Data protection legislation protects individuals' personal data by setting standards for the processing of this information and requiring those processing personal data to comply with these standards. Processing has a wide definition and in effect means any action involving data, including collecting, storing, consulting, amending, disclosing and destroying data.
UCL expects all staff and students who are using personal data to comply with the provisions of the data protection legislation. UCL Legal Services provides extensive guidance on the data protection legislation, the principles and the implications for researchers. This guidance can be found on the Legal Services website.
UCL Data Protection Policy and Registration
UCL's Data Protection Policy forms part of UCL's commitment to the safeguarding of personal data processed by its staff and students. Its objectives are:
- To help staff and students recognise personal data
- To help them understand their rights and obligations with respect to personal data.
One such obligation is that all research projects using personal data must be registered with Legal Services before the data is collected. The procedure for registering research projects can be found on the Data Protection Overview webpage.
Sharing data with third parties
During research, you may need to share data with third parties as part of your research project. The UCL Data Protection Team has written a guidance note to help researchers identify the key issues they need to consider where they are part of a research project that involves the sharing of data. It also sets out a standard approach which should be followed by all UCL departments when sharing data (including personal data) in the context of a research project.
Transfers of personal data outside the EEA
Data protection legislation prohibits the transfer of personal data to countries outside the European Economic Area (EEA) unless:
- The country in question has been deemed by the European Commission to provide an adequate level of protection for personal data; or
- One of the mechanisms set out in the legislation applies, e.g. where one of the 'appropriate safeguards' listed in data protection legislation has been put in place or a specific exception applies.
These restrictions are in place because countries outside the EEA are deemed not to provide an adequate level of protection for personal data. The restrictions and conditions ensure that appropriate protections are in place for that data. All staff and students who intend to transfer data outside of the EEA must comply with these conditions and must read and follow the UCL Guidance on Transferring Personal Data outside the European Economic Area.