The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

This glossary is a quick reference for key terms and abbreviations. It includes links to further reading and other resources which may provide useful context and more detailed information.

Please note, this glossary is not a substitute for reading the data sharing code, the ICO’s guidance, and associated legislation.

Accountability principle This requires organisations to be responsible for their own compliance with the UK GDPR or DPA 2018, as appropriate, and to demonstrate that compliance.
Anonymisation

The UK GDPR refers to ‘Anonymous information’; information that does not relate to an individual, and is therefore is no longer ‘personal data’ and is not subject to the obligations of the UK GDPR.

In order to determine whether data is anonymised you should take into account all the means reasonably likely to be used by a third party to directly or indirectly identify an individual. Please check the ICO website for the most up to date guidance.

Appropriate policy document An appropriate policy document is a short document outlining your compliance measures and retention policies for special category data. The DPA 2018 says you must have one in place for almost all of the substantial public interest conditions (and also for the employment, social security and social protection condition), as a specific accountability and documentation measure.
Competent authority A public authority to which Part 3 of the DPA 2018 applies. Competent authorities are defined as those listed in schedule 7 of the DPA 2018, and any other organisation or person with statutory law enforcement functions. For more information, see our Guide to Law Enforcement Processing.
Consent A freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by clear affirmative action, signifies agreement to the processing of personal data. For more information, see our guidance on consent.
Controller The person (usually an organisation) who decides how and why to process data. For more information, see our guidance on controllers and processors.
Data protection by design and default A legal obligation requiring organisations to put in place appropriate technical and organisational measures to implement the data protection principles in an effective manner and safeguard individual rights.
Data sharing Although there is no formal definition of data sharing, the scope of the data sharing code is defined by section 121 of the DPA 2018 as “the disclosure of personal data by transmission, dissemination or otherwise making it available”.
Data sharing agreements / protocols These may be known by different names, but all set out the arrangements and a common set of rules to be adopted by the organisations involved in data sharing.
Data subject The identified or identifiable living individual to whom personal data relates.
DEA The Digital Economy Act 2017.
DPA; the DPA 2018 The Data Protection Act 2018, which sits alongside the UK GDPR and sets out the framework for data protection in the UK. For more information, see our guidance: About the DPA 2018.
DPIA Data Protection Impact Assessment. This is a process to help you identify and minimise the data protection risks of a project. You must do a DPIA for processing that is likely to result in a high risk to individuals. For more information, see our guidance on DPIAs.
DPO Data protection officer.
EDPB European Data Protection Board (formerly the Article 29 Working Party). This is the independent body established by the EU GDPR to ensure consistency within the EU on interpreting the law and taking regulatory action. EDPB guidelines are no longer directly relevant to the UK regime and are not binding under the UK regime. However, they may still provide helpful guidance on certain issues.
Exemptions The UK GDPR and the DPA 2018 set out exemptions and qualifications to some rights and obligations in some circumstances. For more details, please see our guidance on exemptions and the Guide to Law Enforcement Processing.
Freedom of information legislation In the UK the main legislation is: Freedom of Information Act 2000 (FOIA), Freedom of Information (Scotland) Act 2002 (FOISA), Environmental Information Regulations 2004 (EIR) and the Environmental Information (Scotland) Regulations 2004.
GDPR

The General Data Protection Regulation (EU) 2016/679 (EU GDPR). Since the UK left the EU, this has been incorporated into UK data protection law as the UK GDPR, which sits alongside the DPA 2018. The EU GDPR may still apply to you if you operate in the European Economic Area (EEA), or monitor the behaviour of individuals in the EEA. For more information, see our guidance Data protection after the end of the transition period and the Guide to Data Protection.

Information Sharing Agreement (ISA) Another name for a data sharing agreement. 
Joint controllers Where two or more controllers jointly determine the purposes and means of processing. For more information, see our guidance on controllers and processors.
Law enforcement purposes For Part 3 of the DPA 2018, the purposes of the prevention, investigation, detection, or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security. For more information, see our Guide to Law Enforcement Processing.
Part 2 DPA 2018 This supplements and tailors the UK GDPR for general data processing. For more information, see our guidance About the DPA 2018.
Part 3 DPA 2018 This sets out a separate regime for law enforcement authorities with law enforcement functions (competent authorities) when they are processing data for law enforcement purposes. For more information, see our guidance About the DPA 2018.
Part 4 DPA 2018 This sets out a separate regime for processing, as specified in Part 4, by an intelligence service or by processors acting on their behalf. An intelligence service for the purpose of Part 4 means the Security Service (MI5), the Secret Intelligence Service (commonly known as MI6), and GCHQ.
Personal data Any information relating to an identified or identifiable natural person (‘data subject’). For more information, see our guidance on What is personal data?
Privacy information The information that organisations need to provide to individual data subjects about the collection and use of their data. For general data processing, this is specified in Articles 13 and 14 of the UK GDPR. For more details, see our guidance on the Right to be informed. For Law Enforcement Processing under Part 3 of the DPA 2018, the provisions are contained in section 44 of the DPA 2018. For more information on that, see the Guide to Law Enforcement Processing: The right to be informed.
Processing In relation to personal data, this means any operation or set of operations which is performed on it. This includes collecting, storing, recording, using, amending, analysing, disclosing or deleting it.
Processor  A person (usually an organisation) who processes personal data on behalf of a controller. For more information, see the our guidance on controllers and processors.
Pseudonymisation Data which has undergone pseudonymisation is defined in the UK GDPR as data that can no longer be attributed to a data subject without the use of additional information. You must ensure that the additional information is kept separately, and that appropriate technical and organisational controls are in place to ensure that re-identification of an individual is not possible. Please check the ICO website for the most up to date guidance.
Publication scheme For public authorities covered by FOIA and FOISA,  you must publish certain information proactively in a publication scheme. Guidance is available on the websites of the Information Commissioner and the Scottish Information Commissioner, respectively.
Sensitive processing This term is used in Part 3 of the DPA 2018 in relation to law enforcement processing. It is defined in section 35(8) of the DPA 2018 as:
(a) the processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership;
(b) the processing of genetic data, or of biometric data, for the purpose of uniquely identifying an individual;
(c) the processing of data concerning health; or
(d) the processing of data concerning an individual’s sex life or sexual orientation.
This type of data processing needs greater protection. For more information, see the Guide to Law Enforcement Processing.
Special category data This term is used about general data processing under the UK GDPR and Part 2 of the DPA 2018. It is defined in Article 9.1 of the UK GDPR as personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation. The processing of this type of data needs greater protection. For more information, see our guidance on Special category data.
UK GDPR The UK version of the EU GDPR, as amended and incorporated into UK law from the end of the transition period by the European Union (Withdrawal) Act 2018 and associated Exit Regulations. The government has published a Keeling Schedule for the UK GDPR which shows the planned amendments.
WP29 Article 29 Working Party (now the European Data Protection Board).