This glossary is a quick reference for key terms and abbreviations used in this guidance. It includes links to further reading and other resources that may give you useful context and more detail.
Please note, this glossary is not a substitute for reading this guidance, the ICO’s other guidance and associated legislation.
Anonymised
The UK GDPR refers to ‘anonymous information’; information that is not about anyone, and is therefore is no longer ‘personal data’ and is not subject to the obligations of the UK GDPR.
In order to determine whether data is anonymised, you should consider all the means that a third party may reasonably use to directly or indirectly identify someone. Please check the ICO website for the most recent guidance.
DPA 2018
Data Protection Act 2018. This sits alongside the UK GDPR and sets out the framework for data protection in the UK. See our guidance about the DPA 2018 for more information.
Just-in-time notices
Relevant and focused privacy information delivered at the time you collect individual pieces of information about people.
Layering
A layered approach - short notices containing key privacy information that have additional layers of more detailed information.
Personal information (or personal data)
Defined in UK GDPR Article 4(1) as “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.
For more information, see our guidance on what is personal information?
PET
Privacy-enhancing Technologies – A broad range of technologies that are designed for supporting privacy and data protection.
For more information, see our guidance on privacy-enhancing technologies.
PPIE
Patient and public involvement and engagement
Pseudonymised
Data which has undergone pseudonymisation is defined in the UK GDPR as data that can no longer be attributed to a data subject without the use of additional information. You must ensure that the additional information is kept separately, and that appropriate technical and organisational controls are in place to ensure that re-identification of an individual is not possible. Please check the ICO website for the most up to date guidance.
SDE
Secure Data Environment – A secure data and research analysis platform. Part of the NHS Research SDE Network. It gives approved researchers with approved projects secure access to NHS healthcare data.
Special category data
Defined in UK GDPR as “personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation”.
For more information, see our guidance on special category data.
UK GDPR
The United Kingdom General Data Protection Regulation. This sets out the framework for data protection in the UK along with the DPA 2018.
Using (Processing)
Processing is defined in UK GDPR as “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction”.