Data Protection


COVID-19 Data Protection FAQs

These FAQs complement other resources already available.

FAQs last updated 02 August 2020. For further guidance, please see:

How do I access personal data for UCL, safely & securely remotely?

There are two options for connecting remotely:

  1. Using the Virtual Private Network (VPN). Most University services can be accessed via the web using the VPN 
  2. Or via Desktop@UCL Anywhere Desktop connection
  3. Follow the various Desktop@UCL Anywhere guidelines
How do I get access to sensitive data remotely?

Once set up you can use your personal computer/laptop to connect or VPN to your University-managed computer to have access to all of your programs, files and network resources as though you were accessing your University computer in person.

How do I transfer personal data to my remote work location if required?

See above answers to questions 1 and 2. We recommend that you do not save data to your local machine, especially when it comes to sensitive data. Rather continue to save it to your UCL device which you are accessing remotely. If you are having trouble accessing your UCL account via the VPN or Desktop@UCL Anywhere, please contact ISD for support. 

How do I store personal data?

Personal data should be stored on UCL Managed services (e.g. S: drive, One Drive, SharePoint, Data Safe Haven etc) wherever possible. If it is not possible to store the data on a UCL managed service then you should encrypt the data, store it in a 7-Zip file before transferring onto the 3rd party device. Review Data storage options at UCL for indepth information on storage options available at UCL while working remotely.

How do I send personal data to another individual (internal / external)?

We recommend that you use UCL managed devices and software wherever possible. We understand that many systems are strained and that there are a myriad of software, which is not managed by UCL, out there and in regular use. UCL cannot guarantee the security of these software and so use of them should be taken with caution. If you must use a non-UCL managed device, please do not use them for the sharing of personal data where possible.

IT Services support the use of email, Microsoft Teams, and on SharePoint for internal collaboration. If using S: drive, you can share the link via e-mail.

If using UCL OneDrive for Business, when you share the hyperlink it will automatically send the link to the person. 

Note: Please note that OneDrive for Business as it stores local copies on machines you access OneDrive from. Therefore, you should ensure this information is deleted once it has been sent and opened by the third party, which increases the risk of a breach of confidentiality. Set reminders to review access periodically so that access is revoked when no longer needed. All communications via UCL managed services (including Microsoft Teams) are subject to Data Protection and Freedom of information rules and may be disclosable via a data subject access request or Freedom of Information request. 

Can I use UCL systems to hold a video conference with a large number of people?

Microsoft Teams can be used for large groups. Further guidance for hosting large meetings in Teams.

Can I use Zoom as a video conferencing tool?

UCL’s endorsed video conferencing tool is Microsoft Teams. Zoom has been purchased by UCL as an education tool as an alternative to Microsoft Teams in particular circumstances. 
If the aim of the use of the software is communication, and the transfer of personal data is incidental (e.g. everyone’s name comes up on the list of who is present in the meeting), then use of Zoom is acceptable. 
If you choose to use Zoom, please refer to the UK Government Cabinet Office guidance on how to make this as secure as possible. In particular, you are strongly advised to keep personal data sharing to a minimum and where you can, share documents via email or another system rather than on Zoom. For more information about the introduction of Zoom at UCL please email zoomsupport@ucl.ac.uk.

Further guidance on undertaking interviews during research is covered in the Ethics pages here

How do I print personal data securely?

Moving to working from home provides additional challenges to Data Protection.  One of these is what to do with paper copies of confidential information.  When working with confidential information, UCL recommends the following: 
•    If you don’t need to print it then don’t print it.
•    If you do print documents, then please tidy them away when not using them.
•    If possible, into a lockable draw.
•    When you are done with documents dispose of these safely.
•    If you have a cross cut shredder then that is a great solution.
•    If not, you can use scissors to cut off the identifying information, and then cut this information into smaller pieces and dispose of them separately from the rest of the document, which can be placed in recycling.
•    If you don’t have a suitable shredder and there is too much information for scissor to be practical, then store documents securely for disposal once back in the office.
*Teams which know this will be a recurring issue might need to look into other options such as:
•    Purchasing shredders.
•    A secure disposal collection service.

How do I ensure security when processing hard-copies of personal data remotely?

Hard copies of personal data are generally not recommended when working remotely as there is an increased danger of them being lost or mis-placed, compared to electronic records. This is particularly the case when transporting hard copies – e.g. between the office and home. Instead we recommend only working with and process electronic files where possible. 
If there is no other way to process the information otherwise than by hard copy, (e.g. the hard copy is the only source of the personal data), then you must inform your manager they must be kept within your control and stored securely (e.g. in a locked cabinet when not in use).

What should I do if there is a personal data breach and how do I report it?

A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data e.g. sending personal data to an incorrect recipient, or your computing devices containing personal data being lost or stolen.

In cases where there has been an incident which resulted in a potential breach of personal data, it is imperative that it is reported immediately to Information Security Group (ISG) in UCL. Please see this guidance for full details on reporting personal data breaches.

If I need further help and support - Contact: data-protection@ucl.ac.uk

Please note: All communications via UCL managed services (including Microsoft Teams) are subject to Data Protection and Freedom of information rules and may be disclosable via a data subject access request or Freedom of Information request. 

Other sources of information you might find interesting:

  • HR Remote working resources launch

Remote, not distant  is a collection of resources and advice to support staff while working remotely, including tips on how to manage your working environment, your wellbeing, and staying in touch with colleagues. 

  • Remote working tips & data security

Remote working page for tools and best practices. Note that it is important to follow data protection measures at home, including observing confidentiality during meetings, ensuring documents containing personal data are destroyed securely in accordance with this guidance, do not write passwords down, take measures to ensure computer screens cannot be viewed through windows and make sure your computer is locked when you are away from it. Please visit the Information Security website or more information on keeping your computer secure.

Please take steps to ensure that confidential phone or video calls cannot be overheard by others in the household.  This also includes digital assistants, such as Amazon Echo or Google Home. While these require a trigger or "wake" word to respond, this means the microphone is constantly activated in order to listen to the trigger word, potentially listening in on everything that is spoken. IP cameras and baby monitors, basically, anything internet connected that can listen or see shouldn't be in your vicinity (audio) pointing at your screen (cameras) if you're working on anything confidential.  It is safest to remove these devices from any areas where you are likely to be conducting confidential calls. 

Research Working from home guidelines during the COVID-19 pandemic.

  • COVID-19 information

See UCL’s coronavirus page for information about the latest position; you can submit questions not currently answered on the site using the following form. The daily coronavirus email updates cover breaking news from UCL. 

For the latest advice please visit the National Health Service, Public Health England and the University coronavirus website.