Guidance for staff and students to help register their research project with the Data Protection Office (DPO).
- All research proposals that involve personal data must be registered with the DPO before processing begins. Completing the form is part of that process.
- Registration with the DPO is the second step of the Ethics Application Process.
- This policy requirement applies to all UCL staff (including honorary staff, affiliate academics and visiting researchers), and students, that require a review by a Health Research Authority (HRA), Research Ethics Committee (REC), or if your study involves the processing of special category personal data (sensitive), and you are an undergraduate, or postgraduate student.
Covid - 19
We have produced two sets of guidance to answer the most frequently asked questions:
- Guidance for research and ethical approval in light of the COVID-19 pandemic
- Covid-19 Data Protection FAQs
- Prepare for research registration
- Registration form
- Guidance on completing the research registration
- Example – completed research registration form for a study that requires UCL ethical approval
- Submitting research registration
- Amendment to registration
Before you start
- Please note:
- This guide is not intended to help if you are registering your project via DMPOnline.
- Undergraduate students who are processing personal data as part of their research activities do not have to register their research studies with the DPO, provided that they have successfully completed the ‘Information compliance training for researchers’’. Or had their study signed off by their Department and no further action was deemed to be required. On some occasions the Department will require that the research is registered, and further data protection advice sought. For example, this may be necessary when the research involves special category data (sensitive), vulnerable people, or surveillance.
- Postgraduate students including Masters, MPhil and PhD who are processing personal data as part of their research activities, must be registered with the DPO before any processing begins. Students involved in research are also required to undertake appropriate information compliance training before embarking on any research.
- Background information:
- Data protection overview
- Does my research project need to be registered with the DPO [pdf]
- Guidance for researchers [pdf]
- Guidance for students processing personal data overseas [pdf]
- Guidance on sharing data with third parties in a research context [pdf]
- App-based research experiments and data collection guidance [Word doc]
- Using Twitter data in research guidance [Word doc]
- Ethical mining – a case study on MSR mining challenges [Word doc]
- Handling personal data responsibly
- Ethical procedures for applications
- Application deadlines and meeting dates
- Use of UCL student and staff Personal Mobile Devices for Research Purposes [Word doc]
- Recommended reading:
Prepare for research registration
Determine which supplementing documents are required to complete data protection registration. Requirements will change according to the nature of your project especially when addressing special cases, e.g. working with children, collaborating with external partners.
Data Protection Impact Assessment (DPIA)
A DPIA helps identify data privacy risks when planning new, or revising existing, projects and to identify actions to mitigate these risks
Find out if you need to submit a DPIA form for your project.
If you do need to complete a DPIA you can download the form in preparation:
Children as participants?
Back to Top
Download research registration form
All research projects using personal data must be registered with the DPO before the data is collected. Completing this form is part of that process.
There are two forms you can use to register your research project with the DPO:
- If you are a UCL member of staff or student who needs to register with the DPO and/or requires a review by a Health Research Authority (HRA), Research Ethics Committee (REC),or if your study involves the processing of special category personal data (sensitive), and you are an undergraduate, or postgraduate student, use the online Microsoft data protection registration form below:
- If you are having issues acessing, or using this form, please notify us at email@example.com
- If you are external to UCL, please complete the following form below instead of completing the online Microsoft form and submit it to firstname.lastname@example.org together with the supporting documentation.
Fill in the form along with any supplemental forms identified during the preparation phase.
You will receive a data protection registration number that you will need for the main ethics application.
Back to Top
Guidance on completing research registration
All sections of the registration form should be completed. Sections which are not applicable should be marked ‘N/A’. Any form which has not been completed sufficiently will be returned for further amendment or clarification.
- The review process
The DPO reviews research applications for compliance with UCL policies on data protection and the law itself.
The review includes checks on:
- the name of the project, its purpose and objective;
- the name and contact details of the person who will be responsible for personal data gathered in the project;
- measures in place to observe the following data protection principles;
- the legal bases for processing personal data;
- evidence of the information security measures in place, eg encryption;
- the notification with the relevant data protection coordinator;
- the measures in place to ensure transfers of personal data outside the EEA comply with data protection legislation;
- data sharing/processing arrangements in place with third parties;
- the stated roles of the parties in the research proposals, eg controller, processor, recipient;
- measures to anonymise or pseudonymise personal data;
- evidence of ‘appropriate safeguards’ in place;
- any Data Privacy Impact Assessments (DPIA) produced, and
- the data protection compliance requirements for privacy notices.
