UCL needs to show that confidential information is handled responsibly and safely. This guide gives UCL research staff and students details on how you deal with data during, and after, your research.
UCL's research is among the best in the world: by total number of full-time equivalent staff rated of world-leading quality, it ranks third overall in the UK, after Oxford and Cambridge. Competitively won research grants and contracts account for more than a third of UCL's income.
In order to maintain this success, continue attracting a high level of research funding and maintain the trust of research participants and the organisations which provide us with vital data, UCL needs to show that its research staff and students handle confidential information responsibly and safely.
All research staff and students should follow the all-staff guidance on handling personal and other sensitive information. This guide is addressed more specifically to you and how you deal with data during - and after - your research. If you have any comments or concerns, you are invited in the first instance to contact Colin Penman, UCL Records Manager.
All research using personal data needs ethical approval to ensure that the research conforms to general ethical principles and standards. There are two main routes for ethical approval at UCL:
- The UCL Research Ethics Committee approves research involving healthy volunteers, vulnerable groups and certain other categories.
- The UCL / UCLH / Royal Free Joint Research Unit (JRO) is responsible for the clinical research portfolio: research involving NHS patients and those who do not have capacity to consent to participate in research, clinical trials of drugs and medical devices, and human tissue. The JRO's Standard Operating Procedures (SOPs) should be followed.
Regardless of who is responsible for ethical approval, all research using personal data must be registered with the UCL Data Protection Officer before any collection of data begins. The DP Officer's pages also provide important guidance on compliance with the Data Protection Principles.
Creating and organising research data
You will need to make a great many decisions about your data before you start to create or obtain it. The UCL Research Data Policy provides a framework to help researchers manage their data to facilitate data quality, access and legal and ethical compliance. Many funding bodies also require recipients to comply with their own data management requirements. These are summarised by the Digital Curation Centre. You should also follow UCL guidance on Open Access.
You should consider what file formats you will use for your data, bearing in mind sharing and long-term preservation needs: you may need to convert your formats for future access. Formats that are more likely to be accessible in the longer term will use standard representation (ASCII, Unicode) and be open / non-proprietary. They will not be encrypted or compressed. Examples of formats preferred over more popular proprietary standards include PDF/A, ASCII and TIFF rather than, respectively, MS Word, MS Excel and GIF or JPG. The UK Data Archive provides further information about formats.
Retention and disposal of records
The UCL Retention Schedule prescribes how long records should be held (this is currently in draft form, but will shortly be issued as UCL policy). Section 1.4 deals specifically with research records, including clinical trials and studies funded by the MRC.
When research has ended, hard copy records which must be retained should be sent to the UCL Records Office. This is the only approved place of deposit for UCL's administrative and research records. Where clinical trial records are concerned, the Records Office accepts only:
- UCL Trial Master Files
- UCL Site Files
- Site Files from UCLH NHS Foundation Trust, Royal Free London NHS Foundation Trust or Whittington Hospital NHS Trust where the Chief Investigator holds a substantive or honorary contract with UCL.
JRO SOPs for the content of trial files and archiving should be followed where applicable. Sponsors' requirements for retention take precedence over UCL's rules, in which case archiving costs should be included in the full economic costing early in the approval process.
For records which need to be destroyed, hard copy confidential waste, CDs and DVDs must be disposed of via UCL Estates. For hard drives, and destruction of electronic media in general, consult the Computer Security Team's guidance.
Protecting NHS data
If you use identifiable patient information for your research, you should use anonymised or pseudonymised data wherever possible. However, where identifiable data is absolutely required, you must take care to follow your Trust's information governance policies and procedures, especially those concerned with ICT security and information risk, as well as the JRO's SOPs. Section 10 of the UCL Data Protection Policy deals specifically with research.
Identifiable data held by NHS Trusts may not be:
- Held outside Trust systems without the specific approval of your Trust's Information Governance Manager and / or Caldicott Guardian
- Copied to portable devices, unless approved or supplied by the Trust's IM&T / information governance function, using approved encryption software
- Stored on PC hard drives (the 'C' drive)
- Transmitted by email except within nhsmail.
Remote access to NHS systems must always be via equipment owned and controlled by the relevant Trust, enabled by a virtual private network.
You must not attempt to circumvent NHS institutional firewalls by using remote desktop software such as GoToMyPC, and you must not connect or download data to your own mobile device, including smartphones.
No identifiable data should be stored with 'cloud' providers.
Losses of personal and other sensitive data must be reported to your Departmental Data Protection Coordinator and the UCL Data Protection Officer. Security-related incidents should also be reported to the Computer Security Team. If NHS equipment and / or data are involved, you should use the local incident reporting and investigation procedure and report to the local risk team. Loss or unauthorised disclosure of information, or failure to report it, or to follow the above guidance, may be treated as a disciplinary matter, up to and including gross misconduct.