The General Data Protection Regulation (GDPR) came into force on the 25 May 2018. UCL has designed a comprehensive Programme of work designed to deliver the changes necessary for GDPR compliance. We will continue to update this statement as the work develops and progresses.
As part of our legal obligations we have published Staff, Student and General Privacy notices. Where required local privacy notices will be issued to inform individuals about what personal data is gathered, how it is used, stored and retained.
UCL also has a data protection policy that sets out our commitment to the safeguarding of personal data processed by its staff and students and our stances on compliance with data protection legislation. This policy describes how UCL will discharge its duties in order to ensure compliance with the data protection principles and rights of data subjects in particular and will be updated for GDPR in due course.
You can find information about the changes from the Information Commissioner's Office (ICO). The ICO is the UK regulator who oversees compliance with data protection legislation. Information Commissioner's Office Guide to the GDPR.
UCL Privacy Notices
- General privacy notice
- Privacy notice for COVID-19 NHS Test & Trace data collection
- Staff privacy notice
- Prospective students privacy notice
- Student privacy notice
- Student Support and Wellbeing Privacy Notice
- Alumni privacy notice
- UCL General Privacy Notice for Participants and Researchers in Health and Care Research Studies
- UCL general research participant privacy notice
- UCL Data Protection Policy
- Children's privacy notice (under 13 years)
- UCL Library Services Privacy Notice: External Users
- UCL Visitors general registration privacy notice
There may be instances where local privacy notices are used to provide additional information about a UCL service. Please check these as you engage with them.
UCL Statement on the use of 'Public Task' as a lawful basis for processing
Where UCL processes personal data in connection with the carrying out of tasks in the public interest in its capacity as a public authority, UCL may rely on the 'public task' ground as its lawful basis for processing that personal data.
Where the processing of personal data by UCL is separate from UCL's tasks as a public authority, a separate basis for processing that personal data will be established.
Please note that where UCL processes 'special categories of personal data' or criminal convictions data in its capacity as a public authority then a legal basis for processing that personal data will need to be found in line with the GDPR in addition to the 'public task' ground.
For more details on UCLs use of ‘Public Task’ please see the document: