UCL - DOC by Levone



                              UNIVERSITY COLLEGE LONDON
                               DATA PROTECTION POLICY

             Endorsed by the Information Strategy Committee, 27 November 2008

                                          21 October 2008

University College London is required by law to comply with the Data Protection Act, 1998. It is the
commitment of UCL to ensure that every current employee and registered student complies with this
Act to ensure the confidentiality of any personal data held by UCL, in whatever medium. This Act
came into force on 1st March 2000.

The Data Protection Act 1998, [the Act], covers all personal data held on electronic systems and on
all forms of media (including, but not limited to paper, microfilm and electronic media).

1. Introduction

In order to ensure that UCL continues to comply with the Act, this version of the Policy will become
effective from 28 November 2008, and will replace all previous versions of this policy including the
latest published version of November 2003.

UCL needs to keep certain information about its employees, students, and other users of UCL
facilities for business purposes, to allow it to monitor performance, achievements and health and
safety, for example. As a Research Institution, UCL also needs to keep information on individuals
who are the subjects of research projects. To comply with the law, information must be collected and
used fairly, stored safely and not disclosed to any other person unlawfully. To do this UCL must
comply with the 8 Data Protection Principles which are set out in the Act. In summary these state that
personal data shall be:

   1. Processed fairly and lawfully and shall not be processed unless certain conditions are met.
   2. Obtained for specified and lawful purposes and not further processed in a manner
      incompatible with these purposes
   3. Adequate, relevant and not excessive
   4. Accurate and where necessary kept up to date
   5. Kept for no longer than necessary
   6. Processed in accordance with data subjects‟ rights
   7. Protected by appropriate technical and organisational security, and
   8. Not transferred to a country or territory outside the European Economic Area, unless that
      country or territory ensures an adequate level of protection for the rights and freedoms of data
      subjects in relation to the processing of personal data.

UCL and all staff, students and others who process or use any personal information have a duty to
ensure that they follow these principles at all times. In order to ensure that this happens, UCL has
developed this Data Protection Policy. Any breach of the Data Protection Policy, whether deliberate
or through negligence, may lead to disciplinary action being taken, access to UCL facilities being
withdrawn, and even a criminal prosecution. Any questions or concerns about the interpretation or
operation of this policy should be taken up with the Data Protection Officer.

Staff and students also have obligations to inform UCL of changes to their personal information and
have rights to know about and to access information held on them by UCL.

2. Definitions and Roles

“Personal Data” is defined in the Act as data that relate to a living individual who can be identified
from those data; or from those data and other information which is in the possession of, or is likely to
come into the possession of, the data controller; and includes any expression of opinion about the
individual and any indications of the intentions of the data controller or any other person in respect of
the individual.

“Sensitive Personal Data” is defined in the Act as personal data consisting of information as to:
    The racial or ethnic origin of the data subject
    His/her political opinions
    His/her religious beliefs or other beliefs of a similar nature
    Whether he/she is a member of a trade union
    His/her physical or mental health or condition
    His/her sexual life
    The commission or alleged commission by him/her of any offence
    Any proceedings for any offence committed or alleged to have been committed by him/her, the
       disposal of such proceedings or the sentence of any court in such proceedings.

Note 1: the definition of health is considered broadly under the Act; it is not defined exhaustively but
includes preventative medicine, medical diagnosis, DNA sequences, medical research, provision of
care and treatment and the management of healthcare services.
Note 2: personal demographic data are also considered to be sensitive (e.g. home address, salary,
and bank financial details).

“Data Controller” is the person who (either alone or jointly or in common with other persons)
determines the purposes for which and the manner in which any personal data are, or are to be,
processed. University College London, as a corporate body, is the Data Controller under the Act, and
the College Council, as the governing body of UCL, is ultimately responsible for implementation.

“Data Protection Officer (DPO)” is the formal office for regulating and advising on the application of
the Data Protection Act. The Act covers the processing of personal data recognising that some data
is treated as „sensitive‟ data and is subject to special provisions surrounding the collection, storage
and access of such information. All personal information collected and stored in any form in an
organisation must be registered under the terms of the Act. The DPO has a policy remit in the
definition, management and dissemination of UCL personal data.

A “data holding” is a collection of one or more data sets that are being processed for permitted
purposes under the direction of a clearly identified member of UCL staff (the Data Owner).

