Data Protection


Data Protection Roadshow Resources

Following our Data Protection Gallery Walks and Lunchtime Lectures in November 2019, we have developed a suite of resources to help staff and students with some of their key data protection issues.

The resources include Lunchtime Lectures: PowerPoint presentations, video and Sli.do Question and Answer sessions, and the Gallery Walk posters, and handouts. These materials are available for you to download, print and use to improve data practices in your local communities.

We have created a suite of handouts and posters to help you take extra care when sharing work information.

They cover some of the most common mistakes we see, including sending information to the wrong recipient, leaving work documents in public view or not appropriately disposing of information.

We offer a range of free downloadable materials including posters, laptop stickers and postcards, for use within your faculty/department.

These materials are available to use within your organisation, and can be printed at A6, A5, A4 or A3 sizes.

The Lunchtime Lecture video offers guidance through a series of scenarios and talks through reporting a breach and many more real life UCL situations. Finishing with a question and answer session.

External resources

If you need further information about data and privacy, you may find the following external resources useful.

General Data Protection Regulation

The General Data Protection Regulation (GDPR) comes into force on 25 May 2018 across all EU member states, alongside a new Data Protection Act within the UK.

Information about the Regulation and the latest developments in data protection legislation in Europe is available from the European Commission.

If you have any further queries about the University’s obligations under the GDPR these should be forwarded to the University's Information Governance Office at gdpr@ucl.ac.uk.

Lunchtime Lectures Sli.do Questions and Answers sessions (Q&A)

Disclaimer: The aims of the answers to Q&A is to give you a platform to make informed decisions to your individual queries.


Are breaches that occurred before May 2018 reportable?

Yes, all breaches must be reported to isg@ucl.ac.uk.

If I misplace my personal data for UCL business do I need to report it?

Yes. This should be reported to isg@ucl.ac.uk who will assist you with this matter.

Who should complete the data breach form?

The data breach form should be completed by the person who is reporting the breach, by emailing isg@ucl.ac.uk their team will assess the email straight away.

It is extremely important that if additional questions are asked this needs to be followed up as a matter of urgency.

Note: we are in the process of formatting an online form.

Data Storage

How do you easily delete old emails?

Consider carefully whether you do need to delete the emails. If you are certain that you will not require the emails, we recommend that you contact your local IT manager for support to archive the emails you wish to delete.

Archive these emails for an appropriate period (e.g. 3 months) to ensure that you are certain you do not need them.

Prior to deletion request a log of the email files to be deleted.

Once you are certain, request that your local IT manager deletes the archive. 

How long should we keep staff and volunteer records- we may be asked for references or evidence of hours worked many years later?

UCL has retention schedule so please refer to this document. There are set periods of time set aside for UCL to keep certain data.

Will OneDrive replace the ISD N: drive in the foreseeable future?

UCL OneDrive is a cloud-based file store service and is not intended to replace the N: drive, rather it is intended to provide staff with additional methods of storing data.

Is Microsoft Teams GDPR compliant for collecting data (e.g. using it to conduct focus groups for research)?

Yes, you can use Microsoft Teams to collect data – however, you must ensure that when you set up your Team, you put the appropriate controls on that Team folder. For further details please visit the Microsoft website.

Does Microsoft Teams store data securely?

Microsoft Teams storage is the same as UCL OneDrive and SharePoint. It is therefore considered appropriate for general personal data storage. You should refrain from using Microsoft Teams to store Criminal Records data.

We use Mailchimp and store lots of data there - are there any guidelines/best practice for this?

Please see the guidance note available on the Legal Services website.

Most staff use Mailchimp to promote events and send out communication. Is this safe? Is it enough if we include a link to our privacy policy on emails?

See above.

Do SharePoint / OneDrive have a data upload limit?

SharePoint: 25 TB per Teams: no distinction between staff or students.

OneDrive for Business: is initially limited to 1 TB per person: no distinction between staff or students.

ISD can increase this allowance to 5TB on request.

What are the differences between SharePoint and OneDrive? What happens when the owner of the shared files (the person created them) leaves the organisation?

In terms of storage, they are the same storage solution, with different front ends.

If a member of staff who is the owner of a folder is leaving UCL they can assign the ownership of the folder to another person.

