Legal Services


Data Protection Legislation: Frequently Asked Questions

This page contains questions and answers which we have collated from our engagement with staff and departments in relation to data protection legislation (Data Protection Act 2018 and GDPR)


The Data Protection Legislation will affect every part of the University and every operation that involves personal data. UCL has put in place a pervasive Programme of work to ensure the organisation complies with the new legislation, but everyone has an individual responsibility to help with the compliance effort. We have compiled this set of FAQs to help you do that, you will see that it is split into ' for everyone' and ' for researchers' this is to guide you through the FAQs as some questions and answers are specifically for researchers only, FAQs for 'everyone' can be read by all staff, academics and researchers if applicable.

If you have any queries about the FAQs or feel that more should be added please feel free to raise your question here.  

For everyone

How is data protection changing?

Two new pieces of legislation are now law:

  1. General Data Protection Regulation 2016 (GDPR)
  2. Data Protection Act 2018


Together these will be referred to as ‘Data Protection Legislation’.

The new Data Protection Legislation will affect every part of the University and every operation that involves personal data. UCL has put in place a wide Programme of work to ensure the organisation complies with the new legislation, but everyone has an individual responsibility to help with the compliance effort. We have compiled this set of FAQs to help you do that.


Does Data Protection Act 1998 still apply from 25th May 2018?

The Data Protection Legislation will take effect on 25 May 2018 and replaces the current Data Protection Act 1998.

Why Data Protection Legislation?

Since 1995 new technologies - mobile devices, social media and pervasive use of the internet - have fundamentally changed the way we use personal data. The old 1995 EC Directive, upon which the Data Protection Act 1998 was based, has proved to be inadequate in terms of protecting personal data. Completely new legislation was required to meet the challenges that these new technologies posed.

What are the implications of the Data Protection Legislation for research and non-research data handling?

The Data Protection Legislation has implications for all data handling, including handling for research and non-research purposes. There are new requirements for how personal data is collected, processed, retained and destroyed. 

How is UCL addressing the implications of the Data Protection Legislation?

This will  be determined as part of the Compliance Assessment process. Returns will be analysed to see how personal data is processed, managed, stored, shared and retained. The Policy and Process workstream of the GDPR Programme will identify actions and recommend updates to both policy and process.

What can I do now?

Familiarise yourself with the Data Protection Legislation.
All staff are encouraged to visit the UCL GDPR website for further guidance. 

What do staff need to understand to be compliant under Data Protection Legislation?

Firstly, ensure you have successfully completed UCL’s information compliance training, eg:

Data Protection 

Information Security 

Freedom of Information  

Further steps can be found on the UCL GDPR website

What is the difference between a regulation and a directive in law?

A regulation is binding legislation that applies directly to all European Union (EU) member states. A directive sets out a legislative objective that all EU member states must achieve through their own national legislation. The GDPR is a regulation within EU law and it replaces a directive. However, this Regulation does allow Member States to legislate on data protection matters e.g. where the processing of personal data is required to comply with a legal obligation, is carried out by a body with official authority, or relates to a public interest task.

When does the GDPR NOT apply?

The GDPR does NOT regulate the collection and usage of the following data (by way of example and not exhaustive):

  • activities which fall outside the scope of EU law (e.g. activities concerning national security);

  • activities undertaken as part of a “purely personal or household activity”;

  • deceased persons;

  • non persons (e.g., corporations);

  • the data being processed is anonymous; e.g. does not relate to an identified or identifiable individual or rendered in such a manner that the data subject is not or no longer identifiable;

  • the organisation processing the data is located outside of the European Economic Area (EEA) and is not processing any personal data originating from within the EEA.

 Personal data

What does personal data mean?

It is any information relating to an identified or identifiable living person (known as a ‘data subject’). The ‘identifiable’ element to this definition makes it broad and covers direct identifiers such as names but also indirect identifiers like IP addresses or online tracking data. Further examples include, contact details, health data, national insurance number.

What does identifiable mean?