“Data Owner” is the UCL member of staff with lead responsibility for permitting and managing the
retention and processing of a data holding for which UCL is the Data Controller. A Data Owner is
accountable for establishing and monitoring measures, in accordance with this policy and the
Information Security Policy, to protect any data holdings for which they are responsible, to ensure
that data holdings are registered and to ensure that any transfer to third parties is authorized, lawful
and uses appropriate, safe transport mechanisms (e.g. strong encryption).
“Data Custodian” is the individual unit or person identified by the data owner to be responsible for the
collection, creation, modification and deletion of the specified personal data element(s).

3. The Data Protection Officer and the Departmental Coordinators

3.1 The UCL Data Protection Officer is the named contact for the Data Protection Registrar (Email:
data-protection@ucl.ac.uk). The UCL DPO will ensure that the UCL Data Protection Registration is
kept up to date, based on information received from the Departmental Data Protection Coordinators.
The UCL DPO will inform the Data Protection Coordinators of any changes or amendments to the
Act, and advise them on the implementation of the Act. The UCL DPO shall investigate reported
losses of personal information, calling upon technical support as needed.

3.2 The Head of Department of each Institute, Department, and all other academic or administrative
units of UCL is responsible for their department‟s compliance with the Data Protection Act and for
ensuring that the personal data held by their department is kept securely and used properly, within
the terms of the Act.

3.3 Each Institute, Department, and all other academic or administrative units of UCL shall appoint a
Departmental Data Protection Coordinator, to whom, in the first instance, enquiries relating to the
holding of personal data should be referred.

3.4 Each Departmental Data Protection Coordinator is delegated the responsibility to take reasonable
steps to ensure that the personal data held by their department is kept securely and used properly,
within the terms of the Act. This includes:
     Informing the Data Protection Officer of the types of personal data held in their department,
        and any changes or new holdings.
     Ascertaining that appropriate technical and organisational measures are taken within their
        department to ensure against unauthorised or unlawful processing of personal data and
        against accidental loss or destruction of, or damage to, such data, in accordance with the UCL
        information security policy (http://ucl.ac.uk/cert/swg/policy.html).
     Keeping the Data Protection Officer informed of changes in the collection, use, and security of
        personal data within their department.
     Including in their regular returns, confirmation of compliance with the PCI Data Security
        Standard relating to the retention of any credit card payment records kept within their
        department (https://www.pcisecuritystandards.org/pdfs/pci_dss_v1-1.pdf)
     Reporting any loss of personal data to the Head of Department and the Data Protection

4. Staff and Student Responsibilities for Data Protection

4.1 All staff and students are responsible for ensuring that any personal data which they own,
manage, process or otherwise access, in whatever form (e.g. electronic, microfilm, paper, etc.), is
kept securely, in accordance with this policy, the UCL Information Security Policy
(http://ucl.ac.uk/cert/swg/policy.html) and the UCL Records Management Policy

Data owners must note the responsibilities listed in section 2, including the responsibility to ensure
that their personal data holdings are entered in UCL‟s registration either via the Annual Data
Holdings Survey or, for research projects, via the normal process for research registration; they
should contact the Departmental Data Protection Coordinator, in the first instance. This includes, but
is not limited to, personal data for such purposes as teaching, students, research, personnel records,
etc. Every Departmental Data Protection Coordinator has copies of the department‟s registration
details and should be consulted if a member of staff or student has any doubts about use of personal
data within the department. Staff and students have obligations as well as rights under the Act and
UCL‟s Data Protection Policy. Further advice may be obtained from the Data Protection Officer
(telephone ext. 32589; Email: data-protection@ucl.ac.uk).

4.2 Staff whose work includes responsibility for supervision of students have a duty to ensure that
students observe the eight principles of the Act.

4.3 Staff and students must ensure that they are familiar with the Data Protection Policy and must
comply with the requirements of section 10 (“Handling of personal data”). Any breach of the Data
Protection Policy, either deliberate or through negligence may lead to disciplinary action being taken,
or access to UCL facilities being withdrawn, and even a criminal prosecution.

4.4 All staff and students are responsible for ensuring that personal information is not disclosed orally
or in writing or otherwise, either accidentally or otherwise to any unauthorised third party.

