Appropriate policy document


Biometric data

Personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a human being, which allow or confirm the unique identification of that person, such as facial images or fingerprints.

Consent of the data subject

Any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.


The person, company, public authority (i.e. the Chief Executive), agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

Criminal conviction and offence data

Personal data relating to criminal allegations, criminal proceedings, criminal convictions, or related security measures.

Data Protection Act

The current UK legislation governing data protection. This is currently the Data Protection Act 2018.

Data subject

An individual who is the subject of personal data.

Filing system

Any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis.

Genetic data

Personal data relating to the inherited or acquired genetic characteristics of a human being which give unique information about the physiology or the health of that person and which result, in particular, from an analysis of a biological sample from the person in question.

Information Commissioner (ICO)

The Information Commissioner is the UK's independent body responsible for monitoring the Data Protection Act.

Personal data

Any information relating to an identified or identifiable human being ('data subject'). An identifiable human being is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (user ID or cookie) or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that human being.

Personal data includes, but is not limited to, an individual's:

  • name
  • address
  • telephone numbers
  • identification numbers, such as payroll number, service number or National Insurance number
  • recordings, photographs or reproductions of a person’s voice, likeness or image
  • bank account numbers
  • medical records, attendance and sickness records
  • online identifiers (e.g. username)

A person’s favourite football team, job title, etc. are not typically personal data.

Special categories of personal data

This includes personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, and the processing of genetic data, biometric data for the purposes of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.

Personal data breach

A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.


Privacy can be defined in several ways, including 'the right to be left alone'. The term also covers freedom from unauthorised access to information deemed personal or confidential and freedom from being observed, monitored, or examined without consent or knowledge. Invasion of privacy can involve intrusion on a person’s physical solitude or seclusion, public disclosure of private facts, publicly placing someone in a false light or appropriating a person’s name or likeness for your own advantage (e.g. identity theft).


Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.


A person, company, public authority, agency or other body which processes personal data on behalf of the controller.


Any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a human being, in particular to analyse or predict aspects concerning that person’s performance at work, economic situation, health, personal preferences, interest, reliability, behaviour, location or movements.


The processing of personal data in such a manner that the personal data can be no longer attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable human being.


A person, company, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not.

Restriction of processing

The marking of stored personal data with the aim of limiting their processing in the future.

Third party

A person, company, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.