How to establish who are the data controllers
The Data Protection Act (1998) says that there are specific responsibilities which the Data Controller is accountable for. At the most basic level, the Data Controller, usually an organisation, will determine the purpose of processing personal data. In a study, the Data Controller will often be one or more of the following:
- The lead organisation on applications for funding, ethics and sponsorship
- The Sponsor in the case of research requiring collaboration with the NHS Roles and Responsibilities(link).
- The chief or principal investigator's employer
- Named on the participant consent form and information sheet
However, the Data Controller can be all of the above or in some cases the Data Controller will have chosen to delegate responsibility to another organisation to manage the personal data on its behalf.
For UCL studies, the Data Controller will usually be UCL. If UCL are not the Data Controller then we will not be determining the purpose of processing information, and someone else will be instructing us to do this. If there is no evidence of either UCL being the Data Controller or an instruction to process personal data then UCL should not be handling personal data.