Guidance for staff and postgraduate students to help register their research project with the Data Protection Office (DPO).
We understand this is a worrying time for UCL staff and students with many business processes changing as a result of the impact of Covid-19, which results in questions around how to protect personal data when working in a different manner.
We have produced two sets of guidance to answer the most frequently asked questions:
- Guidance for research and ethical approval in light of the COVID-19 pandemic
- Covid-19 Data Protection FAQs
In addition, as we currently need to prioritise research related to Covid-19, researchers in other areas looking to register their research with data protection may find the following FAQs helpful:
- All research proposals that involve personal data must be registered with the DPO before processing begins.
- Registration with the DPO is the second step of the Ethics Application Process.
- This policy requirement applies to all UCL students or staff (including honorary staff, affiliate academics and visiting researchers).
- Prepare for research registration
- Registration form
- Guidance on completing the research registration
- Example – completed research registration form for a study that requires UCL ethical approval
- Submitting research registration
- Amendment to registration
- Research Registration FAQs
Before you start
- Please note:
- This guide is not intended to help if you are registering your project via DMPOnline.
- Undergraduate students who are processing personal data as part of their research activities do not have to register their research studies with the DPO, provided that they have successfully completed the ‘Information compliance training for researchers’’. Or had their study signed off by their Department and no further action was deemed to be required. On some occasions the Department will require that the research is registered, and further data protection advice sought. For example, this may be necessary when the research involves special category data, vulnerable people, or surveillance.
- Postgraduate students including Masters, MPhil and PhD who are processing personal data as part of their research activities, must be registered with the DPO before any processing begins. Students involved in research are also required to undertake appropriate information compliance training before embarking on any research.
- Background information:
- Data protection overview
- Does my research project need to be registered with the DPO [pdf]
- Guidance for researchers [pdf]
- Guidance for students processing personal data overseas [pdf]
- Guidance on sharing data with third parties in a research context [pdf]
- App-based research experiments and data collection guidance [Word doc]
- Using Twitter data in research guidance [Word doc]
- Ethical mining – a case study on MSR mining challenges [Word doc]
- Handling personal data responsibly
- Ethical procedures for applications
- Application deadlines and meeting dates
- Use of UCL student and staff Personal Mobile Devices for Research Purposes [Word doc]
- Recommended reading:
Determine which supplementing documents are required to complete data protection registration. Requirements will change according to the nature of your project especially when addressing special cases, e.g. working with children, collaborating with external partners.
Data Protection Impact Assessment (DPIA)
A DPIA helps identify data privacy risks when planning new, or revising existing, projects and to identify actions to mitigate these risks
Find out if you need to submit a DPIA form for your project.
If you do need to complete a DPIA you can download the form in preparation:
Children as participants?
All research projects using personal data must be registered with the DPO before the data is collected. Completing this form is part of that process.
There are three forms you can use to register your research project with the DPO:
- If you are a UCL member of staff or student who needs to register with the DPO and/or requires ethics approval from the UCL Research Ethics Committee (REC), use the main data protection registration form below:
- If your study requires a review by a Health Research Authority (HRA) REC and/or HRA approval, use this form:
- If your study involves the processing of special category personal data (sensitive), and you are an undergraduate, or postgraduate (not PhD) student, use this form:
Fill in the form along with any supplemental forms identified during the preparation phase.
You will receive a data protection registration number that you will need for the main ethics application.
All sections of the registration form should be completed. Sections which are not applicable should be marked ‘N/A’. Any form which has not been completed sufficiently will be returned for further amendment or clarification.
- The review process
The DPO reviews research applications for compliance with UCL policies on data protection and the law itself.
The review includes checks on:
- the name of the project, its purpose and objective;
- the name and contact details of the person who will be responsible for personal data gathered in the project;
- measures in place to observe the following data protection principles;
- the legal bases for processing personal data;
- evidence of the information security measures in place, eg encryption;
- the notification with the relevant data protection coordinator;
- the measures in place to ensure transfers of personal data outside the EEA comply with data protection legislation;
- data sharing/processing arrangements in place with third parties;
- the stated roles of the parties in the research proposals, eg controller, processor, recipient;
- measures to anonymise or pseudonymise personal data;
- evidence of ‘appropriate safeguards’ in place;
- any Data Privacy Impact Assessments (DPIA) produced, and
- the data protection compliance requirements for privacy notices
The DPO reviews the documents provided by staff and will request amendments to be made for compliance purposes; this process is normally completed within ten working days (providing all relevant documentation has been provided to the DPO), but depending on the volume of submissions it may take longer.