5. Subject Consent to Processing Sensitive Information

5.1 In many cases UCL can only process personal data with the consent of the individual. In some
cases, if the data is sensitive, explicit consent must be obtained. Agreement to UCL processing some
specified classes of personal data is a condition of acceptance of a student onto any course, and a
condition of employment for staff.

5.2 UCL may ask for information about a person‟s health or disability in relation to their work or
standing. UCL may also ask for information such as a person‟s criminal convictions, ethnicity, sex,
and family details. This is to ensure that UCL is a safe place for everyone, or to operate other UCL
policies (such as the sick pay policy or equal opportunities policy) or to comply with legal obligations,
e.g. under the Children Act 2004.

5.3 Where information is considered sensitive, all prospective staff and students will be asked to give
a signed Consent to Process particular types of information when an offer of employment or a course
place is made. Offers of employment or course places may be withdrawn if an individual refuses to
consent to this, without good reason. (See form 3, Changes to personal information at

5.4 UCL policy relating to monitoring of computer and network usage and how it relates to UCL data
protection policy can be found at http://www.ucl.ac.uk/cert/swg/public/Monitoring.html

6. Publication of UCL Information

6.1 Information that is already in the public domain is exempt from the 1998 Act. It is the policy of
University College London to make public as much information about UCL as possible (see

6.2 Personal names, UCL telephone numbers, and Email addresses will be published in the public
directory on the UCL World Wide Web, unless the individual concerned registers with the Data
Protection Officer that they do not wish their personal details to be disseminated in this way. In that
case only post titles and UCL telephone numbers will be published. (See form 4, removal from
WebPages at http://www.ucl.ac.uk/efd/recordsoffice/data-protection/.)
Individuals finding their personal information on public UCL World Wide Web pages in contravention
of their registration should bring this to the attention of the Data Protection Officer in writing who will
arrange where applicable for the page(s) to be corrected.

6.3 Those responsible for producing pages on the World Wide Web for public access, whether for
general UCL information or for specific departments, are responsible for complying with instructions
from the Data Protection Officer, and will make all reasonable effort to ensure that any UCL individual
named on that page has not refused permission to publish their name and Email address.

7. Rights to Access Information

7.1 Notification to staff and students of data held and processed:
All data subjects including staff, students, and other users of UCL facilities are entitled to know:
 what personal information UCL holds and processes about them and why.
 how to gain access to it.
 how to keep it up to date.
 what UCL is doing to comply with its obligations under the 1998 Act.

A list of the types of personal information held about students by UCL will be given in the Student
Handbook. A list of the types of personal information held about staff by the Human Resources
Division will be given, on request, by that Division.

7.2 All data subjects including staff, students, and other users of UCL facilities have the right to
access any personal data that is being kept about them. Any person who wishes to exercise this right
should make their request in writing, using the UCL “Request for Access to Personal Data” form and
forward it to the Data Protection Officer. The form must be accompanied by the fee of £10:00, which
is the UCL administration charge for this. UCL has discretion to waive the administration charge.
(See form 6, Request for personal information at http://www.ucl.ac.uk/efd/recordsoffice/data-

7.3 UCL aims to comply with requests for access to personal information as quickly as possible, but
will ensure that it is provided within 40 days unless there is a good reason for delay. In such cases,
the reason for delay will be explained in writing to the data subject making the request.

8. UCL Records Management Policy and Retention of Data

8.1 The Records Management Policy (http://www.ucl.ac.uk/efd/recordsoffice/policy/), which was
confirmed as an UCL Policy in 1999, applies to all administrative records and any research data,
whatever their format. All Institutes, Departments and Schools within UCL are expected to consult the
Records Manager before disposing of non-current records.

8.2 UCL keeps some forms of information for longer than others, in line with Financial, Legal, or
Archival requirements. A full list of retention periods is available from the Records Manager (email:

9. Obligations to keep UCL’s Information up to date

9.1 All staff are responsible for:
 Ensuring that any information that they provide in connection with their employment is accurate
   and up to date.
 Using systems provided by UCL to update personal data.
 Informing the Human Resources Division and their department of any changes to information
  which they have provided, e.g. changes of address.
 Informing the Human Resources Division of any known errors or changes.

