Legal Services


UCL General Research Participant Privacy Notice

Version 1, published 9th November 2018

About this privacy notice

University College London ("UCL", "we", "our", "us") are committed to protecting and respecting your privacy.

This privacy notice sets out how UCL processes the personal data of:

  • participants in research other than health and care research conducted by UCL; and
  • individuals whose data may be processed indirectly as part of research conducted by UCL (examples of circumstances where this may occur are provided at section 5 below).  

Please note that if you are a participant in health and care research carried out by UCL, this privacy policy will not apply and you should instead refer to the ‘Participants in health and care research privacy notice’.

This notice applies to the personal data we collect from you and personal data which is passed to us by third parties. Please read the following carefully to understand how we process your personal data.

In addition to the information in this privacy notice, you may be given further information about the uses of your personal data when you agree to participate in a specific research project.  

We may amend this privacy notice from time to time. Any changes we make to this privacy notice in the future will be posted on this page and, where appropriate, notified to you by e-mail. This privacy notice was last updated on 9th November 2018.

What is research?

It is generally understood by universities that research makes an original contribution to knowledge. Research conducted by our staff and postgraduate research students is always intended to make an original contribution to knowledge. Such research is published in order to share that knowledge.

Research projects may also be conducted by undergraduate and taught postgraduate (Masters in Arts/Science etc.) students to fulfil the requirements of their programme of study. These projects are not necessarily intended to make an original contribution to knowledge and are not usually published. However, this research is integral to the students’ education and for the purpose of this privacy notice these projects are included within the definition of research.

Some research may be conducted in collaboration with commercial organisations and funders.

What is 'personal data'?

‘Personal data’ means any information which relates to or identifies an individual. This includes information which may not explicitly identify you (e.g. where your name has been removed) but which does make it possible to identify you if it is combined with other information that is readily available. For example, this might be because the information available contains a postcode, your gender and date of birth, and in these circumstances it might be possible to identify you by using other information available elsewhere. We would therefore treat the details we hold as personal information and protect it accordingly.

UCL's approach to research and personal data

UCL aims to conduct research in accordance with the highest standards of research integrity. Our research is underpinned by policies and procedures designed to help ensure we comply with regulations and legislation that govern the conduct of research, including data protection law.

We respect the confidentiality of personal information relating to research participants, including where this information is provided to us directly and where it is obtained from other organisations. We will be clear with you when your information is collected about how we intend to use that information. We will not do anything with your personal information that you wouldn’t reasonably expect. We will use your information only for the purpose of the research you are participating in and we will not usually use your information or contact you for any purpose other than research unless you have agreed to this. We commit to keeping your personal information secure.

All our researchers are asked to de-identify (anonymise), pseudonymise (remove identifiers such as your name and replace this with a unique code or key) or delete personal information collected as part of their research at the earliest opportunity. All personal information is kept in line with our policies or any regulatory requirements.

Circumstances in which personal data may be collected indirectly by UCL in connection with research

There are circumstances in which personal data may be collected indirectly by UCL in connection with research carried out, and this privacy notice will apply to the individuals whose data is processed in these situations. Examples include the following:

Department for Learning and Leadership

In the Department for Learning and Leadership at UCL, including the Centre for Education Policy and Equalising Opportunities (CEPEO), we carry out research into inequalities in educational attainment. This involves the analysis of secondary data on young people’s educational attainment (and their demographic characteristics), including National Pupil Database (NPD) data from the Department for Education (DfE), and data from the Higher Education Statistics Agency (HESA) data.

Computer Science research

  • In the Computer Science Department at UCL, including the Centre for Research on Evolution, Search and Testing (CREST), we carry out research in software engineering, including the analysis, modelling, and manipulation of source code. This includes the use of freely-available open-source software for purposes such as evaluating new techniques, understanding the characteristics of software in general, and creating models of (evolving) code.
  • Open-source code and its meta-data (e.g. commit histories) acquired from open repositories (such as github, bitbucket and similar) may contain (at the discretion of those contributing the code and documents to the repository) personal information such as developer ids, names, email addresses and similar.  This information may be indirectly collected by UCL as a result of cloning a repository for the purposes outlined above.
  • The Computer Science Department may also carry out research in circumstances where membership of a repository or website is required to obtain the data. Personal data may again be collected indirectly in this context.
  • This research will not focus on the developers but on the software and accompanying documentation and files. Personal data may therefore be processed, but only indirectly. Further information on the use of personal data in these scenarios is available on the CREST site.
UCL's data protection obligations

When we design and manage research projects, UCL will usually be the controller for the purposes of data protection law, which means that we will decide how your personal information is created, collected, used, shared, stored and deleted (processed). We will do so in line with the objectives of the research, ensuring we collect only what is appropriate and necessary and we have informed you of what we are collecting. For some research projects, the organisation funding the research may make decisions regarding your information. If this is the case, this will be made clear in the ‘participant information sheet’ or other information notice/privacy policy provided to you when you agree to participate in research (where applicable).

