Close
Please find answers to common questions about research data information governance and related support below.
Scroll down or select one of the options below to go to the section you need:
Information governance (key information regarding information governance)
Working with sensitive and personal data
Working with anonymised data
UCL Trusted Research Environments
Register a study with the Information Governance Advisory Service
Contact the Information Governance Advisory Service
Information Governance
- What is information governance?
Information governance is the framework that ensures research data at UCL is handled securely, legally, and ethically. It supports compliance with data protection legislation at every stage of the research data lifecycle.
- Why is information governance important?
Effective information governance helps UCL researchers to:
- Protect sensitive research data.
- Minimise the risk of data breaches or misuse.
- Build trust and transparency with participants, the public and funders.
- Enable efficient research data management, making data easier to access, share, and reuse.
- What or who is the data controller of a study?
The data controller of a study is a person or organisation that determines the purposes and means of processing personal data. In the context of research, this is usually the study sponsor.
The data controller is responsible for ensuring that:
- Data is collected and processed lawfully.
- Proper consent or legal basis is in place.
- Data is stored securely and used only for the approved purposes.
- Data subjects’ rights are respected.
- What is a data management plan and a data impact assessment? Do I need these?
Data Management Plan (DMP)
A Data Management Plan (DMP) describes your planned and/or actioned data management and sharing activities. It is generally 1-3 pages in length and covers the research data lifecycle. It is generally written at the start of a research project and is revisited and updated as the project progresses. In addition to often being a prerequisite to receiving certain grants, DMPs are useful for maximising the research potential of existing research outputs, developing your strategy for data storage and long-term preservation, handling of sensitive data, data retention and sharing, anticipating legal, ethical and commercial exceptions to releasing data, deciding who can have access to data in the short and long term and estimating the costs of your research project. Support and guidance for data management planning is available from UCL Library Services. See their website for details: Research Data Management.
Data Protection Impact Assessment (DPIA)
A Data Protection Impact Assessment (DPIA) is a process that helps identify and mitigate potential risks to privacy and ensure compliance with data protection laws when handling personal or sensitive data. A DPIA is required if using personal or sensitive data. If using personal data, it is also a requirement to register with UCL's Data Protection Office. A DPIA should be completed during the planning stage of a new project to identify potential issues early. A DPIA screener is available to help determine whether a full DPIA is required. For further guidance on registering with UCL's Data Protection Office, see their website for details: Research Registration Guidance.
- Will I need contracts to work and share data with third parties?
Generally yes, unless the data is non-sensitive and publicly available with an open use license. As a researcher, you should ensure that a contract is in place for all external collaborators or organisations involved in your data, regardless of the data source or type of collaboration.
Support for setting up these contracts typically comes from the UCL Contract Services team or your Joint Research Office. For suppliers of third-party services, such as transcription, contracts are handled through the Approved Suppliers list in Procurement Services.
- Can a researcher of Principal Investigator sign a research contract or data sharing agreement?
No. Signing a contract commits UCL to specific obligations, financial liabilities and other risks. Contracts can only be signed by someone who has been formally authorised by the university - a Delegated Authority.
For more information, please see guidance from UCL Research and Innovation Services’ Contracts team found here, including how to request a contract (or contract review).
- What UCL policies and guidelines should researchers be aware of?
Ultimately, researchers are responsible for staying informed about UCL's policies and guidelines, which encompass all stages of the research process, including planning, data collection, publication, data sharing, and effective data management.
