Responsible data use: Glossary of terms

This glossary of terms is designed to help you better understand topics related to data use.

The world of data comes with what can feel like an overwhelming amount of terms and phrases. To help make sense of it all, the Xero Responsible Data Use Advisory Council has created the following glossary of some of the most important terms to help you better understand topics related to data use. For more about how Xero thinks about these topics, see our responsible data use pages.

Authentication and multi-factor authentication

Authentication is the act of verifying the identity of a user, process, or device. Multi-factor authentication uses two or more different factors to achieve this verification. These factors typically include: (i) something you know (eg, password/PIN). (ii) something you have (eg, cryptographic identification device, token). or (iii) something you are (eg, biometric). Using multi-factor authentication provides an extra level of security.

Consent is one of the most important concepts in data privacy, as it underpins much of what an organization can and can’t do with the data it collects. Definitions of consent vary in different countries. For example, the EU General Data Protection Regulation requires that consent is freely given, specific, informed, and an unambiguous, affirmative indication of an individual’s agreement to process their data for a particular purpose. This means asking people to positively opt in (i.e. no pre-ticked boxes), using plain language that clearly sets out the types of data processing activities, having separate consents for different activities (eg, services provision versus marketing), and making it clear how consent can be withdrawn. It is important to ensure that businesses understand the laws around consent that apply to them.


Cookies are small text files that websites place on a visitor’s device (computer, tablet and phones) to store a range of information specific to that visitor. Cookies are used for different purposes, including to keep a user logged in, to remember preferences on a website, or to serve tailored advertising content. Different countries have different rules around the use of cookies, including what disclosures need to be made to users. Businesses should ensure that they understand the rules that apply to them.

Data ethics

Data ethics is a field of ethics concerned with what is right and wrong when it comes to the generation, collection, processing, sharing and use of data. Concepts such as data privacy, data security, and data retention are all integral to data ethics. However, data ethics goes further than compliance with rules, regulations and policies. At heart, it is about extending dignity and fairness to the individuals represented in datasets. Data ethics focuses on issues (among others) like: who should benefit from the use of data; how organizations can be more transparent and accountable in their data practices; and how to reduce harm and unintended consequences, for instance when using algorithmic systems.

Data governance

Data governance includes the planning, oversight, and control over management of data and the use of data and data-related sources. It is an important factor in an organization’s ability to derive value from data in a responsible, ethical way. There are different data governance models, ranging from centralized, hierarchical frameworks, to distributed approaches that encourage greater autonomy and accountability across the organization.

Data portability

Data portability is increasingly being recognized as a right by different jurisdictions, enabling people to transfer their data between different platforms and service providers (eg, banks, insurance companies, health care service providers).

Data privacy

Data privacy at its simplest is the right to be able to control who can access or use information about an individual, and for what purposes. It is not an absolute right, as in some circumstances other concerns are given priority, such as public safety, the prevention of fraud, compliance with laws, or the legitimate interests of others.

Data protection

The practices, safeguards and rules (regulatory and organization-specific) set out to protect people’s personal information or data, and ensure they have control over their data.

Data retention

The documentation and implementation of business rules about the types of data a business stores or archives, including how long to keep it and for what purposes. Data retention rules should align with an organization’s business requirements and regulatory obligations.

Data security

The safeguards (people, process and technology) put in place to protect data from unauthorized access, malicious attacks, corruption or theft throughout its entire lifecycle.

General Data Protection Regulations (GDPR)

The European Union’s (EU) regulations to protect the privacy of persons in the EU. GDPR regulates collection and processing of personal data, as well as the flow of personal data to countries outside the EU (which means it can even apply to non-EU businesses). It has been adopted by many companies around the world, not only due to its wide reach, but because it is a well understood and consumer friendly standard. However, organizations that adopt GDPR need to be mindful of also remaining compliant with local data protection and data privacy laws.

Glossary sources

Key sources that were used for reference to compile this list include: Xero, GDPR, ODI, IBM, SNIA, TechTarget, iapp, CRCS, Investopedia, NIST.