Office of the Vice-President (Strategy)


Transparency, Security & Privacy


Our customers have told us that, in principle, all management information should be made open and transparent. This is because insight can be gained from comparative management information that allows users to learn from others. We recognise, however, that there may be exceptions. For example, we are legally required to restrict access to certain datasets, especially data concerning individuals (for example student and staff records).  


We are conscious of the need to restrict access to sensitive data to appropriate audiences. This means:

  • We will ask for confirmation of your job role and need when you request access to dashboards containing sensitive data.
  • We agree with data owners how the data is visualised for dashboards which include their data, and we agree with data owners which groups of staff are able to access those dashboards.
  • Dashboards are categorised as open access or restricted.  Access to individuals is managed by adding users to the appropriate AD group.
  • We carry out Data Protection Impact Assessments whenever we work with new personal data in Tableau or in our IDW.

Responsibilities in using Management Information

In requesting access to management information and the Tableau reports, you agree that you:

1. Are familiar with UCL's Data Protection Policy.

2. Have completed the Data Protection Training, accessed via the training site.

3. Have completed UCL Information Security Awareness training, accessed via the training site.

4. Will not download data from a dashboard unless it is required to perform your role.  Any downloaded data must be
    stored securely, not shared without permission from the data owner, and deleted when no longer needed.

5. Are familiar with any additional data retention policies which exist in your department.

The Data and Insight Service complies with all requirements with regards to data protection, freedom of information and privacy. A complete description of these legal requirements is available on the UCL Legal Services website.

As some data in the Tableau reports may be confidential and may include individualised staff or student information, you must ensure compliance with UCL's approaches to handling sensitive data as outlined in UCL's Information Security Policy (password protected).

General Data Protection Regulation (GDPR)

The General Data Protection Regulation legislation came into effect in May 2018. The GDPR has changed the way in which organisations, like UCL, collect, use and transfer personal data.

GDPR legislation has affected the provision of the Data & Insight service from May 2018. The service will consider the different types of processing it carries out as part of its activities, to ensure compliance.

Whilst the Data & Insight service can still rely on consent as a legal basis to process personal data, a data subject must be given an easy way to withdraw it. Consent must still be 'explicit' for the processing of sensitive data, renamed 'special category' data under GDPR. A data controller will need to demonstrate that such consent has been given.

More information concerning how GDPR legislation affects UCL is available on the UCL Legal Services website.


Contact the Data & Insight team