Version 3, published November 2021
About this privacy notice
UCL (“we”, “us”, or “our”) respects your privacy and is committed to protecting your personal data.
Please read this Privacy Notice carefully – it describes why and how we collect and use personal data and provides information about your rights. It applies to personal data provided to us by individuals and supplements the following wider UCL privacy notice(s):
- General privacy notice
- Student privacy notice
- Staff privacy notice
- Visitors registration privacy notice
We keep this Privacy Notice under regular review. It was last updated November 2021.
- About us
UCL, a company incorporated by Royal Charter (number RC 000631), is the entity that determines how and why your personal data is processed. This means that UCL is the ‘controller’ of your personal data for the purposes of data protection law.
- Personal data that we collect about you
Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).
In order to support the NHS Test and Trace service, we may collect, use, store and transfer different kinds of personal data about you. This may include:
- Your name and contact details;
- Details of your attendance at the relevant UCL building, including dates and times of arrival/departure.
We do not collect special category data about you as part of this process (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health, and genetic and biometric data). Nor do we collect any information about criminal convictions and offences.
- How we use your personal data
We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:
- To manage attendance in UCL’s buildings as part of our Covid-19 mitigation measures
- Where requested by the NHS as part of its Test and Trace service
You can find details on how NHS Test and Trace uses personal data on the NHS Test and Trace website.
We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If you wish to get an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact us.
If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.
Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
- Who we share your personal data with
Your personal data will be collected and processed primarily by our staff and UCL (access to your personal information is limited to staff who have a legitimate need to see it for the purpose of carrying out their job at UCL). We may have to share your personal data with the parties set out below for the purposes outlined in section 'How we use your personal data':
- NHS Test and Trace
We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.
- Lawful basis for processing
Data Protection Legislation requires that we meet certain conditions before we are allowed to use your data in the manner described in this notice, including having a "lawful basis" for the processing. The basis for processing will be as follows:
- Public task. The processing of your personal data may be necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in us (Article 6(1)(e) of GDPR).
- International transfers
We may use third-party providers to deliver our services, such as externally hosted software or cloud providers, and those providers may involve transfers of personal data outside of the EU. Whenever we do this, to ensure that your personal data is treated by those third parties securely and in a way that is consistent with UK data protection law, we require such third parties to agree to put in place safeguards, such as the EU model clauses or equivalent measures.
- Information security
We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. We have established procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
- Data retention
We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.
We will keep the personal data you provide for Test and Trace purposes for 21 days, as recommended by the UK Government.
- Your rights
Under certain circumstances, you may have the following rights under data protection legislation in relation to your personal data:
Right 1: A right to access personal data held by us about you (commonly known as a “data subject access request”). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
Right 2: A right to require us to rectify any inaccurate personal data held by us about you, though we may need to verify the accuracy of the new data you provide to us.
Right 3: A right to require us to erase personal data held by us about you where there is no good reason for us continuing to process it. This right will only apply where, for example, we no longer need to use the personal data to achieve the purpose we collected it for; or where you withdraw your consent if we are using your personal data based on your consent; or where you object to the way we process your data (in line with Right 6 below). Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.
Right 4: A right to restrict our processing of personal data held by us about you. This right will only apply where, for example, you dispute the accuracy of the personal data held by us; or where you would have the right to require us to erase the personal data but would prefer that our processing is restricted instead; or where we no longer need to use the personal data to achieve the purpose we collected it for, but we require the data for the purposes of dealing with legal claims or due to having overriding legitimate grounds to use it.
Right 5: A right to receive personal data which you have provided to us in a structured, commonly used and machine-readable format. You also have the right to require us to transfer this personal data to another organisation.
Right 6: A right to object to our processing of personal data held by us about you where we are relying on a legitimate interest (or those of a third party), and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms.
Right 7: A right to withdraw your consent where we are relying on it to use your personal data. Note that a withdrawal of consent will not affect the lawfulness of processing based on consent before its withdrawal. If you withdraw your consent, we may not be able to provide certain services to you. We will advise you if this is the case at the time you withdraw your consent.
Right 8: A right to ask us not to use information about you in a way that allows computers to make decisions about you and ask us to stop.
If you wish to exercise any of these rights, please contact the Data Protection Officer.
You can contact UCL by telephoning +44 (0)20 7679 2000 or by writing to: University College London, Gower Street, London WC1E 6BT.
Please note that UCL has appointed a Data Protection Officer. If you have any questions about this Privacy Notice, including any requests to exercise your legal rights, please contact our Data Protection Officer using the details set out below:
Data Protection & Freedom of Information Officer: firstname.lastname@example.org
If you wish to complain about our use of personal data, please send an email with the details of your complaint to the Data Protection Officer so that we can look into the issue and respond to you.
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) (the UK data protection regulator). For further information on your rights and how to complain to the ICO, please refer to the ICO website.