Data Protection


Data Protection Frequently Asked Questions*

Children’s data

What do I need to know about the Children’s code?

In September 2020, the ICO issued the Age Appropriate Design code, also known as the Children’s code. The code outlines 15 standards which organisations must follow when designing Information Society Services (ISS) that may be accessed by children.

Examples of ISS include apps, programs, search engines, social media platforms, online messaging, online marketplaces, content streaming services (e.g. video, music or gaming services), online games, news or educational websites and websites offering goods or services to users over the internet. The code applies to ISS which are offered at a distance (i.e. online) in return for remuneration, which may come directly from the user or via another source, such as adverting. 

To ensure the code is ahered to, UCL have mandated that a DPIA is completed for any project that processes the data of under 18's. If you think your service may fall under the definition of an ISS, you must contact the Data Protection Office. The ICO have produced a flowchart to help you determine if your service could be considered an ISS.

Why do I need to complete a DPIA?

UCL is committed to ensuring that Children’s data is handled in a way that protects the child’s best interests. Completing a DPIA for all projects that involve the processing of under 18’s data will help UCL to identify any practices which may not conform to the standards set out by the Children’s code.


Do I need consent in order to process personal data?

Not always. In order to process personal data, you need to have an appropriate legal basis. There are six to choose from. 

  • Consent
  • Contract
  • Legal obligation
  • Vital interests
  • Public task
  • Legitimate interests

For research purposes, there are two different types of consent. Consent governed by data protection legislation (a legal basis):Under data protection legislation, although the GDPR consent is one of the lawful basis for processing, staff and students should not normally rely on it for processing personal data for research purposes. Instead, you should normally rely on 'public task' as the lawful basis. 

Ethical consent governed by common law: Even though you should usually rely on 'public task' as a lawful basis, informed ethical consent is still important. In order to comply with accepted ethical standards for research and to obtain ethical approval for a project, researchers will generally need to obtain the informed consent of individual participants for their involvement in the research. This is supported in data protection legislation because researchers must act in a manner that is 'in keeping with recognized ethical standards for scientific research' - and fair. As such, research regulators will usually expect informed consent.

In order to make this determination, you will need to understand the specific purposes and the context of why you want to process the data. The ICO has published an interactive guidance tool to help you.


Data Processing Agreements

If this relates to funded research, please contact the research contracts team in the first instance.

If the research is unfunded then there are template data sharing agreements on the data protection website, at the bottom right hand side of the page.

Covid-19 Data Protection 

As a result of the impact of Covid-19, which results in questions around how to protect personal data when working in a different manner. We have produced a set of guidance to answer the most frequently asked questions.

How do I access personal data for UCL, safely & securely remotely?

There are two options for connecting remotely:

  1. Using the Virtual Private Network (VPN). Most University services can be accessed via the web using the VPN 
  2. Or via Desktop@UCL Anywhere connection
  3. Follow the various Desktop@UCL Anywhere guidelines
How do I get access to sensitive data remotely?

The Data Safe Haven is UCL's technical solution for transferring and storing research information that is highly confidential. The Data Safe Haven Assurance page introduces the Information Governance assurance process before on-boarding to the UCL Data Safe Haven.

How do I transfer personal data to my remote work location if required?

See above answers to questions 1 and 2. We recommend that you do not save data to your local machine, especially when it comes to sensitive data. Rather continue to save it to your UCL device which you are accessing remotely. If you are having trouble accessing your UCL account via the VPN or Desktop@UCL Anywhere, please contact ISD for support. 

How do I store personal data?

Personal data should be stored on UCL Managed services (e.g. S: drive, One Drive, SharePoint, Data Safe Haven etc) wherever possible. If it is not possible to store the data on a UCL managed service then you should encrypt the data, store it in a 7-Zip file before transferring onto the 3rd party device. Review Data storage options at UCL for indepth information on storage options available at UCL while working remotely.

How do I send personal data to another individual (internal / external)?

We recommend that you use UCL managed devices and software wherever possible. We understand that many systems are strained and that there are a myriad of software, which is not managed by UCL, out there and in regular use. UCL cannot guarantee the security of these software and so use of them should be taken with caution. If you must use a non-UCL managed device, please do not use them for the sharing of personal data where possible.

IT Services support the use of email, Microsoft Teams, and on SharePoint for internal collaboration. If using S: drive, you can share the link via e-mail.

If using UCL OneDrive for Business, when you share the hyperlink it will automatically send the link to the person. 

