Data protection: terminology


This page provides readers with the definitions of words and phrases that appear in our Data Protection policy, our procedures and our web-pages.

The University

All references to the University in this policy mean the Heriot-Watt University Group.


The definition of information includes, but is not confined to, paper and electronic documents and records, email, voicemail, still and moving images and sound recordings, biometric or genetic data, the spoken word, data stored on computers or tapes, transmitted across networks, printed out or written on paper, carried on portable devices, sent by post, courier or fax, posted onto intranet or internet sites or communicated using social media.

Personal data

Information in any format that relates to an identified or identifiable living person. An identifiable living person is someone who can be identified directly or indirectly from an identifier such as a name, an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.

Although the GDPR and the UK Data Protection Act 2018 apply only to living people, the scope of this policy also includes information about deceased individuals. This is because disclosure of information about the deceased may still be in breach of confidence or otherwise cause damage and distress to living relatives and loved ones.

Special categories of personal data

Special categories of Personal Data (formerly known as sensitive personal data) (as defined in Articles 9 and 10 of the GDPR) are personal data relating to an identifiable person’s

  1. racial or ethnic origin;
  2. political opinions;
  3. religious or philosophical beliefs;
  4. membership of a trade union;
  5. physical or mental health or condition;
  6. sexual life or sexual orientation;
  7. proven or alleged offences, including any legal proceedings and their outcome
  8. genetic or biometric data when processed to identify that individual

In addition, the University definition of High Risk Confidential Information includes the following personal data:

IT user passwords

Any other information that would cause significant damage or distress to an individual it was disclosed without their consent, such as bank account and financial information, marks or grades.

Data protection law

Relevant privacy legislation includes but is not confined to European Union General Data Protection Regulation 2016/679 (GDPR); the UK GDPR and Data Protection Act, 2018; UK Privacy and Electronic Communications Regulations; the Malaysia Personal Data Protection Act, 2010, and equivalent legislation in other jurisdictions in which the University operates.

Data controller

An organisation which determines the purposes for which personal data is processed and is legally accountable for the personal data that it collects and uses or contracts with others to process on its behalf.

Data processor

In relation to personal data, any person (other than an employee of the data controller) who processes the data on behalf of the data controller.

Data subject

A living person whose personal data is held by the University or any other organisation.

Natural person

A living person/an individual - not a 'legal person' i.e. a company or other legal entity.

Processing (also referred to as data processing)

Any operation performed on personal data, such as collecting, creating, recording, structuring, organising, storing, retrieving, accessing, using, seeing, sharing, communicating, disclosing, altering, adapting, updating, combining, erasing, destroying or deleting personal data, or restricting access or changes to personal data or preventing destruction of the data.

Confidential information

The definition of confidential information can be summarised as:

  • Any personal information that would cause damage or distress to individuals if disclosed without their consent 
  • Any other Information that would prejudice the University's or another party’s interests if it were disclosed without authorisation

More details can be found in our information security classification scheme.

Information Security Management System (ISMS)

'That part of the overall management system based on a business risk approach to establish, implement operate, monitor, review, maintain and improve information security. The management system includes organisational structure, policies, planning activities, responsibilities, practices, procedures, processes and resources.' - BS ISO/IEC 27001: Information Security


Irreversible removal of personal identifiers from information so that the data subject is no longer identifiable. Anonymised information therefore no longer falls within the definition of personal data.


The processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable person. Pseudonymised data is therefore re-identifiable and falls within the definition of personal data.


Any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a person, in particular to analyse or predict aspects concerning their  performance at work or studies, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.

Restriction of processing

The marking of stored personal data with the aim of limiting their processing in the future.

Records of Processing Activities

Detailed records of the personal data processing activities that a Data Controller or Processor is required to maintain and make available under the GDPR.

Substantial public interest conditions

The UK Data Protection Act 2018 Schedule 1 defines conditions for processing special categories of personal data about criminal offences.  Those that potentially apply in the University context are more fully outlined in the pdf downloadable version of this policy.

Supervisory authority

An independent public authority established by the UK or another state to regulate compliance with data protection law by Data Controllers and Processors and take enforcement action in the case of non-compliance. In the UK the supervisory authority is the Information Commissioner’s Office (ICO).