In the section below you will find guidance notices to assist staff with GDPR preparations. These pages are being updated on a regular basis.
- Handling personal data responsibly
- Images and videos in relation to GDPR
This guidance covers the use of images of people, including photos and videos, for UCL’s own purposes. It applies to images already stored on UCL databases, as well as to images captured in the future. The use of images in the context of Lecturecast is also considered.
- Writing a privacy notice
The General Data Protection Regulation (GDPR) prescribes that you should be open and fair with individuals about what personal data you are collecting, for what purpose and for how long. You can do this through a ‘Privacy Notice’ (sometimes called a ‘Fair Processing Notice’ or ‘Information Sheet’).
- Actions to take for historical communications lists
- Data Protection Impact Assessment (DPIA)
- Guidance for researchers on the implications of the GDPR and Data Protection Act 2018
- Research with children: guidance on data protection issues
- Guidance on using 'legitimate interests' as a lawful basis for processing personal information
- Guidance on using 'Out of Office' messages and information rights requests
Under both freedom of information and data protection legislation, individuals have rights to information. On receipt of such requests, UCL must respond within tight timeframes to comply with the law. Requests that involve personal data are handled under the General Data Protection Regulations 2016 and Data Protection Act 2018 (‘data protection legislation’).
- Guidance on using email
- UCL statement on the use of 'Public Task' as a lawful basis for processing personal information
- Reporting a loss of personal data (data breach)
- Transfers of personal data outside the EEA
- Guidance for Supervisors on data protection where students are processing personal data
- Guidance for Researchers on Appropriate Safeguards under GDPR (2016) and DPA (2018)
This guidance note, designed to be read in conjunction with UCL’s ‘Guidance for Researchers on the Implications of the General Data Protection Regulation and the Data Protection Act 2018’ (Original Guidance), provides further information on the ‘appropriate safeguards’ that must be put in place where either:
- personal data;
- special categories of personal data; or
- personal data relating to criminal convictions or offences
are processed at UCL in a research context.
- Transparency and privacy notices for clinical research - compliance with data protection legislation
This advice is for Heads of Divisions, all Chief Investigators, Principal Investigators and Departmental Managers. It applies to Clinical Research projects in which UCL is sponsor and controller. You can read the full guidance here.
- Data protection by design
This document provides guidance to staff and students on the requirements imposed by data protection legislation in respect of ‘data protection by design and default’ (often referred to as ‘privacy by design and default’). You can read the full guidance here.
- Guidance on direct marketing at UCL
The term 'direct marketing' refers to the communication of advertising or marketing material which is directed to particular individuals.
This definition is wider than you might expect and covers any advertising, promotional or marketing material sent by UCL to a specific individual (who may be an employee of another organisation). You can read more about the guidance here.