The applicant is notified via email, together with the relevant registration number.
- Sections guidance
The title of the research should correspond with any other supporting documentation (e.g. information sheets, consent forms). Please include the proposed start and end date.
The Chief Investigator (CI); Principal Investigator (PI), has overall responsibility of the research being carried out. In the case of research being carried out by students, this is normally the students’ supervisor. The contact details of the CI; PI, and, or student supervisor should be included in this section. (Please note that a student – undergraduate, postgraduate or research postgraduate cannot be the PI for ethics purposes).
The details of the data collector(s) should be included in this section (provide details of the individuals that will be involved in obtaining/collecting the personal data). If the applicant is not the PI provide the student’s details.
Please summarise the main purposes of the research, including an explanation of the aims, design, methodology and plans for analysis that you propose to use. If the research involves the collection of personal data overseas then you must ensure that you provide details in this section.
Privacy impact screening questions are intended to help you decide whether the processing you are intending to undertake is likley to result in a high risk to the rights and freedoms of the individuals who are participating in your study.
Please provide a summary of the study including: any information flows, personal data being collected, the method of collection and analysis, diagram of information flows, details of nay partners involved in the study and any processors being used.
In this section, please idicate whether or not the study will enrol vulnerable particpants.
In this section, please provide details of the participants for this study. Include how many participnats will be involved in the research.
Please provide details of the types of data that will be collected.
You should provide details of what type of information will be stored and where it shall be held within UCL.
If the outside of the EU/EEA please specify and idicate on the form if any adequacy decision is in place, eg Privacy Shield.
If you are considering using a cloud provider, you should ensure that you are aware of the circumstances in which the cloud provider will process the information it receives. Some providers often have servers where data is stored, and backed up within a number of different countries.
Please list all the study collaborators/third parties who will be sending/receiving personal data for study purposes or their own purposes. (If you are not working with any partners or third parties, please skip this section).
Please idicate if personal data will be transfered outside of the EU as part of the study. If so, confirm that you followed the relevant guidance.
If you are receiving sponsorship for your research. Please provide details sponsorship arrangement. Including details of the individual, company, institution, funding council, or another organisation which takes responsibility for the initiation, management and/or financing of the research.
Any supporting documentation (e.g. data protection impact assessment, participant information sheets, informed consent forms, other documentation being used to invite/inform participants about the research, data sharing/processor agreements etc.) must be submitted with the application form.
Confirmation you have read and implemented the appropriate safeguards guidance.
Include previous research registration number (only if an extension to previous registarion is required).
We have published an example of a completed research registration form for the UCLREC. Please remember when completing your own form you give consideration to your particular research which will be needed by the DPO to approve your application.
The completed application form should be sent (electronically) to firstname.lastname@example.org with copies of any supporting documentation (eg participant informaton sheet, informed consent form, DPIA etc.).
Covid-19 related studies need to make it clear in the cover email that they are Covid related, as this is how we are triaging requests.
- Continue with the ethics application process:
- Ethics application process
- All researchers, including principal and chief investigators, particularly if they are going to be handling special category data, are expected to undertake annual training on handling highly confidential information. Further information about the training is available here
It may become apparent once you have started your study that it needs to be amended.
We only operate a pragmatic rule that providing the research objectives, and procedures, has not undergone any substantive changes or amendments to the terms of the application, or to the protocol or any other supporting documentation, the registration number previously issued by the Data Protection Office will continue to cover the activities of the study. However, more substantive amendments would likely require a new registration application.
To assist in making this determination. We have listed below some examples of substantial and non-substantial amendments which may, or may not affect your research activities to any significant degree:
Examples of substantial amendments:
• changes to the design or methodology of the study;
• changes to the procedures undertaken by participants;
• changes likely to have a significant impact on the safety or physical or mental integrity of participants, or to the risk/benefit assessment for the study;
• significant changes to study documentation such as participant information sheets, consent forms, etc.;
• inclusion of a new trial site (not listed in the original application);
• temporary halt of a study to protect participants from harm, and the planned restart of a study following a temporary halt;
• any other significant change to the protocol or the terms of the application.
Examples of non-substantial amendments:
• minor changes to the protocol or other study documentation, e.g. correcting errors, updating contact points, minor clarifications;
• changes to the chief investigator’s research*
• appointment of a new principal investigator*
• changes in the documentation used by the research team for recording study data;
• changes in the logistical arrangements for storing or transporting samples;
• extension of the study beyond the period specified in the application form.
*as part of the maintenance process, it is highly recommended that researchers regularly review their study staff listings and update any records accordingly