What are the regulations for using Dropbox and Google Drive?

The use of Dropbox and Google Drive is not recommended as UCL does not have a licence for these devices and therefore has no control over the data that is transferred to them. If you are using these systems to store personal data this should be removed from these drives and placed on UCL OneDrive.

NHS data must not be stored on either Dropbox or Google Drive. 


Can data count be classified as anonymised if the identifying link to break anonymisation is retained by the original data controller sharing the data?

If the data has been de-identified, and passed on to another person, who would have no reasonable way of returning the data to its original form because they have no access to the key to remove the masking then this is considered anonymised data.

If preference to transfer personal data, anonymised medical images in this case, can encrypted USB be used?

You can transfer personal data via an encrypted USB drive. The approved USB drives can be found on the Information Services Division website.

Should we not use email to let colleagues know the password for a document?

When sharing a password, you should not use the same system/service that was used to transfer the document. Therefore, if you e-mail an encrypted file to a colleague then you should not use e-mail to send the password. If their email is compromised when they receive the file, then it would still be compromised when they receive the password and therefore there is no security in the encryption.

Note: ISD recommends using Lastpass as this software has sharing functions within it.

Can I send an excel file with pseudo anonymised data via email with password for the attachment file?

We recommend not sharing the file via e-mail. You should share the file using UCL OneDrive or S: drive.

If you must share the file in this manner, then do not share the password with the file. You must use another method to share the password e.g. phone call, face to face etc.

Note: pseudonymised data is still considered personal data and is still subject to data protraction legislation. UCL recommends using Lastpass to share passwords.


The Data Retention policy does not say anything about volunteer records?

The Data Retention Policy is in the process of being updated following a recent update from JISC. Further details of this will be published late this year.

What is the 'personal data threshold' which might mandate using Data Safe Haven rather than SharePoint or OneDrive?

Please see the Data Safe Haven page for further details.

How does the opportunity to unsubscribe to the UCL departmental website fit in with the business need for staff to know what is going on and be part of the team to do their job?

An individual can request to have their personal data, including their photo, removed from UCLs Public websites, however, if a departmental newsletter forms part of the basis of their role (i.e. providing information relevant to their job within the department) then they may not unsubscribe.

How do we make our calendars private?

UCLs calendars are set to ‘open’ by default as a means of open communication between staff. It is recommended that you make individual events private if necessary. Please refer to the guidance note available on the Information Services Division website.

Where can I find OneDrive?

Location of OneDrive.

What is the best way to destroy or delete electronic documents with personal data sitting in a folder on a UCL account?

Please see the guidance note available on the Information Services Division website.

Note: you must keep a record of what data was deleted. 


In a research project is it possible to ask people via consent to give up data rights they might have e.g. withdraw their consent after a project?

No, a person cannot consent away their rights.

Note: whilst a person cannot consent away their rights, there are some exceptions to when individuals’ rights apply with regards to research projects.

If using Public Task as lawful basis for processing data: the right of erasure does not always apply.

Ethical consent (common law consent) and GDPR consent are two separate areas of law, with different rules which apply to each area of law.

If using Public Task as your lawful basis, you do not require consent of the individuals for the processing of their personal data. Note: if you are gathering Special Category Data or Criminal Records you must establish a separate lawful basis for each of these.

Depending on your research, you may however need ethical consent for the person to take part in the research, which is bound by the ethics guidelines.


Is the GDPR refresher training going to be mandatory to complete annually for all staff regardless of other GDPR annual refresher training one e.g. NHS digital?

Yes, once you have completed the full GDPR training you are required to complete an annual refresher course.

Note: UCL cannot confirm if staff have taken training elsewhere so all staff have to complete our training.

Do you get a reminder when your online GDPR refresher training is due?

At present this is not automatic. UCL is currently moving to a new HR System which will automate this process going forward.

The UCL staff GDPR refresher course is now live and you can undertake this at the anniversary of your training date.

Transferring Data

Is it ok to send hyperlinks to someone via email (if the S: drive folder is set up in the correct way and limits access to the relevant people)?

Yes, this is best practice.

How do we use OneDrive to send docs to shared email mailboxes?

When sharing the link to the file you can share this to a shared mailbox – however, do take care that a shared mailbox, by virtue of it being shared, means that more than one person will have access to this file. If it is not your intention for multiple persons to have access to the file, then it is better to send the link to the individual.

If you can find an email address online, does that means its public information? Can you then add that person to a contact list without their consent?

No, the processing of personal data which is in the public domain is still processing personal data, and you need to establish a lawful basis for processing. If you were to add a contact to a contact list and subsequently provide them with marketing material this would be a breach of PECR and GDPR.

Can files sent by UCL OneDrive be copied and edited by externals?

Depending on the protocols which you establish when you send the link, yes.

The purpose of sharing a link is to share information – if you would like to restrict the actions that can be taken with files shared via a OneDrive link then you should adjust the restrictions at the point of creating the link.

Should I not be including personal sickness record data by email to the employee in OneDrive or just use Dropbox?

Sickness record data should be held and shared in the UCL HR System.

If you are required to share it outside of the UCL HR System, then you should take appropriate steps to secure the data and share this via UCL OneDrive links.

How do you send a hyperlink without email?

If using UCL OneDrive, when you share the hyperlink it will automatically send the link to the person.

If using S: drive, you can share the link via e-mail.

Just because someone has asked for personal data does it mean we have to pass it on?

No, the person requesting the personal data must establish a lawful basis for processing the data. It is reasonable for UCL to request personal data of its staff for UCL administration. There are several instances where the request would be reasonable, but if you are unsure you can ask the requester to provide details of why they need the personal data.

Note: if you require support on this, please contact: data-protection@ucl.ac.uk.

Can I share documents using OneDrive with UCL colleagues in other departments? Also, do I have to password protect when using OneDrive?

Yes, you can use OneDrive to share documents with other UCL colleagues. If you are handling sensitive information/ data, it is recommended that you encrypt the document.

Can managers have restricted access to folders on S: drive for appraisals etc?

Yes, it is recommended you talk to your IT manager on how to structure your S: drive. A separate area set up with role-based access controls can be established for this requirement.

What happens if you share a folder with your colleague in S: shared drive and then they move to another UCL department? Who stops them from having access?

Speak to your IT manager and ensure that role-based access controls are in place.

Folders should be established with role-based access controls. If this has been done, then they will lose access once they move departments.

It is important that departments complete the appropriate HR form when a member of staff leaves their department should complete the Leavers Checklist and follow up with ISD Service Desk to ensure that the staff account has been amended to remove access to these areas.

How can external people transfer data in to UCL systems securely?

You should avoid e-mail where possible. You can use:

UCL OneDrive: Create a folder on your UCL OneDrive – Share the link to this folder to the external person – They can then open the folder and upload their file to you.

UCL Dropbox: This is a file transfer service, however, you must encrypt the file prior to sending. Follow the instructions here: If neither of these methods are suitable please contact isg@ucl.ac.uk to discuss your requirements.

What are the regulations for transferring data to Russia in a manner compliant with GDPR?

This is called Cross Border Transfer. Some countries outside of the EU area have adequacy: the EU have said their Data Protection laws are enough for the EU. That enables the transfer of data between the countries.

Russia does not have adequacy laws with the EU. You can use the following to transfer data to Russia:

Most frequently used: Standard Contractual clauses – these clauses are fixed and define how the data will be used. There are two types of these clauses depending on how the other party will use the data. There are additional considerations for any project involving Russian citizen’s data. Please contact the Data Protection Office data-protection@ucl.ac.uk to discuss this requirement.

Are speakers and video personal data, for the purposes of advertising and recording lectures can we evoke UCL Public Task?

The recording of a speaker is considered personal data and is usually covered by Public Task.

If the speakers is an external speaker you should inform them that a recording of the lecture is being made and the purpose of processing including that you will be using the personal data to advertise the event. You do not need to seek their consent to process their personal data.

If the speaker asks not to be recorded, then you should not record the event.

If you wish to use the recording to undertake any further advertising beyond the purposes of UCLs Public Task you may need to seek further consent from the individual.

Note: You can use a picture or recording of a person to advertise a lecture under Public Task. You would need to double check the statement of Public Task to ensure it falls within the purposes of educational value to UCL.

Last reviewed 29 January 2020