April 2019, version 5
University College London (UCL) aims to conduct research to the highest standards of research integrity. Our research is underpinned by policies and procedures that ensure we comply with regulations and legislation that govern the conduct of research; this includes data protection legislation such as the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA).
UCL uses personal data to conduct research to improve health, care and services. As a publicly-funded organisation incorporated under a Royal Charter, we ensure that it is in the public interest when we use personal data from people who have agreed to take part in research. This means that when you agree to take part in a research study, we will use your personal data in the ways needed to conduct and analyse the research study.
Health and care research should serve the public interest, which means that we have to demonstrate that our research serves the interests of society as a whole. Most of our health and care research follows the UK Policy Framework for Health and Social Care Research.
- What is research?
Research has a special status under data protection legislation. It is important therefore to specify what we mean by research. It is generally understood by Universities that research makes an original contribution to knowledge. Research conducted by our staff and postgraduate research students is always intended to make an original contribution to knowledge. Such research is published in order to share that knowledge.
Research projects may also be conducted by undergraduate and taught postgraduate (Masters in Arts/Science etc.) students to fulfil the requirements of their programme of study. These projects are not necessarily intended to make an original contribution to knowledge and are not usually published. However, this research is integral to the students’ education and for the purpose of this privacy notice these projects are included within the definition of research.
Some research may be conducted in collaboration with commercial organisations and funders.
- What is Personal Data (also referred to as personal information)?
‘Personal data’ means any information which relates to or identifies an individual. This includes information which may not explicitly identify you (e.g. where your name has been removed) but which does make it possible to identify you if it is combined with other information that is readily available. For example, this might be because the information available contains a postcode, your gender and date of birth; in these circumstances it might be possible to identify you by using other information available elsewhere. Therefore, in these circumstances, we would treat the details we hold as personal information and protect it accordingly.
We promise to respect the confidentiality of the personal information that you, as a participant in our research, provide to us; that we get from other organisations; and that we share with other collaborating organisations, such as other universities or our research funders. We will be clear with you when we collect your information how we intend to use it. We will not do anything with your personal information that you wouldn’t reasonably expect. We will use your information only for the purpose of the research you are participating in and we will not usually use your information or contact you for any purpose other than research unless you have agreed to this. We commit to keeping your personal information secure.
- Who is responsible for my personal information?
When we manage research projects, we will usually be the controller, which means that we will decide how your personal information is created, collected, used, shared, stored and deleted (processed). We will do so in line with the objectives of the research, ensuring we collect only what is appropriate and necessary and we have informed you of what we are collecting. For some research projects, the organisation funding the research may make decisions regarding your information. If this is the case, this will be made clear in the participant information sheet provided to you.
There are instances where two or more controllers work together on a research project. When this happens, the organisations have agreements and/or contractual arrangements in place which document how they have agreed to share their responsibilities. In these circumstances this will be detailed in the Participant Information Sheet you will be given.
- What personal information do we use within research projects and where do we get it from?
The type of personal information collected and used will depend on the particular research objectives of the project you are taking part in. Depending on the study we may collect personal information directly from you or we may collect it from third parties (for example, GP records, hospital records). Whatever personal information we collect and no matter where we collect it from, it will always be proportionate to achieving those objectives.
Personal information that we collect from you
Where we collect personal information from you directly, a Participant Information Sheet and/or Privacy Notice will inform you about what information we are using and how we are going to use it. We often ask you for your informed consent when we contact you directly.
Personal information that we collect from other sources
Where it is not possible or practical to contact you directly and obtain your consent, we seek approval from the NHS Health Research Authority’s Confidentiality Advisory Group (CAG) to obtain your personal information directly from the NHS under a ‘Section 251 Exemption’.
Section 251 and the NHS
Section 251 of the NHS Act 2006 came about as it was recognised that there were activities of medical research that required the use of personal information; however, because patient consent had not been obtained to use patients’ confidential information for these other purposes, there was no secure basis in law for doing so.
Section 251 enables the common law duty of confidentiality to be lifted to enable disclosure of confidential patient information for medical purposes, where it was not possible to use anonymised information and where seeking consent was not practical. For information about the CAG and Section 251, please visit the Health Research Authority website.
To find out what choices are available in the way the NHS uses your health records, including opting out, please visit the NHS website.
Special category and criminal convictions personal data
UCL may process some information about you that is considered to be ‘sensitive’; this is called ‘special category personal data’. This includes information concerning your ethnicity; sexual orientation; gender identity, specifically whether your gender identity is the same as the gender originally assigned to you at birth; your religious beliefs; or details about your health. These types of personal information require additional protections. For specific research projects, other sensitive information may be used, such as information about past criminal convictions. This will, of course, be for a research project dedicated and relevant to that field. Access to, and the sharing of, this more sensitive personal data is controlled very carefully and you will be specifically informed about this in your participant information sheet.
Your information will usually be shared within the research team conducting the project you are participating in. You will be made aware in the Participant Information Sheet if there are collaborators that are not employed by the University who will also access your information.
All our researchers are asked to de-identify (anonymise), pseudonymise (remove identifiers such as your name and replace this with a unique code or key) or delete personal information collected as part of their research at the earliest opportunity. All personal information is kept in line with our policies or any regulatory requirements.
Information relating to healthcare professionals and others involved in setting up and conducting research studies
UCL may collect personal information (e.g. names and contact details) from:
- Doctors, nurses and other staff involved in the recruitment, diagnosis, and treatment of participants taking part in our research studies.
- Laboratory staff, company employees, and staff from other organisations that are supporting and/or funding the research studies.
- Members of the public who contribute to the design and conduct of our research or sit on local working groups or committees.
- Healthcare professionals who contribute to the trial management groups and oversight committees.
