Legal Services


Data Protection

UCL is required by law to comply with data protection legislation. The UK’s regulator for the legislation is the Information Commissioner’s Office. It is the commitment of the university to ensure that every current employee and registered student complies with this Act to ensure the confidentiality of any personal data held by UCL, in whatever medium. This Act came into force on 25 May 2018.

UCL processes the personal data of living individuals such as its staff, students, contractors, research subjects and customers.  To assist you with this legislation we have developed these pages  to assist all staff, researchers and students with ensuring that they are carrying out compliant practices which ensures the safety of person data.



Research Activities
Data Privacy Impact Assessment
Research with Children: Guidance on Data Protection Issues
Guidance for Researchers: Implications of GDPR and DPA 2018
Participants in health and care research privacy notice

Working with UCL Ethics Committee to ensure compliant use of personal data from subjects


All Staff

Everything you need to ensure compliant practice:
Guidance notices, privacy and privacy notices, subject access requests, polices (ISD, ISG, HR, SRS) and Legislation.

GDPR - What will be new


Anyone may make a request in writing for recorded information held by or on behalf of UCL, and UCL must comply promptly and in any case within 20 working days.  Unless subject to one of 23 exemptions described by the Act, the information must be provided.


Public Task

Where UCL processes personal data in connection with the carrying out of tasks in the public interest in its capacity as a public authority, UCL may rely on the 'public task' ground as its lawful basis for processing that personal data.

GDPR - What does this mean for me


This page contains questions and answers which we have collated from our engagement with staff and departments in relation to data protection legislation (Data Protection Act 2018 and GDPR).


Reporting a loss of personal data

In cases where there has been an incident which resulted in a potential breach of the GDPR, it is imperative that you report this immediately to Information Security Governance.