Note: Please note that OneDrive for Business as it stores local copies on machines you access OneDrive from. Therefore, you should ensure this information is deleted once it has been sent and opened by the third party, which increases the risk of a breach of confidentiality. Set reminders to review access periodically so that access is revoked when no longer needed. All communications via UCL managed services (including Microsoft Teams) are subject to Data Protection and Freedom of information rules and may be disclosable via a data subject access request or Freedom of Information request. 

Can I use UCL systems to hold a video conference with a large number of people?

Microsoft Teams can be used for large groups. Further guidance for hosting large meetings in Teams.

Can I use Zoom as a video conferencing tool?

UCL’s endorsed video conferencing tool is Microsoft Teams. Zoom has been purchased by UCL as an education tool as an alternative to Microsoft Teams in particular circumstances. 
If the aim of the use of the software is communication, and the transfer of personal data is incidental (e.g. everyone’s name comes up on the list of who is present in the meeting), then use of Zoom is acceptable. 
If you choose to use Zoom, please refer to the UK Government Cabinet Office guidance on how to make this as secure as possible. In particular, you are strongly advised to keep personal data sharing to a minimum and where you can, share documents via email or another system rather than on Zoom. For more information about the introduction of Zoom at UCL please email zoomsupport@ucl.ac.uk.

Further guidance on undertaking interviews during research is covered in the Ethics pages here

How do I print personal data securely?

Moving to working from home provides additional challenges to Data Protection. One of these is what to do with paper copies of confidential information.  When working with confidential information, UCL recommends the following: 
•    If you don’t need to print it then don’t print it.
•    If you do print documents, then please tidy them away when not using them.
•    If possible, into a lockable draw.
•    When you are done with documents dispose of these safely.
•    If you have a cross cut shredder then that is a great solution.
•    If not, you can use scissors to cut off the identifying information, and then cut this information into smaller pieces and dispose of them separately from the rest of the document, which can be placed in recycling.
•    If you don’t have a suitable shredder and there is too much information for scissor to be practical, then store documents securely for disposal once back in the office.
*Teams which know this will be a recurring issue might need to look into other options such as:
•    Purchasing shredders.
•    A secure disposal collection service.

How do I ensure security when processing hard-copies of personal data remotely?

Hard copies of personal data are generally not recommended when working remotely as there is an increased danger of them being lost or mis-placed, compared to electronic records. This is particularly the case when transporting hard copies – e.g. between the office and home. Instead we recommend only working with and process electronic files where possible. 
If there is no other way to process the information otherwise than by hard copy, (e.g. the hard copy is the only source of the personal data), then you must inform your manager they must be kept within your control and stored securely (e.g. in a locked cabinet when not in use).

What should I do if there is a personal data breach and how do I report it?

A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data e.g. sending personal data to an incorrect recipient, or your computing devices containing personal data being lost or stolen.

In cases where there has been an incident which resulted in a potential breach of personal data, it is imperative that it is reported immediately to Information Security Group (ISG) in UCL. Please see this guidance for full details on reporting personal data breaches.


What do we need to do if we want to use cookies on our website?

You will need to ensure that users to your website, are told that cookies are being used and what they do. If the cookies aren’t strictly necessary to the running of your website, you also need to get the users’ consent.

Data Breach

I think I might have had a data breach. What do I need to do next?

UCL must report certain types of personal data breaches to the Information Commissioner’s Office without undue delay, and within 72 hours of becoming aware of it. 

The swift identification and reporting of personal data breaches is critical to ensuring they are effectively managed and mitigated, and that UCL complies with the obligations of the GDPR and the DPA.

Details of how to report a data breach are available on the Report a Breach of Personal Data webpage.

Data Protection Impact Assessment

Am I required to complete and submit a data protection impact assessment as part of my research?

Every form of processing personal data carries a certain amount of risks for the data subjects (means any person whose personal data is being collected, held or processed). It is therefore important to consider the risks prior to processing, and to take appropriate measures to limit them. Assessing the likelihood of any risk is part of the job of a DPIA.

Carrying out a DPIA is mandatory where the processing of personal data is likely to result in a high risk to the rights and freedoms of individual data subjects.

All projects using personal data, or projects making notable changes to the processing of personal data must be assessed against the DPIA screening questions to identify if a DPIA is required.

What about completing one DPIA for multiple research projects where processing operations are similar and present similar high risks?

In such a case, any safeguards/outcomes should be applied to all and it should be noted that should there be any significant divergence by one project/operation from the processing operations indicated in the DPIA, that a further DPIA might be needed (if those changes resulted in a high risk to the rights and freedoms of natural persons).

Data sharing

Can I share alumni group photos on social media?

