v2026.1714 entries · CC-BY 4.0
CASRAI

Data privacy & protection

Answer-first explainers of data-privacy concepts and roles — PII, PHI, personal data, controllers and processors, DPIAs and data-subject rights — written as neutral definitions, never legal advice.

Definition

Personally identifiable information (PII)

PII (personally identifiable information) is any data that can identify a specific individual, either directly through identifiers such as a name or a government-issued identification number, or indirectly when several attributes that are harmless on their own (a date of birth, a postal code, a gender) are combined or linked with other data sets. The term originates in US guidance, notably NIST SP 800-122, and frames much of US privacy practice. The indirect case matters in practice: stripping names alone does not make a data set anonymous.

Definition

De-identification

De-identification is the process of removing or obscuring identifying details so that data can no longer reasonably be linked to a specific individual. Under the US HIPAA Privacy Rule it is achieved by one of two recognised methods: Safe Harbor, which removes 18 defined classes of identifiers (names, contact details, all date elements except the year, full ZIP codes, record and account numbers, device and network identifiers, biometrics and full-face photographs) and additionally requires that the entity has no actual knowledge the remaining data could identify the individual; and Expert Determination, where a qualified expert documents that the risk of re-identification is very small. Health data that passes neither test remains PHI.
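The two definitions above (indirect identification through combined attributes, and Safe Harbor de-identification) are easier to reason about with a concrete pass over data. The following Python is an added example, not code from the CASRAI page and not HHS-published code: it applies the Safe Harbor rules to a few constructed patient records (drop the direct identifier classes, keep only the year of dates, truncate ZIP codes to three digits and suppress sparsely populated areas to 000, collapse ages over 89 into a single bucket), then measures how linkable the surviving attributes are when combined, using the smallest group size over a chosen set of quasi-identifiers (k-anonymity). Field names, the sample records and the as-of date are assumptions for the example; the restricted three-digit ZIP list is the one in HHS's Safe Harbor guidance, based on 2000 Census data, and should be checked against the current list before use.

```python
"""
Added example, not code from the CASRAI page or from HHS: a Safe Harbor
de-identification pass over constructed patient records, followed by a
k-anonymity check on the attributes that survive it.
"""
import re
from collections import Counter
from datetime import date

# Safe Harbor identifier classes that are dropped outright. Dates, ages and
# ZIP codes are not dropped but transformed by the rules further down.
# Field names are assumptions for this example.
DIRECT_IDENTIFIERS = {
    "name", "street_address", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_id", "url", "ip_address", "biometric", "photo", "other_unique_id",
}

# 3-digit ZIP prefixes whose area held 20,000 or fewer people according to
# the HHS Safe Harbor guidance (2000 Census data). Assumption: verify this
# against the current published list before relying on it.
RESTRICTED_ZIP3 = {
    "036", "059", "063", "102", "203", "556", "692", "790", "821", "823",
    "830", "831", "878", "879", "884", "890", "893",
}


def safe_harbor_zip(zip_code):
    """Truncate to the first three digits; suppress sparsely populated areas to 000."""
    m = re.match(r"\s*(\d{3})", zip_code or "")
    if not m:
        return None
    zip3 = m.group(1)
    return "000" if zip3 in RESTRICTED_ZIP3 else zip3


def safe_harbor_age(birth_date, as_of):
    """Age in whole years, with everything over 89 collapsed into one '90+' bucket."""
    had_birthday = (as_of.month, as_of.day) >= (birth_date.month, birth_date.day)
    age = as_of.year - birth_date.year - (0 if had_birthday else 1)
    return "90+" if age > 89 else str(age)


def deidentify(record, as_of):
    """Apply the Safe Harbor rules to one record and return the reduced record."""
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            continue                              # rule: remove entirely
        if field == "zip":
            out["zip3"] = safe_harbor_zip(value)
        elif field == "birth_date":
            age = safe_harbor_age(value, as_of)
            out["age"] = age
            # Year of birth may stay, except where it would reveal an age over 89.
            out["birth_year"] = None if age == "90+" else value.year
        elif isinstance(value, date):
            out[field + "_year"] = value.year    # rule: dates keep only the year
        else:
            out[field] = value
    # Defensive check: no direct identifier class may leak through.
    assert not DIRECT_IDENTIFIERS.intersection(out)
    return out


def k_anonymity(records, quasi_identifiers):
    """Size of the smallest group sharing the same quasi-identifier values.
    k == 1 means at least one person is singled out by the combination, the
    indirect identification risk that Safe Harbor itself does not measure."""
    if not records:
        return 0
    groups = Counter(tuple(r.get(q) for q in quasi_identifiers) for r in records)
    return min(groups.values())


# Constructed sample data for the example; not real patients.
AS_OF = date(2024, 6, 30)
SAMPLE_RECORDS = [
    {"name": "Jane Doe", "ssn": "123-45-6789", "email": "jane@example.org",
     "birth_date": date(1931, 3, 2), "zip": "03601",
     "admit_date": date(2024, 1, 15), "sex": "F", "diagnosis": "I10"},
    {"name": "John Roe", "mrn": "MRN-0001",
     "birth_date": date(1980, 11, 20), "zip": "94110-1234",
     "admit_date": date(2023, 12, 1), "sex": "M", "diagnosis": "E11"},
    {"name": "Ann Poe", "phone": "555-0100",
     "birth_date": date(1982, 5, 9), "zip": "94117",
     "admit_date": date(2024, 2, 3), "sex": "F", "diagnosis": "J45"},
    {"name": "Sam Loe", "device_id": "PM-7781",
     "birth_date": date(1980, 2, 2), "zip": "94103",
     "admit_date": date(2024, 3, 3), "sex": "M", "diagnosis": "I10"},
]

if __name__ == "__main__":
    deid = [deidentify(r, AS_OF) for r in SAMPLE_RECORDS]
    for r in deid:
        print(r)
    print("k over (zip3, birth_year, sex):",
          k_anonymity(deid, ["zip3", "birth_year", "sex"]))
    print("k over (sex,):", k_anonymity(deid, ["sex"]))
```

Run stand-alone, the script shows the 93-year-old record losing both her full ZIP (036 is on the restricted list, so it becomes 000) and her birth year, while the other records keep a three-digit ZIP and a year of birth. The k-anonymity check then shows the point of the PII definition: the records pass Safe Harbor, yet zip3, birth year and sex together still single out three of the four people (k = 1), and only a coarser choice of attributes raises k. That residual linkability is what an Expert Determination would have to quantify.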

Definition

Personal data (GDPR)

Personal data is the EU GDPR term, defined in Article 4(1), for any information relating to an identified or identifiable natural person. This includes names, identification numbers, location data, online identifiers and one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person. It is broader than the US concept of PII and underpins the whole of European data-protection law.

Definition

Protected health information (PHI)

PHI (protected health information) is individually identifiable health information created, received, maintained or transmitted by a HIPAA covered entity or business associate in the United States. It links a person’s identity to their past, present or future health status, care or payment for care. PHI is a health-context subset of the broader PII category and is governed specifically by HIPAA; health information that has been de-identified under the Privacy Rule is no longer PHI.

Definition

Sensitive data (special category data)

Sensitive data, called special category data under GDPR Article 9, is a class of personal data needing extra protection because its misuse could cause significant harm or discrimination. It includes data on health, race or ethnicity, religious or philosophical beliefs, political opinions, trade-union membership, genetics, biometrics, sex life and sexual orientation.

Definition

Data subject rights

Data subject rights are the rights GDPR grants individuals — the data subjects — over their personal data. They include the rights of access, rectification, erasure (the “right to be forgotten”), data portability, restriction of processing, objection, and rights related to automated decision-making. Together they give people meaningful control over information held about them.

Definition

Data controller

A data controller is the organisation or person that determines the purposes and means of processing personal data under GDPR. In other words, the controller decides why personal data is processed and how. Controllers carry primary accountability for compliance, in contrast to data processors, which act only on the controller’s documented instructions.

Definition

Data processor

A data processor is an organisation or person that processes personal data on behalf of a data controller, following the controller’s documented instructions rather than deciding the purposes itself. Cloud hosts, payroll bureaux and analytics vendors are common examples. Processors carry their own GDPR duties and must operate under a data processing agreement with the controller.

Definition

Data Protection Officer (DPO)

A Data Protection Officer (DPO) is an independent role, formalised across the EU by GDPR Articles 37 to 39, that oversees an organisation’s compliance with data-protection law. The DPO informs and advises on obligations, monitors compliance, acts as a contact point for the supervisory authority and for individuals, and must be able to operate without conflicts of interest. A DPO is mandatory for public authorities and for organisations whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special category or criminal-conviction data.

Definition

Privacy impact assessment (PIA/DPIA)

A privacy impact assessment (PIA), called a data protection impact assessment (DPIA) under GDPR, is a process to identify and minimise the privacy risks of a project. It describes the processing, assesses its necessity and proportionality, evaluates risks to individuals, and sets out measures to address them. GDPR Article 35 requires a DPIA for high-risk processing.

Definition

Lawful basis

A lawful basis is one of six legal grounds in GDPR Article 6 that permit processing personal data. They are consent, performance of a contract, compliance with a legal obligation, protection of vital interests, performance of a public task, and legitimate interests. At least one basis must apply for processing to be lawful, and the chosen basis shapes which obligations follow.

Definition

Data breach

A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, or unauthorised disclosure of or access to personal data. It covers confidentiality, integrity and availability incidents alike. Under GDPR Article 33, a controller must report a breach to the supervisory authority without undue delay and, where feasible, not later than 72 hours after becoming aware of it, unless the breach is unlikely to result in a risk to individuals; under Article 34 the affected individuals must also be told when the breach is likely to result in a high risk to them.

Definition

Data processing agreement (DPA)

A data processing agreement (DPA) is the contract required by GDPR Article 28 whenever a controller engages a processor to handle personal data. It binds the processor to act only on documented instructions and sets out the subject-matter, duration, nature and purpose of processing, the types of data, and obligations covering security, sub-processors, breach support and data return or deletion.

Comparison

PII vs PHI

PII (personally identifiable information) is any data that can identify a specific individual, in any context. PHI (protected health information) is the narrower subset of identifiable health information held by a HIPAA covered entity. In short, all PHI is PII, but most PII is not PHI — PHI is the health-context slice governed specifically by US HIPAA.

Definition

HIPAA

HIPAA (the Health Insurance Portability and Accountability Act of 1996) is a US federal law that regulates the privacy and security of protected health information (PHI). Binding on “covered entities” (healthcare providers, health plans and healthcare clearinghouses) and their “business associates”, it is implemented through several key rules: the Privacy Rule, which limits the use and disclosure of PHI and gives individuals rights over it; the Security Rule, which requires administrative, physical and technical safeguards for electronic PHI; and the Breach Notification Rule, which requires notification of affected individuals, the US Department of Health and Human Services and, for larger breaches, the media.

Definition

GDPR (General Data Protection Regulation)

The GDPR is the EU General Data Protection Regulation (Regulation 2016/679), adopted in 2016 and applicable from 25 May 2018. It governs the processing of personal data of individuals in the EU and EEA, sets out core principles and rights, and applies extraterritorially to organisations outside Europe that target or monitor people within it.

Definition

CCPA (California Consumer Privacy Act)

The CCPA is the California Consumer Privacy Act, enacted in 2018 and effective from 2020, which grants California residents rights over the personal information businesses collect about them. It was significantly amended by the California Privacy Rights Act (CPRA), approved in 2020 with most provisions operative in 2023, which expanded the rights and created a dedicated enforcement agency.

Definition

Privacy by design

Privacy by design is the approach of building data protection into the design of systems, processes and projects from the outset, rather than bolting it on later. Formalised in Ann Cavoukian’s seven foundational principles and reflected in GDPR Article 25 as data protection by design and by default, it treats privacy as a default setting and a proactive engineering goal.

Definition

Data minimisation

Data minimisation is the data-protection principle that personal data collected and processed should be adequate, relevant and limited to what is necessary for the purpose it is collected for. Set out in GDPR Article 5(1)(c), it requires organisations to avoid gathering or keeping more data than they genuinely need, reducing privacy risk and supporting purpose limitation.

Definition

Consent management

Consent management is the process of obtaining, recording, maintaining and honouring individuals’ consent to the processing of their personal data. It covers gathering valid consent, keeping an auditable record of what was agreed, and enabling people to withdraw it. Online it is often handled by consent management platforms (CMPs), such as cookie-consent banners that capture and store preferences.

Definition

Right to be forgotten

The right to be forgotten, formally the right to erasure, is the GDPR Article 17 right that lets individuals have their personal data deleted in certain circumstances — for example when the data is no longer needed, consent is withdrawn, or it was processed unlawfully. It is not absolute: exemptions apply, including for legal obligations and scientific research.
