Terminology in the IDPro Body of Knowledge
Heather Flanagan, editor - @ 2020 IDPro
| Term | Definition | Source |
| Agile Project Management | a framework that uses a continuous, iterative process to deliver a defined piece of functionality, typically a component of a product or service. Scrum is a popular framework ( https://www.scrumalliance.org/about-scrum/overview ) | Intro to Project Management |
| Consumer Protection Law | Laws and regulations that are designed to protect the rights of individual consumers and to stop unfair, deceptive, and fraudulent business practices. | Laws Governing Identity Systems |
| Contract Law | Laws that relate to making and enforcing agreements between or among separate parties. | Laws Governing Identity Systems |
| Data Controller | Defined in Article 4(7) of the GDPR: “‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data;”. This article uses the term “organisation” as a synonym for “data controller”, since organisations involved in IAM will normally be data controllers. | An Introduction to the GDPR |
| Data Mapping | “a system of cataloguing what data you collect, how it’s used, where it’s stored, and how it travels throughout your organization and beyond.” | Impact of GDPR on Identity and Access Management |
| Data Processor | Defined in Article 4(8) of the GDPR for situations where an organisation processes personal data solely on the instructions of others. A Data Processor must not determine the purposes of processing, for example by processing in its own interests, or, beyond limited technical choices, the means of doing so. Data Processors are regulated by Article 28: in particular they must have a contract with the Data Controller that covers all the subjects listed in Article 28(3). Data Processors are excluded from some, but not all, of the liabilities and duties of Data Controllers. | An Introduction to the GDPR |
| Data Protection by Design | Data protection through technology design. See GDPR Article 25 for more detail | Impact of GDPR on Identity and Access Management |
| Data Protection Officer | An individual who must be appointed in any organization that processes any data defined by the GDPR as sensitive. The DPO is responsible for “Working towards the compliance with all relevant data protection laws, monitoring specific processes, such as data protection impact assessments, increasing employee awareness for data protection and training them accordingly, as well as collaborating with the supervisory authorities.”(See GDPR Articles 35, 37, 38, and 39 for more detail) | Impact of GDPR on Identity and Access Management |
| Data Subject | Defined in Article 4(1) of the GDPR (see “Personal Data” above) as the formal term for the human to whom personal data relates. This article uses the term “individual” as a synonym for “data subject”. | An Introduction to the GDPR |
| External identifier | the means by which a person in control of a digital identity refers to that identity when interacting with a system | Identifiers and Usernames |
| Fraud Law | Laws that protect against the intentional misrepresentation of information made by one person to another, with knowledge of its falsity and for the purpose of inducing the other person to act, and upon which the other person relies with resulting injury or damage. | Laws Governing Identity Systems |
| Gantt Chart | a popular schedule format that displays both activity and timeframes in a single chart | Intro to Project Management |
| General Data Protection Act (GDPR) | Formally, Regulation 2016/679 of the European Union, in force May 25, 2018. Available at https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32016R0679 | An Introduction to the GDPR |
| Identity Theft Law | Laws governing crimes in which the perpetrator gains access to sensitive personal information belonging to the victim (such as birth dates, passwords, email addresses, driver's license numbers, social security numbers, financial records, etc.), and then uses this information to impersonate the victim for personal gain, such as to commit fraud, establish credit in the victim’s name, or access the victim’s accounts. | Laws Governing Identity Systems |
| Internal identifier | the way an identity management system refers to a digital identity | Identifiers and Usernames |
| Personal Data | Defined in Article 4(1) of the GDPR: “‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;”. Note: “natural person” (human) is used to distinguish from companies and other corporate entities that are “legal persons”. | An Introduction to the GDPR |
| Personal Data | Personal data are any information which are related to an identified or identifiable natural person. | Impact of GDPR on Identity and Access Management |
| Privacy Law | Laws that regulate the collection, use, storage, and transfer of personal data relating to identified or identifiable individuals. | Laws Governing Identity Systems |
| Processing | Defined in Article 4(2) of the GDPR: “‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction”. Note that even this long list of activities is not exhaustive: other activities may also fall within the definition of “processing”. Additional rules, in Article 22, apply to “automated individual decision-making, including profiling”. These generally have the effect of strengthening the rights of information and objection described later and may limit the use of automation for some high-impact decisions. | An Introduction to the GDPR |
| Project | a time-limited activity to achieve a defined outcome(s) | Intro to Project Management |
| Project Charter | documented authority for the project manager to proceed with a project; it will usually include a succinct statement of the project’s purpose | Intro to Project Management |
| Project Plan | a document that describes a project; it will usually include a scope statement, schedule, resource plan, communications plan, and quality plan | Intro to Project Management |
| Schedule | a document that defines the activity and resources required to achieve the planned deliverable(s) and outcome(s) | Intro to Project Management |
| Special Category Data (SCD) | Categories of data that are regarded as particularly sensitive, so subject to additional regulation. Defined in Article 9(1) of the GDPR as “personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation”; Article 10’s “personal data relating to criminal convictions and offences” requires similar treatment, so is normally considered as another category of SCD. | An Introduction to the GDPR |
| Task | Lowest level of defined activity; multiple tasks will typically be grouped into stages of project phases | Intro to Project Management |
| Tort Law | The body of law that covers situations where one person’s behavior causes injury, suffering, unfair loss, or harm to another person, giving the injured person (or the person suffering damages) a right to bring a civil lawsuit for compensation from the person who caused the injury. Examples include battery, fraud, defamation, negligence, and strict liability. | Laws Governing Identity Systems |
| Username | a common term used for an external identifier | Identifiers and Usernames |