This guidance draws your attention to the provisions of data protection legislation relating to research activities, and outlines the actions required to achieve compliance with the Act. This includes information about registering your research project with Legal Services.
- Personal data
Data protection legislation lays down principles of good information handling which is designed to ensure that personal data is used in a way that is fair to individuals and protects their rights. The data protection legislation applies to personal data, i.e. data from which a living individual can be identified.
- Anonymisation in research
In order to gain a better understanding of anonymisation, you should first be aware of what is personal data and the definition that applies.
Personal data is defined as that which relates to a living individual who:
- Can be identified from that data
- Can be identified from that data and any other information which is in the possession of, or likely to come into the possession of, the data controller.
What is anonymisation?
Anonymisation refers to the process of removing personal identifiers (directly and indirectly) that may lead to an individual being identified from that information, or combined together with other information.
Examples of personal identifiers are listed below:
You can often directly identify an individual from their name, address, postcode, telephone number, photograph or image, or some other unique personal characteristic.
An individual may be indirectly identifiable when certain information is linked together with other sources of information. This may include, for example, their place of work, job title, salary, their age, their postcode or even the fact that they have a particular diagnosis or condition.
The primary reason for undertaking anonymisation is to protect an individuals’ privacy.
The data protection principles do not apply to information that been permanently rendered anonymous so that individuals are not identifiable. However, if you are unable to fully anonymise your research data, then it will still be subject to the data protection principles. This is not to say that taking steps to reduce the chance that an individual might be identified should not be undertaken; it is good practice to do so wherever possible. Legally, however the Data Protection Act still applies to this weakly anonymised data.
Risk of re-identification
The Information Commissioner’s Office has developed a “motivated intruder” test. This test determines whether an individual, who does not have any specialist skills, or prior knowledge, but is competent enough to access resources, such as the internet, to identify an individual from whose personal data the anonymized data has been derived.
The Information Commissioners’ Office has produced a anonymisation code of practice (pdf) which includes the motivated intruder test.
Pseudonymisation – The technical process of replacing person identifiers with other values (pseudonyms) from which the identities of individuals cannot be intrinsically inferred
When data has been pseudonymised, it still retains a level of information in the retained data that may allow tracking back of the identifiable data in its original state. With anonymised data the level of detail is reduced rendering a reverse compilation impossible. With this in mind, if you will be processing any personal data (e.g. details of individual participants on consent forms), then it will still be subject to the data protection principles, and registration is required.
Do I need a data protection registration?
Research projects which are using truly anonymised or aggregated information do not have to be registered with Legal Services and you do not have to worry about compliance with data protection legislation. However, if you have collected identifiable data but then taken steps to psedonymise this but ultimately you are still able to identify the participants registration will be required as you will still be processing personal data.
Likewise, if you are using consent forms containing names and the contact details of participants as part of your recruitment process you will be processing personal data even if the actual research data obtained is not identifiable as a result registration is still required.
Two videos have been recorded by the national centre for research methods where they give an outline of the anonymisation decision making framework.
The first gives the outline of the basic concepts:
The second outlines the ten steps of the framework:
- International research
International research collaborations involving transfer of personal data may not be transferred to countries outside the EEA unless that country has adequate data protection regulations, or the explicit consent of the data subject has been obtained, or there is an appropriate contract with the recipient of the data, specifying appropriate data protection requirements that must be upheld. Thus, researchers must be exceptionally careful when contemplating the transfer of research data overseas. In most cases, the safe option will be to ensure that data subjects give explicit consent for overseas transfer during data collection.
You may be able to transfer data to other countries outside of the EEA if you have the subjects' explicit consent (which can be requested on the consent form) or a contract with the recipient of the data, which provides the data with suitable protection.
In view of the recent European Court of Justice ruling on the validity of the US Safe Harbour agreement and the implications for UCL, further information is available from:
- Student led research
For students who are processing personal data in the course of their studies, UCL will be the controller.
- Research registration - A Summary
All research proposals that involve personal data must be registered with the Data Protection Office (DPO) before processing begins. This policy requirement applies to all UCL students or staff (including honorary staff, affiliate academics and visiting researchers).
All researchers who are processing personal data must adhere to the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA). This includes a duty to follow university policies and procedures, in particular the UCL Data Protection Policy.
The Review Process
The DPO reviews research applications for compliance with UCL policies on data protection and the law itself; this review includes checks on:
• the name of the project, its purpose and objectives
• the name and contact details of the person who will be responsible for personal data gathered in the project
• measures in place to observe the following data protection principles:
i. Lawfulness, fairness and transparency
ii. Purpose limitation
iii. Data minimisation
v. Storage limitation
vi. Integrity and confidentiality
• the legal bases for processing personal data
• evidence of the information security measures in place, eg encryption
• the notification with the relevant data protection coordinator
• the measures in place to ensure transfers of personal data outside the EEA comply with data protection legislation
• data sharing/processing arrangements in place with third parties
• the stated roles of the parties in the research proposals, eg controller, processor, recipient
• measures to anonymise or pseudonymise the personal data
• evidence of ‘appropriate safeguards’ in place
• any Data Privacy Impact Assessments produced
• the data protection compliance requirements for privacy notices
The DPO reviews the documents provided by staff and will request amendments to be made for compliance purposes; this process is normally completed within ten working days (providing all relevant information has been provided to the Data Protection Office), but depending on the volume of submissions it may take longer.