The short answer is yes, you (or colleagues) can post group photos on social media, straight away, provided they are not small groups. No consent or additional steps are required on the basis that people in groups (which are not small) are unlikely to be identifiable. Please see more from our guidance on the Legal Services website

The issue with photos of small groups of people is that they are likely to be identifiable and you will need to take some more steps before photos can be posted by a UCL official account or UCL colleagues in order to comply with data protection law.  

If you would like to post small groups of people, who are likely to be identifiable, you will need to comply with data protection law. At a high level - this means providing individuals in the photos with a privacy notice about how their personal data is being used. Before we can do that you will need to update the Alumni privacy notice about this activity. Depending on the age of the photos, there are likely to be issues with distributing a privacy notice directly to individuals which will need to be considered in more detail.

Do different rules apply to current UCL staff? 

No - It does not matter that UCL staff rather than UCL official channels are posting photos, UCL staff are posting the images for the same purposes, to promote UCL and alumni engagement, as part of their employment at UCL. However, if staff are posting purely for personal reasons in their personal capacity (unrelated to this activity or any instruction of UCL), then UCL would not be accountable for their activity.

Can I share information if I'm concerned about someone's safety, or wellbeing?

Yes, you should not hesitate to share students’ or staff members’ personal data to prevent serious harm to the physical or mental wellbeing of a student or staff member in an emergency situation, or to protect a life. Data protection law allows this, and you won’t get into trouble if you share information with someone who is in a position to help a someone at risk. If you are unsure, please contact data-protection@ucl.ac.uk .

Further information:


My research involves third parties. Does this mean (UCL) is a data (joint) controller, or processor?

UCL will be a controller where it decides how and why personal data is processed. For example, if UCL wishes to investigate a particular healthcare issue and designs a study involving the collection and processing of individuals' medical information, UCL will be a controller in respect of that personal data. 

Please note that multiple controllers may be involved in the same research project. For example, UCL may act as the lead institution and work with several universities and commercial organisations on a research project. If each university and commercial organisation uses personal data for both the project and their own purposes, each one will be a controller in its own right.

The Information Commissioner’s Office ICO has provided guidance on joint controllers, noting that parties will not be joint controllers where they process the same data but for different purposes. It has provided a checklist that offers potential indicators that a joint controllership exists such as when:

  • the parties have a common objective and the same purpose in relation to the processing;
  • the same set of personal data (or database) is used with the other party (and for the same purpose);
  • the parties have jointly designed the process; or
  • the parties have “common information management rules” with one another

The existence of joint ‘decision-making’ is therefore of particular importance when examining whether a joint controllership exists between two parties processing data. 

If UCL engages a third party to conduct a survey or to store personal data collected as part of a research project and that third party is not permitted to use the data for its own purposes, then that third party will be a processor.

The ICO has also published guidance on how to determine whether you are a controller or processor.


Bulk emails

Every time a message containing personal data is copied to another recipient there is an increased information compliance risk.

To minimise risk, we make the following recommendations: 

  • Where you regularly send personal information, consider using alternative sharing tools such as Sharepoint and OneDrive.
  • Limit the use of CC only to those who need to receive the information. BCC (Blind Carbon Copy) can be a useful tool. When you use BCC, all those in the ‘BCC’ field can’t see each other’s email addresses. However, forgetting to use BCC, frequently leads to the accidental disclosure of all the recipients’ email addresses.
  • With the above in mind where it is still necessary to send to multiple recipients please assess the nature of the information and the potential security risks when deciding on the best method to communicate with a large amount of people. If you are sending any sensitive personal information electronically, you should use alternatives to BCC, such as bulk email services that Information Services Division can advise on should be considered (you could suggest a DPIA should be undertaken as well in these scenarios). Please see links to the Information Commissioner’s Office’s (ICO) recent warning and new guidance about sending bulk emails.
Who is the university’s Caldicott Guardian?

UCL doesn’t have a Caldicott Guardian. If the data is being obtained / processed at an NHS site, it would be that site’s Caldicott Guardian. Please direct any queries about Caldicott Guardian to infogov@ucl.ac.uk.

I have an admission query

You’ll need to redirect your queries to the Admissions teams who will be able to assist you. 

What effect, if any, does Brexit have on GDPR?

The UK has adopted the EU’s GDPR into its domestic law from 1 January 2021 therefore currently the impact of Brexit on UK data protection law is minimal.

On 28 June 2021, the UK was granted a data protection 'adequacy decision' from the European Commission, meaning that personal data transfers from EEA-based organisations to UK-based organisations can continue without any additional safeguards.  

