Skip to main content


Term Definition
Anonymisation The process of rendering data into a form which does not identify individuals and where identification is not likely to take place.
Advanced Persistent Threat (APT) A form of cyber attack that uses advanced tools and techniques to achieve and maintain compromise of a system or environment. These are typically available only to the most sophisticated groups, such as state actors.
British Standard 31111 (BS 31111) A British standard providing guidance on cyber risk and resilience for executive management.
Center for Internet Security A non-profit organisation that promotes Internet security, offering a number of frameworks and standards.
Center for Internet Security Controls A list of 20 cybersecurity controls recommended as best practice by the Center for Internet Security.
Commercially Valuable Information Information assets with commercial value to the institution or which could expose the institution if inappropriately disclosed. Examples include financial projections and business plans, intellectual property, press releases under embargo, some third party contracts, projected student numbers.
CONFIDENTIAL (COMMERCIAL) Classification applied to Commercially Valuable Information, as per the University's Information Security Classification Scheme.
CONFIDENTIAL (PERSONAL) Classification applied to Personal Data, as per the University's Information Security Classification Scheme.
Confidential Information Generic term covering both CONFIDENTIAL (PERSONAL) and CONFIDENTIAL (COMMERCIAL) University information. See the University's Information Security Classification Scheme.
Cyber Essentials A scheme run by the UK National Cyber Security Centre that demonstrates an organisation has controls in place to protect against the most common threats.
Data Controller The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
Data Processor A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
Data Protection Act 2018 (DPA 2018) The UK's Data Protection Act 2018, which supports and should be read in conjunction with the EU General Data Protection Legislation (GDPR).
Data Protection Impact Assessment (DPIA) A method of identifying and addressing privacy risks in compliance with the GDPR requirements.
Data Protection Officer (DPO)

A role within the University responsible for enabling compliance with data protection legislation and playing a key role in fostering a data protection culture within the University and helps implement essential elements of data protection legislation, such as:

  • The principles of data processing
  • Data subjects rights
  • Data protection by design and by default
  • Records of processing activities
  • Security of processing
  • Notification and communication of data breaches.
Data Sharing Agreement A legal contract outlining the information that parties agree to share and the terms under which the sharing will take place.
Durham University / The University The legal entity that is Durham University.
Employee A full-time or part-time, permanent or temporary, paid officer of the University, whether directly or indirectly engaged.
General Data Protection Regulation (GDPR) The Regulation (EU) 2016/679 (General Data Protection Regulation), enforceable as of 25 May 2018 in all Member States to harmonize data privacy laws across Europe.
Generally Accepted Recordkeeping Principles® (GARP)

The Principles® constitute a widely leveraged global standard that identifies the critical hallmarks and a high-level framework of good practices for records management, records and information management (RIM), and information management programs. Published by ARMA International in 2009 and updated in 2017, the Principles are grounded in practical experience and based on extensive consideration and analysis of legal doctrine and information theory. They are meant to provide organizations with a standard of conduct for governing information and guidelines by which to judge that conduct.

Government Communications Headquarters (GCHQ) The UK intelligence agency.
Hactivists Individuals who use cyber attack techniques to promote a political or ethical position.
Information Asset Owner (IAO) A member of staff that has overall responsibility for an information asset.
Information Asset Register An Information Asset Register documents the types of information held by an organisation with the purpose of helping it to understand and manage its information assets (e.g. identify duplication, increase business efiiciency and manage risks).
Information Commissioner's Office (ICO) The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
Information Governance Oversight Group (IGOG)

A Group, reporting to University Executive Committee, that oversees the Information Governance Framework, Records and Information Management, Information Security, Data Protection and Freedom of Information across Durham University. The purpose of the Group is to support University Strategy by helping the University to identify its information assets, requirements, risks and responsibilities; promoting efficient, effective and economic lifecycle records and information management across all media and formats to meet operational and legal requirements; seeking to reduce overall risk for the University through good information governance; and proactively engaging with University communities.

Information Security Management System (ISMS) A set of policies, procedures and technologies to manage the risks associated with information security.
Classification applied to routine University business information not normally intended for public consumption, but the release of which would be of no detriment to the University. as per the University's Information Security Classification Scheme.
International Standard 27001 (ISO 27001)

An international standard for implementing an ISMS.

Major Information Asset

One of a defined group of large information assets held by the University:

  • Student Information
  • Staff Information
  • Alumni and Supporters Information
  • Research Information
  • Financial Information.
(UK) National Cyber Security Centre (NCSC) A wing of GCHQ tasked with promoting and maintaining cyber security in the UK.
Personal Data Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Processing Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Pseudonymisation The processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
PUBLIC Classification applied to information that the University actively places in the external domain, as per the University's Information Security Classification Scheme.
Publication Scheme A scheme relating to the publication of information in accordance with the Freedom of Information Act 2000, and a commitment to making certain classses of information routinely available, such as policies, minutes of meetings and annual reports.
Request for Information A request for information made to a public authority, pursuant to section 1(1) of the FOI Act 2000 and/or Regulation 5 of the Environmental Information Regulations 2004.
Restricted Information Generic term covering University Information that has not been classified as PUBLIC. See the University's Information Security Classification Scheme.
Script Kiddies

Individuals who attempt to compromise IT systems using widely available tools that exploit the most obvious vulnerabilities. Typically they have minimal cyber security skills beyond the use of those tools.

Senior Information Risk Owner (SIRO)

University Executive Committee member with overall responsibility for:

  • The Information Governance Policy, sub-policies and information governance framework
  • Providing independent senior board-level accountability and assurance that information risks are addressed
  • Ensuring that information risks are treated as a priority for business outcomes
  • Playing a vital role in getting the institution to recognise the value of its information, enabling its optimal effective use.
Special Categories of Personal Data (previously 'Sensitive Personal Data') Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, and genetic data, biometric data processed for the purpose of uniquely identifying a natural person, or data concerning health, a natural person's sex life or sexual orientation. Personal data relating to criminal convictions and offences are not included, but similar extra safeguards apply to their processing.
State Actors Individuals or groups acting on behalf of a national government.
Student Any person admitted to the University under Section II of the General Regulations and any other person registered as a member of the University for the purpose of full-time, part-time or occasional study, including those paying a continuation fee.

Super Information Asset Owner (SIAO)

University Executive Committee member with overall responsibility for the coordination of the management and handling of one of a defined group of major information assets across the University.
UK Data Protection Legislation The EU General Data Protection Regulation (GDPR) and UK Data Protection Act 2018.
University Information Any data and information created or received by an employee in the performance of their duties for the University.