Data Protection


Data Protection Frequently Asked Questions*

Does my research require registration?

Guidance for staff and postgraduate students on the research registration process, including details regarding what research projects need to be registered, is available on the Research Registration Guidance webpage.

How do I register for research registration?

Further guidance on how to register is available on the Research Registration Guidance webpage.

I’m not sure if my research involves personal data, how can I check?

Personal data is any information relating to an identified or identifiable living person (known as a ‘data subject’). 
Further guidance is available on the Understanding Data Protection at UCL webpage.

My research is anonymised, do I still need to register for data protection?

Data which has been irreversibly anonymised ceases to be personal data, and processing of such data does not require compliance with Data Protection law or research registration, though there may still be ethical reasons for protecting this information.

For data to be truly anonymous, the data must not be capable of being cross-referenced with other data to reveal the identity of any individual(s). This high standard is required because if data does satisfy the requirements for anonymity it is treated as being outside the scope of legal protection provided under data protection law.

Am I required to complete and submit a data protection impact assessment as part of my research?

Every form of processing personal data carries a certain amount of risk for the data subjects (that is, any person whose personal data is being collected, held or processed). It is therefore important to consider the risks prior to processing, and to take appropriate measures to limit them. Assessing the likelihood of any risk is part of the job of a data protection impact assessment (DPIA).

Carrying out a DPIA is mandatory where the processing of personal data is likely to result in a high risk to the rights and freedoms of individual data subjects.

All projects using personal data, or projects making notable changes to the processing of personal data, must be assessed against the DPIA screening questions to identify if a DPIA is required.

Where can I find out more guidance about long-term storage of my research data?

You should make arrangements as early as possible for the secure long-term storage of your data, taking into account any specific requirements of your department or funder. 

For further guidance, the Research Data Management team can be contacted at lib-researchsupport@ucl.ac.uk and the Library Records Office can be contacted at: records.office@ucl.ac.uk.

When will I receive a registration number?

We usually aim to register all research projects within 10 working days of receipt of all of the correct information. UCL official closure days count as non-working days. 

If you do not receive your research registration number within 10 working days, you are able to submit your ethics application form marking the sections relating to DP registration as ‘to follow’ or ‘registration in progress’. You can then supply the ethics team with your DP registration number (together with any changes the Data Protection Office advised you to make to your research project) once it is available.

Who is the university’s Caldicott Guardian?

UCL doesn’t have a Caldicott Guardian. If the data is being obtained / processed at an NHS site, it would be that site’s Caldicott Guardian. Please direct any queries about Caldicott Guardians to infogov@ucl.ac.uk.

I have an admission query

You’ll need to redirect your queries to the Admissions teams who will be able to assist you. Their e-mail addresses are as follows:

What effect, if any, does Brexit have on GDPR?

The UK has adopted the EU’s GDPR into its domestic law from 1 January 2021; therefore the impact of Brexit on UK data protection law is currently minimal.

I think I might have had a data breach. What do I need to do next?

UCL must report certain types of personal data breaches to the Information Commissioner’s Office without undue delay, and within 72 hours of becoming aware of them.

The swift identification and reporting of personal data breaches is critical to ensuring they are effectively managed and mitigated, and that UCL complies with the obligations of the GDPR and the DPA.

Details of how to report a data breach are available on the Report a Breach of Personal Data webpage.

What are privacy notices?

Data protection law requires UCL to provide a privacy policy/notice (also known as an information notice; UCL's student privacy notice is one example) to everyone about whom it processes data. This means that each data subject about whom you collect personal data would need to be provided with a privacy notice.

More information about drafting a privacy notice.

Can I use Zoom?

UCL has an institution-wide agreement with Zoom for the purposes of it being used as an educational tool. This should not be used for sessions where the focus of the meeting is to transfer personal data. Microsoft Teams remains the best way to do that. However, if the aim of the use of the tool is communication and transfer of personal data is incidental (e.g. everyone’s name comes up on the list of who is present in the meeting) then that’s acceptable to UCL.

If you do choose to use Zoom, our advice is to keep personal data sharing to a minimum and where you can, share documents via email or another system rather than on Zoom. 

For more information about the introduction of Zoom at UCL, please take a look at the Frequently Asked Questions.

Further guidance can be found on the ISD Zoom page.

How long should we keep data for?

In general, you should retain personal data only as long as necessary for the purposes of the processing such as audit, regulatory and legal record-keeping requirements.

The UCL records retention schedule applies to all records, irrespective of format and medium. It therefore covers both paper and electronic records, including emails and audio-visual materials.

Can I use third-party cloud platforms?

Before you start using any new third-party software or services, you must carry out due diligence to ensure that UCL information will be secure and appropriately managed.

In the first instance, you should check with IT Service Delivery to see if any existing centrally supported University software meets your requirements.

Further guidance on Security of Cloud Services is available on the Information Security webpage.

I want to conduct research using a third party app. What do I need to do?

It is important to understand whether the app will be UCL’s data processor or a separate data controller. Further guidance is available on the Understanding Data Protection webpage under the heading ‘Controller and Processor’.

Following that, you will need to ensure an appropriate data sharing agreement is in place. If the research is funded then Research Contracts should be able to assist.

If the research is unfunded then there are template data sharing agreements on the data protection website, at the bottom right hand side of the page. 

Once the appropriate contract is in place, it will be important to ensure the various data protection principles are adhered to, and in particular that of transparency. As with ethical requirements, it is important that the research participants understand what they are signing up to and what will happen to their data. For example, can the app use the data for its own purposes even after the research project has come to an end? A privacy notice should be provided as part of the research registration, as should a DPIA. Further details are available on the Research Registration Guidance webpage.

What about data security?

Data security is essential to prevent unauthorised access, disclosure, destruction or amendment of data. The level of security required depends upon the nature of the individual data. Higher levels of security are required for sensitive data, which may include identifiable personal information, pose risks to commercial or intellectual property rights, or compromise national security. Researchers should also be aware of the GDPR and its implications for research.

If you have any concerns about data security, you should contact the ISG team in the first instance.

University College Hospital (UCH)

Sometimes confused with UCL, UCH is a separate legal entity to UCL. If you wish to submit a request, or have a query, please refer to their website to contact UCH.

Data Processing Agreements

If this relates to funded research, please contact the research contracts team in the first instance.

If the research is unfunded then there are template data sharing agreements on the data protection website, at the bottom right hand side of the page.

Ethics queries

For ethics enquiries, please contact the ethics team at ethics@ucl.ac.uk.

Who is my data protection co-ordinator?

Please note, not all departments have a local data protection coordinator. This role is different from the data protection officer (which is a centralised function) and you should check with your department whether this requirement applies to you.


*General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018 (DPA).