University College Hospital (UCH)

Sometimes confused with UCL, UCH is a separate legal entity to UCL. If you wish to submit a request, or have a query, please refer to their website contact UCH.

Ethics queries

For further ethical and research integrity issues, please contact the ethics team at ethics@ucl.ac.uk.

Who is my data protection co-ordinator?

Please note, not all departments have a local data protection coordinator. This role is different from the data protection officer (which is a centralised function) and you should check with your department whether this requirement applies to you.

What is Direct Marketing?

The term 'direct marketing' refers to the communication of advertising or marketing material which is directed to particular individuals. 

The law around direct marketing is different depending on the medium used, and therefore it is important that staff, students, and researchers etc. is are aware of these definitions and regulations when sending communications with others.

This definition is wider than you might expect and covers any advertising, promotional or marketing material sent by UCL to a specific individual (who may be an employee of another organisation). Direct marketing is not confined to communications sent in a commercial context, e.g. in relation to the provision of goods or services – it also includes promoting UCL's aims and objectives.    

Further resources 

What do you need to consider when conducting direct marketing?

When conducting direct marketing communication, there are certain baseline requirements within the GDPR that require full compliance with:

  • Lawfulness, fairness, and transparency principle
  • Purpose limitation principle
  • Data minimization principle
  • Accuracy principle
  • Storage limitation principle
  • Integrity and confidentiality principle
  • Data subjects’ rights

Within UCL, we talk in general terms about internal marketing and external marketing. Internal marketing is generally used to mean (i) communications to UCL staff relating to their experience as a member of staff and (ii) communications to enrolled UCL students relating to their experience as a student, but not necessarily related to their actual course (for example, making students aware of a seminar on resilience or a careers event). Other than in exceptional cases, communications to UCL staff do not amount to direct marketing. 

Whilst there are likely to be more circumstances in which communications sent to enrolled UCL students could be viewed as direct marketing, in general communications to enrolled students do not amount to direct marketing; but should rather be seen as activities that form part of UCL's complete student experience for enrolled students and that, in most instances, look to further UCL's core purposes of education, research and innovation (please see UCL's Statement of Tasks in the Public Interest here for further information).

Creating and then using a mailing list from workshop/event participants (which could include internal and external participants) in order to facilitate discussion and dissemination of further events and topics could possibly count as advertising or marketing material.  Such event notifications could be considered marketing/advertising (although there’s no ‘sale’ intention as such) but then discussions of topics arising out of the event may not.  

External marketing is generally used to mean communications to individuals that are not current UCL staff members or enrolled UCL students. The most common examples of external marketing at UCL are communications sent to (i) prospective students, (ii) alumni, (iii) philanthropists or (iv) individuals that UCL consider may be interested in courses, training or events offered by UCL. 

In most instances UCL's external marketing activities do amount to direct marketing. The one obvious exception is external marketing that is not directed at a specific individual – such as a marketing email sent to a generic email address like data-protection@ucl.ac.uk.

Generative Artificial Intelligence

What is Generative Artificial Intelligence?

Generative AI refers to a category of artificial intelligence. Unlike more traditional AI systems that are designed to solve specific tasks with predefined rules. Generative AI was developed to create new content and data, such as images, sounds, text, videos, etc. on the data it was trained on.

Generative AI uses unsupervised learning and generative models and has the potential to drastically change the way we approach content creation.

Why is Generative Artificial Intelligence a hot topic at the moment?

The applications for this technology are growing every day, in turn, they will be trained on more and more data. This gives rise to concerns the data may include copyrighted material which may have been shared without the owner’s consent.

What is ChatGPT?

The GPT stands for generative pretrained transformer. It is a chatbot that can generate an answer to almost any question it has been asked.

Further reading about what is generative AI?

Information Security

Can I use a password protected encrypted portable hard drive to store and transfer personal data (Recordings containing personally identifiable information)?

Yes. However, please keep in mind the following:

1. To guard against data loss, ensure that you maintain a copy of your data in a location that has an equivalent level of security.

2. Use a hard disk that has a PIN (Personal Identification Number) and is hardware encrypted. The current encryption standard is AES-256 bit.

3. Keep the PIN in a safe place and do not store the PIN with the device. Remember, if you lose the PIN you will lose access to the data.

