Handling sensitive, personal & 'special category' information

Research using personal data needs ethical approval to ensure that the research conforms to general ethical principles and standards. There are three main routes for this at UCL:

• The UCL Research Ethics Committee approves research involving healthy volunteers, vulnerable groups and certain other categories.
• The UCL / UCLH / Royal Free Joint Research Unit (JRO) is responsible for the clinical research portfolio: research involving NHS patients and those who do not have capacity to consent to participate in research, clinical trials of drugs, medical devices, and human tissue.
• For research undertaken within the IOE, UCL's Faculty of Education and Society, ethical approval should be sought from the IOE Research Ethics Committee.

Regardless of who is responsible for ethical approval, all research using personal data must be registered with the UCL Data Protection Officer before any collection of data begins.

If you do need to use personal data, the Act makes special provisions for research data, as long as it fulfils all of the following conditions:

• You are using the data only for research purposes. This includes statistical and historical research.
• You do not use the information to support decisions about the research subject or any other living person.
• You do not use the data in such a way that it causes substantial damage or substantial distress to the subject.
• You do not make the results of the research available in a way that identifies any of the research subjects (except if identification is part of the explicit consent condition - see Data Protection Principle 1). Students and supervisors should be particularly careful about the potential for identifying individuals in theses containing interview transcripts.

If you meet all these conditions, you will then need to comply with the Principles.

If you do not need to identify research subjects, you should not collect personal data, or should anonymise the data. Projects using anonymised data do not have to be registered with the Data Protection Officer and you do not have to worry about compliance with the Act.

Data is only truly anonymised if it is impossible to identify subjects from that information and, if relevant, any other information that UCL holds. For example, if you have a list of research subjects and anonymise it by giving each one a number, but keep a list of the numbers with the names of the subjects, the information has not been anonymised. In this case, it is personal data, and the project must be registered.

Here are a few resources to help you anonymise your data:

• The UK Data Service has published clear guidance to anonymise quantitative and qualitative data.
• The Information Commissioner's Office has produced a useful code of practice.
• The General Medical Council offers guidance on how to deal with sensitive data related to deceased individuals.

If you use identifiable patient information for your research, you should use anonymised or pseudonymised data wherever possible, following IT for SLMS guidance. However, if identifiable data is absolutely required, you must take care to follow your NHS Trust's information governance policies and procedures, especially those concerned with ICT security and information risk, as well as the Joint Research Office's Standards Operating Procedures (JRO's SOPs). Section 10 of the UCL Data Protection Policy deals specifically with research data.

UCL Data Safe Haven can be used to store such personal sensitive data. Information and guidance is available.

If you do not have, and cannot practicably obtain, research subjects' consent to use their data in your research, you will need to apply for permission to obtain the data via section 251 of the NHS Act 2006. You should contact the Information Governance Advisory Service to do this.

Identifiable data held by NHS Trusts may not be:

• Held outside Trust systems without the written approval of your Trust's Information Governance Manager and / or Caldicott Guardian
• Copied to portable devices, unless approved or supplied by the Trust's IM&T / information governance function, using approved encryption software and devices
• Stored on PC hard drives (the 'C' drive) and shared drives (the 'S' drive)
• Transmitted by email except within nhsmail
• Stored with 'cloud' providers.

Remote access to NHS systems must always be via equipment owned and controlled by the relevant Trust, enabled by a virtual private network. You must not attempt to circumvent NHS institutional firewalls by using remote desktop software such as GoToMyPC, and you must not connect or download data to your own mobile device, including smartphones.