Glossary

Identifiable - information which contains personal details that identify individuals such as name, address, email address, NHS Number, full postcode, date of birth.

Pseudonymised - individual level information where individuals can be distinguished by using a coded reference, which does not reveal their ‘real world’ identity

Anonymised - data which is about you but from which you cannot be personally identified.

Aggregated – grouped information about individuals that has been combined to show general trends or values without identifying individuals

Data Protection Act – UK legislation introduced in 2018 in conjunction with the EU GDPR which expands on areas specifically excluded from EU GDPR (e.g. Law Enforcement). This Act repealed the UK Data Protection Act 1998.

UK General Data Protection Regulation (UK GDPR) – Legislation on data protection which replicates the EU GDPR post BREXIT and underpins the Data Protection Act 2018.

Data Controller – natural or legal person, public body, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

Data Processor – natural or legal person, public authority, agency or other body which processes personal data on behalf of the data controller.

Personal data – any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Special Category (Sensitive) data - categories of personal data for which special safeguards are required by law. This includes records relating to health, sex life, race, ethnicity, political opinions, trade union membership, religion, genetics and biometrics.

Processing – any operation or set of operations which is performed on personal data or on sets of personal data whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Data Protection Officer – Under UK GDPR all Public Authorities must appoint a Data Protection Officer. The role of this person, who must be an expert in Data Protection Law is:

Monitor CCG compliance with the UK GDPR

• Provide advice and assistance with regards to the completion of Data Protection Impact Assessments
• Act as a contact point for the Information Commissioners Office (ICO), members of the public and CCG staff on matters relating to UK GDPR and the protection of personal information
• Assist in implementing essential elements of the UK GDPR such as the principles of data processing, data subjects’ rights, privacy impact assessments, records of processing activities, security of processing and notification and communication of data breaches

Primary Care - Primary care settings include GP Practices, pharmacists, dentists and some specialised services such as military health services.

Secondary Care - Secondary care settings include local hospitals, rehabilitative care, urgent and emergency care (including out of hours and NHS 111), community and mental health services.

Caldicott Guardian – a senior person responsible for protecting the confidentiality of patient and service-user information and enabling appropriate information sharing. Each NHS and Social Care organisation is required to have a Caldicott Guardian.

Senior Information Risk Owner (SIRO) – an executive or member of the Senior Management Board of an organisation with overall responsibility for information risk across the organisation.

Right of Access Requests – The right a data subject has from the controller for confirmation as to whether or not personal data concerning him or her are being processed and, where that is the case, access to the personal data and further information about the processing.