed under certain circumstances. Personal data becomes special category if it includes any of the following types of information about an identified or identifiable natural person: racial or ethnic origin; political opinions; religious or similar philosophical beliefs; trade union membership; genetic data; biometric data; health data; sexual life; sexual orientation; criminal offences and convictions.

 

Supervisory authority: An organisation that regulates data protection in all countries that have implemented the GDPR. The supervisory authority makes sure that any organisation processing personal data upholds data subject rights and complies with the GDPR. In the UK this authority is the Information Commissioner.