Data Protection


Frequently Asked Questions about Cloud Services

We are compiling the top questions and answers in this section. Please check back regularly as we add the latest topics to this area.

If you are planning to transfer data outside of the EEA, please consult the data protection office before doing so, at data-protection@ucl.ac.uk.

Can I use Survey Monkey to undertake a survey as part of my research project or dissertation?

We're aware that members of the University have considered using services like Survey Monkey as part of their research study activities. Although this is a popular and useful tool, we would advise caution before using these services to process any personal information.

If colleagues want to use a cloud-based service, they should first evaluate whether it is suitable and complies with UCL data protection and information security policies.

There are a number of different service levels offered by UCL, such as SharePoint or OneDrive for Business. UCL’s agreement with Microsoft ensures that the data processed within these services is stored in Microsoft Data Centres. This meets both UK and EU data protection and security standards. REDCap and Opinio can also be used. ISG can also help you to establish an appropriate alternative.

What about Qualtrics?

Qualtrics is a web-based survey software tool which can be used to conduct publicly-available surveys, or to give specific users access to a survey.

The University does not have a site-wide licence for all staff and students to use. Departments may have their own arrangements. ISD has published suggestions on survey tools suitable for researchers, including training courses and licences.
To discuss how research IT might benefit your research, please contact itforslms.research@ucl.ac.uk.

Can I use Otter.ai to transcribe data for my doctoral research project?

We strongly recommend that users avoid services such as this that are controlled from outside the EU.

If UCL does not currently have an institutionally approved contract with a third-party transcriber, then you should go through the normal channels of procurement, who would then flow this on to legal services as appropriate to ensure that the contract is appropriate.

The ISD helpdesk may be able to provide assistance as to whether there are any existing arrangements in place between UCL and Otter.ai and, if so, what the arrangements are for becoming a subscriber/user of this platform.

What about Google Drive?

We normally recommend the use of services that UCL already has arrangements with, as the appropriate contractual terms should have already been reviewed by the legal team. This means the appropriate measures and security vulnerabilities (e.g. those exploitable by scammers) are adequately assessed, to ensure the personal data is managed securely, with relevant controls and in accordance with the law.

UCL’s Office 365 provision facilitates collaboration in a secure way. Work is stored securely, under the same agreement that covers our other Microsoft products. This means that they are GDPR compliant, with Microsoft hosting data within UK / EU data centres.

If there is no enterprise agreement (as in this case with Google), users will be offered the standard end-user service. This means the personal data being collected may be stored in various countries across the world, including the US. Data may also be transferred from one location to another, or may reside in multiple locations at a time. This makes it hard to determine the applicable law and to monitor data flows.

Is OneDrive for Business ok to use?

All current staff and students have access to the Office 365 suite of Microsoft applications. This includes OneDrive for Business, which can be used for storage and sharing of data. It provides the user with a reliable way of accessing documents remotely across a number of different devices. It also allows for easy and secure sharing of files with others.

What about Amazon Mechanical Turk?

If researchers would like to use Amazon Mechanical Turk, then they should take all necessary steps as would be required for data collection in research with participants not gathered through this cloud platform.

Assess your data and read the terms and conditions (including the privacy policy) of the cloud service provider before use so that you have an appropriate level of certainty about where the data will be stored; data could be stored outside the EU, in countries that may have their own data privacy laws.

I would like to use a third party recruitment service (Gorila) to assist with recruiting participants. Are there GDPR considerations when recruiting this way?

Where possible, you should use UCL-approved applications for which an enterprise agreement is in place. This is our DP policy:

Use of externally hosted services (e.g. cloud) for the processing of personal data for which UCL is the data controller should be restricted to services for which UCL has entered into an enterprise agreement.

If there is not an enterprise agreement, you should seek advice from your supervisor as to how best to proceed.


Service levels such as SharePoint are tailored to collaborative work. SharePoint is suitable for storing and sending information, with the caveat that individuals and teams get prior training on using it.

What other cloud services can I use for file storage and sharing of data?

When dealing with university-related information you should first consider using services provided or otherwise approved by UCL. If you need further clarity or are not sure whether a cloud service is approved, contact ISG directly.

How do I get a new service approved?

A list of what you can already use and guidance on how to get new services approved is available on the ISD website.