EBPU is a collaboration between UCL Faculty of Brain Sciences and the Anna Freud National Centre for Children and Families (AFNCCF). Within the context of these two organisations, we process information about the people we work with, including research participants, project partners and training/event delegates. We also process anonymised data relating to people using or providing services, and people who are part of the target groups for approaches to improve health and wellbeing.
This privacy notice describes the range of data processing activities relevant to the work of EBPU in bridging the worlds of academic research and clinical practice. It supplements the general UCL Privacy Notices, which are available at https://www.ucl.ac.uk/legal-services/privacy.
EBPU research projects that involve the recruitment of participants provide specific privacy information to participants, which should take precedence over the information in this notice.
This notice explains the following:
- Key terms for understanding how we work with data
- Our purposes for data processing
- Your rights
- Where to find further information
- Who to contact if you have a concern
UCL and AFNCCF are committed to processing data fairly and protecting privacy. The ICO registration number of UCL is Z6364106 and the ICO Registration number of the AFNCCF is Z479393X. In the work of EBPU, these commitments are fulfilled by processing data in line with the specific purposes described in this notice, and in accordance with all applicable data protection legislation and guidance.
Please note we have taken a deliberate decision to explain our approach in lay terms for maximum transparency and ease. This means the exact terminology used in legislation is not referred to in this privacy notice. The full GDPR legislation can be found here: .
Data processing: a broad term that covers all activities involved in collecting, storing and working with data.
Data subjects: the people that the data relate to.
Identifiable data: where this notice talks about identifiable data, it means data about people that identifies who they are e.g. their name and contact details.
Anonymised data: where this notice talks about anonymised data, it means data about people that by itself does not identify who they are e.g. responses to a wellbeing questionnaire for participant number 78. This includes data where directly identifying information, such as names and contact details, has been replaced with a project-specific participant ID number or made-up name (pseudonym), which is a process called ‘pseudonymisation’. Best practice advice suggests that for most research data anonymity can be seen as a continuum. We recognise that all pseudonymised data could be argued to be ‘re-identifiable’ (even if the chance of this is very remote), depending on where the original identifiable data is kept, and how easy or difficult it would be to match it back together. We take great care to analyse and report on research data only in an anonymised form. In this privacy notice, for ease of explaining how we work with data, we consider the sort of pseudonymised data we hold as a type of anonymised data.
Linking data: sometimes the data needed to answer a research question are collected in different places, or at different points in time. Linking data is the process of connecting the data relating to the same person from these places or time points.
GDPR lawful basis: Legislation called the General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018 require organisations to have a valid, legal reason to process personal data, which is called a ‘lawful basis’. In addition to having a GDPR lawful basis for our data processing activities, we also meet the requirements of the common law duty of confidentiality.
Tools: where this notice talks about tools, it is referring to digital applications, information or resources to improve services, support or therapy.
The following table gives an overview of the six reasons why we process data. For each one, it explains who the data subjects are, and whether the data processed for the purpose are identifiable or anonymised.
|Purpose||Who are the data subjects?||Are the data processed for the purpose identifiable or anonymised?*|
|Administering and managing projects||Identifiable|
|Ensuring the safety of research participants||Identifiable|
|Linking data for research||Identifiable or anonymised|
|Analysing data to answer research questions and develop tools||Anonymised|
|Using contact lists to share findings and resources||Identifiable|
|Administering training and events||Identifiable|
|* Please see the previous section ‘Key terms for understanding how we work with data’ for the meanings of ‘identifiable’ and ‘anonymised’ in this privacy notice.|
For each of these purposes the lawful basis where we are not seeking consent under GDPR is ‘performance of a task in the public interest’. Where ‘special category data’ are involved, such as data about ethnicity and health (see below), we rely on the additional lawful basis of ‘scientific or historical research purposes or statistical purposes’. Research data are retained according to the UCL Records Retention Schedule: .
To note, we also use identifiable data in pursuance of our lawful contracts such as contacting people about events and training that they have already signed up for.
The rest of this section provides further details of each data processing purpose.
Administering and managing projects
We often undertake projects in partnership with external organisations, for example schools and mental health services. In order to carry out these projects, we collect and store a limited set of identifiable data relating to the people we are liaising with in each partner organisation. This information, which consists of people’s names, contact details and records of project-related correspondence, is used to manage and coordinate the project work.
An important administrative aspect of many of our research projects is the collection of informed consent from research participants. This ensures that the research is conducted in an ethical manner, with voluntary participation and awareness of the benefits and any potential risks of taking part. To do this we collect and store identifiable data in the form of research participant names and their signed consent forms. Please note that informed consent to participate in research is different to consent as a lawful basis for processing data under GDPR. Please see above for the GDPR lawful bases we use for processing data.