On the UCL website resources are available to raise awareness, providing links to key topics such as Research Data Management, Data Protection, Freedom of Information, and Information Security:
Area Description Link Information Security policy Information must always be protected appropriately, characterised as: Availability (ensuring authorised users always have access), Confidentiality (ensuring sensitive information is accessible only to authorised users), Integrity (safeguarding accuracy and completeness. https://www.ucl.ac.uk/information-security/sites/information_security/files/policy.pdf Information Security - supporting policies Additional policies created to support appropriate information security in all UCL operations https://www.ucl.ac.uk/information-security/information-security-policy Data Protection UCL complies with data protection legislation, including the Data Protection Act (DPA 2018) and the UK General Data Protection Regulation (UK GDPR). This ensures that all personal data is processed lawfully, fairly and transparent. Data protection impact assessment (DPIA) must be completed if your research involves processing personal data that is likely to result in a high risk to individuals rights' and freedom. https://www.ucl.ac.uk/data-protection/guidance-staff-students-and-researchers/research/research-registration-guidance Research Ethics Service Research ethics ensures that research is conducted responsibly, safely and with integrity, and protects the rights of participant. https://www.ucl.ac.uk/research-innovation-services/compliance-and-assurance/research-ethics-service Contract Services Contract Services review, advise on, draft, and negotiate all research and research-related contracts for and on behalf of UCL, and set up data sharing agreements https://www.ucl.ac.uk/research-innovation-services/contract-services Data Management Plan A data management plan (DMP) describes your plan for data management and sharing activities, during the lifetime of your project https://library-guides.ucl.ac.uk/research-data-management/writing Classification and tiering UCL research data is categorised and assigned to an Environment Tier. Once assigned to a Tier the data will be stored and processed in an Environment of that Tier (or higher). https://isms.arc.ucl.ac.uk/rism06-data_classification_and_environment_tiering_policy/
Working with sensitive and personal data
- What is sensitive data?
Sensitive data is information that, if disclosed without authorisation, could pose a risk or cause harm to individuals or organisations. It must be protected through security measures such as encryption, access controls and secure data storage.
Examples include
- Personal identifiable information (PII): names, addresses, driver’s licence, passport details
- Medical health records: NHS number, hospital numbers, GP health records
- Financial: bank account, credit cards, tax records, HR and payroll records
- Legal documents: sensitive contracts
- Organisation information: strategic business plans, financial (non-public) reports
- Government documents: security information
The UCL Information Management policy - provide a set of guidelines to ensure information is protected effectively, responsibilities defined, confidentiality, integrity, and availability are explained with practical examples.
- What is the difference between personal and sensitive data?
Personal data is defined as any information that identifies a person directly or indirectly. Examples include Name, Address, Email, ID numbers. All personal data must be protected; however, not all personal data is considered sensitive.
Sensitive (also known as special category) data is a subset of personal data that requires more protection and can cause harm or discrimination if misused, examples include ethnicity, religion, sexual orientation.
- How do I determine whether a data contains Personal Identifiable Information (PII)?
Personal identifiable information (PII) any information that can be used, either alone or in combination with other data, to identify an individual.
Examples of PII
- Direct identifiers include name, email address, home address, national insurance number, phone number
- Indirect identify (quasi-identifiers) include date of birth, gender, postcode, job title or any combination of data that could reveal an individual’s identity
- What is sensitive personal (special category) data?
The Information Commissioner's Office defines Special Category data as personal data that needs more protection because of its sensitivity.
The UK General Data Protection Regulation (GDPR) define Special Category data as:
- Personal data revealing racial or ethnic origin.
- Personal data revealing political opinions.
- Personal data revealing religious or philosophical beliefs.
- Personal data revealing trade union membership.
- Genetic data.
- Biometric data (where used for identification purposes).
- Data concerning health.
- Data concerning a person’s sex life.
- Data concerning a person’s sexual orientation.
When processing Special Category data, you must ensure its use is lawful, fair, transparent and complies with all principles and requirements of the UK GDPR and Data Protection Act 2018 identified for basic processing.
- Why is the correct handling of sensitive data important?
Correct handling of sensitive data is crucial to protect an individual’s privacy, and to maintain trust and comply with ethical and legal standards. However, mishandling sensitive data can lead to security breaches, identity theft and reputational damage.
Adhering to good practices in research reduces the risk of misuse and protects both individuals and organisations.
Working with anonymised data
- If research data is anonymised, do we need information governance?
- Yes, information governance is required. Governance is still necessary to ensure data is properly anonymised and to manage risks.
- Great care is needed, as research data is rarely fully anonymous and always carries some risk of re-identification. Research data is more commonly pseudonymised, which is considered personal data under GRDP and data protection law. To manage risks and ensure correct information security pseudonymised research data, information governance and a UCL trusted research environment is essential.
- What is data anonymisation and pseudonymisation?
Anonymisation is the process of removing both direct and indirect personal identifiers that could potentially reveal an individual's identity. In contrast, pseudonymisation involves either replacing or removing identifiable data while keeping the linkage information separate from the pseudonymised dataset.
