The world of data comes with what can feel like an overwhelming amount of terms and phrases. To help make sense of it all, the Xero Responsible Data Use Advisory Council has created the following glossary of some of the most important terms to help you better understand topics related to data use. For more about how Xero thinks about these topics, see our responsible data use pages.
Authentication and multi-factor authentication
Authentication is the act of verifying the identity of a user, process, or device. Multi-factor authentication uses two or more different factors to achieve this verification. These factors typically include: (i) something you know (eg, password/PIN). (ii) something you have (eg, cryptographic identification device, token). or (iii) something you are (eg, biometric). Using multi-factor authentication provides an extra level of security.
Consent is one of the most important concepts in data privacy, as it underpins much of what an organisation can and can’t do with the data it collects. Definitions of consent vary in different countries. For example, the EU General Data Protection Regulation requires that consent is freely given, specific, informed, and an unambiguous, affirmative indication of an individual’s agreement to process their data for a particular purpose. This means asking people to positively opt in (i.e. no pre-ticked boxes), using plain language that clearly sets out the types of data processing activities, having separate consents for different activities (eg, services provision versus marketing), and making it clear how consent can be withdrawn. It is important to ensure that businesses understand the laws around consent that apply to them.
Data ethics is a field of ethics concerned with what is right and wrong when it comes to the generation, collection, processing, sharing and use of data. Concepts such as data privacy, data security, and data retention are all integral to data ethics. However, data ethics goes further than compliance with rules, regulations and policies. At heart, it is about extending dignity and fairness to the individuals represented in datasets. Data ethics focuses on issues (among others) like: who should benefit from the use of data; how organizations can be more transparent and accountable in their data practices; and how to reduce harm and unintended consequences, for instance when using algorithmic systems.
Data governance includes the planning, oversight, and control over management of data and the use of data and data-related sources. It is an important factor in an organisation’s ability to derive value from data in a responsible, ethical way. There are different data governance models, ranging from centralised, hierarchical frameworks, to distributed approaches that encourage greater autonomy and accountability across the organisation.
Data portability is increasingly being recognised as a right by different jurisdictions, enabling people to transfer their data between different platforms and service providers (eg, banks, insurance companies, health care service providers).
Data privacy at its simplest is the right to be able to control who can access or use information about an individual, and for what purposes. It is not an absolute right, as in some circumstances other concerns are given priority, such as public safety, the prevention of fraud, compliance with laws, or the legitimate interests of others.
The practices, safeguards and rules (regulatory and organisation-specific) set out to protect people’s personal information or data, and ensure they have control over their data.
The documentation and implementation of business rules about the types of data a business stores or archives, including how long to keep it and for what purposes. Data retention rules should align with an organisation’s business requirements and regulatory obligations.
The safeguards (people, process and technology) put in place to protect data from unauthorised access, malicious attacks, corruption or theft throughout its entire lifecycle.
General Data Protection Regulations (GDPR)
The European Union’s (EU) regulations to protect the privacy of persons in the EU. GDPR regulates collection and processing of personal data, as well as the flow of personal data to countries outside the EU (which means it can even apply to non-EU businesses). It has been adopted by many companies around the world, not only due to its wide reach, but because it is a well understood and consumer friendly standard. However, organisations that adopt GDPR need to be mindful of also remaining compliant with local data protection and data privacy laws.