Information and Data Protection Office

Make a complaint or report
Information and Data Protection Office > Information > Glossary

Glossary

This glossary explains key terms used in the Freedom of Information and Data Protection Act 2026. It is for individuals, businesses and organisations and public authorities.

Anonymisation

Anonymisation is the process of removing or changing personal data so that an individual can no longer be identified, either directly or indirectly.

It must be used where disclosure of information is otherwise lawful but personal data must be protected.

Applicant

An applicant is a person who makes a request under the Act. This includes people making Freedom of Information requests and Subject Access Requests.

Applicants do not have to give reasons for making a request.

Authority

An authority means the Government, the Koru’s Office, the Assembly, any office or agency of the State and any publicly funded body.

Authorities are responsible for handling Freedom of Information requests and for complying with data protection duties under the Freedom of Information and Data Protection Act 2026.

Binding order

A binding order is a formal direction issued by the Information and Data Protection Office. Every person or body subject to a binding order must comply within the specified timeframe.

Failure to comply is a breach of statutory duty and may lead to civil or criminal enforcement.

Consent

Consent means the clear agreement of an individual to the processing of their personal data for specific and legitimate purposes.

Consent must be given freely and with understanding of how the data will be used.

Data breach

A data breach is any breach of security leading to the loss, unauthorised access, disclosure, alteration or destruction of personal data.

A controller must notify the Information and Data Protection Office without undue delay where a breach risks harm to individuals.

Data controller

A data controller is a person or body that determines the purposes and means of processing personal data. The controller decides why personal data is used and how it is used.

Controllers are responsible for ensuring that personal data is processed lawfully, fairly and in accordance with the Freedom of Information and Data Protection Act 2026.

Data portability

Data portability is the right of an individual to receive personal data in a structured and commonly used format that can be transferred to another controller.

This right applies only to automated processing and does not apply where processing is necessary for public authority functions.

Data processor

A data processor is a person or body that processes personal data on behalf of a data controller. Processors must act only on lawful instructions from the controller.

Processors must implement appropriate security measures and are directly liable for breaches of the Act.

Freedom of Information request

A Freedom of Information request is a request for recorded information held by an authority.

It gives every Hokorian citizen the right to obtain access to information held by public authorities and must not be used to obtain personal data.

Information and Data Protection Office

The Information and Data Protection Office is the independent regulator established under the Freedom of Information and Data Protection Act 2026.

It monitors compliance, investigates complaints, resolves disputes, issues binding orders and imposes administrative fines.

Lawful basis

A lawful basis is a legal reason that allows personal data to be processed.

These include consent, legal obligation, statutory or public functions, protection of vital interests and legitimate interests that are not overridden by fundamental rights.

Personal data

Personal data means any information relating to an identified or identifiable individual. An individual is identifiable where they can be identified directly or indirectly, in particular by reference to a name, an identification number or online identifiers.

Personal data includes information held in paper records, electronic systems, emails, databases and any other recorded form.

Processing

Processing includes any operation performed on personal data. This includes the collection, recording, storage, use, disclosure, transmission, alteration or erasure of personal data.

Any activity that involves handling personal data is treated as processing under the Act.

Restriction of processing

Restriction of processing means limiting the use of personal data while an issue is being reviewed.

During restriction, personal data may still be held but must not be actively used.

Subject Access Request

A Subject Access Request is a request made by an individual to access personal data relating to them.

No fee may be charged and the request must be responded to within 14 working days.