- What safeguards do we have in place to protect your personal information?
In order to protect your rights and freedoms when using your personal information for research and to process special category information, the University must have special safeguards in place to help protect your information. We have the following safeguards:
Policies and procedures that tell our staff and students how to collect and use your information safely.
Training which ensures our staff and students understand the importance of data protection and how to protect your data.
Security standards and technical measures that ensure your information is stored safely and securely.
All research projects involving personal data are scrutinised and approved by a research ethics committee.
Contracts with companies or individuals not associated with the University have confidentiality clauses to set out each party’s responsibilities for protecting your information.
We carry out data protection impact assessments on high risk projects to ensure that your privacy, rights as an individual or freedoms are not affected.
If we use collaborators outside of Europe, we will ensure that they have adequate data protection laws or are part of privacy and security schemes such as the privacy shield in the US.
In addition to the above University safeguards, the data protection legislation also requires us to meet the following standards when we conduct research with your personal information:
(a) the research will not cause damage or distress to someone (e.g., physical harm, financial loss or psychological pain).
(b) the research is not carried out in order to do or decide something in relation to an individual person, unless the processing is for medical research approved by a research ethics committee.
(c) the Data Controller has technical and organisational safeguards in place (e.g. appropriate staff training and security measures).
(d) if processing special category personal data, this must be subject to a further public interest test to make sure this particularly sensitive information is required to meet the research objectives.
- The lawfulness of using your personal data
Data protection legislation requires us to have a valid legal reason to process and use personal data about you. This is often called a ‘legal basis’. GDPR requires us to be explicit with you about the legal basis upon which we rely in order to process information about you.
In the context of research, the lawful basis upon which we will process your personal information is usually where “Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller” (Article 6 of GDPR).
Where we also collect and use sensitive personal information (special category personal data) we only do so where:
“the processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes... which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject”. (Article 9 of GDPR).
Personal data relating to criminal convictions must also be treated with extra care and Schedule 1 of the Data Protection Act 2018 provides a specific condition to allow it to be collected for research purposes if the special safeguards are in place.
Where we need to rely on a different legal condition, such as consent, we will inform you of this in the Participant Information Sheet provided to you. In some studies, for example, we may use the following condition:
“Processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards”.
- Who will my personal information be shared with?
Your information is likely to be shared within the project team, primarily in a way that we can identify you as a participant; however, most personal information used in research will be pseudonymised before sharing more widely or publishing the research outcomes. It may sometimes be necessary to share your personal information with other researchers for the purpose of achieving the research outcomes. If this is relevant to the research you are involved with, you will be provided with information about this in your Participant Information Sheet. If you have any further questions about research collaborations please contact the research team you are involved with.
If we are working with other organisations and information is shared with them, we will inform you in the Participant Information Sheet. Information shared will be on a need to know basis, not excessive and with all appropriate safeguards in place to ensure the security of your information.
We also sometimes use products or services provided by third parties who carry out a task on our behalf or which are used for sharing research data for collaboration. These third parties are known as data processors and when we use them we have contractual terms, policies and procedures to ensure confidentiality is respected. This does not always mean that they access your information. The University remains responsible for your personal information as the controller and, should researchers use another third party service to process your personal information, they will provide you with details about the relationship they have with the service provider/supplier/collaborator on the Participant Information Sheet.
Your personal information will only be used for the purpose of health and care research, and cannot be used to contact you or to affect your care. It will not be used to make decisions about future services available to you.
- Your rights
Under data protection legislation you have individual rights in relation to the personal information we hold about you. For the purposes of research where such individual rights would seriously impair research outcomes, such rights are limited. However, under certain circumstances, these include the right to:
- access your personal information
- correct any inaccurate information
- erase any personal information
- restrict or object to our processing of your information
- move your information (portability)
It is important to understand that the extent to which these rights apply to research will vary and that in some circumstances rights may be restricted. If it is considered necessary to refuse to comply with any of your individual rights, you will be informed of the decision within one month and you also have the right to complain about our decision to the Information Commissioner. It should also be noted that we can only implement your rights during the period in which we hold personally identifiable information about you. Once the information has been irreversibly anonymised and becomes part of the research data set it will not be possible to access your personal information.
- For how long is my information kept?
We ask our researchers to de-identify information wherever possible (anonymisation or pseudonymisation). Information where you can be identified will, as such, be kept for a minimum amount of time and in accordance with the research objectives. We may, however, keep consent forms which contain personal information for a number of years after the research has been completed, as this is sometimes a requirement of the research’s funder. Further details about how long personal information obtained for research is kept can be found in our retention schedule.
For some research projects we cannot de-identify the information as it is necessary for achieving the outcome of the research. For such projects, we store your personal information as part of the research for the duration of the project and for a defined period after the project has ended. This is usually defined by external regulations but may be defined by our own policies and procedures.
Your Participant Information Sheet will tell you how long your personal information will be kept.
- Who can I contact?
If you have any questions about how your personal information is used, or wish to exercise any of your rights, please consult the University’s data protection webpages. If you need further assistance, please contact the University’s Data Protection Officer.
You can contact UCL by telephoning +44 (0)20 7679 2000 or by writing to: University College London, Gower Street, London WC1E 6BT.
Please note that UCL has appointed a Data Protection Officer. If you have any questions about this Privacy Notice, including any requests to exercise your legal rights, please contact our Data Protection Officer.
- How can I complain?
If you wish to complain about our use of personal data, please send an email with the details of your complaint to the Data Protection Office so that we can look into the issue and respond to you.
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) (the UK data protection regulator). For further information on your rights and how to complain to the ICO, please refer to the ICO website.
- When was this privacy notice last updated?
This privacy notice was last updated in March 2019 and may be amended from time to time.