Data protection guidance and GDPR
Information for staff and students.
- IOE staff
- IOE postgraduate research students
- Data protection requirements checklist
- General Data Protection Regulation (GDPR)
IOE staff
The Research Ethics Officer submits the ethics applications to the data protection office to obtain the mandatory data protection number for their research.
Please ensure that you complete the data protection checklist before submitting your application.
IOE postgraduate research students
Postgraduate research students are required to submit their IOE Ethics Application Form to data-protection@ucl.ac.uk in order to obtain a mandatory data protection number for their research, before the ethics review. Please follow the links below for more detailed information.
Details on and forms for the student reviewing process for all postgraduate research students can be found here:
- Data Protection Impact Assessment (DPIA) – IOE students require a DPIA if the project includes sensitive personal data and/or is likely to be high risk, which will be determined by their supervisory team. In the context of a student research project, the supervisor is responsible for ensuring the completion of a DPIA.
- Process for IOE Doctoral student data protection registration and ethics applications review
For questions about information sheets:
- UCL Data Protection team: data-protection@ucl.ac.uk
Data protection requirements checklist
Please use this adapted template to certify that all data protection requirements have been addressed prior to submitting your ethics application form and supporting documents for review.
- Check to see if project is an extension of previous research and if so provide the research reference number
- Consent Form and Participant Information Sheet completed and provided including privacy notice
- Local project privacy notice is in place and contains the criteria set out in Articles 13/14 of GDPR – see "Where can I check that I have completed my Privacy Notice correctly?"
- Local project privacy notice links to one of the main UCL general research participant privacy notice
- Lawful basis for processing personal data is stated as 'performance of a task in the public interest' and special category or criminal convictions data is stated as 'research purposes'
- Appropriate safeguards are in place as per this guidance:
- Collect only the minimum amount of personal data required to carry out the research.
- Use pseudonymised personal data.
- Anonymise data where possible.
- Safeguards against accidental disclosure and loss or corruption of data.
- Ensure that the processing will not cause substantial damage or distress to individuals.
- Ensure that the processing will not be used to support measures or decisions with respect to a particular individual.
- Confirm evidence of the information security measures in place, e.g. encryption
- Ensure the terms anonymisation and pseudonymisation are used correctly in form
- The location of the data is specified, i.e.
- on UCL servers
- in the UK
- in the EEA
- outside the EEA.
- If personal data is stored outside the EEA, ensure that measures are in place to comply with data protection legislation.
- Indicate whether third parties, such as other universities or processors, are involved with processing or storage of data:
- If so, confirm data sharing/processing arrangements in place?
- If not, refer them to research services/contracts or procurement or solicitor in Legal Services.
- DPIA screening questions have been completed by staff if research deemed high risk. If so, the DPIA has been provided. Additional advice for projects meeting the threshold for conducting a DPIA can also be sought by contacting the UCL Data Protection team at data-protection@ucl.ac.uk.
- If the research involves children, the Research with Children Guidance has been followed.
- The information compliance training been undertaken within the last two years:
- Freedom of Information.
- Data protection.
- Information security.
- Provisions are in place around confidentiality, e.g. wording in participant information sheet.
- Data Protection Coordinator has been notified.
General Data Protection Regulation (GDPR)
The GDPR affirms data protection's fundamental right and should be applied in a legitimate, effective, and consistent manner.
While the GDPR does not sufficiently specify ethical standards, it is important that researchers understand what this means for the personal data that’s processed during your research projects.
The Data Protection Office (DPO) have issued guidance specifically aimed at researchers, managing individual research projects.
The DPO has also produced an extensive Frequently Asked Questions page for answers to the most common data protection queries.
For further details, including guidance for research with children on data protection issues, and examples of consent forms and information sheets with privacy notice links, please visit your relevant section (staff or students).
See further information and up-to-date guidance issued by the Information Commissioner’s Office.
Note: for ethics applications sent to the IOE REC for review, the IOE REC office will register the research with the Data protection office (DPO) and provide the researcher with a UCL data protection number. The DPO will then advise on any next steps if required.
GDPR-compliant exemplars for guidance
The consent forms and participant information sheets should be used as exemplars only. Researchers are expected to develop their own forms and information sheets as appropriate for their research and not reproduce or copy the examples as templates.
All information sheets developed for research must also include a link to the UCL general research participant privacy notice.
- Example IOE interview consent form (DOCX)
- UCL consent form template (DOCX)
- Example IOE information sheet (PDF)
- Example information sheet for children #1 (PDF)
- Example information sheet for children #2 (PDF)
- Example information sheet for children #3 (PDF)
- Data protection checklist for researchers (PDF)
For questions about information sheets:
- UCL Data Protection team: data-protection@ucl.ac.uk