Ensuring the safety of research participants
We follow a safeguarding procedure to ensure children, young people and vulnerable adults are protected from harm. If we have a concern about the safety of a research participant, we let them know that we will have to tell someone else about it. Concerns are discussed with line managers and/or the AFNCCF Safeguarding Oversight Group as appropriate. The following information are recorded and discussed for this purpose: name; address; date of birth/age; name of parent(s)/carer(s); description of what prompted the concern; details of what was said and when; whether anyone has been alleged to be the abuser.
Linking data for research
Sometimes the data needed to answer a research question exist in different places, or are collected at different points in time during a project. Linking data is the process of connecting the data relating to the same person from these places or time points.
- Where data exist in different places, the data are linked using either identifiable information (e.g. ID number), or anonymised information (e.g. a combination of variables including gender, ethnicity, age and dates of referral, appointments and case closure). For example, one project is linking anonymised children and young people’s mental health services data with data collated by NHS Digital.
- Where data are collected at different time points, for example through a survey taken by participants before and after they undertake a training course, the data are linked using identifiable information (e.g. ID number, participant email address)
Linking different types of data obtained from different sources is often a subject that can raise privacy questions. For this reason, any project using this approach involves the pre-agreement of research questions with funders, and the application of additional information security controls.
Analysing data to answer research questions and develop tools
To answer research questions and inform the development of tools to improve services, support or therapy, we analyse and interpret data across four themes of risk, resilience, change and choice.
The particular items of data we analyse will be specific to the research questions or aims of the project, but will fall under the categories below:
- Demographic information e.g. gender, age, ethnicity
- Measures of services, support or therapy used
- Measures of health, wellbeing, resilience or goals of those using services, support or therapy
- Measures of health, wellbeing or resilience of those in receipt of ‘population-level’ approaches to improve mental health, wellbeing or resilience
- Measures of confidence or skills of those providing or seeking help
We carry out analysis in secure data processing environments using anonymised data. This means that if the data we have collected are not already anonymised, we will remove identifiable information (such as participant names) from the data set before commencing analysis.
Findings from data analysis are presented at conferences or used as part of publications such as booklets and academic articles. When results are published, further care is taken to ensure the privacy of data subjects is protected, for example by not including results that relate to small numbers of people.
Using contact lists to share findings and resources
We share the outputs of our work with project partners and with wider audiences through the electronic newsletters and communications of the AFNCCF and Child Outcomes Research Consortium (CORC). To deliver these communications, we ask people if they are happy for us to use their contact details to contact them.
Administering training and events
To run EBPU training courses and events, we process the names, contact details, and where applicable, job titles, organisation names and dietary requirements, of training and event attendees.
AFNCCF and UCL adhere at all times to data protection legislation (currently the Data Protection Act 2018 and the General Data Protection Regulation (EU) 2016/679 (GDPR)), which provides the following rights for individuals:
- The right to be informed
- The right of access
- The right to rectification
- The right to erase
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling.
You can read more about data rights on theInformation Commissioner's website: . Please note the rights available to you depend on our purpose and lawful basis for processing your information.
If you would like to find out more about how data about you is being processed, please see the information relevant to you below.
Project partner contacts
If you are working with EBPU to administer a project, and you would like to find out more about how information about you is being processed, please email your request to .
If you are participating in a project and would like to know more, please refer to the information sheet or privacy notice given to you when you joined the project. The information sheet will contain the details of the researcher to contact if you have any questions. If you would like another copy of the information sheet, please email , including the name of the project that you are participating in.
If you are receiving newsletters from the AFNCCF, further details about how your information is processed and who to contact with any questions are provided in the privacy section of the AFNCCF website, by following the link titled ‘Your Privacy’ at the bottom of the website homepage.
Training and event delegates
If you have attended an EBPU training course, further details about how your information is processed and who to contact with any questions are provided in the privacy section of the AFNCCF website, by following the link titled ‘Your Privacy’ at the bottom of the website homepage.
If you have any concerns about how data about you is being processed, please contact us at , otherwise you can contact the Data Protection Officer at UCL or the Anna Freud National Centre for Children and Families.
UCL Data Protection Officer: firstname.lastname@example.org
AFNCCF Data Protection Officer: DPO@annafreud.org, 020 7794 2313
If you wish to make a complaint about our data processing activity you can contact the Information Commissioner’s Office: .