Describes data in persistent storage such as hard disks, removable media or backups.
Process of documenting the flow of information from one physical location to another and the method by which it 'flows'. Data flows may be by email, fax, post, courier, text or portable electronic or removable media. With the help of data flow mapping, it is possible to assess the risks of operations involving the movement of data.
Under the GDPR, a 'processor', also known as a 'data processor' is "... a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller."
This processing must take place under a legally binding contract or data processing agreement. A data processor does not decide the purposes for which or by which data is processed, but may make decisions as to how it is processed technically. While the data controller bears the main responsibility for any processing of personal data they undertake, the GDPR imposed increased responsibilities on data processors, especially in the areas of cyber security and reporting.
The UK law that superseded the 1998 Act and currently incorporates the provisions of the GDPR (qv).
In the government's words, the Act
- makes (UK) data protection laws fit for the digital age in which an ever increasing amount of data is being processed
- empowers people to take control of their data
- supports UK businesses and organisations through the change
- ensures that the UK is prepared for the future after we leave the EU
The Act is a complete data protection system, so as well as governing general data covered by the GDPR, it covers all other general data, law enforcement data and national security data. Furthermore, the Act exercises a number of agreed modifications to the GDPR to make it work for the benefit of the UK in areas such as academic research, financial services and child protection.
Article 25 of the GDPR requires data controllers to put in place appropriate technical and organisational measures to implement the data protection principles and safeguard individual rights. This is 'data protection by design and by default'.
Under Articles 35 and 36 of the GDPR, a DPIA is an assessment that a data controller may need to complete before processing personal data.
A DPIA is mandatory where the processing
- in particular using new technologies, is likely to result in a high risk to the rights and freedoms of natural persons
- involves systematic profiling
- involves large-scale processing of special categories of data or personal data relating to criminal convictions and offences
- involves the systematic monitoring of a publicly accessible area on a large scale
Data controllers may undertake DPIAs on a voluntary basis as part of their 'Data Protection by Design and Default' process and to reduce risk.
The requirement that data is accurate, up-to-date where relevant, free from duplication, and free from confusion e.g. where different data are held in different places, possibly in different formats.
The DS&P Toolkit is an online NHS self-assessment assurance tool that allows organisations to measure their performance against the National Data Guardian’s 10 data security standards.
All organisations with access to NHS patient data and systems must use this toolkit to provide assurance that they are practising good data security and that personal information is handled correctly.
Agreement for one party to share personal data with another. Usually under the umbrella of an overall tiered data sharing protocol (qv).
It is a common mistake to confuse Data Sharing with the relationship between Data Controller and Data Processor, which is not Data Sharing and involves a legally binding contract or data processing agreement.
Umbrella arrangement for data sharing between two or more data controlling organisations. The organisations will also have more specific data sharing agreements (qv) in place.
The term data subject as defined in accordance with the GDPR definition of 'personal data' means an identified or identifiable natural person who can be identified, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to his/her physical, physiological, genetic, mental, economic, cultural or social identity.
See 'right of access' under the GDPR.
The process of decoding data that has been encrypted into a secret format. Decryption requires a secret key or password.
An attack that denies legitimate users access to computer services (or resources), usually by overloading the service with requests.
Prohibiting connections or applications in order to protect systems from potential harm.
The opposite of allowlist or allowlisting (qv).
Note: This is a replacement for blacklist and blacklisting. Using 'black' and 'white' to show approval status is now regarded as pejorative. The NCSC has stopped using terms based on colour and other organisations should also deprecate and avoid them.
A type of brute force attack in which the attacker uses known dictionary words, phrases or common passwords as their guesses.
A digital asset is anything that exists in a binary format and comes with the right to use. Data that do not possess that right are not considered assets.
Digital assets include, but are not exclusive to, digital documents, audible content, motion pictures, and other relevant digital data that are currently in circulation or are, or will be stored on digital appliances such as: personal computers, laptops, portable media players, tablets, storage devices, telecommunication devices, and any apparatuses which are, or will be in existence as technology progresses.
A 'footprint' of digital information that a user's online activity leaves behind.