Data Protection


Data Protection Frequently Asked Questions*


How do I register for research registration?

Further guidance on how to register is available on the Research Registration Guidance webpage.

My research is anonymised, do I still need to register for data protection?

Data which has been irreversibly anonymised ceases to be personal data, and processing of such data does not require compliance with Data Protection law, research registration, though there may still be ethical reasons for protecting this information.

For data to be truly anonymous, the data must not be capable of being cross-referenced with other data to reveal individual(s) identity. This high standard is required because if data does satisfy the requirements for anonymity it is treated as being outside the scope of legal protection provided under data protection law.

When will I receive a registration number?

We usually aim to register all research projects within 10 working days of receipt of all of the correct information. UCL official closure days count as non-working days. 

If you do not receive your research registration number within 10 working days, you are able to submit your ethics application form marking the sections relating to DP registration as ‘to follow’ or ‘registration in progress’. You can then supply the ethics team with your DP registration number (together with any changes the Data Protection Office, advised you to make to your research project) once it is available.

Do all UCL research projects involving personal data need research registration approval?

Research projects that use personal data or special category data (sensitive) must secure registration approval where, for example, the research activities involves:

  • researchers processing information relating to an identified or identifiable living person. Note that ‘processing’ means any operation - collecting, storing, using, transferring, disclosing or destroying - performed on personal data.
  • re-using secondary data, that either identifies or could be linked to a living individual.
  • observation research of an identified or identifiable living individual including use of photo or photo devices.
  • research which requests perspective participants to answering questions about themselves, or giving personal opinions.
  • research which requires perspective participants performing requested tasks, eg an online survey or identifiable activity.
  • research which requires perspective participants to undergoing any kind of medical  procedure eg biopsy, blood test, debridement of wound, burn, or infection, surgery etc.
My project is just an undergraduate dissertation, do I need to register?

Undergraduate students who are processing personal data as part of their research activities do not have to register their research studies with the Data Protection Office (DPO), provided that they have successfully completed the ‘Information compliance training for researchers’’ .Or had their study signed off by their Department and no further action was deemed to be required. On some occasions the Department will require that the research is registered, and further data protection advice sought. For example, this may be necessary when the research involves special category data. 

The level of risk can sometimes be quite obvious. For example; research involving health data. But, other types of research may also raise potential risks. For example; the research focuses on vulnerable participants, or is carried out in an a potentially challenging environment, or which may present risks to the personal safety of the researcher. 

It is therefore important to reflect on the perceived risk of each individual study. This should help you decide whether, or not, you should still have to register their research with the DPO.

I am using data which does not identify living individuals: do I need to register?

In the situation where all the personal data has had all identifiers removed, this can only be considered truly anonymised data if it was impossible to re-identify the participants, even when cross referenced against supporting documentation.

If this is the case, registration shall not be required.

Do I need to complete a Data Protection Impact Assessment (DPIA) for my research?

Every form of processing personal data carries a certain amount of risks for the data subjects (means any person whose personal data is being collected, held or processed). It is therefore important to consider the risks prior to processing, and to take appropriate measures to limit them. Assessing the likelihood of any risk is part of the job of a DPIA

By starting a DPIA at the early stages risks and required controls to ensure legal compliance and security can be developed from outset. The earlier a DPIA is completed, the easier it is to address any privacy risks which may be identified. 

To assess the level of risk, you need to consider both the likelihood and severity of any potential harm to the data subjects through your research activities. The screening questions within our application form also offers researchers a shortened risk inventory, with making their own judgements for each project that they undertake which has potential privacy impacts. 

As the researcher of this project, you will be best placed to determine whether your processing is likely to result in a high-risk to the data subjects, and therefore require the completion of a DPIA. Having said that, it is good practice to complete a DPIA to demonstrate that you have considered the risks as part of your research preparations. 

The Information Commissioner’s Office, has prepared a DPIA. The document will also guide you through the process of determining whether your data processing activity requires a DPIA.

I am asking participants’ opinions about my research, rather than seeking their personal information. Do I need research registration to do this?

All research projects where participants are offering their personal information, opinion or data where that information, or opinion, contributes to answering a project’s research question(s) need data protection registration. However, should the research not require perspective participants giving information about themselves, and the opinions that they offer are not themselves the subject of the research.

Can I proceed with my ethics application even though I have not yet received my data protection registration number?