9.2 All students are responsible for:
 Ensuring that any information that they provide in connection with their study is accurate and up to
 Using systems provided by UCL to update personal data.
 Informing the Registrar‟s Division and their department of any changes to information which they
   have provided, e.g. changes of address.
 Informing the Registrar‟s Division of any known errors or changes.

10. Handling of Personal Data

10.1 All staff and students involved in the use of personal data are strongly recommended to visit the
UCL Data Protection website (http://www.ucl.ac.uk/efd/efm_www/recordsoffice/dataprotection/) to
ensure they manage, process and use personal data to the required standards of UCL, and direct
any queries to their Departmental Data Protection Coordinator or contact the Data Protection Officer
at data-protection@ucl.ac.uk. Personal data holdings must be registered each year via the Annual
Data Holdings Survey.

10.2 Transfer of personal data to third parties must be authorized by the data owner, comply with the
data protection registration and must use safe transport mechanisms (e.g. strong encryption).

10.3 Downloading of any personal data onto mobile devices (such as laptops, mobile phones and
iPods), removable devices (such as USB drives, CDs, and DVDs), or any computer not owned by
UCL must be authorized by the data owner in writing. The data owner must confirm that the volume
and sensitivity of the data are proportionate to the business need. Downloaded data and any non-
anonymised data products must be strongly encrypted. The Computer Security Team will issue and
keep under review guidance on what constitutes an acceptable standard of encryption.

10.4 To avoid loss of encrypted data, an unencrypted copy of the data must be held in a secure

10.5 Data owners should consider whether remote access to UCL servers(s) using secure
connections offers a lower risk solution than downloading personal data.

10.6 All losses of personal data must be reported to the Departmental Data Coordinator and the UCL
Data Protection Officer.

10.7 Staff and students who are undertaking research projects using personal data must ensure that:
 Each research subject is informed of the nature of the research and consents to their personal
  information being used.
 Their departmental coordinator is informed of the proposed research before it begins, and ensures
  that UCL is licensed to undertake this kind of research.
 All information is kept securely in accordance with the UCL information security policy.

10.8 All research involving the use of personal data where the Principal Investigator, as the Data
Owner, is employed by UCL or involving any personal data held within UCL must be registered with
the UCL Data Protection Office.

It is the responsibility of the Principal Investigator to ensure that:
   The Data must be collected, stored and used in accordance with the Principles of the Act.
   Individuals must be asked for a signed consent to their data being processed for research. This
    consent should also cover the scope of the processing and any possible future distribution outside
   Data received from third party organisations should be anonymised before receipt or should be
    accompanied by a signed declaration from the Head of the organisation that it has been collected
    in accordance with the Act.
   Data to be shared with a third party organisation should, if possible, by anonymised before
   Un-anonymised Data should not be shared with a third party organisation unless the Head of the
    organisation provides a signed declaration undertaking to use the Data in accordance with the
   The Data Protection Officer must be informed of all agreements regarding the transfer of personal
    data, to ensure that they comply with the Act and the UCL Data Protection requirements.

Personal data used for research Projects must be stored and disposed of in accordance with the Act
and the UCL Records Management Policy (http://www.ucl.ac.uk/efd/recordsoffice/policy/).

10.9 Research Purposes Exemption:
Data collected fairly and lawfully for the purpose of one piece of research can be used for other
research, providing that the data used for the research does not identify the individual, or fresh
approval has been obtained from all participants in the research. Such data must not be processed to
support measures or decisions with direct consequences for the individuals concerned, or in a way
which is likely to cause substantial damage or distress to any data subject. Records of questionnaires
and contacts may be kept, in line with UCL Records Management Policy, in order that the data can
be revisited and/or reanalysed. This exemption is only applicable to academic research, and cannot
be used to provide information about a particular individual.

10.10 Incoming and Internal Post:
Items which are marked “Personal” or “Private and Confidential”, or which appear to be of a personal
nature, should be opened by the addressee only, or by that person‟s nominated representative.
Unless postal items are marked in this way they will be presumed not to contain confidential
information, as designated by the Data Protection Act (1998). Staff and students are discouraged
from using their UCL address for non-UCL matters.

10.11 Any member of UCL staff receiving a request for information from a representative of a law
enforcement agency (including requests supported by a warrant) should refer the request
immediately to the UCL Data Protection Officer. The DPO is best placed to check the validity of
warrants. Staff disclosing personal data may not be protected by an invalid warrant.

To top