IOE - Faculty of Education and Society


Data protection requirements checklist

Please use this adapted template to certify that all data protection requirements have been addressed prior to submitting your ethics application form and supporting documents for review.

  1. Check to see if project is an extension of previous research and if so provide the research reference number
  2. Consent Form and Participant Information Sheet completed and provided including privacy notice
  3. Local project privacy notice is in place and contains the criteria set out in Articles 13/14 of GDPR - see "Where can I check that I have completed my Privacy Notice correctly?"
    (i) Local project privacy notice links to one of the main UCL general research participant privacy notice
    (ii) Lawful basis for processing personal data is stated as 'performance of a task in the public interest' and special category or criminal convictions data is stated as 'research purposes'
  4. Appropriate safeguards are in place as per this guidance
    - Collect only the minimum amount of personal data required to carry out the research
    - Use pseudonymised personal data
    - Anonymise data where possible
    - Safeguards against accidental disclosure and loss or corruption of data. See here
    - Ensure that the processing will not cause substantial damage or distress to individuals
    - Ensure that the processing will not be used to support measures or decisions with respect to a particular individual
    - Confirm evidence of the information security measures in place, e.g. encryption.
  5. Ensure the terms anonymisation and pseudonymisation are used correctly in form
  6. The location of the data is specified, i.e.
    - On UCL servers
    - In the UK
    - In the EEA
    - Outside the EEA.
  7. If personal data is stored outside the EEA, ensure that measures are in place to comply with data protection legislation. See guidance here
  8. Indicate whether third parties, such as other universities or processors, are involved with processing or storage of data;
    (a) If so, confirm data sharing/processing arrangements in place?
    (b) If not, refer them to research services/contracts or procurement or solicitor in Legal Services.
  9. DPIA screening questions have been completed by staff if research deemed high risk.
    - If so, the DPIA has been provided
  10. If the research involves children, the Research with Children Guidance been followed
  11. The information compliance training been undertaken within the last two years
    - Freedom of Information
    - Data protection
    - Information security.
  12. Provisions are in place around confidentiality, e.g. wording in participant information sheet
  13. Data Protection Coordinator has been notified.