If the DP registration process is taking longer than the advertised 10 working days, please go ahead and submit your ethics application form marking the sections relating to DP registration as ‘to follow’ or ‘registration in progress’ and supply the ethics team with your DP registration number (together with any changes the DP Office advised you to make to the way in which you propose to store and collect your data for example) once it is available so that they can tie up that information with your ethics application.  

However, please note that data collection cannot commence until you have received both DP and ethical approval.

Unfunded data protection research advice

If your research is unfunded, please complete the unfunded research referral form and send to data-protection@ucl.ac.uk 

If your research is funded, please approach Research Contracts in the first instance.

Automated Transcription Services

Automated transcription provides fast turn-around at low cost, often free. While it may be appealing to consider using these services, there are some less obvious aspects that should be taken into account. Audio recordings of speech are almost certain to contain personal data. The cloud services used to deliver transcription often do not say where the data will be processed, how long it will be retained for and whether the audio will be used for other purposes, such as refining their transcription algorithms. Without proper contractual arrangements in place, these aspects are not controlled and present a data protection risk to UCL.

UCL now has an automated transcription supplier called Scrintal. This service, which is aimed at research, meets UCL’s GDPR requirements. For more information please vist the UCL Software Database

When should I use the Data Safe Haven to store my research data?

Projects that intend to use the Data Safe Haven are assessed for eligibility by the Information Governance Advisory service, where the assurance process has been designed and implemented to meet the requirements of the NHS Data Security & Protection Toolkit and ISO 27001 Information Security standard.

To begin this process, projects must register for Information Governance services.

What is a privacy notice?

Under data protection legislation, UCL has a duty to ensure that we provide individuals with information about how we process personal data. One way in which this is done is by providing a Privacy Notice. If you are collecting any form of personal data (including gathering a name / signature on a consent form), you will need to include a Privacy Notice as part of your consent documentation.This can be a separate document, or it can be included as part of your information sheet.

UCL has generic privacy notices for participants and researchers in health and care research studies and general research participants privacy notice. You should check whether your research is covered by either one of these privacy notices. If not, you may need to draft a bespoke privacy notice using the following guidance on writing a privacy notice.

Methods of data storage

When choosing the proper storing research data, one should take into account the scope, format, and volume of the anticipated data as well as the intended length of storage. 

You must ensure that personal data are kept secure and are not disclosed to unauthorised persons. You should use a locked storage container such as a filing cabinet in a locked office for paper-based personal data; for digital data, password-protected or, preferably, encrypted storage. 
When all essential documents are ready to archive, contact the UCL Records Office by email records.office@ucl.ac.uk to arrange ongoing secure storage of your research records unless you have made specific alternative arrangements with your department, or funder. Please note the UCL Records Office does not store student research data.

Data Protection Impact Assessment

Am I required to complete and submit a data protection impact assessment as part of my research?

Every form of processing personal data carries a certain amount of risks for the data subjects (means any person whose personal data is being collected, held or processed). It is therefore important to consider the risks prior to processing, and to take appropriate measures to limit them. Assessing the likelihood of any risk is part of the job of a DPIA.

Carrying out a DPIA is mandatory where the processing of personal data is likely to result in a high risk to the rights and freedoms of individual data subjects.

All projects using personal data, or projects making notable changes to the processing of personal data must be assessed against the DPIA screening questions to identify if a DPIA is required.


Where can I find out more guidance about long-term storage of my research data?

You should make arrangements as early as possible for the secure long-term storage of your data, taking into account any specific requirements of your department or funder. 

UCL staff and PhD students can use the UCL Research Data Repository;  Undergraduate and Masters students should ask their supervisors about the Open Education Repository


For further guidance, the Research Data Management team can be contacted at lib-researchsupport@ucl.ac.uk and the Library Records Office can be contacted at: records.office@ucl.ac.uk.

How long should we keep data for?

In general, you should retain personal data only as long as necessary for the purposes of the processing such as audit, regulatory and legal record-keeping requirements.

The UCL records retention schedule applies to all records, irrespective of format and medium. It therefore covers both paper and electronic records, including emails and audio-visual materials.

Data Breach

I think I might have had a data breach. What do I need to do next?

UCL must report certain types of personal data breaches to the Information Commissioner’s Office without undue delay, and within 72 hours of becoming aware of it. 

The swift identification and reporting of personal data breaches is critical to ensuring they are effectively managed and mitigated, and that UCL complies with the obligations of the GDPR and the DPA.

