The Data Protection Act 1998 (DPA) protects individuals personal data and sets the standards for the processing of this information. It does this by requiring those processing personal data to comply with the eight data protection principles. Processing has a wide definition and in-effect means any action involving data including collecting, storing, consulting, amending, disclosing and destroying data.
UCL expects all staff and students who are using personal data to comply with the provisions of the Act, including the eight principles that have to be applied by all those using personal data.
UCL Legal Services provides extensive guidance on the Act, the eight principles and the implications for researchers. This guidance can be found on the Data Protection & FOl page.
In addition, the Information Commissioner's Office (ICO) has a very helpful plain English guide (Guide to Data Protection) to the Data Protection Act 1998 that breaks down each principle and provides examples.
Data Protection Policy and Registration
UCL's Data Protection Policy forms part of UCL's commitment to the safeguarding of personal data processed by its staff and students. Its objectives are:
- To help staff and students recognise personal data
- To help them understand their rights and obligations with respect to personal data.
One such obligation is that all research
projects using personal data must be registered with Legal Services before the
data is collected. The procedure for registering research projects can be found on the Legal Services webpages.
US Safe Harbour Agreements
On 6 October the European Court of Justice ruled that US Safe Harbour Agreements were invalid. This means UCL cannot enter into any agreements that rely on Safe Harbour in order to transfer personal data to the US. Researchers with projects that require the transfer of personal data to the US, including via websites based within the US or transferring data to the US, should contact the Data Protection Team, email@example.com.
It is anticipated that Safe Harbour will be replaced by the EU-US Privacy Shield agreement in the coming months. Further information can be found on the Legal Service's Transfer of data overseas page.