4. Follow the manufacturer’s instructions on the use of the disk.

5. If the disk needs to be repaired, under no circumstances should you provide the password to the repairer

6. Remember to follow relevant guidance on deletion if you dispose of the hard disk.

What constitutes a suitable device for storing personal or senstive data.

a. Please see Definition of terms used in the policy documentation here.

b. The device or system should be owned and/or managed by UCL.

c. Laptops/desktops should be encrypted with a full-disk encryption and should be running a UCL recommended Antivirus.

d. A credential such as a PIN number or password should be used to access the device and this should not be stored with the device

e. A backup of the information should be kept in a secure location. This backup device should also conform to the same security level as main device. Alternatively, the information should be stored on UCL storage that guarantees an equivalent level of security.

f. Cloud-based system fall under a separate category and this is covered in a subsequent topic.

Use of third-party external cloud storage systems/platforms for use within trials/projects

Users should consider the classification of the data, see the Information Management Policy available here

Please complete the Data Protection screener questions to evaluate if a Data Protection Impact Assessment needs to be completed.

If you are using UCL owned Microsoft tenancy or UCL's Amazon Web Service tenancy, then no further risk assessment needs to be done. Please consult the Information Security Group (ISG) if you have concerns that you would like to address.

Trials have some specific regulations that isn't listed above, please consult with the ISG (isg@ucl.ac.uk) to evaluate the service. These evaluations can take anything from 5 days to 15 days to assess a platform.

Use of Data Safe Haven and request for induction

Data Safe Haven users are invited to induction on the completion of any relevant assurance steps, as detailed in the Data Safe Haven Assurance process.

Clarification about UCL policy on the use of Dropbox during projects

Dropbox should not be used to exchange Personal Identifiable Information or sensitive information. However, if Dropbox must be used, then encryption is recommended and a high entropy (at least 30 random characters consisting of alphabets, numbers, and special characters) password is used. It is recommended that the password to the file is shared with other recipients by another channel or OoB (Out-of Band) method. Please be aware that this can result in copies of the data existing on all computers connected to that Dropbox.

The suitability of UCL OneDrive and whether it can be shared with third parties

If it is necessary to share the data with third parties, it is recommended that the information should be stored in SharePoint. Data stored on OneDrive/SharePoint is easier to share externally, either accidentally or on purpose, and so there is a greater risk of a data breach. Care must be taken to periodically check access permissions to folders containing personal or sensitive information.

A data-sharing agreement should be completed in consultation with Legal Services or Research Contracts prior to sharing.

GDPR implications of storing data on non-encrypted devices prior to being uploaded to the Data Safe Haven

See the section Transferring data from external sources into the Data Safe Haven on the following page.

Information should not be stored on non-encrypted devices unless the information has been suitably anonymised. See.

Internal UCL Policy for storing surveys containing personal data

Users should consider the claissification of data, see the Information Management Policy available here.

Data stored on OneDrive/SharePoint is easier to share externally, either accidentally or on purpose, and so there is a greater risk of a data breach. Care must be taken to periodically check access permissions to folders containing personal or sensitive information.

It is recommended that these be stored on the S: drive. Alternatively, these can be stored in a SharePoint folder that has the relevant access permissions.

Use of UCL OneDrive for Business vs S:Drive

Users should consider the classification of data, see the Information Management Policy available here.

Data stored on One Drive/SharePoint is easier to share externally, either accidently or on purpose, and so there is a greater risk of a data breach. Care must be taken to periodically check access permissions to folders containing personal or sensitive information.

For information relating to OneDrive see:

OneDrive for Business, please see.

SharePoint and One Drive for Business, please see.

Requesting a SharePoint site, please see (UCL username and password requied).

For further information on S: Drive see

Data stored on S:Drive resides on storage devices within designated UCL premises. This is accessible only onsite and via VPN when not on UCL premises. The information on S: Drive is regulary backed-up offsite.

However, highly sensitive medical information should not be stored on any of these storage areas.

Microsoft Forms

There has been an update to privacy information added automatically to Microsoft Forms: 

The statement now reads as follows:

This content is created by the owner of the form. The data you submit will be sent to the form owner. Microsoft is not responsible for the privacy or security practices of its customers, including those of this form owner. Never give out your password.

Powered by Microsoft Forms
| Privacy and cookies | Terms of use

It is therefore important that the correct privacy notice is mentioned in the introduction to any proposed survey using Microsoft Forms.

International transfers

Some of the information we intend to process is passed outside of the European Economic Area (EEA), what do we need to consider?

If you are sending personal data to a different organisation or an individual located outside of the EEA. You will need to ensure that: 

  • the country is covered by an adequacy decision; or
  • an appropriate safeguard or exception is met.

The most relevant option will be the appropriate safeguard of standard contractual clauses that have been adopted by the Commission. These are set contractual clauses, included within an agreement between two organisations, which put obligations on the data exporter as well as the importer. The ICO has guidance on international transfers which explains the standard contractual clauses, alongside the other mechanisms for completing a restricted transfer.

