Student and Registry Services


General Data Protection Regulations (GDPR)

12 April 2019

GDPR has been a hot topic for around a year now, and while I’m sure you’ve all completed the online training I thought that it may be useful to use the SRS newsletter to run through some basics that we all need to be aware of as part of our day to day work.

This month, I’ll be covering personal data and what to do in the event of a breach. If you have any questions, comments or if there is anything in particular that you would like me to cover, please let me know by emailing srs-compliance@ucl.ac.uk.

What is personal data?

Personal data is any information that identifies a living person. This applies to data that directly identifies a person (such as a name), and data that can indirectly identify a person (such as a National Insurance number).

Special category data is considered to be more sensitive than ‘standard’ data. It is information relating to one or more of the following:

  • racial or ethnic origin
  • political opinions;
  • religious or philosophical beliefs;
  • trade union membership;
  • genetic data;
  • biometric data;
  • health; or
  • a person's sex life or sexual orientation. 

What is a data breach?

A data breach affects the confidentiality, integrity or availability of personal data. This can include unauthorised disclosure or access to personal data, unauthorised alteration, destruction or loss of data. Not all breaches are the result of malicious or unlawful activity; they can be a mistake. Examples of data breaches include:

  • loss or theft of data or equipment on which data is stored, such as memory sticks and laptops;
  • inappropriate access controls allowing unauthorised use, i.e. giving staff members access to all data;
  • equipment failure;
  • human error;
  • hacking attacks; and
  • inadvertent disclosure. 

What do I do if I discover a breach?

If you discover a breach, this needs to be reported to the UCL Information Security Group (ISG) as soon as possible. To do this, you should fill in the Breach Reporting Form and send it to isg@ucl.ac.uk (please put [GDPR] in the subject line). You should also report any near misses even if a breach did not occur. 

If you are not sure if you should report an issue, speak to your line manager in the first instance. You can find more information on reporting a data protection breach on the Reporting a loss of personal data webpage.