In the section below you will find guidance notices to assist staff with GDPR preparations. These pages are being updated on a regular basis.
- Handling personal data responsibly
- Images and videos in relation to GDPR
The General Data Protection Regulation (GDPR) prescribes that images and video recordings of individuals constitute personal data, and therefore falls within the GDPR; however, determining whether personal data is in images is not always clear-cut. Thus, the taxonomy of ‘crowds, small groups and individuals’ is used in this guidance note to differentiate scenarios.
- Writing a privacy notice
The General Data Protection Regulation (GDPR), prescribes that you should be open and fair with individuals about what personal data you are collecting, for what purpose and for how long. You can do this is through a ‘Privacy Notice’ (sometimes called a ‘Fair Processing Notice’ or ‘Information Sheet’).
- Actions to take for historical communications lists
- Data Protection Impact Assessment (DPIA)
- Guidance for researchers on the implications of the GDPR and Data Protection Act 2018
This guidance note has been compiled to provide an overview of data protection key points for researchers, in line with the General Data Protection Regulation (GDPR) and the new UK Data Protection Act 2018.
- Research with children: guidance on data protection issues
- Guidance on using 'legitimate interests' as a lawful basis for processing personal information
- Guidance on using 'Out of Office' messages and information rights requests
Under both freedom of information and data protection legislation individuals have rights to information. On receipt of such requests, UCL must respond within tight timeframes to comply with the law. Requests that involve personal data are handled under the General Data Protection Regulations 2016 and Data Protection Act 2018 (‘data protection legislation’).
- Guidance on using email
This guidance has been produced to help you to ensure the proper and efficient use of UCL’s email service. Following these recommendations helps UCL comply with new data protection legislation and assists you to manage your email more effectively.
- UCL statement on the use of 'Public Task' as a lawful basis for processing personal information
Where UCL processes personal data in connection with the carrying out of tasks in the public interest in its capacity as a public authority, UCL may rely on the 'public task' ground as its lawful basis for processing that personal data.
- Reporting a loss of personal data (data breach)
A personal data breach can be broadly defined as a security incident that has affected the confidentiality, integrity or availability of personal data. In short, there will be a personal data breach whenever any personal data is lost, destroyed, corrupted or disclosed; if someone accesses the data or passes it on without proper authorisation; or if the data is made unavailable, for example, when it has been encrypted by ransomware, or accidentally lost or destroyed.
- Transfers of personal data outside the EEA
This note explains the restrictions applicable to transfers outside the EEA and the steps that UCL staff must take in order to ensure that any transfers comply with data protection law. It is designed to be read in conjunction with the other data protection guidance available on our website.
- Guidance for Supervisors on data protection where students are processing personal data
Where students at UCL process personal data as part of their studies (whether they are undergraduates or post-graduates), UCL will be the controller of that personal data. UCL therefore has obligations in respect of that data under data protection legislation, i.e. the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA 2018).
- Guidance for Researchers on Appropriate Safeguards under GDPR (2016) and DPA (2018)
This guidance note, designed to be read in conjunction with UCL’s ‘ ’ (Original Guidance), provides further information on the ‘appropriate safeguards’ that must be put in place where either:
- personal data;
- special categories of personal data; or
- personal data relating to criminal convictions or offences
are processed at UCL in a research context.
- Transparency and privacy notices for clinical research - compliance with data protection legislation
This is advice is for Heads of Divisions, all Chief Investigators, Principal Investigators and Departmental Managers. It applies to Clinical Research projects in which UCL is sponsor and controller. You can read the full guidance here.
- Data protection by design
This document provides guidance to staff and students on the requirements imposed by data protection legislation in respect of ‘data protection by design and default’ (often referred to as ‘privacy by design and default’). You can read the full guidance here.