There are instances where two or more controllers work together on a research project. When this happens, the organisations have contractual arrangements in place which document how they have agreed to share their responsibilities. Where applicable, this will be detailed in the ‘participant information sheet’ or other information notice/privacy policy provided to you when you agree to participate in research.

Personal data we collect about you


The type of personal information collected (either directly from you or from third parties) and used will depend on the particular research objectives of the project in question. The personal data we collect will always be proportionate to achieving those objectives.

The ‘participant information sheet’ or other information notice/privacy policy provided to you when you agree to participate in research (where applicable) will provide further details of what information will be collected about you.

Where your personal data is processed indirectly in the context of a research project (in circumstances such as those set out at section 5), we will collect only the minimum amount of personal data required to proceed with the project, and will remove or pseudonymise/anonymise that personal data as soon as possible. Please refer to section 5 for indicative examples of the categories of personal data concerned. Individual departments may also set out further information on their own web pages about personal data collected indirectly in a research contact.

Special category personal data and data relating to criminal convictions or offences

UCL may process some information about you that is considered to be ‘sensitive’. These types of personal information require additional protections.

Data considered to be sensitive includes ‘special category’ personal data’, e.g. information concerning your ethnicity, sexual orientation, gender identity, religious beliefs or health.

For specific research projects, other sensitive information may be used, such as information about past criminal convictions.

Access to, and the sharing of, this more sensitive personal data is controlled very carefully and you will be specifically informed about this in your ‘participant information sheet’ or other information notice/privacy policy provided to you when you agree to participate in research (where applicable).

Purposes for which we process your personal data and the legal basis for processing

Data protection laws require us to meet certain conditions before we are allowed to use your data in the manner described in this notice, including having a ‘legal basis’ for the processing. Where we process special category personal data or criminal convictions information, we are required to establish an additional legal basis for processing that data.

The main legal bases on which your personal data are generally processed for research purposes are explained below.

For all information

  • Performance of a task in the public interest: when carrying out our core functions such as research, in addition to activities that are ancillary to our core functions, UCL will be performing a task in the public interest. For further details on the ‘public task’ legal basis for processing, please see our Statement of Tasks in the Public Interest.

For special category data and information relating to criminal convictions/offences

  • Research purposes: in the context of research, the additional lawful basis upon which we will process your personal information is usually that the processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.
Third parties with whom we may share your personal data

Your information is likely to be shared within the project team, primarily in a way that we can identify you as a participant.

Most personal information used in research will be pseudonymised before sharing more widely or publishing the research outcomes.

If we are working with researchers at other universities or other organisations and information is shared with them, we will inform you in the ‘participant information sheet’ or other information notice/privacy policy provided to you when you agree to participate in research. Information will be shared on a need to know basis, and will not be excessive. Appropriate safeguards will also be put in place to ensure the security of your information. If you have any further questions about research collaborations please contact the research team you are involved with.

We also sometimes use products or services provided by third parties who carry out a task on our behalf. These third parties are known as data processors and when we use them we have contractual terms, policies and procedures to ensure that your personal data is protected. This does not always mean that they access your information. UCL remains responsible for your personal information as the controller and should researchers use another third party service to process personal your information they will provide you with details about that relationship in the ‘participant information sheet’ or other information notice/privacy policy provided to you when you agree to participate in research.

Transfers outside the European Economic Area

We may transfer your personal data outside the EEA, e.g. where we use a third party cloud services provider based outside the EEA to store that data.

Please note that many countries outside the EEA do not have data protection legislation, or have different data protection or privacy regimes, and so may not always protect their personal data to the same standard as within the EEA.

Whenever we or our suppliers transfer your data outside the EEA, to ensure that your personal data is treated by those third parties securely and in a way that is consistent with UK data protection law, we require the relevant third parties to agree to put in place safeguards, such as the EU model clauses or equivalent measures. For further information on the measures in place, please contact us using the details set out in section 18 below.


In accordance with data protection law, UCL will comply with the principles set out below when processing your personal data.

PrinciplePersonal Data shall be:
Lawfulness, fairness and transparencyprocessed lawfully, fairly and in a transparent manner in relation to the data subject.
Purpose limitationcollected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
Data minimisationadequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
Accuracyaccurate and, where necessary, kept up to date.
Storage limitationkept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
Integrity and confidentialityprocessed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

In accordance with the additional 'Accountability' principle, UCL must also be able to demonstrate compliance with each of the above principles.

Safeguards that we put in place to protect your data

In order to protect your rights when using your personal information for research and to ensure that we meet the conditions set out in data protection law for processing special category information in a research context, we implement specific safeguards, including the following:

  • Policies and procedures that tell our staff and students how to collect and use your information safely;
  • Training which ensures our staff and students understand the importance of data protection and how to protect your data;
  • Security standards and technical measures that ensure your information is stored safely and securely;
  • All research projects involving personal data are scrutinised and approved by a research ethics committee;
  • Contracts with third parties have clauses setting out each party’s responsibilities for protecting your personal information;
  • We carry out data protection impact assessments on high risk projects to ensure that your privacy, rights as an individual or freedoms are not affected; and
  • If we use collaborators outside of Europe, we will ensure that transfers of personal information to them are carried out in compliance with data protection legislation.