The applicant is notified via email, together with the relevant registration number.
Amendments to research projects after approval has been given
We only operate a pragmatic rule that non-substantive (minor) amendments i.e. they do not significantly change the study objectives, and those which alters the study procedures, or makes substantive changes to the original study, are perfectly acceptable, but substantive amendments would require re-registration or sign off by DPO and/or Ethics Committee.
- Guidance on completing the data protection registration form
All research which involves a collection or use of identifiable data relating to living individuals must be registered so that we can ensure that the data is obtained and processed in accordance with the data protection principles. This applies equally to research led by UCL staff and students.
Any processing (widely defined and covers all manner of use including obtaining, recording, holding, altering, retrieving, destroying or disclosing data) of personal data must be registered with Legal Services before the data is collected. This includes projects approved by the Joint Research Office (a partnership between UCL, UCL Hospitals NHS Foundation Trust and the Royal Free Hampstead NHS Trust), and other departmental ethics committees.
This form should only be completed if identifiable data is being collected and used as part of research because identifiable data is personal data and data protection law applies. Data protection legislation does not apply to data rendered anonymous (also known as de-identified), so that the data subjects are not identifiable. In this instances, registration will not be required.
Applications which involve the use of NHS data should also contact the Information Governance Advisory Service, which include the Data Safe Haven facility. While it is managed by UCL’s School of Life and Medical Sciences (SLMS), it is available to all. Further information is available at:
Guidance on completing the application form
All sections of the application form should be completed. Sections which are not applicable should be marked as ‘N/A’. Any application form which has not been completed sufficiently will be returned for further amendment, or clarification.
The title of the research should correspond with any other supporting documentation (e.g. information sheets, consent forms). Please include the proposed start and end date.
The Chief Investigator (CI); Principal Investigator (PI), has overall responsibility of the research being carried out. In the case of research being carried out by students, this is normally the students’ supervisor. The contact details of the CI; PI, and, or student Supervisor should be included in this section. (Please note that a student – undergraduate, postgraduate or research postgraduate cannot be the PI for Ethics purposes).
The details of the data collector(s) should be included in this section. (Provide details of the individuals that will be involved in obtaining/collecting the personal data. If the applicant is not the PI provide the student’s details.
Please summarise the main purposes of the research, including an explanation of the aims, design, methodology and plans for analysis that you propose to use. If the research involves the collection of personal data overseas then you must ensure that you provide details in this section.
You should describe the potential participants you are going to include in the research. Please explain any selection criteria for those being recruited.
Give an outline as to the type of data being processed e.g. names, dob, contact details, medical condtions/diagnosis details. Please specify whether the data will be identifiable, anonymised, or pseudo-anonymised. Include a description as to how it will be collected.
In this section, please describe whether the results of the research will be shared, and how, and where it will be published.
In this section, please describe the methods of recruitment that you intend to use.
It is important that prospective participants are provided with sufficient information, so that they can make a free and informed decision about their involvement with research. This can be achieved by the use of an information sheet, or other document to invite prospective participants to participate.
Please provide details of the security arrangement that will be in place for the research.There must be appropriate levels of security in place for the personal data being processed, both from within, and outside of the university.
The level of security, will be largely dependent as to the type of personal data being processed. Personal data which is to be held electronically, should have appropriate measures in place to minimise any risk, and to prevent unauthorised access, accidental loss, or destruction e.g. encryption. To increase the security of data processing, it is advisable to anonymise/pseudo-anonymise data to as great an extent as possible.
You should provide details of where the locations of the research is being conducted, including information about the circumstances in which the research may be transferred to other countries.
If the recipient of any transfer cannot guarantee that the data it will receive will not remain within the EEA, or is on the EC approved list of adequacy, then you must have model contract clauses in place for any transfer outside the EEA.
If you are considering using a cloud provider, you should ensure that you are aware of the circumstances in which the cloud provider will process the information it receives. Some providers often have servers where data is stored, and backed up within a number of different countries. Further information on the transfer of personal data overseas is available at:
In order to administer the UCL Data Protection Policy, and ensure UCL's commitment to comply with data protection legislation, we ask all departments to have a point of contact (Coordinator) for us to be able to disseminate any relevant information regarding the legislation.
As a prerequisite for registration, you should ensure that your local coordinator is made aware of the research, before forwarding to Legal Services for the process to be completed.
If you are applying for ethics approval, please provide the research identification number. Research which does not require ethics approval should provide further details in this section.
If you are receiving sponsorship for your research. Please provide details of the individual, company, institution, funding council, or another organisation which takes responsibility for the initiation, management and/or financing of the research.