GDPR defines anonymous data, as ‘data which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable’. GDPR does not apply to anonymised data because it has been processed so that individuals can no longer be identified, either directly or indirectly. Therefore, since it is no longer considered personal data GDPR regulations do not apply.
Pseudonymisation is defined within the GDPR as ‘the processing of personal data in such a way that the data can no longer be attributed to a specific data subject without the use of additional information, as long as such additional information is kept separately and subject to technical and organisational measures to ensure non-attribution to an identified or identifiable individual’.
GDPR applies to pseudonymised data because, even though direct identifiers have been masked, the data can still be linked to an individual using additional information. Therefore, since it remains personal data GDPR regulations continue to apply.
- What are data anonymisation and pseudonymisation techniques?
Anonymisation of quantitative data includes
- Remove direct identifiers from a dataset, for example, remove an individuals’ name, address.
- Aggregate or reduce the position of a variable, i.e., coded or category variables should prevent identification. For example, record the year of birth rather than the day, month and year, record postcode sectors or counties rather than full postcodes.
- Data masking – Replace original values with derived values, e.g. replacing real names with fake names
- Generalise the meaning of a detailed text variable by replacing potentially disclosive free text responses with more general text. For example, details of medical expertise could indirectly reveal the identity of a medical health professional.
- Restrict the upper or lower ranges of a continuous variable to hide outliers. For example, group extremely small or large values into a single category.
- Anonymise relational data by ensuring that relationships between variables in linked datasets, or when combined with publicly available data do not reveal identities.
- Anonymise geo-referenced data by substituting point coordinates with non-disclosing variables. For example, coordinates can indicate the location of individuals, potentially reveal their identities.
Anonymising qualitative data includes
- Removing direct identifiers, such as name and addresses and then eliminating indirect identifiers such as gender, age, ethnicity, etc as the combination of these variables can potentially uniquely identify an individual. Review the data collected, isolated incidents or experiences or public events could pose a risk of disclosure.
- Anonymising audio-visual data by editing digital images or censoring real names and locations, such as using a bleep.
- Allocating arbitrary ID for participants in questionnaire type studies.
Examples of Pseudonymisation techniques used
- Replacement with codes – replace direct identifiers with unique codes, a separate key is available to link the codes back to the original data. For example, replace John Smith with Mark Johnson
- Cryptographic hash functions – identifiers are transformed using cryptographic hash functions, which convert data into a fixed-size string of characters, such as a hash code
- Random number generator – identifiers are replaced with randomly generated numbers
UCL guidance on the Anonymisation and Pseudonymisation of personal data provides an overview of the main differences between these techniques and the implications for personal data processing.
UCL Trusted Research Environments (TREs)
- What is a Trusted Research Environment?
Trusted Research Environment (TRE) – A TRE is a highly secure computing platform that provides approved researchers with controlled access to sensitive or confidential data, allowing safe storage and analysis without compromising data security. At UCL, two TREs are available: DSH and the ARC TRE.
TREs safeguard data by preventing unauthorised access. Only approved researchers are granted access through a controlled accreditation process. TREs ensure that sensitive or confidential data is stored and analysed securely, maintaining both data protection and personal privacy.
- Why do I need to use a TRE?
To comply with legal, contractual, and ethical obligations, researchers working with sensitive data often need to conduct their analyses within a TRE. TREs protect sensitive data by preventing unauthorised access, keeping data within a secure environment, and adhering to ISO 27001 information security standards and other governance requirements.
- What is the difference between the UCL Data Sahr Have (DSH) and ARC Tusted Research Environment (TRE)?
At UCL, two TREs are available: DSH and the ARC TRE. Both provide secure computing platforms for storing and analysing sensitive or confidential data, are certified to ISO 27001 information security standards, and comply with the NHS Digital Data Security and Protection Toolkit for information governance.
The DSH, developed around 10 years ago, uses a ‘walled garden’ model where data remains within the secure environment, with controlled file transfer protocols. It operates via a Windows virtual desktop.
The ARC TRE is a newer environment developed by UCL’s Centre for Advanced Research Computing (ARC) to provide a more modern, flexible computing environment. It offers project-specific compute environments with scalable resources and supports contemporary research workflows, such as importing and running containerised applications. Overtime, the DSH will be phased out, and new projects will be use the ARC TRE.
- What are the eligibility requirements for researchers to gain access to a TRE?