Personal Data

What is Personal Data?

Personal data is defined as data, (whether stored electronically or paper based) relating to a living individual who can be identified directly or indirectly from that data, (or from that data and other information in our possession).

Processing is any activity that involves use of personal data. It includes obtaining, recording, or holding the data, organizing, amending, retrieving, using, disclosing, erasing, or destroying it. Processing also includes transferring personal data to third parties under privacy control conditions.

Sensitive personal data includes contact info, address, session activity on the platform, IP location etc. Sensitive personal data can only be processed under strict conditions, and used for express purpose that it was collected for.

Privacy Notices

What are privacy notices?

Data protection law requires UCL to provide a privacy policy/notice (also known as an information notice – for example this is UCL's student privacy notice) to everyone about whom it processes data. This means that each data subject about whom you collect personal data would need to be provided with a privacy notice.

More information about drafting a privacy notice.

Do I need to provide a privacy notice as twitter provides an information notice?

This does not remove UCL’s obligation to provide a privacy notice. An information notice must still be provided to persons from whom data has not been collected directly, regardless of whether such users have “consented” for their data to be used in such a way, about how their data will be used. This means that UCL needs to provide an information notice to twitter users. There is an exemption to providing an information notice to individuals where this would provide impossible or disproportionate.

If after further consideration it is not possible or would be considered disproportionate to provide an information notice, you will need to complete a DPIA to consider ways to mitigate the effect of not providing an information notice, including with respect to ensuring fairness and lawfulness of processing. UCL has a template assessment document online to assist with this process and the ICO’s website includes further detail about relying on this exemption and suggestions about how to mitigate the effect of not providing an information notice which may prove helpful in completing the assessment. 


How do I register for research registration?

Further guidance on how to register is available on the Research Registration Guidance webpage.

My research is anonymised, do I still need to register for data protection?

Data which has been irreversibly anonymised ceases to be personal data, and processing of such data does not require compliance with Data Protection law, research registration, though there may still be ethical reasons for protecting this information.

For data to be truly anonymous, the data must not be capable of being cross-referenced with other data to reveal individual(s) identity. This high standard is required because if data does satisfy the requirements for anonymity it is treated as being outside the scope of legal protection provided under data protection law.

When will I receive a registration number?

We usually aim to register all research projects within 10 working days of receipt of all of the correct information. UCL official closure days count as non-working days. 

If you do not receive your research registration number within 10 working days, you are able to submit your ethics application form marking the sections relating to DP registration as ‘to follow’ or ‘registration in progress’. You can then supply the ethics team with your DP registration number (together with any changes the Data Protection Office, advised you to make to your research project) once it is available.

Do all UCL research projects involving personal data need research registration approval?

Research projects that use personal data or special category data (sensitive) must secure registration approval where, for example, the research activities involves:

  • researchers processing information relating to an identified or identifiable living person. Note that ‘processing’ means any operation - collecting, storing, using, transferring, disclosing or destroying - performed on personal data.
  • re-using secondary data, that either identifies or could be linked to a living individual.
  • observation research of an identified or identifiable living individual including use of photo or photo devices.
  • research which requests perspective participants to answering questions about themselves, or giving personal opinions.
  • research which requires perspective participants performing requested tasks, eg an online survey or identifiable activity.
  • research which requires perspective participants to undergoing any kind of medical  procedure eg biopsy, blood test, debridement of wound, burn, or infection, surgery etc.
My project is just an undergraduate dissertation, do I need to register?

Undergraduate students who are processing personal data as part of their research activities do not have to register their research studies with the Data Protection Office (DPO), provided that they have successfully completed the ‘Information compliance training for researchers’’ .Or had their study signed off by their Department and no further action was deemed to be required. On some occasions the Department will require that the research is registered, and further data protection advice sought. For example, this may be necessary when the research involves special category data. 

The level of risk can sometimes be quite obvious. For example; research involving health data. But, other types of research may also raise potential risks. For example; the research focuses on vulnerable participants, or is carried out in an a potentially challenging environment, or which may present risks to the personal safety of the researcher. 

It is therefore important to reflect on the perceived risk of each individual study. This should help you decide whether, or not, you should still have to register their research with the DPO.

I am using data which does not identify living individuals: do I need to register?

In the situation where all the personal data has had all identifiers removed, this can only be considered truly anonymised data if it was impossible to re-identify the participants, even when cross referenced against supporting documentation.

If this is the case, registration shall not be required.

Do I need to complete a Data Protection Impact Assessment (DPIA) for my research?

