Explaining the language around data protection
| Term | Description | Example |
|---|---|---|
| Data subject | The person that the data relates to. | John Smith the pupil. Jane Smith the teacher. |
| Data item | A single piece of information about a data subject. | “Ethnicity = white British” “Attendance = 97%” |
| Data item group | A group of data items that are typically captured about the same activity or business process in school. These are also sometimes called data elements or data scope within the data community/sharing agreements schools have with suppliers. | Behaviour management, or catering. |
| System | A piece of software, computer package or manually managed asset that supports the administration of one or more areas of school life. | Capita SIMS, ParentPay, MyMaths. |
| System group | An umbrella term to describe the areas of school administration where systems that contain personal level data typically reside. | Core MIS, payments, curriculum tools. |
| Personal data | Information relating to a natural identifiable person, whether directly or indirectly | John Smith was born on 01/01/1990. The head teacher’s salary is £60,000 |
| Special category data | These are highly sensitive pieces of information about people. They are important because under GDPR they are afforded extra protection in terms of the reasons you need to have to access and process that information. | Tightly defined as data relating to racial or ethnic origin, political opinions, religious or philosophical beliefs, health, trade-union membership, and health or sex life. Data relating to criminal offences is also afforded similar special protection. In education, it would also be best practice to treat things like FSM, SEN, and CIN/CLA status as special category data. |
| (Data) Controller | The organisation who (either alone or in common with other people) determine the purpose for which, and the manner in which data are processed. | A school is often the data controller, sometimes a joint controller with the LA or DfE. |
| (Data) Processor | A person or organisation who process data on behalf of and on the orders of a controller. | A catering supplier the school uses. |
| Data audit/data asset register | The assessment of data and its quality, for a specific purpose. Other terms you might hear are data map or information asset log. In this context, we simply want the list of personal data assets that we hold, from which we can go on to place further important information alongside. | |
| Lawful basis and conditions for processing | These are the specific reasons, set out in law, for which you can process personal data. There is one list for personal data (lawful basis article 6) and another list for processing special category data (article 9). | “The processing is necessary for administering justice, or for exercising statutory or governmental functions.” Read the full list. |
| Data retention | How long you will hold information for to do the processing job you need it for. At the end of a data retention period, processes should be in place to ensure it is properly disposed of. | “We keep parent’s phone numbers until 1 month after they leave the school in case of any issues that need resolving (for example, payment or repayment of lunch money) and then it is deleted.” |
| Privacy notice | This is a document that explains to the people you have data about (“data subjects”) the data items you hold, what they are used for, who it is passed onto and why, and what rights they have. | DfE publish model privacy notices |
Subject Access Request (SAR) | This is where a person (data subject), requests access to the information you hold about them. Timescales for responding, as well as reasons why you must comply or may refuse, as set out in law. A Subject Access Request is often used to describe “tell me all my data you hold”. | “I want to know the attendance data you hold about my son” |
| Data Protection Impact Assessment (DPIA) | This is a process to consider the implications of some change you are introducing on the privacy of individuals. Assessing privacy at the outset helps you plan consultation/awareness/consent type options from the outset. “Privacy by design” is a term that is used in this space. | You would undertake one of these if introducing a new system to use fingerprinting within catering provision. |
| Data breach | A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes. It also means that a breach is more than just about losing personal data. | Sending a list of pupil names, attainment marks and dates of births to the wrong school. |
| Automated decision making/profiling | This is when machines/software apply rules to data and determine something about someone based on purely applying those rules. Typically it is the significance of the decision which drives the caution and concern here. | “Anyone recorded as attendance >99% will get a voucher for X” |