Privacy notice

  1. Introduction

The Division of Medicine (“we” “us”, or “our”) respects your privacy and is committed to protecting your personal data.

Please read this Privacy Notice carefully – it describes why and how we collect and use personal data and provides information about your rights.  It applies to personal data provided to us, both by individuals themselves or by third parties and supplements the following wider UCL privacy notice(s):

We keep this Privacy Notice under regular review. It was last updated on 25/6/2021.

  1. About us

The Division of Medicine is part of the Faculty of Medical Sciences at University College London (UCL).

UCL, a company incorporated by Royal Charter (number RC 000631), is the entity that determines how and why your personal data is processed. This means that UCL is the ‘controller’ of your personal data for the purposes of data protection law.

  1. Personal data that we collect about you

Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).

We may collect, use, store and transfer different kinds of personal data about you. This may include:

  1. How we use your personal data

We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:

  • To manage our relationship with you.
  • To help you with your situation. Depending on the circumstances, this may include special category personal data.

Where the processing is based on your consent, you have the right to withdraw your consent at any time by contacting us using the details set out below. Please note that this will not affect the lawfulness of processing based on consent before its withdrawal.

We may also use anonymised data, meaning data from which you cannot be identified, for the purposes of:

  • Service evaluation;
  • Understanding issues in the Division.

Anonymised data may also be used in published reports.

  1. Who we share your personal data with

Your personal data will be collected and processed primarily by our staff and UCL (Access to your personal information is limited to staff who have a legitimate need to see it for the purpose of carrying out their job at UCL.). We may have to share your personal data with the parties set out below for the purposes outlined in section 4:

The police/social care services/local authorities/other similar bodies

There are certain circumstances in which UCL may provide information about the matters raised in a report, including personal data, to third parties such as the police and social care services. This may include providing personal data about you without your consent. Our duty of care guidance sets out how personal data may be shared in the following circumstances:

  • An allegation about behaviour by a staff member or student towards a student who is under the age of 18;
  • An allegation about behaviour by a staff member or student towards an adult at risk; or
  • An allegation about behaviour by a staff member or student towards another staff member or student over the age of 18.

UCL's consultants and professional advisors

Depending on the circumstances, UCL may need to share details of reports made with its consultants and other professional advisors, such as solicitors.
 
Courts and tribunals

In the event that a report results in legal proceedings being issued, UCL may share personal data with the relevant courts and tribunals

  1. Lawful basis for processing

Data Protection Legislation requires that we meet certain conditions before we are allowed to use your data in the manner described in this notice, including having a "lawful basis" for the processing. The basis for processing will be as follows:

  • Consent. You have given us your consent for processing your personal data.
  • Contract. The processing is necessary for the performance of a contract or in order to take steps prior to entering into a contract
  • Public task. The processing of your personal data may be necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in us [Note: read UCL’s Statement on Public Tasks to ensure that your processing falls within scope of this condition]
  • Legitimate interests. The processing of your personal data may be necessary for the purposes of the legitimate interests pursued by us or by a third party, except where such interests are overridden by your interests or by fundamental rights and freedoms which require protection of personal data [Note: read UCL’s guidance on legitimate interests]

For special category personal data, the following lawful bases for processing will be used:

Employment law obligations  We may also process certain special category data where this is necessary so that we can meet our obligations in the field of employment law.  Statutory and government purposes  We may process special category data in order to fulfil our duties under the Equality Act 2010.  Safeguarding of children and of individuals at risk  We may process special category data in order to safeguard children or individuals at risk.  Preventing or detecting unlawful acts  We may process special category data in order to prevent or detect an unlawful act.  Establishment, exercise or defence of legal claims  It may be necessary to process your special category personal data in relation to establishing, exercising or defending legal claims.  Consent  Where you have made a report and we cannot rely upon any other appropriate legal basis, we will generally seek to obtain your consent to the processing of your special category personal data.

  1. International transfers

We do not transfer your personal data outside the European Economic Area (EEA).

  1. Information security

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. We have established procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

  1. Data retention

We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.

We will keep your personal data according to the Records Retention Schedule.

  1. Your rights

Under certain circumstances, you may have the following rights under data protection legislation in relation to your personal data:

  • Right to request access to your personal data;
  • Right to request correction of your personal data;
  • Right to request erasure of your personal data;
  • Right to object to processing of your personal data;
  • Right to request restriction of the processing your personal data;
  • Right to request the transfer of your personal data; and
  • Right to withdraw consent.

If you wish to exercise any of these rights, please contact the Data Protection Officer.

Contacting us

You can contact UCL by telephoning +44 (0)20 7679 2000 or by writing to: University College London, Gower Street, London WC1E 6BT.

Please note that UCL has appointed a Data Protection Officer. If you have any questions about this Privacy Notice, including any requests to exercise your legal rights, please contact our Data Protection Officer using the details set out below:

Data Protection & Freedom of Information Officer

data-protection@ucl.ac.uk

  1. Complaints

If you wish to complain about our use of personal data, please send an email with the details of your complaint to the Data Protection Officer so that we can look into the issue and respond to you.

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) (the UK data protection regulator).  For further information on your rights and how to complain to the ICO, please refer to the ICO website.