Data Protection


Data protection (privacy) by design

This page provides guidance to staff and students on the requirements imposed by data protection legislation in respect of ‘data protection by design and default’.


Overview of data protection by design at UCL

The University is required to implement appropriate technical and organisational measures to ensure data protection principles such as data minimisation are met.

Privacy by design is an approach to projects that promotes privacy and data protection compliance from the start. Unfortunately, under the DPA 1998 these issues were often bolted on as an afterthought or ignored altogether. The current data protection legislation contains provisions to ensure that privacy by design bakes data protection into new systems.
Under the data protection legislation, you have a general obligation to implement technical and organisational measures to show that you have considered and integrated data protection into your processing activities.

Article 32 of the data protection legislation (GDPR) gives examples of "appropriate measures", as follows:

  • Pseudonymisation, i.e. using personal data in a way that minimises the opportunity for identifying individuals, e.g. by using ID codes;
  • Encryption;
  • The ability to ensure ongoing confidentiality, integrity, availability and resilience of processing systems and services;
  • The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
  • A process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of processing.
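The first two measures in that list, pseudonymisation and data minimisation, are the ones most often implemented in code. The following is an added illustration written for this page; it is not UCL's own code and the records, field names and key in it are constructed for the example. It replaces direct identifiers with a stable ID code derived from a keyed hash (HMAC), so records belonging to the same person can still be linked for analysis but the code cannot be turned back into the person without a key that is held separately, and it drops every field the stated purpose does not need.

```python
import hashlib
import hmac
from typing import Dict, List, Optional, Tuple

# Constructed sample records (not real data): a student-support dataset that a
# research team wants to analyse. The team only needs the course, the year and
# the number of sessions attended, not who the student is.
SAMPLE_RECORDS = [
    {"name": "A. Student", "email": "a.student@example.ac.uk",
     "course": "Physics", "year": 2, "sessions": 3, "notes": "free text"},
    {"name": "B. Student", "email": "B.Student@example.ac.uk",
     "course": "History", "year": 1, "sessions": 1, "notes": "free text"},
]

# Fields that identify a person directly, and the only fields the purpose needs.
DIRECT_IDENTIFIERS = {"name", "email"}
FIELDS_NEEDED = {"course", "year", "sessions"}

# Constructed demonstration key. In practice the key is generated with a CSPRNG,
# stored in a secrets store and never kept alongside the pseudonymised data.
DEMO_KEY = b"constructed-demo-key-not-for-real-use"


class Pseudonymiser:
    """Replaces direct identifiers with a stable ID code.

    The code is an HMAC-SHA256 of the normalised email under a secret key: the
    same person always gets the same code (so records can be linked), but the
    code cannot be reversed without the key. The key and the code-to-identity
    table live apart from the pseudonymised dataset and are consulted only for
    a legitimate re-identification, such as a data subject access request.
    """

    def __init__(self, key: bytes):
        self._key = key
        self._lookup: Dict[str, str] = {}  # code -> original identifier

    def code_for(self, identifier: str) -> str:
        # Normalise so trivial variations of the same address map to one code.
        normalised = identifier.strip().lower().encode()
        digest = hmac.new(self._key, normalised, hashlib.sha256).hexdigest()
        code = digest[:16]
        self._lookup.setdefault(code, normalised.decode())
        return code

    def pseudonymise(self, record: dict) -> dict:
        """Return a copy holding only the needed fields plus a subject_id code."""
        out = {k: v for k, v in record.items()
               if k in FIELDS_NEEDED and k not in DIRECT_IDENTIFIERS}
        out["subject_id"] = self.code_for(record["email"])
        return out

    def resolve(self, code: str) -> Optional[str]:
        """Controlled re-identification via the separately held lookup table."""
        return self._lookup.get(code)


def pseudonymise_dataset(records: List[dict], key: bytes) -> Tuple[List[dict], Pseudonymiser]:
    """Pseudonymise every record; returns the dataset to share and the keyed mapper to keep back."""
    mapper = Pseudonymiser(key)
    return [mapper.pseudonymise(r) for r in records], mapper


if __name__ == "__main__":
    shared, kept_back = pseudonymise_dataset(SAMPLE_RECORDS, DEMO_KEY)
    for row in shared:
        print(row)
```

The dataset that leaves the team contains no names, emails or free-text notes; only the mapper object, which holds the key and the lookup table, can re-identify a code, and that object stays with the data controller.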

Privacy by default

The University must only process data to an extent that is necessary, and must only store data as long as necessary.

The University must ensure that, by default, only personal data which is necessary for each specific purpose of the processing is processed. It relates to the amount of personal data collected, the extent of the processing, the retention period and who has access to it. In particular, personal data should not automatically be made accessible to an indefinite number of people without the individual’s intervention. By way of practical example: counselling records should be held on a separate part of the University system and accessible only to relevant members of the counselling team.

What should you do now?

Regularly assess privacy compliance, by, for example, conducting regular Data Protection Impact Assessments (DPIAs).

The practical steps that need to be taken will depend on the likelihood and severity of the risks to privacy, the state of the art and the costs of implementation.