Guidance for staff and postgraduate students to help register their research project with the Data Protection Office (DPO).
We understand this is a worrying time for UCL staff and students with many business processes changing as a result of the impact of Covid-19, which results in questions around how to protect personal data when working in a different manner.
We have produced two sets of guidance to answer the most frequently asked questions:
- Guidance for research and ethical approval in light of the COVID-19 pandemic
- Covid-19 Data Protection FAQs
In addition, as we currently need to prioritise research related to Covid-19, researchers in other areas looking to register their research with data protection may find the following FAQs helpful:
- All research proposals that involve personal data must be registered with the DPO before processing begins.
- Registration with the DPO is the second step of the Ethics Application Process.
- This policy requirement applies to all UCL students or staff (including honorary staff, affiliate academics and visiting researchers).
- Prepare for research registration
- Registration form
- Guidance on completing the research registration
- Example – completed research registration form for a study that requires UCL ethical approval
- Submitting research registration
- Amendment to registration
- Research Registration FAQs
Before you start
- Please note:
- This guide is not intended to help if you are registering your project via DMPOnline.
- Undergraduate students who are processing personal data as part of their research activities do not have to register their research studies with the DPO, provided that they have successfully completed the ‘Information compliance training for researchers’’. Or had their study signed off by their Department and no further action was deemed to be required. On some occasions the Department will require that the research is registered, and further data protection advice sought. For example, this may be necessary when the research involves special category data, vulnerable people, or surveillance.
- Postgraduate students (not PhD) who are processing personal data as part of their research activities, must be registered with the DPO before any processing begins. Students involved in research are also required to undertake appropriate information compliance training before embarking on any research.
- Background information:
- Data protection overview
- Guidance for researchers [pdf]
- App-based research experiments and data collection guidance [pdf]
- Using Twitter data in research guidance [pdf]
- Ethical mining – a case study on MSR mining challenges [pdf]
- Handling personal data responsibly
- Ethical procedures for applications
- Application deadlines and meeting dates
- Recommended reading:
Determine which supplementing documents are required to complete data protection registration. Requirements will change according to the nature of your project especially when addressing special cases, e.g. working with children, collaborating with external partners.
Data Protection Impact Assessment (DPIA)
A DPIA helps identify data privacy risks when planning new, or revising existing, projects and to identify actions to mitigate these risks
Find out if you need to submit a DPIA form for your project.
If you do need to complete a DPIA you can download the form in preparation:
Children as participants?
All research projects using personal data must be registered with the DPO before the data is collected. Completing this form is part of that process.
There are three forms you can use to register your research project with the DPO:
- If you are a UCL member of staff or student who needs to register with the DPO and/or requires ethics approval from the UCL Research Ethics Committee (REC), use the main data protection registration form below:
- If your study requires a review by a Health Research Authority (HRA) REC and/or HRA approval, use this form:
- If your study involves the processing of special category personal data (sensitive), and you are an undergraduate, or postgraduate (not PhD) student, use this form:
Fill in the form along with any supplemental forms identified during the preparation phase.
You will receive a data protection registration number that you will need for the main ethics application.
All sections of the registration form should be completed. Sections which are not applicable should be marked ‘N/A’. Any form which has not been completed sufficiently will be returned for further amendment or clarification.
- The review process
The DPO reviews research applications for compliance with UCL policies on data protection and the law itself.
The review includes checks on:
- the name of the project, its purpose and objective;
- the name and contact details of the person who will be responsible for personal data gathered in the project;
- measures in place to observe the following data protection principles;
- the legal bases for processing personal data;
- evidence of the information security measures in place, eg encryption;
- the notification with the relevant data protection coordinator;
- the measures in place to ensure transfers of personal data outside the EEA comply with data protection legislation;
- data sharing/processing arrangements in place with third parties;
- the stated roles of the parties in the research proposals, eg controller, processor, recipient;
- measures to anonymise or pseudonymise personal data;
- evidence of ‘appropriate safeguards’ in place;
- any Data Privacy Impact Assessments (DPIA) produced, and
- the data protection compliance requirements for privacy notices
The DPO reviews the documents provided by staff and will request amendments to be made for compliance purposes; this process is normally completed within ten working days (providing all relevant documentation has been provided to the DPO), but depending on the volume of submissions it may take longer.
The applicant is notified via email, together with the relevant registration number.
- Sections guidance
The title of the research should correspond with any other supporting documentation (e.g. information sheets, consent forms). Please include the proposed start and end date.
The Chief Investigator (CI); Principal Investigator (PI), has overall responsibility of the research being carried out. In the case of research being carried out by students, this is normally the students’ supervisor. The contact details of the CI; PI, and, or student supervisor should be included in this section. (Please note that a student – undergraduate, postgraduate or research postgraduate cannot be the PI for ethics purposes).
The details of the data collector(s) should be included in this section (provide details of the individuals that will be involved in obtaining/collecting the personal data). If the applicant is not the PI provide the student’s details.
Please summarise the main purposes of the research, including an explanation of the aims, design, methodology and plans for analysis that you propose to use. If the research involves the collection of personal data overseas then you must ensure that you provide details in this section.
Privacy impact screening questions are intended to help you decide whether the processing you are intending to undertake is likley to result in a high risk to the rights and freedoms of the individuals who are participating in your study.
Please provide a summary of the study including: any information flows, personal data being collected, the method of collection and analysis, diagram of information flows, details of nay partners involved in the study and any processors being used.
In this section, please idicate whether or not the study will enrol vulnerable particpants.
In this section, please provide details of the participants for this study. Include how many participnats will be involved in the research.
Please provide details of the types of data that will be collected.
You should provide details of what type of information will be stored and where it shall be held within UCL.
If the outside of the EU/EEA please specify and idicate on the form if any adequacy decision is in place, eg Privacy Shield.
If you are considering using a cloud provider, you should ensure that you are aware of the circumstances in which the cloud provider will process the information it receives. Some providers often have servers where data is stored, and backed up within a number of different countries.
Please list all the study collaborators/third parties who will be sending/receiving personal data for study purposes or their own purposes. (If you are not working with any partners or third parties, please skip this section).
Please idicate if personal data will be transfered outside of the EU as part of the study. If so, confirm that you followed the relevant guidance.
If you are receiving sponsorship for your research. Please provide details sponsorship arrangement. Including details of the individual, company, institution, funding council, or another organisation which takes responsibility for the initiation, management and/or financing of the research.
Any supporting documentation (e.g. data protection impact assessment, participant information sheets, informed consent forms, other documentation being used to invite/inform participants about the research, data sharing/processor agreements etc.) must be submitted with the application form.
Confirmation you have read and implemented the appropriate safeguards guidance.
Include previous research registration number (only if an extension to previous registarion is required).
We have published an example of a completed research registration form for the UCLREC. Please remember when completing your own form you give consideration to your particular research which will be needed by the DPO to approve your application.
The completed application form should be sent (electronically) to email@example.com with copies of any supporting documentation.
Covid-19 related studies need to make it clear in the cover email that they are Covid related, as this is how we are triaging requests.
- Continue with the ethics application process:
- Ethics application process
- All researchers, including principal and chief investigators, particularly if they are going to be handling special category data, are expected to undertake annual training on handling highly confidential information. Further information about the training is available here
We only operate a pragmatic rule that non-substantive (minor) amendments i.e. they do not significantly change the study objectives, and those which alters the study procedures, or makes substantive changes to the original study, are perfectly acceptable, but substantive amendments would require re-registration or sign off by the DPO and/or ethics committee.