Information Services Division


How to maintain confidentiality

Confidentiality is not guaranteed by pseudonymisation (which is where you still hold the key to re-identify someone).

If you handle highly confidential research data within the School of Life and Medical Sciences then we recommend you register the study with Information Governance services here and handle it within the Data Safe Haven.

Replacing identifiers with something unrecognisable to the general public ('pseudonymisation') is not an adequate procedure for maintaining confidentiality of research data. Pseudonymised data are considered under data protection legislation to be personal data. Moreover, partner organisations can set confidentiality restrictions on the use of anonymised data via contracts.

Confidentiality can be divided into three categories: privacy, i.e. making sure you have the right to process someone’s data, information security, i.e. taking organisational and technical measures to secure data, and contractual, i.e. complying with any terms set for the data by your own or another organisation. A breach of any of these would be a breach of what is known as the common law duty of confidentiality. Any breach involving personal data (i.e. privacy) can and should be reported to the UCL Information Security Group.

Some of UCL's central guidance on maintaining research participants’ privacy is covered within Research Ethics and Research Integrity. Ethical approval can act as a passport for a study to begin canvassing for research participants.

The UCL Data Protection Office provides central guidance on handling personal data in broader contexts than research but also covers a lot of information about the new legislation around data protection in the context of research.

UCL Information Security Group and UCL SLMS Information Governance services support the use of technical and organisational measures to secure information, and particularly information that is deemed ‘sensitive’ or as 'special category data' under the General Data Protection Regulation 2016.

UCL SLMS Information Governance services maintain policies and guidance on handling sensitive data in the School of Life and Medical Sciences here and we also provide answers to one-off questions via a support desk here: slms.pid.

If you and colleagues are required to manage confidential information then it is important that you realise where the risk of disclosure is by carrying out a risk assessment. You can read about risk management on the Information Security Group pages here.

There are different scenarios requiring contracts which it is advisable to get support for, variously from: UCL Research Contracts (third party contracts involving research data), HR (staff contracts), Data Protection (third parties where personal data is involved) and several Joint Research & Development Offices (MTAs and contracts between NHS sites and UCL).