
Appendix 1: Glossary


A

Accountability

Accountability is one of the data protection principles: it makes the controller responsible for complying with the UK GDPR and able to demonstrate compliance.


Application Programming Interfaces (APIs)

The defined interface through which one software application requests data or services from another. An API specifies the calls, message formats and responses the two sides agree on, so that the applications can exchange information without either needing to know how the other is built.


B

Biometric data

Personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person which allow or confirm the unique identification of that natural person, such as facial images or fingerprint data.


Breach

A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. See Personal data breach.


C

Caldicott Guardian

A senior person in an organisation responsible for protecting the confidentiality of patient information and enabling appropriate information sharing by providing advice to professionals and staff.


Clinical Safety Officers (CSOs)

Appointed to oversee the clinical risk assessment of a health IT product. They should be a clinician with a current professional registration.


Commissioning

Commissioning is essentially buying care in line with available resources to ensure that services meet the needs of the population. The process of commissioning includes assessing the needs of the population, selecting service providers and ensuring that these services are safe, effective, people-centred and of high quality. Commissioners are responsible for commissioning services.


Common law

Laws that are based on court or tribunal decisions which govern future decisions on similar cases.


Common Law Duty of Confidentiality (CLDC)

This arises when one person discloses information to another, for example, patient to clinician, in circumstances where it is reasonable to expect that the information will be held in confidence. It:

  1. is a legal obligation that is derived from common law;
  2. is a requirement established either within professional codes of conduct and/or that must be included within relevant employment contracts. It is also linked to disciplinary procedures through both these requirements.

It would also apply where confidential information is received or obtained from another organisation as the data subject would have a reasonable expectation that any recipient would hold it in confidence.


Confidential Patient Information (CPI) or patient information

Defined in Section 251 (10) of the National Health Service Act 2006, patient information means:

(a) information, however recorded, which relates to the physical or mental health or condition of an individual, to the diagnosis of his condition or to his care or treatment, and

(b) information, however recorded, which is to any extent derived, directly or indirectly, from such information, whether or not the identity of the individual in question is ascertainable from the information.

Section 251 (11) states:

For the purposes of this section, patient information is “CPI” where:

(a) the identity of the individual in question is ascertainable:

(i) from that information, or

(ii) from that information and other information which is in the possession of, or is likely to come into the possession of, the person processing that information, and

(b) that information was obtained or generated by a person who, in the circumstances, owed an obligation of confidence to that individual.


Consent

Consent can be used for a number of different purposes, offering individuals real choice and control. When using consent, organisations need to be clear on why they are getting consent (for example to satisfy confidentiality, medico-legal reasons, or for processing data). Explicit consent requires a positive opt-in and must be evidential. The UK GDPR sets a high standard for consent. Often consent is not the appropriate UK GDPR legal basis for processing health and care data, and another lawful basis can be found. However, consent may still be required to meet the CLDC.


Controller

The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.


Cyber threat

The possibility of a malicious attempt to damage or disrupt a computer network or system.


D

Data breach notification

A duty on all organisations to report certain types of personal data breach to the relevant supervisory authority. The supervisory authority in the UK is the Information Commissioner's Office.


Data Protection Act (DPA) 2018

The DPA 2018 supplements the UK GDPR and sets out how it applies in the UK. It also transposes the EU Law Enforcement Directive into UK law.


Data Protection Impact Assessment (DPIA)

A DPIA is a process to help identify and minimise the data protection risks of a project. Under UK GDPR, a DPIA is required for processing that is likely to result in a high risk to individuals.


Data Protection Officer (DPO)

An independent expert in data protection who helps monitor internal compliance, informs and advises on data obligations including Data Protection Impact Assessments and acts as a point of contact for data subjects and the Information Commissioner's Office.


Data security

Protecting data and information systems from unauthorised access, use, disclosure, disruption, modification or destruction.


Data Sharing Agreement (DSA)

A DSA sets out a common set of rules to be adopted by the various organisations involved in a data sharing operation. These could well form part of a contract between organisations. It is good practice to have a DSA in place, and to review it regularly, particularly where information is to be shared on a large scale, or on a regular basis.


Data subject

An identified or identifiable natural person.


Duty of transparency

The UK GDPR principle of accountability requires that organisations must be able to demonstrate compliance. Part of this involves transparency and the provision of information to data subjects, previously referred to as fair processing.

A specific requirement of the UK GDPR is that organisations must state their lawful basis for processing in the information they provide to patients, service users and staff.


E

Explicit consent

Explicit consent requires a very clear and specific statement of consent. It is unmistakable. It can be given in writing or verbally, or conveyed through another form of communication such as signing. Whilst explicit consent is not required for direct care purposes, it may still be required to comply with other statutory requirements (such as the Gender Recognition Act 2004).


G

Genetic data

Personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question.


H

Human Rights Act 1998

The Human Rights Act 1998 sets out the fundamental rights and freedoms that everyone in the UK is entitled to. It incorporates the rights set out in the European Convention on Human Rights (ECHR) into domestic British law.


I

Implied consent

Only applies in the context of care provided to individuals (or actions that lead to the provision of care). Implied consent refers to instances where the consent of the individual patient can be implied, without them having to make any positive indication of their wishes, such as giving their verbal agreement for a specific aspect of sharing information to proceed.

An example of implied consent would be doctors and nurses sharing CPI during handovers without asking for the patient’s consent. Alternatively, a physiotherapist may access the record of a patient who has already accepted a referral before a face-to-face consultation.

To use implied consent, organisations must inform patients or service users of how their information may be used when providing services. Typically, this could be included in patient or service user information leaflets about a service, or as transparency information on their website about how the organisation uses personal and health and care data.


Individual care

Has the same meaning as Direct Care. Both definitions below are taken from “Information: To Share or not to Share? The IG Review 2013”.

  1. A clinical, social or public health activity concerned with the prevention, investigation and treatment of illness and the alleviation of suffering of individuals. It includes supporting individuals’ ability to function and improve their participation in life and society. It includes the assurance of safe and high quality care and treatment through local audit, the management of untoward or adverse incidents, person satisfaction including measurement of outcomes undertaken by one or more registered and regulated health or social care professionals and their team with whom the individual has a legitimate relationship for their care.  
  2. Direct care is provided by health and social care staff working in care teams, which may include doctors, nurses and a wide range of staff on regulated professional registers, including social workers. Relevant information should be shared with them when they have a legitimate relationship with the patient or service user.

Information asset register

A register of what information you hold. It is a way of helping understand any risks so that an organisation can protect the information.


Information Commissioner's Office (ICO)

The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.


Information Governance (IG)

The term used to describe how organisations and individuals manage and handle data within the health and social care system in England. In practical terms, IG is about managing and sharing information appropriately. There is a body of legislation that protects personal information and any information shared inappropriately could mean a fine for the organisation or even prison for an individual.


Integrated Care Boards (ICBs)

ICBs have replaced Clinical Commissioning Groups (CCGs) and have taken on many of the responsibilities that CCGs used to have. ICBs also carry out several functions that were previously carried out nationally by NHS England. They facilitate closer and more integrated care delivery between local NHS organisations in their area.


J

Joint controller agreement

Joint controllers are not required to have a contract but must have a transparent arrangement that sets out their agreed roles and responsibilities for complying with the UK GDPR.


Joint controllers or joint controllership

Where two or more controllers jointly determine the purposes and means of processing. Joint controllers are not required to have a contract but must have a transparent arrangement that sets out agreed roles and responsibilities for complying with the UK GDPR.


L

Lawful basis

One of the conditions set out in Article 6 of the UK GDPR, at least one of which must apply for any processing of personal data to be lawful. The principle of accountability requires you to be able to demonstrate that you are complying with the UK GDPR, and have appropriate policies and processes. This means that you need to be able to show that you have properly considered which lawful basis applies to each processing purpose and can justify your decision.


Legal entity

A lawful or legally standing association, corporation, partnership, proprietorship, trust or individual which has legal capacity to (1) enter into agreements or contracts, (2) assume obligations, (3) incur and pay debts, (4) sue and be sued in its own right, and (5) be accountable for illegal activities.


Legal obligation

An obligation or duty that is enforced by a court of law.


Legal powers

Legal powers set out in statute.


Local Health and Care Record (LHCR)

A LHCR is a grouping of health and care organisations within a geographical boundary. Now referred to as ShCRs.


N

National Data Guardian (NDG)

The NDG advises and challenges the health and care system to help ensure that citizens’ confidential information is safeguarded securely and used properly.


Natural person

A living human being with certain rights and responsibilities under law.


NHS England Data Security and Protection toolkit (DSPT)

The DSPT replaces the NHS IG toolkit as an online self-assessment tool that enables health and social care organisations, commissioners, IT suppliers and other relevant third parties to determine how securely the organisation manages their data.


P

Participating organisation

Participating organisations are those statutory organisations or other legal entities signed up to a ShCR DSA or other organisations contracted by a statutory organisation, which could be a private sector or 3rd sector organisation.


Permission to view

This is where you ask the patient or service user before viewing the record. This can be overridden in certain circumstances, for example, in an emergency where the patient is unconscious.


Personal data

Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.


Personal data breach

A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.


Processing

Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.


Processor

A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.


Publication scheme

The Freedom of Information Act 2000 provides the public access to official information held by public authorities. It requires every public authority to have a publication scheme, approved by the Information Commissioner’s Office (ICO), and to publish information covered by the scheme.

A publication scheme is a guide to the official information an organisation holds and routinely makes available such as who they are and what they do, how they spend their money.


R

Reasonable expectations

What a reasonable person would expect to happen, given the circumstances and information available to them. This is important to consider when relying on implied consent.


Records of Processing Activity (RoPA)

Article 30 of the UK GDPR states that each controller shall maintain a record of the processing activities under its responsibility. The Article details what the record must contain.


Risk register

DPIAs require an assessment of risks and of the measures that mitigate them. A risk register is a tool which supports this by formally capturing each risk, its nature, its owner and the mitigation applied to it.


Role based access controls (RBAC)

Access to data is dependent on the role of the person, for instance, a receptionist would see different information to a consultant.
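The entry above, together with "Permission to view" earlier in this glossary, describes a mechanism rather than a rule of law, so an added worked example (not code from the original page or from any NHS system) shows how the two fit together in practice: access is denied by default, each role is mapped to the record fields it may read, clinical fields are released only when the patient has given permission to view, and the emergency override is allowed but recorded. The roles, field names, sample record and audit structure are all constructed for illustration.

```python
"""Role based access control over a shared care record, with an audited
emergency override for "permission to view".

Constructed example: the roles, field names, sample record and audit log
format are illustrative and do not describe any real system's configuration.
"""
from dataclasses import dataclass

# Constructed sample record. Values are placeholders, not real patient data.
SAMPLE_RECORD = {
    "patient_id": "P-0001",
    "name": "Example Patient",
    "date_of_birth": "1970-01-01",
    "next_appointment": "2025-03-03 09:30",
    "diagnoses": ["type 2 diabetes"],
    "medications": ["metformin"],
    "clinical_notes": "Routine review; no change to treatment.",
}

# Fields that form the clinical part of the record and so sit behind
# "permission to view" (assumed split, for illustration only).
CLINICAL_FIELDS = {"diagnoses", "medications", "clinical_notes"}

# Each role is mapped to the set of fields it may read.
# Anything not listed here is denied: there is no default "allow".
ROLE_PERMISSIONS = {
    "receptionist": {"patient_id", "name", "date_of_birth", "next_appointment"},
    "consultant": {"patient_id", "name", "date_of_birth", "next_appointment"}
    | CLINICAL_FIELDS,
}


@dataclass
class AccessContext:
    """Who is asking, in what role, and on what basis."""
    user: str
    role: str
    permission_to_view: bool = False   # the patient was asked before viewing
    emergency: bool = False            # override, e.g. patient is unconscious
    reason: str = ""                   # required whenever emergency is used


# In a real deployment this would be a write-once, externally stored log;
# here it is an in-memory list so the example runs stand-alone.
AUDIT_LOG = []


def _audit(ctx, decision, detail):
    AUDIT_LOG.append({"user": ctx.user, "role": ctx.role,
                      "decision": decision, "detail": detail})


def view_record(record, ctx):
    """Return the subset of `record` that `ctx.role` is allowed to see.

    Raises PermissionError for an unknown role, and for any role whose
    permitted fields include clinical data when the patient has not given
    permission to view, unless an emergency override with a stated reason
    is supplied. Every decision, including overrides, is written to the
    audit log before any data is returned.
    """
    allowed = ROLE_PERMISSIONS.get(ctx.role)
    if allowed is None:
        _audit(ctx, "denied", "unknown role")
        raise PermissionError(f"unknown role {ctx.role!r}")

    needs_permission = bool(allowed & CLINICAL_FIELDS)
    if needs_permission and not ctx.permission_to_view:
        if ctx.emergency and ctx.reason:
            # Break-glass: access goes ahead but is recorded for later review.
            _audit(ctx, "override", ctx.reason)
        else:
            _audit(ctx, "denied", "no permission to view and no valid override")
            raise PermissionError("permission to view is required")
    else:
        _audit(ctx, "allowed", "")

    # Field-level filtering: only the role's permitted fields leave this function.
    return {key: value for key, value in record.items() if key in allowed}


def overrides(log=AUDIT_LOG):
    """Entries that a Caldicott Guardian or IG lead would want to review."""
    return [entry for entry in log if entry["decision"] == "override"]


if __name__ == "__main__":
    print(view_record(SAMPLE_RECORD, AccessContext("r.smith", "receptionist")))
    print(view_record(SAMPLE_RECORD, AccessContext("dr.jones", "consultant",
                                                   permission_to_view=True)))
    print(view_record(SAMPLE_RECORD, AccessContext("dr.jones", "consultant",
                                                   emergency=True,
                                                   reason="unconscious on arrival")))
    print(overrides())
```

Two design choices carry the weight here. Permissions are expressed as an allow-list of fields per role, so adding a new field to the record does not silently expose it to every role; and the emergency path never bypasses logging, so the override remains visible to whoever is responsible for reviewing access after the event.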


S

Service level agreement (SLA)

An agreement negotiated between two parties where one is the customer and the other the service provider. The SLA records a common understanding about services, priorities, responsibilities, guarantees and warranties. SLAs can be binding contracts but are often used by public sector bodies to set out their relationship in a given project without the intention to create legal relations.


Shared Care Record (ShCR) Exemplar

A ShCR is a grouping of health and care organisations within a geographical boundary.


Special category data

Personal data which the UK GDPR says is more sensitive, and so needs more protection. Such data includes health, genetic, and biometric data.


Statutory functions

Functions that an organisation is legally required to carry out, as set out in Acts of Parliament.


Subject access request (SAR)

Under the UK GDPR, individuals have a right of access to their personal data. A request made under this right is commonly referred to as a SAR.


T

Third party

A natural or legal person, public authority, agency or body other than the data subject, the controller or the processor. A third party that processes personal data in its own right becomes a controller for that processing.


Threat

Any circumstance or event with the potential to adversely impact an asset through unauthorised access, destruction, disclosure, modification of data and/or denial of service.


Transparency information

Information provided to individuals about the collection and use of their personal data. This must include purposes for processing their personal data, retention periods for that personal data, and who it will be shared with. This must be provided at the time personal data is collected or as soon as practically possible after the collection. This used to be called a privacy notice.


U

UK General Data Protection Regulation (UK GDPR)

The UK's retained version of the EU General Data Protection Regulation (adopted in 2016 and applicable from May 2018), incorporated into UK law from 1 January 2021 following the UK's exit from the EU. It forms the core of the UK data protection regime, alongside the Data Protection Act 2018.


V

Vital interests

Necessary to protect an interest which is essential for the life of the data subject or that of another natural person.