XClose

Office of the Vice-Provost (Strategy)

Menu

Working with data

If you are working with data there are policies and processes in place that you might need to consider

This guidance relates to UCL's business data.  For academic research data you should visit the Research Data Management site.

How do I find the data I need?

Business data is divided up into Data Domains and Data Sub-domains.  You should consult the accountability matrix to determine where the data you need sits.

If you are looking for data outside of your immediate business area your first point of contact should be the relevant Senior Data Steward.

They can advise on the data you need for your purpose, how to access the data, any policies that are in place for its use, and any known limitations of the data.

You should note that datasets can cross over more than one Data Domain/Sub-Domain (e.g. data on entry card access combined with data about the individual cardholders).

If you are unable to identify the data you need you should contact Data Governance who can advise.

Do I need approval to use data?

All business data has an assigned Data Owner.  They are accountable for its use.  You should seek their permission to use the data if this isn’t currently in place (Senior Data Stewards should be able to advise whether there is already permission for someone in your role to access the data).

If you are working with data about individuals (personal data) you need to consider whether you need a Data Protection Impact Assessment (DPIA).  You can use the DPIA screening questions provided by Data Protection.

If you need to complete a DPIA the Information Owner should be the senior person responsible for the use of the data.  The Data Owner will need to sign off any DPIAs.

If you are planning to ingest data from one system into another this will usually involve a Solution Architect creating a design document.  This will need to be reviewed to check it aligns with UCL’s data integration strategy.  Ingestion methods will need to be checked with Information Security Group who can test the security of the systems involved.  You can contact them by raising a ticket through MyServices.

How should we share and store data?

How data should be treated is determined by its classification.  Guidance on this can be found in the Information Management Policy.

Unless data is classified as ‘Public’ it will need security measures applied.  It is safest to share data through a method such as a restricted Teams site (email is not a secure way to send or receive data).  Such data can be kept in an area which requires single sign-on or is password protected, and not on personal devices.  Data may need to be restricted to a limited number of people as agreed with the Data Owner.

Data should not be kept for longer than it is needed.  You should have a plan in place for archiving or deleting data after a certain period of time.  UCL’s retention schedule gives information on when certain types of data should be deleted.  If you are unsure you should contact the Data Owner.

Can I publish reports that use the data?

You should seek permission from the Data Owner before sharing any reports or results of data analysis.  They may ask that the audience be restricted, or that statistical methods, such as suppressing small numbers, be applied.

What if I still have questions?

Please contact Data Governance who will be happy to advise.

Find out more about the Data Governance team.