The Information Asset Owner (IAO), usually the Principal Investigator (PI), must be a UCL member of staff (not honorary, visiting, or visitor status). The IAO must register the study with the Information Governance Advisory Service portal and complete the IG assurance process.
All members of the research team, including the IAO, are required to:
Sign the Approved Researcher Agreement (ARA) and upload a copy to the Information Governance Advisory Service portal,
Complete the required annual training, the NHS Data Security and Awareness training through e-Learning for Health. Once completed, you can download your training certificate from the portal under ‘My Activity’ (located in the top right corner) and then upload your certificate to the Information Governance Advisory Service portal, after which the team will update your training record accordingly.
- What are the costs associated with using a TRE?
Costs for using the ARC TRE depend on the required levels of data storage and computing power. Projects with larger datasets or higher performance needs may incur additional charges. For the most up to date pricing information, visit the Pricing page in the ARC TRE documentation. Researchers are encouraged to include anticipated storage and compute costs in their grant applications and to contact the TRE ARC team for guidance and detailed cost estimates.
Future changes - we are currently working to integrate ARC-hosted high-performance computing and storage into the TRE. This enhancement will significantly reduce costs and expand the free usage tier. Once available, we will contact all active paid projects to discuss migration options and how any remaining credit can be utilised.
The UCL Data Safe Haven (DSH) is generally available to UCL researchers at no additional cost for a standard storage allocation. However, additional storage beyond the initial allocation is charged at a rate of £50 per TB per year for research projects that are part of an active, funded research project.
- What is data ingress and egress?
Data ingress refers to the process of transferring data into a TRE. The process is tightly controlled to prevent any unauthorised access and includes the following measures:
- Authorisation: Only authorised users are permitted to upload data.
- Secure Transfer: Data is encrypted during transfer using secure transfer protocols to ensure safe and protected file transmission.
Data egress refers to transferring data out of a TRE. This process is tightly controlled to ensure data security and integrity:
- Request: Users must submit a request to export data.
- Approval Process: ARC TRE - requests are reviewed and either approved or rejected based on predefined criteria, whereas DSH - only Approved Researchers with outbound rights are trusted to egress safely. Complete the Service Request form 'Add/Revoke Outbound Rights’ or request for Data Ingress/Egress desktop.
- Audit Logs: All egress activities are logged for transparency and accountability.
- What tools are available in a TRE?
A list of available services and software for the DSH is provided, and only the IAO or IAA can submit requests for new software to be added to the DSH.
Analysis software is ingressed into a TRE project just like data. The recommended method is to package your tools in a Docker container outside the TRE and bring it in through the airlock, ensuring the software stays stable and unaffected by updates to the TRE environment.
- What actions do I need to perform at the end of the study (using DSH)?
Check the status of the project - Do you have project members assigned or data available in the DSH share?
Remove project members- Complete the Service Request form 'Add/remove user to share’
Delete data securely from DSH share - Complete the Service Request form 'Secure data deletion’
Archive data- Retain data on DSH share after study is finished, complete the Service Request form 'Archive study’
Study closure Complete the ‘Study Closure’ form in the Information Governance Service portal under Self-Service Forms.
- How do I remove collaborators from my DSH study – internal or external collaborators (using DSH)?
The Information Asset Owner (IAO) or Information Asset Administrator (IAA) has the authority to manage user access to a DSH share. This includes conducting annual reviews to verify that access is appropriate and removing users without delay when their employment ends or their role changes. To remove a team member, they should first be removed from the share, followed by closure of their DSH account.
To close a DSH share
- Remove the project member from the DSH share by completing the Service Request form - Data Safe Haven - Add/Remove User to Share
- After submitting the closure request in MyServices, the IAO must also close the project in the Information Governance Service portal.
- In the Information Governance Service portal and navigate to Self-Service Forms on the left-hand side.
- Select Study Closure.
- Enter the CaseRef or Project Title.
- When prompted, upload evidence that the project is no longer in use.
- Click Submit Study Closure Request.
- How do I close a DSH share when our project never started (using DSH)?
First, check the status of the DSH share: Has the project started, and is there any data or any project members associated with it?
- If the project has never started and there is no data or project members, the IAO can request that the project be closed.
- If the IAO has retired but still has an active account and the project contains data, ownership must be transferred to another person.