The term ‘identifiable’ broadens the scope of ‘personal data’. In practice, it means that names are not necessarily required in order to identify an individual.  and other factors may reveal information about them e.g. social, cultural, genetic, physical, an ID number, biometric data.  Context may also reveal information about an individual. 

Where a name is combined with other information, such as an address, a physical description or a job title, this is likely to clearly identify one individual.

If in doubt, err on the side of caution and consider it to be personal data or take advice from the Data Protection Office.

What does special category personal data mean?

This was called "sensitive" personal data under the DPA 1998. Stricter conditions apply to the processing (use) of this special category personal data than to ‘standard’ personal data. Note that genetic and biometric data has been added to the DPA 1998 definition. It is information relating to:

  • racial or ethnic origin
  • political opinions;
  • religious or philosophical beliefs;
  • trade union membership;
  • genetic data;
  • biometric data;
  • health; or
  • a person's sex life or sexual orientation.

Principles of GDPR

What are the seven principles of data protection under GDPR

1. Lawfulness, Fairness and Transparency
This means personal data should be processed lawfully, fairly and in a transparent manner in relation to the individual. The transparency and fairness provisions are usually met through privacy notices, which are explained in greater detail in the “Fair Processing?” FAQs below

2. Purpose Limitation
This means personal data should only be collected for specified, explicit and legitimate purposes and not be further processed in a manner that is incompatible with those purposes. You should specify the purpose in your privacy notice.

3. Data Minimisation
This means personal data should be limited to what is necessary in relation to the purpose for they are being processed, e.g. if you are only sending a newsletter by email, you will probably only need an individual’s name and email address.

4. Accuracy
This means that you should take reasonable steps to keep personal data up to date and ensure that personal data that is inaccurate, having regard to the purpose for which they are processed, are erased or rectified without delay.

5. Storage Limitation
This means personal data should be kept in a form which permits identification of data subjects for no longer than is necessary. This means you should decide how long it is necessary to retain information give the purposes that it was collected for and securely delete information when it is no longer needed for those purposes.

6. Integrity and Confidentiality
This means personal data should be processed in a manner that ensures appropriate security of that personal data, such as protection against unauthorised processing, accidental loss, destruction or damage.

7. Accountability
This means
that controllers shall be responsible for, and be able to demonstrate compliance with, the above six principles.

Processing personal data

What is "processing"?

Processing is any action performed on personal data from the point of creation to destruction and everything in between (e.g. obtaining, disclosing, amending, storing, deleting etc.).

What is fair processing and why is it important?

The first principle of the GDPR requires that you process all personal data lawfully, fairly and in a transparent manner.  Fairness means that you should only handle personal data in ways that people would reasonably expect and not use it in ways that have unjustified adverse effects on them.

Assessing whether you are processing information fairly depends partly on how you obtain it. In particular, if anyone is deceived or misled when the personal data is obtained, then this is unlikely to be fair.

So, with regard to lawfulness what has changed?

The requirement to have a lawful basis in order to process personal data is not new. The six lawful bases for processing are broadly similar to the old conditions for processing, although there are some differences, such as a wider scope for the ‘public task’ basis and a higher threshold for valid consent. You now need to review your existing processing, identify the most appropriate lawful basis, and check that it applies.

You can choose a new lawful basis if you find that your old condition for processing is no longer appropriate under the GDPR, or decide that a different basis is more appropriate. 

What are the lawful bases for processing?

The lawful bases for processing are set out in Article 6 of the GDPR. At least one of these must apply whenever you process personal data:

1. Consent: the individual has given clear consent for you to process their personal data for a specific purpose.  Consent must be unambiguous and it means genuine choice and control.  Because consent can be withdrawn at any time, you should only rely on consent if no other basis applies.
2. Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract, e.g. monitoring academic performance is necessary to perform the tuition contract with students.

3. Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations), e.g. providing information when requested to do so by regulatory bodies, disclosing information in response to a court order.

4. Vital interests: the processing is necessary to protect someone’s life.

5. Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law. 

6. Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (Public authorities like UCL cannot use this condition if the processing falls under 5. Public task above. You can rely on it for private tasks that do not fall under 5. Public task above, e.g. marketing or network security.)