Any supporting documentation (e.g. information sheets, consent forms, protocols, questionnaires, advertisement of project, other interview formats, or other documentation being used to invite/inform participants about your research etc.) must be submitted with the application form.
Submitting your application
The completed application form should be sent (electronically) to email@example.com with copies of any supporting documentation.
What Happens Next?
Upon review, the application form will be returned with the appropriate registration number, which may be quoted on the ethics application form, or any other related forms. Applicants should normally allow 10 working days (once all relevant information has been received by the Data Protection Office) for their application to be processed.
- Research Ethics
If you are applying to the UCL Research Ethics Committee for approval of your research project, you are also required to gain approval from Legal Services that it complies with the DPA, and that you have included the appropriate registration number in your application form.
We may have some questions about the information you provide, but you will normally be provided with a registration number (providing all relevant information has been provided to the Data Protection Office) within ten working days of submitting the form.
The period leading up to meetings of the UCL Research Ethics Committee is always very busy, and you should allow more time for your application to be processed. It is therefore very important to check in good time whether you need to register your project.
Further advice and guidance on Research Ethics at UCL is available from:
Researchers who are applying to the IOE Research Ethics Committee (IOE REC) follow a slightly different process but they are also required to ensure that it complies with data protection legislation, and gain approval from Legal Services.
Further advice and guidance on the IOE REC and the data protection registration process is available from:
- Information Governance and Research Facilitation
Researchers in the School of Life and Medical Sciences (SLMS) who work with sensitive data should be aware of and comply with the SLMS Information Governance Framework. Studies requesting data from the Health and Social Care Information Centre (HSCIC) may be required to submit an Information Governance Toolkit assessment. This is a requirement for Section 251 exemptions. In these cases, IT for SLMS can provide support and guidance on completing the IG Toolkit. More information about the SLMS IG Framework and supporting services can be found here:
Researchers should be aware of the distinction between identifiable, pseudonymised and anonymous data as there's often an assumption that the last two are equivalent.
Further information on anonymisation is also provided by SLMS:
Further information is also available from the Information Commissioner's Office anonymisation code of practice:
Copyright is a legal right that gives the control of original works for its use and distribution to the creator of the material. Copyright is therefore an important consideration for researchers who gather information during the life cycle of a research project. Ownership will often rest with the contributing research participants, rather than the researcher who are carrying out the activity.
In order to avoid the exploitation of the copyright owner’s material it is important that researchers seek advice before it is copied, reformatted or used. Further information is available at:
- Research amendments
We need to be notified of changes to your research which shall effect data protection compliance. Examples of the changes are that new personal data is collected, such as collecting contact details, ethnicity, religion, sexuality etc., more health data. Other changes might be that the data is to be shared with another organisation or with an organisation/researcher based in a country outside the EEA, or that personal data is going to be used for a new purpose e.g. further research.
- Studies requiring Health Research Authority Approval
Guidance from the MRC and HRA is currently awaited but preliminary reading suggest that the Data Controller ie UCL or UCLH will have many more legal obligations which will require new policies and processes.
UCL has published general information about data protection legislation on these web pages. Among other things these pages explain Privacy Notices, the importance of Data Holdings survey and provides general information in relation to consent. The pages will be updated regularly as implementation proceeds. In addition to this general information, research teams should be aware of the following:
- Genetic data eg DNA or RNA which can identify the individual is now unambiguously subject to the Data Protection principles.
- Data breaches must be reported in 72 hours.
- Particular types of research where the data subjects are vulnerable may require a Data Privacy Impact Assessment. This is formal process for documenting the nature of the processing, the proportionality and necessity of processing, the management the risks to the rights of data subjects and the views of data subjects or their representatives.
- There will be a requirement to insert relevant data protection legislation compliant clauses in all active contracts.
- The new accountability principle means that data controllers, eg UCL and UCLH, will be required to document compliance with the Regulation. This will require the creation of a register of personal data assets held, showing what personal data is collected, how it is used, how it is secured, if it is shared and how long it is retained.
- For research that is likely to result in a high risk to data subjects a Data Protection Impact Assessment will be required. This is formal process for documenting the nature of the processing, the proportionality and necessity of processing, the management the risks to the rights of data subjects and the views of data subjects or their representatives.
- Depending on the risk to data subjects, there may be a requirement to insert relevant GDPR compliant clauses in all active contracts.
- Data Protection Impact Assessment
- Research with Children: Guidance on Data Protection Issues
The guidance paper below provides an overview of the key points to consider from a data protection perspective in relation to research projects involving children, focusing on the following topics:
- the ‘legal bases’ under data protection law for processing children’s personal data;
- data protection rules in relation to children’s consent;
- what information must be provided to children before their data is processed; and
- the new principle of ‘accountability’ set out in data protection legislation.
It has been produced to assist researchers to comply with their obligations under the General Data Protection Regulation (GDPR) and the new UK Data Protection Act 2018.