Version 2, updated 24 August 2020
UCL (“we” “us”, or “our”) respects your privacy and is committed to protecting your personal data.
Please read this Privacy Notice carefully – it describes why and how we collect and use personal data and provides information about your rights. It applies to personal data provided to us by individuals and supplements the following wider UCL privacy notice(s):
- General privacy notice
- Student privacy notice
- Staff privacy notice
- Visitors registration privacy notice
We keep this Privacy Notice under regular review. It was last updated on 24 August 2020.
- About us
UCL, a company incorporated by Royal Charter (number RC 000631), is the entity that determines how and why your personal data is processed. This means that UCL is the ‘controller’ of your personal data for the purposes of data protection law.
- Personal data that we collect about you
Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).
In order to support the NHS Test and Trace service, we may collect, use, store and transfer different kinds of personal data about you. This may include:
- Your name and contact details;
- Details of your attendance at the relevant UCL building, including dates and times of arrival/departure.
We do not collect special category data as part of this process.
- How we use your personal data
We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:
- To manage attendance in UCL’s buildings as part of our Covid-19 mitigation measures
- Where requested by the NHS as part of its Test and Trace service
You can find details on how NHS Test and Trace uses personal data on the NHS Test and Trace website.
- Who we share your personal data with
Your personal data will be collected and processed primarily by our staff and UCL (Access to your personal information is limited to staff who have a legitimate need to see it for the purpose of carrying out their job at UCL.). We may have to share your personal data with the parties set out below for the purposes outlined in section "How we use your personal data":
- NHS Test and Trace
- Lawful basis for processing
Data Protection Legislation requires that we meet certain conditions before we are allowed to use your data in the manner described in this notice, including having a "lawful basis" for the processing. The basis for processing will be as follows:
- Public task. The processing of your personal data may be necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in us (Article 6(1)(e) of GDPR).
- International transfers
We do not transfer your personal data outside the European Economic Area (EEA).
- Information security
We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. We have established procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
- Data retention
We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.
We will keep the personal data you provide for Test and Trace purposes for 21 days, as recommended by the UK Government.
- Your rights
Under certain circumstances, you may have the following rights under data protection legislation in relation to your personal data:
- Right to request access to your personal data;
- Right to request correction of your personal data;
- Right to request erasure of your personal data;
- Right to object to processing of your personal data;
- Right to request restriction of the processing your personal data;
- Right to request the transfer of your personal data; and
- Right to withdraw consent.
If you wish to exercise any of these rights, please contact the Data Protection Officer.
- Contacting us
You can contact UCL by telephoning +44 (0)20 7679 2000 or by writing to: University College London, Gower Street, London WC1E 6BT.
Please note that UCL has appointed a Data Protection Officer. If you have any questions about this Privacy Notice, including any requests to exercise your legal rights, please contact our Data Protection Officer using the details set out below:
Data Protection & Freedom of Information Officer
If you wish to complain about our use of personal data, please send an email with the details of your complaint to the Data Protection Officer so that we can look into the issue and respond to you.
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) (the UK data protection regulator). For further information on your rights and how to complain to the ICO, please refer to the ICO website.