D

Data at rest

Describes data in persistent storage such as hard disks, removable media or backups.

Describes data in persistent storage such as hard disks, removable media or backups.

Data Controller

See Controller.

See Controller.

Data flow mapping

Process of documenting the flow of information from one physical location to another and the method by which it 'flows'.…

Process of documenting the flow of information from one physical location to another and the method by which it 'flows'. Data flows may be by email, fax, post , courier, text or portable electronic or removable media. With the help of data flow mapping, it is possible to assess the risks of operations involving the movement of data.

Data in motion

Describes data in transit between sites as opposed to 'Data at rest'.
Describes data in transit between sites as opposed to 'Data at rest'.

Data Processor

Under the GDPR, a 'processor', also known as a 'data processor' is "... a natural or legal person, public authority,…

Under the GDPR, a 'processor', also known as a 'data processor' is "... a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller."

This processing must take place under a legally binding contract or data processing agreement. A data processor does not decide the puprposes for which or by which data is processed, but may make decision as to how it is processed technically. While the data controller bears the main responsibility for any processing of personal data they undertake, the GDPR imposed increased responsibilities on data processors, especially in the areas of cyber security and reporting.

Data Protection Act, 2018

The UK law that superseded the 1998 Act and currently incorporates the provisions of the GDPR (qv). In the government's…

The UK law that superseded the 1998 Act and currently incorporates the provisions of the GDPR (qv).

In the government's words, the Act

  • makes (UK) data protection laws fit for the digital age in which an ever increasing amount of data is being processed
  • empowers people to take control of their data
  • supports UK businesses and organisations through the change
  • ensures that the UK is prepared for the future after we leave the EU

The Act is a complete data protection system, so as well as governing general data covered by the GDPR, it covers all other general data, law enforcement data and national security data. Furthermore, the Act exercises a number of agreed modifications to the GDPR to make it work for the benefit of the UK in areas such as academic research, financial services and child protection.

Data protection by default and design

Article 25 of the GDPR requires data controllers to put in place appropriate technical and organisational measures to implement the…

Article 25 of the GDPR requires data controllers to put in place appropriate technical and organisational measures to implement the data protection principles and safeguard individual rights. This is 'data protection by design and by default'.

Data Protection Impact Assessment (DPIA)

Under Articles 35 and 36 of the DPIA is an assessment that a data controller may need to complete before…

Under Articles 35 and 36 of the DPIA is an assessment that a data controller may need to complete before processing personal data.

A DPIA is mandatory where the processing

  • in particular using new technologies, is likely to result in a high risk to the rights and freedoms of natural persons
  • involves systematic profiling
  • involves large scalke processing of special categories of data or personal data relating to criminal convictions and offences
  • involves the systematic monitoring of a publicly accessible area on a large scale

Data controllers may undertake DPIAs on a voluntary basis as part of their 'Data Protection by Design and Default' process and to reduce risk.

 

Data quality

The requirement that data is accurate, up-to-date where relevant, free from duplication, and free from confusion e.g. where different data…

The requirement that data is accurate, up-to-date where relevant, free from duplication, and free from confusion e.g. where different data are held in different places, possibly in different formats.

Data Security & Protection Toolkit

The DS&P Toolkit is an online NHS self-assessment assurance tool that allows organisations to measure their performance against the National…

The DS&P Toolkit is an online NHS self-assessment assurance tool that allows organisations to measure their performance against the National Data Guardian’s 10 data security standards.

All organisations with access to NHS patient data and systems must use this toolkit to provide assurance that they are practising good data security and that personal information is handled correctly

Data Sharing Agreement

Agreement for one party to share personal data with another.  Usually under the umbrella of an overall tiered data saharing…

Agreement for one party to share personal data with another.  Usually under the umbrella of an overall tiered data saharing protocol (qv).

It is a common mistake to confuse Data Sharing with the relationship between Data Controller and Data Processor, which is not Data Sharing and involves a legally binding contract or data processing agreement.

Data sharing protocol

Umbrella arrangement for data sharing between two or more data controlling organisations. The organisations will also have more specific data…

Umbrella arrangement for data sharing between two or more data controlling organisations. The organisations will also have more specific data sharing agreements (qv) in place.

Data subject

The term data subject as defined in accordance with the GDPR definition of 'personal data' means an identified or identifiable…

The term data subject as defined in accordance with the GDPR definition of 'personal data' means an identified or identifiable natural person who can be identified, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to his/her physical, physiological, genetic, mental, economic, cultural or social identity.

Data Subject Access (DSA)

See 'right of access' under the GDPR.

See 'right of access' under the GDPR.

Decryption

The process of decoding data that has been encrypted into a secret format. Decryption requires a secret key or password.

The process of decoding data that has been encrypted into a secret format. Decryption requires a secret key or password.

Denial of Service (DoS)

An attack that denies legitimate users access to computer services (or resources), usually by overloading the service with requests.

An attack that denies legitimate users access to computer services (or resources), usually by overloading the service with requests.

Denylist(ing)

Prohibiting connections or applications in order to protect systems from potential harm. The opposite of allowlist or allowlisting q.v. Note:…

Prohibiting connections or applications in order to protect systems from potential harm.

The opposite of allowlist or allowlisting q.v.

Note: This is a replacement for blacklist and blacklisting.  Using 'black' and 'white' to show approval status is now regarded as pejorative.  The NCSC has stopped using terms based on colour and other organisations should also deprecate and avoid them.

Dictionary attack

A type of brute force attack in which the attacker uses known dictionary words, phrases or common passwords as their…

A type of brute force attack in which the attacker uses known dictionary words, phrases or common passwords as their guesses.

Digital asset

A digital asset is anything that exists in a binary format and comes with the right to use. Data that…

A digital asset is anything that exists in a binary format and comes with the right to use. Data that do not possess that right are not considered assets.

Digital assets include, but are not exclusive to, digital documents, audible content, motion pictures, and other relevant digital data that are currently in circulation or are, or will be stored on digital appliances such as: personal computers, laptops, portable media players, tablets, storage devices, telecommunication devices, and any apparatuses which are, or will be in existence as technology progresses.

Digital footprint

A 'footprint' of digital information that a user's online activity leaves behind.

A 'footprint' of digital information that a user's online activity leaves behind.