
Here we share short and sweet descriptions of common privacy-related terms and definitions. Note that some of these terms are used or defined differently under various laws or in different countries.
-
Data Backup – A copy of important information or data that is stored separately from the original in case the original is lost, destroyed or otherwise compromised. For example, a backup (or the practice of making backups) may be stored in another or various locations, from physical storage devices or data centers, and/or electronic systems or applications.
-
Consent – In general, consent refers to an individual giving permission to collect or process their information. In data privacy, consent often has to meet specific requirements to be considered valid and acceptable. For example, there may be requirements such as fully informing the individual about how you will process their data (including the purpose), giving them a clear and voluntary choice, and having them expressly or explicitly give permission. How consent is defined or what is required to obtain it can vary by law and by situation (e.g., obtaining consent from an adult individual versus parental consent on behalf of a child). See related term Parental Consent.
-
Cookies – Small pieces of data that may be stored in a user’s device, app or browser to collect data (by tracking a user’s activity or preferences). A common example is Google’s use of cookies or similar technologies: https://policies.google.com/technologies/cookies?hl=en-US.
-
International or Cross-Border Data Transfer – The practice of processing information in another country, meaning in a different country than the original country where that information was initially collected or processed (i.e., processing internationally or across country borders). This includes sharing personal information with an organization located in another country (internally or to third parties), or otherwise storing or processing personal information in another country (including using international data centers or online data storage providers that store information in multiple countries). These types of data processing activities (or data transfers) are often defined in different privacy laws, and legal requirements or expectations can vary by country.
-
Data Access – The process of controlling or restricting which individuals (or users) are allowed to view or use specific data, or the systems that store certain data, such as personal information. See related term Right to Access.
-
Data Breach – Generally, the event of personal information (intentionally or accidentally) being accessed, lost, stolen, or disclosed without authorization or unlawfully. This may be referred to as a data breach, a security incident, or a privacy breach or incident; it is a legal term that is often defined differently under various laws.
-
Data Collection – As part of data processing, this is generally the first step or point where you request and/or receive information. For example, gathering personal information from an individual over the phone or via a form, website, or application to keep or further process. See related term Data Processing.
-
Data Deletion (or Destruction) – The process of removing information from an organization’s records. This can include removal from your digital or electronic records (from a file, system, application, or online storage) or destruction of physical records (such as shredding hard copy documents). As a privacy best practice or requirement, data deletion is completed when personal information is no longer needed or is requested to be deleted. See related term Right to Deletion.
-
Data Protection Agreement – A formal agreement between two or more organizations that outlines data protection or privacy obligations for how personal information will be protected when shared. This may be a separate contractual agreement or included as an appendix to a master service agreement or service/work order.
-
Data Retention – The practice of managing how long you keep or store information. For example, how long certain information is kept until it is deleted, destroyed or otherwise disposed of (such as the commonly used 7-year practice for tax or financial documents). In privacy, this refers to how long personal information is kept before it is deleted or otherwise disposed of, and it is often managed by policies, procedures, retention schedules, or controls that identify or track data, or that automatically delete personal information. As a privacy best practice or requirement, personal information is only kept for as long as it is needed.
-
Data Security (or Security Controls) – These can include administrative, physical or technical measures taken or controls used to protect personal information. In privacy, these include security safeguards protecting personal information from unauthorized access or breaches (such as locked storage, passwords, encryption, etc.).
-
Data Sharing – The practice of providing personal information to third parties or other businesses for specific purposes. This could include sharing by sending the information directly to them or by otherwise providing access to the information stored in your system or application.
-
Data Storage – The method and location where personal information is kept, whether on paper, in computers, or online (e.g., cloud storage).
-
Data Use – As part of data processing, this is how (and how much) personal information is processed by an individual or organization for a general or specific purpose. For example, personal information can be used to view only, used to combine with other information, or used to generate new information. See related term Data Processing.
-
Employee Data (or Employee Information) – In general, records or information collected from or about your employees (including future employees or job applicants, current employees, or terminated/former employees). This could include personal information or otherwise sensitive information such as contact details, resumes, payroll information, benefits information, performance or disciplinary records, etc.
-
Encryption – A method of converting data into a secure format to prevent unauthorized access.
-
Opt-out – The ability for an individual to request that their personal information not be used for a specific purpose (like marketing) or not be processed at all (either before or after their information is collected).
-
Opt-in – The ability for an individual to agree or permit the collection or use of their information, generally before it is processed.
-
Parental Consent – Obtaining permission from a parent or guardian to collect personal information from or about a child or minor (generally under 18 years old). How consent is defined and the requirements for obtaining it are often defined under a specific law.
-
Personal Information (or Personal Data) – In general, this includes any information that can identify an individual (i.e., a natural person). Note that this term can be defined very broadly, from information that more clearly identifies a person by itself (such as names, addresses, email addresses, phone numbers, or more sensitive information such as date of birth, driver’s license, social security number or national ID, passport number) to other information that can identify a person more indirectly (such as location data, online identifiers/cookies, or other factors). For example: (i) in the US under the California Consumer Privacy Act (CCPA), personal information includes “any data that identifies, relates to, or could reasonably be linked to you or your household, directly or indirectly”, or (ii) in the EU under the General Data Protection Regulation (GDPR), personal data includes “any information relating to an identified or identifiable natural person (...) one who can be identified, directly or indirectly.”
-
Privacy Notice (often referred to as Privacy Policy) – An external document, disclosure or statement shared with individuals explaining an organization’s best practices for how it collects, uses, stores, and protects personal information.
-
Privacy Policy – An internal document that establishes an organization’s requirements, standards and/or best practices for handling personal information processed by the organization and for complying with privacy laws.
-
Privacy Training – Guidance or instruction provided to employees on how to handle personal information. This generally focuses on how to process personal information securely and lawfully, and aligned with an organization’s internal policies, procedures and requirements. The methods of training can vary.
-
Data Processing – Any operation performed on data (e.g., collecting, storing, using, sharing). In this context, it refers in particular to the processing of personal information.
-
Pseudonymization – A type of de-identification of data, meaning a process to make personal information no longer able to identify an individual. Specifically, it is a technique that replaces personal identifiers with artificial identifiers (pseudonyms) to protect individual privacy.
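An added example (not part of this glossary) of the replace-identifiers-with-pseudonyms step described above: a keyed HMAC maps each name or email to a consistent token, non-identifying fields are left intact, and the token-to-identifier lookup table is returned separately so it can be stored under stricter access control than the pseudonymized records. The records, field names and key are constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample records (not real people) and the fields treated as identifiers.
RECORDS = [
    {"name": "Alice Example", "email": "alice@example.com", "order_total": 42.50},
    {"name": "Bob Example", "email": "bob@example.com", "order_total": 19.99},
    {"name": "Alice Example", "email": "alice@example.com", "order_total": 7.00},
]
IDENTIFIER_FIELDS = ("name", "email")

# Constructed demo key; in practice this secret lives apart from the data.
DEMO_KEY = b"constructed-demo-key-keep-secret"


def make_pseudonym(key: bytes, value: str) -> str:
    """Keyed HMAC-SHA256 of the normalized identifier.

    The same identifier always yields the same token (so records about one
    person can still be linked), but without the key a token can be neither
    recomputed from a guessed identifier nor reversed.
    """
    normalized = value.strip().lower().encode("utf-8")
    return hmac.new(key, normalized, hashlib.sha256).hexdigest()[:16]


def pseudonymize(records, key: bytes):
    """Return (pseudonymized records, lookup table token -> original value).

    The lookup table is what makes re-identification possible, so it must be
    kept separately from the pseudonymized dataset.
    """
    output, lookup = [], {}
    for record in records:
        copy = dict(record)
        for field in IDENTIFIER_FIELDS:
            if field in copy:
                token = make_pseudonym(key, copy[field])
                lookup.setdefault(token, copy[field])
                copy[field] = token
        output.append(copy)
    return output, lookup


def reidentify(record: dict, lookup: dict) -> dict:
    """Restore original identifiers using the separately held lookup table."""
    return {k: lookup.get(v, v) for k, v in record.items()}
```

Because whoever holds the key or the lookup table can re-identify the records, pseudonymized data is still treated as personal data under the GDPR and should be protected accordingly.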
-
Purpose of Data Collection (or Processing) – The reason why a business collects personal information, such as for processing orders or providing services.
-
Right to Access – The right for individuals to see the personal information a business holds about them. This is not a general or absolute right or available in all countries, but rather a right that is generally only available and defined under a specific law or as a constitutional/fundamental right.
-
Right to Correct (or Correction) – The ability for individuals to ask a business to correct inaccurate or outdated personal information. This is not a general or absolute right or available in all countries, but rather a right that is generally only available and defined under a specific law or as a constitutional/fundamental right.
-
Right to Deletion (or Erasure or to be Forgotten) – The right for individuals to request the deletion of their personal information, often under certain conditions. This is not a general or absolute right or available in all countries, but rather a right that is generally only available and defined under a specific law or as a constitutional/fundamental right. As a privacy best practice or requirement, deletion is completed when personal information is no longer needed or an individual has exercised their right (or even simply requested) it to be deleted.
-
Risk Assessment – The process of identifying potential risks to your business by evaluating your business (including operations, systems, and documentation) to identify risks and the measures to mitigate them. A risk assessment could have a broad scope or a more limited scope, such as a privacy risk assessment (to evaluate your handling of personal information or general privacy compliance) or a security risk assessment (to evaluate your security program or controls).
-
Third Parties – These include organizations or individuals outside of your organization that handle information for your organization, including your vendors or third-party service providers. This includes collecting, processing or storing information as directed by you or on your behalf. Under some laws, third-party types are defined terms, such as service providers.