What does "necessary" mean in the context of the lawful bases?

This means it must be a targeted and proportionate way of achieving the purpose [of processing]. The lawful basis will not apply if you can reasonably achieve the purpose by some other, less intrusive means.

How should you decide which lawful bases applies?

This depends on your specific purposes and the context of the processing. You should consider which lawful bases best fits the circumstances. You might consider that more than one basis applies, in which case you should identify and document all of them from the start. You can also use the ICO’s lawful basis interactive guidance tool

How do we document our lawful basis for processing personal data?

Privacy notices are the standard way to document the lawful basis for processing. You will also need to include other information in your privacy notice including the purposes for which you have obtained the personal data, the categories of recipient of that data (internal and external), the retention period, any overseas transfers and the individual’s rights. A full list of requirements is set out in Articles 13 and 14 or the GDPR.  Additional information needs to be provided when you receive personal data indirectly form a third party, e.g. the categories of personal data you hold and the source.

What happens if circumstances change?

If your purposes change over time or you have a new purpose which you did not originally anticipate, you may not need a new lawful basis as long as your new purpose is compatible with the original purpose.

However, the Data Protection Legislation specifically says this does not apply to processing based on consent. You need to either get fresh consent which specifically covers the new purpose, or find a different basis for the new purpose.

If you are processing special category personal data, you need to identify both a lawful basis for processing personal data and an additional lawful basis for special category condition as set out in  Article 9 of the GDPR. You should document both your lawful bases for processing and your special category condition so that you can demonstrate compliance and accountability.

Those bases include:

  • explicit consent;
  • employment law
  • vital interests;
  • information made public by the individual;
  • legal claims;
  • substantial public interest, 
  • preventative/occupational medical purposes,
  • public health,
  • research, provided there are safeguards and it is the public interest



If you are processing data about criminal convictions, criminal offences or related security measures, you also need both a lawful bases for processing, which are set out in the Data Protection Legislation and which are similar to the bases above.

You should document both your lawful bases for processing and your criminal offence data condition so that you can demonstrate compliance and accountability.

 Data protection impact assessment (DPIA, or PIA)

What is a Data Protection Impact Assessment (DPIA)

DPIAs (also known as privacy impact assessments or PIAs) is an assessment that is undertaken to identify potential areas of non-compliance and minimise risk.

The ICO has promoted the use of DPIAs as an integral part of taking a privacy-by-design approach (see below)

When do you need to conduct a DPIA?

You must carry out a DPIA when:

using new technologies; and the processing is likely to result in a high risk to the rights and freedoms of individuals. A DPIA should be undertaken before beginning any new “high-risk” processing activity, for example processing sepecial categories personal data or profiling activities. DPIAs are mandatory for the following:

(a) a systematic and extensive evaluations based on automated processing, including profiling,

(b) processing on a large scale of special categories of personal data

(c) CCTV or surveillance on a large scale

Some data-analytics technologies which monitor students’ access to learning resources in tandem with their academic performance may qualify for a DPIA.

What information should the DPIA contain?

A description of the processing activity and the purposes, including, where applicable, the legitimate interests pursued by the University. 

An assessment of the necessity and proportionality of the processing in relation to the purpose.

An assessment of the risks to individuals.

The measures in place to address risk, including security and to demonstrate that you comply.

The formal advice of the DPO.

The way a DPIA is conducted will depend on the proposed processing activity.

What happens if I do not conduct a DPIA when required?

Failure to adequately conduct a DPIA where appropriate is a breach of the data protection legislation and could lead to fines of up to 2% of an organisation's annual global turnover or €10 million – whichever is greater

Controller and Processor

What is a Controller?

A Controller is the legal person (i.e. the University), public authority, agency or other body which, alone or jointly with others, determines the purposes and means of processing of personal data.

What is a Joint Controller?

Where two or more controllers jointly determine the purposes and means of processing. Data protection legislation requires the joint controllers to enter into “an arrangement” that reflects their roles and relationships toward the data subjects. Whilst the word “arrangement” rather than contract is used, the reality is that this is likely to be done by way of a written data sharing agreement.