Register a study with the Information Governance Advisory Service (required when using a UCL Trusted Research Environment)
- How do I register a new study and what information do I need?
The Approved Researcher, typically the Principal Investigator, must register the study with the Information Governance Advisory Service portal and complete the Information assurance process. All researchers, within the research team, including the Principal Investigator, must:
- Sign the Approved Researcher Agreement (ARA) and upload a copy to the Information Governance Advisory Service portal.
- Complete the NHS Data Security and Awareness training via e-Learning for Healthcare
The UCL Information Governance Advisory Service team will review the study registration, including the assigned risk score for the new study, and confirm that the training certificates and ARAs have been uploaded to the Information Governance Advisory Service portal.
The Information Governance assurance process consists of four stages:
Stage 1. Study Agreement
- Completed by the UCL researcher, who is the Information Asset Owner (IAO), to formally accept accountability for managing and overseeing the research data and project team.
- A UCL Information Asset Administrator (IAA), selected by the IAO, can update certain stages of the Information Governance assurance process on behalf of the IAO.
Stage 2. Third-Party Contracts
- Researchers must declare all relevant third-party and data sharing agreements, including those with partners and external collaborators.
Stage 3. Information Asset Register
- Compile a comprehensive list of all assets used in the study, such as research data and consent forms.
Stage 4. Annual Sign-Off
The IAO must review and update the Information Governance assurance information annually to ensure ongoing compliance.
Although an ongoing task and esential to keep up to date, the IAO and IAA will be formally asked to review and confirm user access is correct on a termly basis; automatic reminders will be issued.
- Why do I need complete an Information Asset Register?
An Information Asset Register at UCL helps identify and manage information that is critical for maintaining data security, assessing risks, and ensuring compliance with data protection policies such as GDPR. The register includes a brief description of each asset, its classification, how potential impacts will be mitigated, and its current storage location. Each asset is assigned a risk rating, and if the rating is Amber or Red, the Information Governance Advisory Service will provide guidance to researchers on how to minimise or mitigate the identified risks.
Furthermore, if any assets on the register are identified as Confidential or Highly confidential, the Information Asset Owner will need to formally accept responsibility for them, as outlined in Roles and Responsibilities. The Information Asset Owner is accountable for any confidential information processed by project users and is responsible for ensuring the safe use of that information.
- What are the prerequisites for research team members?
All researchers, within the research team, including the UCL Information Asset Owner (IAO) and UCL Information Asset Administrator (IAA) must:
Sign the Approved Researcher Agreement (ARA) and upload a copy to the Information Governance Advisory Service portal,
Complete the required annual training, the NHS Data Security and Awareness training through e-Learning for Health. Once completed, you can download your training certificate from the portal under ‘My Activity’ (located in the top right corner) and then upload your certificate to the Information Governance Advisory Service portal, after which the team will update your training record accordingly.
- What is the role of the Information Asset Owner (IAO)?
The Owner is equivalent to the Data Owner as defined in the UCL Data Protection Policy. Within a study, this is typically the Principal Investigator (PI) and must be a UCL employee, not an Honorary member of staff or student. The Owner must be in a position to mandate responsibilities within the team, such as training and will be in a position to secure funds and resources to ensure information will be properly handled within the study. If the PI is not employed by UCL then a similarly senior UCL staff member closely involved with the project should be appointed as Owner. In research this will most often be the UCL grant holder.
The Information Asset Owner is accountable to the UCL Senior Information Risk Officer for ensuring risks associated with handling confidential information are properly managed.
The Information Asset Owner must ensure:
- Their own Information Governance training is maintained
- A record is maintained of annual training for all team members, including the Owner
- Risks associated with data transfers have been assessed and additional security controls implemented where required
- The physical security of the team's work environment, or any changes to this, is assessed and, if necessary, improved
- Suitable standard operating procedures are documented and implemented
- Technical measures are in place to protect all personal data form unauthorised access
- Appropriate data processing contracts are in place where external parties are processing personal data under UCL's behalf
- All members of the research team handling personal data have suitable UCL contracts
- Contractual requirements, relating to data in use by the study, are met
- Suitable joiners, movers and leavers processes are in place
- Records are kept of all information assets that they are responsible for
- Incidents are reported promptly
- Data is securely destroyed when no longer needed
- There is a legal basis for holding personal data
- All onward sharing of data is legal
In addition, the Owner must ensure that all members of the study team understand their responsibilities. In particular, team members must receive Information Governance training before being given access to data.