Every form of processing personal data carries a certain amount of risks for the data subjects (means any person whose personal data is being collected, held or processed). It is therefore important to consider the risks prior to processing, and to take appropriate measures to limit them. Assessing the likelihood of any risk is part of the job of a DPIA

By starting a DPIA at the early stages risks and required controls to ensure legal compliance and security can be developed from outset. The earlier a DPIA is completed, the easier it is to address any privacy risks which may be identified. 

To assess the level of risk, you need to consider both the likelihood and severity of any potential harm to the data subjects through your research activities. The screening questions within our application form also offers researchers a shortened risk inventory, with making their own judgements for each project that they undertake which has potential privacy impacts. 

As the researcher of this project, you will be best placed to determine whether your processing is likely to result in a high-risk to the data subjects, and therefore require the completion of a DPIA. Having said that, it is good practice to complete a DPIA to demonstrate that you have considered the risks as part of your research preparations. 

The Information Commissioner’s Office, has prepared a DPIA. The document will also guide you through the process of determining whether your data processing activity requires a DPIA.

I am asking participants’ opinions about my research, rather than seeking their personal information. Do I need research registration to do this?

All research projects where participants are offering their personal information, opinion or data where that information, or opinion, contributes to answering a project’s research question(s) need data protection registration. However, should the research not require perspective participants giving information about themselves, and the opinions that they offer are not themselves the subject of the research.

Can I proceed with my ethics application even though I have not yet received my data protection registration number?

If the DP registration process is taking longer than the advertised 10 working days, please go ahead and submit your ethics application form marking the sections relating to DP registration as ‘to follow’ or ‘registration in progress’ and supply the ethics team with your DP registration number (together with any changes the DP Office advised you to make to the way in which you propose to store and collect your data for example) once it is available so that they can tie up that information with your ethics application.  

However, please note that data collection cannot commence until you have received both DP and ethical approval.

Unfunded data protection research advice

If your research is unfunded, please complete the unfunded research referral form and send to data-protection@ucl.ac.uk 

If your research is funded, please approach Research Contracts in the first instance.

Automated Transcription Services

Automated transcription provides fast turn-around at low cost, often free. While it may be appealing to consider using these services, there are some less obvious aspects that should be taken into account. Audio recordings of speech are almost certain to contain personal data. The cloud services used to deliver transcription often do not say where the data will be processed, how long it will be retained for and whether the audio will be used for other purposes, such as refining their transcription algorithms. Without proper contractual arrangements in place, these aspects are not controlled and present a data protection risk to UCL. 

Office 365 subscribers have access to a transcription option, which can be used along with ensuring that a suitable set of processes are in place to ensure access is properly managed (when sharing files, when people leave the team etc.) and that files are not copied to local machines, including use of OneDrive.

When should I use the Data Safe Haven to store my research data?

Projects that intend to use the Data Safe Haven are assessed for eligibility by the Information Governance Advisory service, where the assurance process has been designed and implemented to meet the requirements of the NHS Data Security & Protection Toolkit and ISO 27001 Information Security standard.

To begin this process, projects must register for Information Governance services.

What about research amendments?

Further guidance is available here

I think my project is a service evaluation, do I still need to register?

It can sometimes be difficult to differentiate between a project which is intended for research, or as a service evaluation. The distinction between the two categories can be a grey area.

It is important that you know which of these categories your project aligns to in order to ensure that you are adhering to the relevant data protection, ethical and governance standards.

The key differences in approach relates mostly to the project scope and intent. This should help you decide whether your project is research or a service evaluation. For example:

If a project involves the processing (means any operation - collecting, storing, using, transferring, disclosing or destroying - performed on personal data), of information relating to an identified or identifiable living person. Or re-using secondary data, that either identifies or could be linked to a living individual. Must secure registration approval.    

If a project is designed and conducted with the sole purpose of defining or judging a service, with a view of improving the service based on the evidence collected. With the results of the evaluation used to generate information that can be used to inform local decision-making. Then, this type of activity, does not normally require registration approval.

Use of previously collected data (‘secondary’) within research

The use of secondary data in research, can still raise data protection issues around confidentiality, data sharing, privacy, and security. It is therefore important to ensure it is processed and protected in compliance with data protection legislation.

If you are processing personal data in your research project without the express consent of the original participants, you must explain in your research application how you will obtain the data, justify their use and ensure that the processing is fair to the original participants. 

If you are using data which is publicly available, you must provide details of the source(s) and confirm in your research application, that the data are openly and publicly accessible and may be used for research purposes.

