Legal Services


Guidance notices for UCL staff

In the section below you will find guidance notices to assist staff with GDPR preparations. These pages are being updated on a regular basis.


Handling personal data responsibly

The GDPR applies to ‘personal data’, meaning any information relating to an identified or identifiable person. This guidance provides definitions of the types of personal data and explains how to handle them.

Images and videos in relation to GDPR

This guidance covers the use of images of people, including photos and videos, for UCL’s own purposes. It applies to images already stored on UCL databases, as well as to images captured in the future. The use of images in the context of Lecturecast is also considered.

Writing a privacy notice

The General Data Protection Regulation (GDPR) prescribes that you should be open and fair with individuals about what personal data you are collecting, for what purpose and for how long. You can do this through a ‘Privacy Notice’ (sometimes called a ‘Fair Processing Notice’ or ‘Information Sheet’).

Actions to take for historical communications lists

This guidance note is the first step that staff should take in reviewing their historical communications (mailing) lists.

Data Protection Impact Assessment (DPIA)

Data Protection Impact Assessment (DPIA) is a process to help you identify and minimise the data protection risks of a project. This must be carried out before the project begins.

Guidance for researchers on the implications of the GDPR and Data Protection Act 2018

This guidance note has been compiled to provide an overview of data protection key points for researchers, in line with the General Data Protection Regulation (GDPR) and the new UK Data Protection Act 2018. 

Research with children: guidance on data protection issues 

This guidance provides an overview of the key points to consider from a data protection perspective in relation to research projects involving children.

Guidance on using 'legitimate interests' as a lawful basis for processing personal information

This guidance applies to UCL employees who are looking to process personal data, i.e. information relating to an identified or identifiable living person, and are looking for a lawful basis to do so.

Guidance on using 'Out of Office' messages and information rights requests

Under both freedom of information and data protection legislation, individuals have rights to information. On receipt of such requests, UCL must respond within tight timeframes to comply with the law. Requests that involve personal data are handled under the General Data Protection Regulation 2016 and the Data Protection Act 2018 (‘data protection legislation’).

Guidance on using email

This guidance has been produced to help you to ensure the proper and efficient use of UCL’s email service. Following these recommendations helps UCL comply with new data protection legislation and assists you to manage your email more effectively.

UCL statement on the use of 'Public Task' as a lawful basis for processing personal information 

Where UCL processes personal data in connection with the carrying out of tasks in the public interest in its capacity as a public authority, UCL may rely on the 'public task' ground as its lawful basis for processing that personal data.

Reporting a loss of personal data (data breach)

A personal data breach can be broadly defined as a security incident that has affected the confidentiality, integrity or availability of personal data. In short, there will be a personal data breach whenever any personal data is lost, destroyed, corrupted or disclosed; if someone accesses the data or passes it on without proper authorisation; or if the data is made unavailable, for example, when it has been encrypted by ransomware, or accidentally lost or destroyed. 

Transfers of personal data outside the EEA

This note explains the restrictions applicable to transfers outside the EEA and the steps that UCL staff must take in order to ensure that any transfers comply with data protection law. It is designed to be read in conjunction with the other data protection guidance available on our website.

Guidance for Supervisors on data protection where students are processing personal data

Where students at UCL process personal data as part of their studies (whether they are undergraduates or post-graduates), UCL will be the controller of that personal data. UCL therefore has obligations in respect of that data under data protection legislation, i.e. the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA 2018).

Guidance for Researchers on Appropriate Safeguards under GDPR (2016) and DPA (2018)

This guidance note, designed to be read in conjunction with UCL’s ‘Guidance for Researchers on the Implications of the General Data Protection Regulation and the Data Protection Act 2018’ (Original Guidance), provides further information on the ‘appropriate safeguards’ that must be put in place where either:

  • personal data;
  • special categories of personal data; or
  • personal data relating to criminal convictions or offences

are processed at UCL in a research context.

Transparency and privacy notices for clinical research - compliance with data protection legislation

This advice is for Heads of Divisions, all Chief Investigators, Principal Investigators and Departmental Managers. It applies to Clinical Research projects in which UCL is sponsor and controller. You can read the full guidance here.

Data protection by design

This document provides guidance to staff and students on the requirements imposed by data protection legislation in respect of ‘data protection by design and default’ (often referred to as ‘privacy by design and default’). You can read the full guidance here.

Guidance on direct marketing at UCL

The term 'direct marketing' refers to the communication of advertising or marketing material which is directed to particular individuals.

This definition is wider than you might expect and covers any advertising, promotional or marketing material sent by UCL to a specific individual (who may be an employee of another organisation). You can read more about the guidance here.