The DPO reviews the documents provided by staff and will request amendments to be made for compliance purposes; this process is normally completed within ten working days (providing all relevant documentation has been provided to the DPO), but depending on the volume of submissions it may take longer.
The applicant is notified via email, together with the relevant registration number.
- Sections guidance
The title of the research should correspond with any other supporting documentation (e.g. participant information sheet, consent form etc.). Please include the proposed start and end date (if known).
The Chief Investigator (CI); Principal Investigator (PI), has overall responsibility of the research being carried out. In the case of research being carried out by students, this is normally the students’ supervisor. The contact details of the CI; PI, and, or student supervisor should be included in this section. (Please note that a student – undergraduate, postgraduate or research postgraduate cannot be the CI;PI for ethics purposes).
The details of the data collector(s) should be included in this section (provide details of the individuals that will be involved in obtaining/collecting the personal data). If the applicant is not the CI,PI provide the student’s details.
Please summarise the main purposes of the research, including an explanation of the aims, design, methodology and plans for analysis that you propose to use. If the research involves the collection of personal data overseas then you must ensure that you provide details in this section.
Privacy impact screening questions are intended to help you decide whether the processing you are intending to undertake is likley to result in a high risk to the rights and freedoms of the individuals who are participating in your study.
Will the study enrol potentially vulnerable groups (e.g. children, older persons, or adults with learning difficulties for those who fall under the remit of the Mental Capacity Act 2005) participants?
In this section, please idicate how many participants will be involved in the research.
In this section, please provide details of what type of information will be collected.
Please provide details of the types of information will be stored.
Please list all the study collaborators/third parties who will be sending/receiving personal data for study purposes or their own purposes. (If you are not working with any partners or third parties, please skip this section).
Please indicate if personal data will be transferred outside of the EU as part of this study. If so, confirm that you followed the relevant guidance.
If you are receiving sponsorship for your research. Please provide details of the sponsorship arrangement. Including details of the individual, institution, funding council, or another organisation which takes responsibility for the institution, management and/or financing of the research.
Any supporting documentation (e.g. data protection impact assessment, participant information sheets, informed consent forms, other documentation being used to invite/inform participants about the research, data sharing/processor agreements etc.) must be submitted with the application form.
Confirmation you have read and implemented the appropriate safeguards guidance.
Include previous research registration number (only if an extension to previous registarion is required).
Back to Top
We have published an example of a completed research registration form for the UCLREC. Please remember when completing your own form you give consideration to your particular research which will be needed by the DPO to approve your application.
Back to Top
Researchers who have completed the online data protection registration form should select the Submit option.
Researchers who have completed the data protection registration form [Word doc] should be sent to email@example.com together with copies of any supporting documentation (eg participant informaton sheet, informed consent form, DPIA etc.).
- Continue with the ethics application process:
- Ethics application process
- All researchers, including chief investigators and principal investigators, particularly if they are going to be handling special category data (sensitive), are expected to undertake annual training on handling highly confidential information. Further information about the training is available here
It may become apparent once you have started your study that it needs to be amended.
We only operate a pragmatic rule that providing the research objectives, and procedures, has not undergone any substantive changes or amendments to the terms of the application, or to the protocol or any other supporting documentation, the registration number previously issued by the Data Protection Office will continue to cover the activities of the study. However, more substantive amendments would likely require a new registration application.
To assist in making this determination. We have listed below some examples of substantial and non-substantial amendments which may, or may not affect your research activities to any significant degree:
Examples of substantial amendments:
• changes to the design or methodology of the study;
• changes to the procedures undertaken by participants;
• changes likely to have a significant impact on the safety or physical or mental integrity of participants, or to the risk/benefit assessment for the study;
• significant changes to study documentation such as participant information sheets, consent forms, etc.;
• inclusion of a new trial site (not listed in the original application);
• temporary halt of a study to protect participants from harm, and the planned restart of a study following a temporary halt;
• any other significant change to the protocol or the terms of the application.
Examples of non-substantial amendments:
• minor changes to the protocol or other study documentation, e.g. correcting errors, updating contact points, minor clarifications;
• changes to the chief investigator’s research*
• appointment of a new principal investigator*
• changes in the documentation used by the research team for recording study data;
• changes in the logistical arrangements for storing or transporting samples;
• extension of the study beyond the period specified in the application form.
*as part of the maintenance process, it is highly recommended that researchers regularly review their study staff listings and update any records accordingly.