Details of how to report a data breach are available on the Report a Breach of Personal Data webpage.

Information Security

What about data security?

Data security is essential to prevent unauthorised access, disclosure, destruction or amendment of data. The level of which depends upon the nature of individual data. Higher levels of security are required for sensitive data, which may include identifiable personal information, pose risks to commercial or intellectual property rights, or compromise national security. Researchers should also be aware of the GDPR and its implications for research.

If you have any concerns about data security, you should contact the ISG team in the first instance.

Can I use Zoom?

UCL has an institution-wide agreement with Zoom for the purposes of it being used as an educational tool. This should not be used for sessions where the focus of the meeting is to transfer personal data. Microsoft Teams remains the best way to do that. However, if the aim of the use of the tool is communication and transfer of personal data is incidental (eg everyone’s name comes up on the list of who is present in the meeting) then that’s acceptable to UCL. 

If you do choose to use Zoom, our advice is to keep personal data sharing to a minimum and where you can, share documents via email or another system rather than on Zoom. 

For more information about the introduction of Zoom at UCL please take a look at the Frequently Asked Questions

Further guidance can be found on the ISD Zoom page.

Can I use third-party cloud platforms?

Before you start using any new third party based software or services, you must carry out due diligence to ensure that UCL information will be secure and appropriately managed.

In the first instance, you should check with IT Service Delivery to see if any existing centrally supported University software meets your requirements.

Further guidance on Security of Cloud Services is available on the Information Security webpage.

Privacy Notices

What are privacy notices?

Data protection law requires UCL to provide a privacy policy/notice (also known as an information notice – for example this is UCL's student privacy notice) to everyone about whom it processes data. This means that each data subject about whom you collect personal data would need to be provided with a privacy notice.

More information about drafting a privacy notice.

Children’s data

What do I need to know about the Children’s code?

In September 2020, the ICO issued the Age Appropriate Design code, also known as the Children’s code. The code outlines 15 standards which organisations must follow when designing Information Society Services (ISS) that may be accessed by children.

Examples of ISS include apps, programs, search engines, social media platforms, online messaging, online marketplaces, content streaming services (e.g. video, music or gaming services), online games, news or educational websites and websites offering goods or services to users over the internet. The code applies to ISS which are offered at a distance (i.e. online) in return for remuneration, which may come directly from the user or via another source, such as adverting. 

If you think your service may fall under the definition of an ISS, you must contact the Data Protection Office. The ICO have produced a flowchart to help you determine if your service could be considered an ISS.

General Queries

Who is the university’s Caldicott Guardian?

UCL doesn’t have a Caldicott Guardian. If the data is being obtained / processed at an NHS site, it would be that site’s Caldicott Guardian. Please direct any queries about Caldicott Guardian to infogov@ucl.ac.uk.

I have an admission query

You’ll need to redirect your queries to the Admissions teams who will be able to assist you. Their e-mail addresses are as follows:

What effect, if any, does Brexit have on GDPR?

The UK has adopted the EU’s GDPR into its domestic law from 1 January 2021 therefore currently the impact of Brexit on UK data protection law is minimal.

University College Hospital (UCH)

Sometimes confused with UCL, UCH is a separate legal entity to UCL. If you wish to submit a request, or have a query, please refer to their website contact UCH.

Ethics queries

For ethics enquiries, please contact the ethics team at ethics@ucl.ac.uk.

Who is my data protection co-ordinator?

Please note, not all departments have a local data protection coordinator. This role is different from the data protection officer (which is a centralised function) and you should check with your department whether this requirement applies to you.


Data Processing Agreements

If this relates to funded research, please contact the research contracts team in the first instance.

If the research is unfunded then there are template data sharing agreements on the data protection website, at the bottom right hand side of the page.

    COVID-19 Data Protection

    How do I access personal data for UCL, safely & securely remotely?

    There are two options for connecting remotely:

    1. Using the Virtual Private Network (VPN). Most University services can be accessed via the web using the VPN 
    2. Or via Desktop@UCL Anywhere connection
    3. Follow the various Desktop@UCL Anywhere guidelines
    How do I get access to sensitive data remotely?

    Once set up you can use your personal computer/laptop to connect or VPN to your University-managed computer to have access to all of your programs, files and network resources as though you were accessing your University computer in person.

    How do I transfer personal data to my remote work location if required?