What is a Processor?

A Processor is a legal person, public authority, agency or other body which processes personal data on behalf of the Controller. Therefore, it is the Controller who engages the Processor. Examples include outsourced services such as organisations which conduct surveys of behalf the University, cloud services or translation services.

Why is this distinction important?

Controllers and Processors have different responsibilities and obligations, so it is important to know which one you are so that you know what you are responsible for.

Controllers are responsible for most aspects of compliance with the GDPR even when engaging a Processor to process personal data on their behalf.

Processors act only under the instructions of Controllers. They must keep personal data secure from unauthorised access, loss or destruction. If a Processor processes personal data, other than in accordance with the Controller’s instructions, they become a Controller.

Both the Controller and the Processor can be investigated by the ICO and fined.

Both the Controller and the Processor can be sued by the data subject and both can be held liable for the full amount of the damages.

What is the relationship between Controller and Processor?

Controllers are liable for compliance with data protection legislation and must only appoint processors who can provide ‘sufficient guarantees’ that the requirements of the data protection legislation will be met and the rights of data subjects protected. A Controller must only use a Processor providing sufficient guarantees that it has appropriate technical and organisational measure in place in respect of data protection. This means that you should conduct a due diligence exercise on any prospective service providers who may be acting as a Processor for you.

Processing must be governed by a written contract.

Processors must only act on the documented instructions of a controller. They will however have some direct responsibilities under data protection legislation and may be subject to fines or other sanctions if they don’t comply.

What does this written contract with Processors need to contain?

Contracts must set out as a minimum

  • the subject matter and duration of the processing;
  • the nature and purpose of the processing;
  • the type of personal data and categories of data subject; and 
  • the obligations and rights of the controller.

Contracts must also include as a minimum the following terms, requiring the processor to: 

  • only act on the written instructions of the controller;
  • ensure that people processing the data are subject to a duty of confidence;
  • take appropriate measures to ensure the security of processing;
  • only engage sub-processors with the prior consent of the controller and under a written contract; assist the controller in providing subject access and allowing data subjects to exercise their rights under the data protection legislation;
  • assist the controller in meeting its data protection legisaltion obligations in relation to the security of processing, the notification of personal data breaches and data protection impact assessments;
  • delete or return all personal data to the controller as requested at the end of the contract; and
  • submit to audits and inspections, provide the controller with whatever information it needs to ensure that they are both meeting their Article 28 obligations, and tell the controller immediately if it is asked to do something infringing the data protection legislation or other data protection law of the EU or a member state.

In the future, standard contract clauses may be provided by the European Commission or the ICO,  and may form part of certification schemes. However at the moment no standard clauses have been drafted.
Any contracts in place with Processors on 25 May 2018 will need to meet the new data protection legislation requirements.
You should therefore check your existing contracts with Processors to make sure they contain all the required elements. If they do not, you should get new contracts drafted and signed. You should review all template contracts you use.

International data transfer (personal)

What do we mean when we refer to an international transfer of personal data?

Personal data is considered to be transferred internationally when:

It is physically transferred across a border; or

It is accessed across borders.

Which borders should we be concerned about?

Transfers of personal data are not restricted within the EU. Transfers to other countries are prohibited unless such country provides “an adequate level of data protection” as determined by the European Commission or unless certain other conditions are fulfilled.

Which countries outside the EU are considered adequate?

Faroe Islands
Isle of Man
New Zealand
US - if the company is signed up to Privacy Shield - you can go on privacyshield.gov to check this.

Are there other options for international transfer of personal data?

Contractual safeguards:

  • Use of EU-approved Model Contracts between the Data Exporter and Data Importer
  • Binding Corporate Rules
  • Codes of Conduct and Certification – an external Controller or Processor may commit to a scheme approved at EU level.

