We use cookies to ensure that we give you the best experience on our website. You can change your cookie settings at any time. Otherwise, we'll assume you're OK to continue.

Durham University

Information Governance


Term Definition Notes
Anonymisation The process of rendering data into a form which does not identify individuals and where identification is not likely to take place.
Commercially Valuable Information Information assets with commercial value to the institution or which could expose the institution if inappropriately disclosed. Examples include financial projections and business plans, intellectual property, press releases under embargo, some third party contracts, projected student numbers.
CONFIDENTIAL (COMMERCIAL) Classification applied to Commercially Valuable Information, as per the University's Information Security Classification Scheme.
CONFIDENTIAL (PERSONAL) Classification applied to Personal Data, as per the University's Information Security Classification Scheme.
Confidential Information Generic term covering both CONFIDENTIAL (PERSONAL) and CONFIDENTIAL (COMMERCIAL) University information. See the University's Information Security Classification Scheme.
Data Controller The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
Data Processor A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
Data Protection Act (DPA) The UK's Data Protection Act 2018, which supports and must be read in conjunction with the EU General Data Protection Legislation (GDPR).
Data Protection Impact Assessment (DPIA) A method of identifying and addressing privacy risks in compliance with the GDPR requirements.
Data Protection Legislation The EU General Data Protection Regulation (GDPR) and UK Data Protection Act 2018.
Data Protection Officer (DPO)

A role within the University responsible for enabling compliance with data protection legislation and playing a key role in fostering a data protection culture within the University and helps implement essential elements of data protection legislation, such as:

  • The principles of data processing
  • Data subjects rights
  • Data protection by design and by default
  • Records of processing activities
  • Security of processing
  • Notification and communication of data breaches.
University Secretary
Data Sharing Agreement A legal contract outlining the information that parties agree to share and the terms under which the sharing will take place.
Durham University / The University The legal entity that is Durham University.
Employee A full-time or part-time, permanent or temporary, paid officer of the University, whether directly or indirectly engaged.
GDPR (General Data Protection Regulation) The Regulation (EU) 2016/679 (General Data Protection Regulation), enforceable as of 25 May 2018 in all Member States to harmonize data privacy laws across Europe.
Information Asset Owner A member of staff that has overall responsibility for an information asset.
Classification applied to routine University business information not normally intended for public consumption, but the release of which would be of no detriment to the University. as per the University's Information Security Classification Scheme.
Major Information Asset

One of a defined group of large information assets held by the University:

  • Student Information
  • Staff Information
  • Alumni and Supporters Information
  • Research Information
  • Financial Information.
Personal Data Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Processing Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Pseudonymisation The processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
PUBLIC Classification applied to information that the University actively places in the external domain, as per the University's Information Security Classification Scheme.
Publication Scheme A scheme relating to the publication of information in accordance with the Freedom of Information Act 2000, and a commitment to making certain classses of information routinely available, such as policies, minutes of meetings and annual reports.
Request for Information A request for information made to a public authority, pursuant to section 1(1) of the FOI Act 2000 and/or Regulation 5 of the Environmental Information Regulations 2004.
Restricted Information Generic term covering University Information that has not been classified as PUBLIC. See the University's Information Security Classification Scheme.
Senior Information Risk Owner (SIRO)

University Executive Committee member with overall responsibility for:

  • The Information Governance Policy, sub-policies and information governance framework
  • Providing independent senior board-level accountability and assurance that information risks are addressed
  • Ensuring that information risks are treated as a priority for business outcomes
  • Playing a vital role in getting the institution to recognise the value of its information, enabling its optimal effective use.
Chief Operating Officer
Special Categories of Personal Data (previously 'Sensitive Personal Data') Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, and genetic data, biometric data processed for the purpose of uniquely identifying a natural person, or data concerning health, a natural person's sex life or sexual orientation. Personal data relating to criminal convictions and offences are not included, but similar extra safeguards apply to their processing.
Student Any person admitted to the University under Section II of the General Regulations and any other person registered as a member of the University for the purpose of full-time, part-time or occasional study, including those paying a continuation fee.

Super Information Asset Owner

University Executive Committee member with overall responsibility for the coordination of the management and handling of one of a defined group of major information assets across the University.
University Information Any data and information created or received by an employee in the performance of their duties for the University.