In addition to the above safeguards, in accordance with data protection law, we will meet the following standards when we conduct research with your personal information:

  • The research will not cause damage or distress to someone (e.g., physical harm, financial loss or psychological pain);
  • The research is not carried out in order to do or decide something in relation to an individual person, unless the processing is for medical research approved by a research ethics committee;
  • UCL (as the controller) has technical and organisational safeguards in place (e.g. appropriate staff training and security measures); and
  • When we process special category personal data, this is subject to a further public interest test to make sure this particularly sensitive information is required to meet the research objectives.
Retention periods

We ask our researchers to de-identify information wherever possible (anonymisation or pseudonymisation). Information where you can be identified will, as such, be kept for a minimum amount of time and in accordance with the research objectives. We may, however, keep consent forms which contain personal information for a number of years after the research has been completed, as this is sometimes a requirement the research’s funder.

For some research projects we cannot de-identify the information as it is necessary for achieving the outcome of the research. For such projects, we store your personal information as part of the research for the duration of the project and for a defined period after the project has ended. This is usually defined by external regulations but may be defined by our own policies and procedures.

You will be informed in the ‘participant information sheet’ or other information notice/privacy policy provided to you when you agree to participate in research as to how long your personal information will be kept for.

Further details about how long personal information obtained for research is kept can be found in our Data Retention Schedule.

Your rights

Under data protection legislation you have certain individual rights in relation to the personal information we hold about you. For the purposes of research where such individual rights would seriously impair research outcomes, such rights are limited. However, subject to certain conditions, you have the following rights in relation to your personal data:

Right 1: A right to access personal data held by us about you (please see section entitled "How can I access my personal information" below).

Right 2: A right to require us to rectify any inaccurate personal data held by us about you.

Right 3: A right to require us to erase personal data held by us about you.  This right will only apply where, for example, we no longer need to use the personal data to achieve the purpose we collected it for; or where you withdraw your consent if we are using your personal data based on your consent; or where you object to the way we process your data (in line with Right 6 below).

Right 4: A right to restrict our processing of personal data held by us about you.  This right will only apply where, for example, you dispute the accuracy of the personal data held by us; or where you would have the right to require us to erase the personal data but would prefer that our processing is restricted instead; or where we no longer need to use the personal data to achieve the purpose we collected it for, but we require the data for the purposes of dealing with legal claims.

Right 5: A right to receive personal data, which you have provided to us, in a structured, commonly used and machine readable format. You also have the right to require us to transfer this personal data to another organisation.

Right 6: A right to object to our processing of personal data held by us about you.

Right 7: A right to withdraw your consent, where we are relying on it to use your personal data.

Right 8: A right to ask us not to use information about you in a way that allows computers to make decisions about you and ask us to stop.  

It is important to understand that the extent to which these rights apply to research will vary and that in some circumstances your rights may be restricted.

If you notify us (using the contact details set out below) that you wish to exercise any of the above rights and it is considered necessary to refuse to comply with any of your individual rights, you will be informed of the decision within one month and you also have the right to complain about our decision to the Information Commissioner’s Office (see sections 17 and 18 below for further detail on this).

Please also note that we can only comply with a request to exercise your rights during the period for which we hold personal information about you. If that information has been irreversibly anonymised and has become part of the research data set, it will no longer be possible for us to access your personal information.

Keeping personal data up-to-date

Data protection law requires us to take reasonable steps to ensure that any personal data we process is accurate and up-to-date. If your contact details or any other personal information about you that is held by us changes, please do notify us using the contact details set out at section 18 below.

Automated processing

UCL does not use automated processing and decision making without manual intervention.

Who regulates the use of my personal information?

UCL maintains a data protection registration with the Information Commissioner's Office, the independent authority which oversees compliance with data protection laws. Our registration number is Z6364106 and this registration sets out, in very general terms, the full range of purposes for which we use personal information. You have the right to lodge a complaint about how your personal data has been used. Please see the Information Commissioner's Office website for details.

Who do I contact with questions?

If you have any questions about your personal data and UCL that are not answered by this privacy notice then please consult UCL's data protection web pages, where further guidance and relevant UCL policy documentation can be found.  

If you need further assistance or wish to complain about our use of your personal data or exercise any of your rights, please contact UCL's Data Protection Officer: data-protection@ucl.ac.uk or Data Protection Officer, UCL Gower Street, London WC1E 6BT.

If we are unable to adequately address any concerns you may have about the way in which we use your data, you have the right to lodge a formal complaint with the UK Information Commissioner's Office.  Full details may be accessed on the complaints section of the Information Commissioner's Office website.