If none of these options applies, you can transfer the personal data if:

  • you have the individual’s explicit consent;
  • the transfer is a necessary to enter into or perform a contract perform with the individual (e.g to provide a mandatory overseas placement);
  • the transfer is a necessary to enter into or perform a contract perform with another person/organisation for the benefit the individual (e.g. when the University takes out local insurance for students on overseas field trips); or
  • the transfer is necessary for legal proceedings/advice.

(This is not exhaustive).

Consider whether any of your arrangements necessitate the international transfer of personal data. If so:

  • Is that country considered adequate?
  • If not, is there a contractual safeguard is in place?
  • If not, can you rely on consent, contractual necessity etc.?

This should also be set out in your privacy notice.

Data protection by design and default (privacy by design)

What is privacy by design?

Privacy by design is an approach to projects that promotes privacy and data protection compliance from the start. Unfortunately, under the DPA 1998 these issues were often bolted on as an after-thought or ignored altogether. The current data protection legislation contains provisions to ensure privacy by design bakes data protection into new systems.
Under the data protection legislation, you have a general obligation to implement technical and organisational measures to show that you have considered and integrated data protection into your processing activities.
The University is required to implement appropriate technical and organisational measures to ensure data protection principles such as data minimisation are met.

What are appropriate technical and organisational measures?

Article 32 of the data protection legislation (GDPR) gives examples of "appropriate measures", as follows:

  • Pseudonymisation, i.e. using personal data in a way that minimises the opportunity for identifying individual e.g. by using ID codes;
  • Encryption;
  • The ability to ensure ongoing confidentiality, integrity, availability and resilience of processing systems and services;
  • The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
  • A process for regularly testing, assessing and evaluation the effectiveness of technical and organisational measures for ensuring the security of processing.
What is privacy by default?

The University must ensure that, by default, only personal data which is necessary for each specific purpose of the processing is processed. It relates to the amount of personal data collected, the extent of the processing, the retention period and who has access to it. In particular, personal data should not automatically be made accessible to an indefinite number of people without the individual’s intervention. By way of practical example: counselling records should be held on separate part of the University system and accessible only to relevant members of the counselling team.

The University must only process data to an extent that is necessary, and must only store data as long as necessary.

What should you do now?

Regularly assess privacy compliance, by, for example, conducting regular Data Privacy Impact Assessments (DPIAs).

The practical steps that need to be taken will depend on the likelihood and severity of the risks to privacy, the state of the art and the costs of implementation. 

Personal data breach

What is a personal data breach?

A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

Some examples include:

  • loss or theft of data or equipment on which data is stored, such as memory sticks and laptops;
  • inappropriate access controls allowing unauthorised use, i.e. giving staff members access to all data;
  • equipment failure;
  • human error;
  • hacking attacks; and
  • inadvertent disclosure. 
How can I prevent personal data breaches?

Complying with the requirements for privacy by design and default and conducting DPIAs where appropriate will help to prevent personal data breaches.

What should I do if a personal data breach occurs?

The Information Security Group (ISG) and The Data Protection Officer (DPO) are responsible for handling data breaches. If you believe there has been a breach of personal data you must notify ISG or (0)20 7679 7338 (internal 37338).
If the breach relates to electronic records you should also notify your local computer representative.To identify and assess the nature of the breach, you should provide ISG with the following information:

  • full details as to the nature of the breach;
  • an indication as to the volume of material involved;
  • the sensitivity of the breach; any timeframes that apply.


Contracts - what do I need to consider?

Most contracts will already include clauses which address data protection issues, but  it is highly likely that many contracts at the time they were completed would not have made provision for the possibility of the DPA 1998 being superseded, never mind the requirements of the new data protection legislation.

You should review your existing contracts which will still be live by the time the new data protection legislation is in force and check the data protection clauses within them. It is highly likely the clauses within these contracts will need to be updated to ensure that the data protection obligations reflect the data protection legislation requirements.

Equally, any contracts currently being negotiated should contain provisions which incorporate the GDPR. Otherwise, you run the risk of breaching data protection legislation as soon as it applies.

For which contracts do I need to think about data protection legislation?

