Data Protection Glossary
Many of the definitions in this glossary are based on the key definitions from the Office of the Information Commissioner and are shown in bold. The full definitions together with further information and useful examples can be found on the key definitions webpage of the Office of the Information Commissioner’s website. Additional information and information specific to BIMM Institute is given as non-bold text.
Data controller means a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed.
In the case of BIMM Institute, the Institute is the Data Controller because it determines the purposes for which, and the manner in which, any personal data are processed or are going to be processed. This includes being responsible for destroying the data when no longer relevant. Individual members of staff or students, who process data on behalf of the Institute, are data users. Personal data should always be processed according to the Data Protection Principles (see below).
Data processor, in relation to personal data, means any person (other than an employee of the data controller) who processes the data on behalf of the data controller.
In the case of BIMM Institute, a data processor is any person or organisation that processes data or disposes of confidential waste on our behalf.
This very often extends to suppliers of software and services that the Institute (the Data Controller) uses.
We are required by law to have certain mandatory terms within our contracts or agreements with these suppliers to govern the responsibilities for data security.
We are also required to perform necessary due diligence on these suppliers to ensure they can protect the data they are processing for us.
Data Protection (DP) Principles
The General Data Protection Regulation (GDPR) 2016 sets out the Data Protection Principles. In summary, these state that personal data should be:
- processed lawfully, fairly and in a transparent manner,
- collected for specified, explicit and legitimate purposes,
- adequate, relevant and limited to what is necessary,
- accurate and where necessary kept up to date,
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which those data are processed, and
- processed in a manner that ensures appropriate security of the personal data.
Accountability is central to GDPR. Data controllers are responsible for compliance with the principles and must be able to demonstrate this to data subjects and the regulator.
Further details are given on the website of the Office of the Information Commissioner.
Data subject means an individual who is the subject of personal data.
In other words, the data subject is the individual whom particular personal data is about. The Act does not count as a data subject an individual who has died or who cannot be identified or distinguished from others.
Data Subject Access Request
Fair Processing Notice (FPN)
Fair processing notices are the “small print” that appears on forms, and are sometimes called privacy statements or collection texts. They are used to inform the person from whom personal data are being collected, the data subject (see below), how their data will be processed.
Guidance from the Office of the Information Commissioner on writing fair processing notices is given here.
Personal data means any information relating to an identifiable person (‘data subject’) who can be directly or indirectly identified in particular by reference to an identifier.
This definition provides for a wide range of personal identifiers to constitute personal data, including name, identification number, location data or online identifiers. Personal data can include any of the below:
- Date of Birth
- Postal Address(es) (to include postcodes)
- Unique Identifiers (to include: Student ID numbers, Staff ID numbers, Passport numbers, NHS numbers, National Insurance numbers, Learner Record Numbers, vehicle registration, driving licence numbers)
- Images of individuals, including CCTV, photos
- Location Data (to include any GPS tracking data)
- Online Identifiers (to include IP address data)
- Economic/financial data (relating to an identifiable individual)
- Educational records including but not limited to records held by the Institute and other education providers
- Pastoral records, including Extenuating Circumstances Forms
- Employment records to include CVs, references
- Mental Health (status, medical records conditions, to include disability)
- Physical Health (status, medical records conditions, to include disability)
- Sexual Orientation/Sexual life
- Genetic Data (to include DNA data)
- Biometric data (such as facial image or fingerprint data)
- Trade Union membership
- Religious or philosophical beliefs
- Criminal Convictions and offences (to include alleged offences and convictions)
The GDPR applies to both automated personal data and to manual filing systems where personal data are accessible according to specific criteria. This could include chronologically ordered sets of manual records containing personal data.
Personal data that has been pseudonymised – e.g. key-coded – can also fall within the scope of the definition of personal data.
See our Privacy information.
‘Processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Recipient, in relation to personal data, means any person to whom the data are disclosed, including any person (such as an employee or agent of the data controller, a data processor or an employee or agent of a data processor) to whom they are disclosed in the course of processing the data for the data controller, but does not include any person to whom disclosure is or may be made as a result of, or with a view to, a particular inquiry by or on behalf of that person made in the exercise of any power conferred by law.
Crime Prevention Exemptions
These are exemptions in the Data Protection Act (2018) that allow an organisation to give out personal data where the disclosure is for one of the “crime and taxation purposes”, as follows:
- The prevention or detection of crime
- The apprehension or prosecution of offenders or
- The assessment or collection of any tax or duty or of any imposition of a similar nature
and complying with the normal provisions of Data Protection Law would be likely to prejudice one of these purposes.
Sensitive Personal Data
Sensitive personal data (or ‘Special Category’ data under the GDPR) means personal data consisting of information as to the Data Subject’s –
(a) racial or ethnic origin,
(b) political opinions,
(c) religious beliefs or philosophical beliefs,
(d) membership of a trade union (within the meaning of the Trade Union and Labour Relations (Consolidation) Act 1992),
(e) genetic data,
(f) biometric data,
(g) data concerning health,
(h) sex life or sexual orientation.
Sensitive Personal data can include any of the below:
- Mental Health (status, medical records conditions, to include disability)
- Physical Health (status, medical records conditions, to include disability)
- Sexual Orientation/Sexual life
- Genetic Data (to include DNA data)
- Biometric data (such as facial image or fingerprint data)
- Trade Union membership
- Religious or philosophical beliefs
Subject Access Request (SAR)
“Subject access” is the right of an individual to access personal data relating to him or her which are held by BIMM Institute.
Your request will be processed by a very limited number of staff within the Privacy team, under the supervision of the Data Protection Officer, who will be required to view all the data you request, including personnel, financial and occupational health records. By submitting a Subject Access Request you are accepting that the Privacy team will need to request and view the data about you in order to assess what can be disclosed. Information of third parties, including staff in some circumstances, may be withheld. All data will be handled securely and in the strictest confidence.
The Privacy team has a duty to establish the identity of the requester. The identification required is usually one document that includes photo identification and a signature, such as a photo driving licence or a passport, plus a current utility bill or bank statement showing your name and address. Requests from internal members of staff may not require this and you will be advised on making your request if this is the case.
The Privacy team will then coordinate the gathering together of the appropriate information. The Institute will comply with SARs as quickly as possible but will ensure that a response is provided within 1 calendar month from receipt of identification unless there is good reason for delay. Data protection laws allow for an extension of up to 2 months for responding to very complex requests. If you are able to describe the data you seek clearly, this is less likely. We may also refuse requests that are deemed manifestly unfounded or excessive and reserve the right to charge a fee. In such cases the reason for refusal, delay, or any fees payable will be explained in writing.
In the case of the BIMM Institute, a subject access request (SAR) should be made to the Data Protection Officer, via the Privacy team – [email protected].
If you require information about examination results please contact the Examinations teams. Examination scripts are exempt from Subject Access rights.
Third party, in relation to personal data, means any person other than –
(a) the data subject,
(b) the data controller, or
(c) any data processor or other person authorised to process data for the data controller or processor.
The expression third party does not include employees or agents of the data controller or data processor, who are treated as being part of the data controller or processor. Note that “third party” is different from “recipient”, which effectively separates employees/agents of the data controller/processor from the data controller/processor itself.