    See above answers to questions 1 and 2. We recommend that you do not save data to your local machine, especially when it comes to sensitive data. Rather continue to save it to your UCL device which you are accessing remotely. If you are having trouble accessing your UCL account via the VPN or Desktop@UCL Anywhere, please contact ISD for support. 

    How do I store personal data?

    Personal data should be stored on UCL Managed services (e.g. S: drive, One Drive, SharePoint, Data Safe Haven etc) wherever possible. If it is not possible to store the data on a UCL managed service then you should encrypt the data, store it in a 7-Zip file before transferring onto the 3rd party device. Review Data storage options at UCL for indepth information on storage options available at UCL while working remotely.

    How do I send personal data to another individual (internal / external)?

    We recommend that you use UCL managed devices and software wherever possible. We understand that many systems are strained and that there are a myriad of software, which is not managed by UCL, out there and in regular use. UCL cannot guarantee the security of these software and so use of them should be taken with caution. If you must use a non-UCL managed device, please do not use them for the sharing of personal data where possible.

    IT Services support the use of email, Microsoft Teams, and on SharePoint for internal collaboration. If using S: drive, you can share the link via e-mail.

    If using UCL OneDrive for Business, when you share the hyperlink it will automatically send the link to the person. 

    Note: Please note that OneDrive for Business as it stores local copies on machines you access OneDrive from. Therefore, you should ensure this information is deleted once it has been sent and opened by the third party, which increases the risk of a breach of confidentiality. Set reminders to review access periodically so that access is revoked when no longer needed. All communications via UCL managed services (including Microsoft Teams) are subject to Data Protection and Freedom of information rules and may be disclosable via a data subject access request or Freedom of Information request. 

    Can I use UCL systems to hold a video conference with a large number of people?

    Microsoft Teams can be used for large groups. Further guidance for hosting large meetings in Teams.

    Can I use Zoom as a video conferencing tool?

    UCL’s endorsed video conferencing tool is Microsoft Teams. Zoom has been purchased by UCL as an education tool as an alternative to Microsoft Teams in particular circumstances. 
    If the aim of the use of the software is communication, and the transfer of personal data is incidental (e.g. everyone’s name comes up on the list of who is present in the meeting), then use of Zoom is acceptable. 
    If you choose to use Zoom, please refer to the UK Government Cabinet Office guidance on how to make this as secure as possible. In particular, you are strongly advised to keep personal data sharing to a minimum and where you can, share documents via email or another system rather than on Zoom. For more information about the introduction of Zoom at UCL please email zoomsupport@ucl.ac.uk.

    Further guidance on undertaking interviews during research is covered in the Ethics pages here

    How do I print personal data securely?

    Moving to working from home provides additional challenges to Data Protection. One of these is what to do with paper copies of confidential information.  When working with confidential information, UCL recommends the following: 
    •    If you don’t need to print it then don’t print it.
    •    If you do print documents, then please tidy them away when not using them.
    •    If possible, into a lockable draw.
    •    When you are done with documents dispose of these safely.
    •    If you have a cross cut shredder then that is a great solution.
    •    If not, you can use scissors to cut off the identifying information, and then cut this information into smaller pieces and dispose of them separately from the rest of the document, which can be placed in recycling.
    •    If you don’t have a suitable shredder and there is too much information for scissor to be practical, then store documents securely for disposal once back in the office.
    *Teams which know this will be a recurring issue might need to look into other options such as:
    •    Purchasing shredders.
    •    A secure disposal collection service.

    How do I ensure security when processing hard-copies of personal data remotely?

    Hard copies of personal data are generally not recommended when working remotely as there is an increased danger of them being lost or mis-placed, compared to electronic records. This is particularly the case when transporting hard copies – e.g. between the office and home. Instead we recommend only working with and process electronic files where possible. 
    If there is no other way to process the information otherwise than by hard copy, (e.g. the hard copy is the only source of the personal data), then you must inform your manager they must be kept within your control and stored securely (e.g. in a locked cabinet when not in use).

    What should I do if there is a personal data breach and how do I report it?

    A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data e.g. sending personal data to an incorrect recipient, or your computing devices containing personal data being lost or stolen.

    In cases where there has been an incident which resulted in a potential breach of personal data, it is imperative that it is reported immediately to Information Security Group (ISG) in UCL. Please see this guidance for full details on reporting personal data breaches.

    *General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018 (DPA)