Use of public data (in a research context)

The GDPR doesn't distinguish between personal information in the public domain and personal information collected privately and directly from the individual. It is therefore important, for researchers to respect the GDPR's rules for collecting and processing data, from any open source platform, community, forum, register, or company. This is a question of degree, and will depend on the circumstances.

The correct approach will always be to look at the effect the disclosure would have in light of the information already in the public domain. This will vary from case to case, depending on the exact content and context of the information.

Other considerations include, the data subject expectations, whether they made the data public themselves, the sensitivity of data and vulnerability of data subjects, will be extremely important.

The use of public data, does not remove UCL’s obligation to provide a privacy notice. A privacy notice must still be provided to persons from whom data has not been collected directly, regardless of whether such users have “consented” for their data to be used in such a way, about how their data will be used. There is an exemption to providing an information notice to individuals where this would provide impossible or disproportionate. If after further consideration it is not possible or would be considered disproportionate to provide an information notice, you will need to complete a Data Protection Impact Assessment to consider ways to mitigate the effect of not providing a privacy notice, including with respect to ensuring fairness and lawfulness of processing. UCL has a template assessment document online to assist researchers with this process and the ICO’s website includes further detail about relying on this exemption and suggestions about how to mitigate the effect of not providing a privacy notice which may prove helpful in completing the assessment. 

Further guidance and exemptions for using data in the public domain is available from the Information Commissioners’ website.

What is data scraping?

Data scraping describes the extraction of Internet-based data from websites, used without the permission of the data owner. Data scraping can be manual or   automatic. This process, however, carries the risk that it may go against some of the GDPR's key principles, purpose limitation and data minimisation. Where personal data is involved, organisations (in this case UCL) must have a lawful basis to conduct data scraping.

Where special categories of personal data are scraped, that is personal data requiring extra levels of protection under GDPR, such as race, religion, health data, political opinions, etc., the explicit consent of the individual is required unless an exemption applies.

The GDPR also requires controllers to be transparent. Data scraping, by its very nature, is a practice that is often difficult to be fair and transparent about.

The ICO consider this activity to be "high risk" processing for which a Data Protection Impact Assessment (DPIA) is required.

Where organisations engage with data scraping service providers, they are responsible for providing the individuals with a privacy notice. There are some exemptions to this rule in cases where this would be impossible or disproportionate. If applicable, you will need to complete a DPIA to consider ways to mitigate the effect of not providing a privacy notice, including with respect to ensuring fairness and lawfulness of processing. UCL has a template assessment document online to assist researchers with this process and the ICO’s website includes further detail about relying on this exemption and suggestions about how to mitigate the effect of not providing a privacy notice which may prove helpful in completing the assessment. 

If a controller engages a service provider to undertake scraping on its behalf, it must ensure that it has in place a Data Processing Agreement with the service provider, incorporating the GDPR's processor obligations.

Please note, data scraping may also breach the terms of conditions of the website, so these need to be considered carefully. In addition, it also raises ethical considerations and ethics approval may be declined.


Where can I find out more guidance about long-term storage of my research data?

You should make arrangements as early as possible for the secure long-term storage of your data, taking into account any specific requirements of your department or funder. 

UCL staff and PhD students can use the UCL Research Data Repository;  Undergraduate and Masters students should ask their supervisors about the Open Education Repository


For further guidance, the Research Data Management team can be contacted at lib-researchsupport@ucl.ac.uk and the Library Records Office can be contacted at: records.office@ucl.ac.uk.

How long should we keep data for?

In general, you should retain personal data only as long as necessary for the purposes of the processing such as audit, regulatory and legal record-keeping requirements.

The UCL records retention schedule applies to all records, irrespective of format and medium. It therefore covers both paper and electronic records, including emails and audio-visual materials.

Subject Access Request 

Making a subject access request

Under data protection legislation an individual has the right to access the personal data that an organisation holds about them. Accessing personal data in this way is known as making a subject access request.  

Your subject access request to UCL may be submitted in whatever format you wish, but we have created a standard Subject Access Request Form for your convenience, which can be completed and emailed to data-protection@ucl.ac.uk

Handling a subject access request

Whilst the University Data Protection Office will normally carry out the subject access request procedure, it is important that staff are aware of what a subject access request is and have an understanding of what the University’s obligations are to comply with such a request.

We have published guidance to help staff comply and this should be read in conjunction with the University’s Data Protection Policy

If you are unsure about how to deal with a subject access request or have any concerns or have any questions relating to one, please contact the Data Protection Office data-protection@ucl.ac.uk  as soon as possible.

 *General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018 (DPA)