The Owner must also appoint an Information Asset Administrator (IAA) who is responsible for the day-to-day operations of a project such as assigning access rights to data. IAA responsibilities are outlined below.
- What is the role of the Information Asset Administrator (IAA)? Who can be the IAA?
The Information Asset Administrator (IAA) is a UCL substantive employee appointed to a study by an Information Asset Owner (IAO) to manage the day-to-day handling of data within a study. While the IAA may be responsible for the proper handling of information, the IAO remains accountable. It is important to ensure that the IAA understands and has the required competencies to undertake their responsibilities.
Delegated responsibilities typically include:
- Managing the joiners, movers and leavers process within the team
- Ensuring all team members keep their annual training up-to-date
- Granting and revoking access to confidential information
- Recognising potential or actual security incidents
- Consulting the IAO on incident management
- Ensuring that risk assessments and other documents for the study are accurate and maintained
- How can I add an external collaborator get access?
Only the Information Asset Owner (IAO) or Information Asset Administrator (IAA) can invite an external collaborator to a study.
- The IAO or IAA must complete the New User Account request
- The external collaborator will receive an 'invitation to register' email from UCL which outlines the registration process and the Information Governance assurance requirements for data security. They must follow the link in the email and complete the Information Governance assurance process.
- A data sharing/processing agreement must be set up with support from the UCL Contracts team.
- All external user will need to sign a Non-Disclosure Agreement to access UCL's Trusted Research Environments.
- Can the Information Asset Owner remove or change the Information Asset Administrator?
To remove an Information Asset Administrator (IAA), the Information Asset Owner (IAO) should follow these steps via the Information Governance Advisory Service portal:
- Select your project under the ‘My Studies’ section.
- From the menu on the left-hand side, choose ‘Assign an Information Asset Administrator’.
- Remove the current administrator’s name from the box.
If no new individual is selected from the UCL directory, the current administrator will be removed, and the administrator field for the project will remain blank.
Additionally, the IAO must complete the Add/Remove User form to remove the individual’s access.
- Where and how do I upload my training certificate?
After completing the required annual NHS Data Security and Awareness training, download your training certificate from e-Learning for Health. You can find this under ‘My Activity’ (located in the top right corner).
Once you have your certificate, please upload it to the Information Governance Advisory Service portal, and the Infomation Governance team will review and update their training records accordingly.
- What is an Approved Researcher Agreement and who needs to sign this?
The Approved Researcher Agreement (ARA) is a formal, legally recognised UCL document that sets out the terms and conditions for using a Trusted Research Environment (ARC TRE or UCL DSH). It is a requirement for approved researchers, outlining their responsibilities, which include completing annual mandatory Information Governance training (NHS Data Security and Awareness training via e-Learning for Health) and adhering to strict rules for data security, confidentiality, and compliance when handling confidential data.
We also use redundancy to safeguard your data.- What are the Information Governance assurance stages?
The Information Governance assurance process consists of four stages:
Stage 1. Study Agreement
Completed by the UCL researcher, who is the Information Asset Owner (IAO), to formally accept accountability for managing and overseeing the research data and project team. A UCL Information Asset Administrator (IAA), selected by the IAO, can update certain stages of the Information Governance assurance process on behalf of the IAO.
Stage 2. Third-Party Contracts
Researchers must declare all relevant third-party and data sharing agreements, including those with partners and external collaborators.
Stage 3. Information Asset Register
Compile a comprehensive list of all assets used in the study, such as research data and consent forms.
Stage 4. Annual Sign-Off
The IAO must review and update the Information Governance assurance information annually to ensure ongoing compliance.
- How do I access the Information Governance Advisory Service portal?
Researchers can access the Information Governance Advisory Service portal via the ARC website or the UCL Trusted Research Environment webpage. The direct link is: https://liveuclac.sharepoint.com/sites/ISD.IGAdvisoryService/SitePages/Portal-2.aspx
Contact the Information Governance Advisory Service
- Is there somebody who can help advise me on Information Governance?
The UCL’s Information Governance Advisory Service provides one-to-one support and guidance on research data information governance. The team can be contacted via MyServices or by email at infogov@ucl.ac.uk.