
Data Protection


Studies Requiring Health Research Authority Approval | Data protection guidance

Guidance from the MRC and HRA is currently awaited, but preliminary reading suggests that the Data Controller, i.e. UCL or UCLH, will have many more legal obligations which will require new policies and pro

UCL has published general information about data protection legislation on these web pages. Among other things, these pages explain Privacy Notices and the importance of the Data Holdings survey, and provide general information in relation to consent. The pages will be updated regularly as implementation proceeds. In addition to this general information, research teams should be aware of the following:

  • Genetic data, e.g. DNA or RNA, which can identify the individual is now unambiguously subject to the Data Protection principles.
  • Data breaches must be reported within 72 hours.
  • Particular types of research where the data subjects are vulnerable may require a Data Privacy Impact Assessment. This is a formal process for documenting the nature of the processing, the proportionality and necessity of processing, the management of the risks to the rights of data subjects, and the views of data subjects or their representatives.
  • There will be a requirement to insert clauses compliant with relevant data protection legislation in all active contracts.
  • The new accountability principle means that data controllers, e.g. UCL and UCLH, will be required to document compliance with the Regulation. This will require the creation of a register of personal data assets held, showing what personal data is collected, how it is used, how it is secured, whether it is shared and how long it is retained.
  • For research that is likely to result in a high risk to data subjects, a Data Protection Impact Assessment will be required. This is a formal process for documenting the nature of the processing, the proportionality and necessity of processing, the management of the risks to the rights of data subjects, and the views of data subjects or their representatives.
  • Depending on the risk to data subjects, there may be a requirement to insert relevant GDPR-compliant clauses in all active contracts.