You need to consider data protection legislation when negotiating any contracts which involve the sharing of personal data between the parties or processing personal data generally; this will cover most contracts.

What do I need to think about in terms of contracts?

The type of clauses that you will need to add to the contract will depend on the relationship between the contracting parties.

They could be:

Controller to Controller
Controller to Processor
Processor to Sub-Processor


As mentioned in the FAQs “Controller vs Processor”, data protection legislation requires very specific provisions to be included in a written contract between a Controller and a Processor. 

You can contact the Data Protection Office if you require further assistance.



Information Asset Register (IAR)

What is an Information Asset Register

An Information Asset Register or IAR is a record of all the personal data stores that the University holds, as well as key stores of non-personal data.

  • helps the University meet its obligation under data protection legislation to have a good understanding of personal information it holds;
  • allows the University to answer subject access requests more quickly;
  • informs policy creation and process updates; and
  • allows the University to identify and manage any risks to personal data that it holds.

Example questions

Our current system (contact database and mailing lists) is being redesigned and we are unsure whether we have the correct consents for subscribers in place. We may also be processing special category personal data, like health information and ethnicity. What should we do?

As a first step you should complete a Data Privacy Impact Assessment (DPIA).

This will help inform the safeguards and protection that you should build in to your new system.

A key principle of Data Protection Legislation is data protection by design and default, which means planning for privacy at the very outset. The fact that you are taking this step is a good start.

To observe the accountability principle and requirement for recording processing activities it is important that you document the processes that you follow and demonstrate the safeguards you have put in place.

Our department wants to start using encrypted emails to send personal information to central HR. When would we be able to use encryption?

As part of the Policy and Process Workstream we are undertaking a review of UCL’s email policy and secure information handling processes to understand what steps could be taken to meet our compliance requirements whilst still meeting UCL’s business needs.

In the meantime follow guidance from ISD on encryption  

Ordinarily, you do not need to encrypt items you send to internal recipients. You should only use encryption after you have classified the information properly according to UCL’s Information Management Policy. This policy will help guide you on how to handle the information you have classified. You can use this this tool to help you with the classification process.

What webforms can I use to collect personal data?

You can use Microsoft Forms through UCLs Office 365 licence, as well as Opinio.  

The use of these tools is only one aspect of your GDPR requirements.  Ask yourself: what is the purpose of the data gathering, and what is the lawful basis? It is likely that this will fall under ‘Public Task’, but please check the table in the link to make sure that your tasks are covered.

You will probably need a local Privacy Notice too.

For researchers

What are the implications of the data protection legislation for research and non-research data handling?

The GDPR has implications for all data handling, including handling for research and non-research purposes. There are new requirements for how personal data is collected, processed, retained and deleted. More information about this can be found on our guidance page.  The guidance note has been compiled to provide an overview of data protection key points for researchers, in line with the General Data Protection Regulation (GDPR) and the new UK Data Protection Act 2018. 

How will these changes affect ongoing and new research?

UCL is focusing its compliance efforts on new data collection from 25th May 2018 onwards. For historical research data collection PIs will need to review their research and make a decision on whether it is high risk and then make decisions on issues such the need for reconsents, the use of pseudonymisation, the effectiveness of adequate safeguards already in place according to the risk.

If you feel that you have a high- risk study, then you should conduct a Data Privacy Impact Assessment (DPIA) as described below, and following on from that take decisions about how to protect the data that you have collected.

Can I use opt-out clause for consent in my research?

For UCL ethically-approved research, the lawful basis for processing personal data will be 'public task' rather than 'consent'. It may be that researchers get consent from participants for ethical purposes, e.g. to confirm an individual's participation in a study, or perhaps to meet their obligations under the common law duty of confidentiality, but it will not be the lawful basis for processing under Data Protection Legislation.

While consent to participate in a project that is obtained for ethical purposes must be fully informed and freely given, in addition to meeting other requirements, researchers do not therefore need to obtain consent that meets the high standards set out in the GDPR, which is:

'any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data'.

Given the above, in the context of research and subject to ethical approval ‘opt out’ consent is often acceptable.