Privacy and data protection FAQs

Version 1: Applicable from: 28 September 2021

 

Contents

What is data protection?

What are the General Data Protection Regulation (GDPR) and Data Protection Act 2018 (DPA 2018)?

What is a Privacy Notice?

Is the Privacy Notice likely to change?

What is a Data Controller?

Who are the Data Controllers?

What is a Data Protection Officer (DPO)?

How can I contact the DPO?

What is the lawful basis for processing my data?

What data do you hold about me?

Do you collect information about me from other sources?

Why do you need to know about “Stable Contacts”?

Why do you ask questions about my partner and other members of my family?

How will my information be used?

Who receives my personal data?

How do I use my individual information rights?

How long will it take to receive copies of my information if I make a data subject access request?

How do I withdraw from the study?

What happens to my data if I withdraw from the study?

Is my personal data transferred to other countries?

How do you keep my data secure?

How long will you hold my data for?

How do I make a complaint?

What are cookies?

Which cookies does the study participant site use?

How do I change my cookie permissions?


 

What is data protection?

Data protection means treating information about people fairly and using it properly according to the law.  We are committed to handling your data lawfully, fairly and responsibly. We process your data with the GDPR data protection principles in mind:

  • Lawfulness, fairness and transparency
  • Purpose limitation (where exemptions do not apply)
  • Data minimisation
  • Accuracy
  • Storage limitation (where exemptions do not apply)
  • Integrity and confidentiality (security)
  • Accountability

 

What are the General Data Protection Regulation (GDPR) and Data Protection Act 2018 (DPA 2018)?

The DPA 2018 and the UK GDPR are data protection laws in the UK. These laws include principles, rights and obligations which apply when we process your data. The EU GDPR (General Data Protection Regulation (EU) 2016/679) and the DPA 2018 came into force on 25 May 2018. The DPA 2018 replaces the Data Protection Act 1998. The DPA 2018 was changed on 01 January 2021 to reflect that the UK left the EU. The UK GDPR came into effect on 01 January 2021. The UK GDPR is based on the EU GDPR. Further information about the DPA 2018 and UK GDPR is available at: https://www.legislation.gov.uk/ukpga/2018/12/contents.

 

What is a Privacy Notice?

The UK GDPR and DPA give you rights over your personal data including the ‘right to be informed’. This right means that when you agree to be part of the study, we must provide you with the necessary information about how the information that you give to the study will be used. We do this in the study privacy notice: https://nextstepsstudy.org.uk/home/privacy/privacy-notice/.

 

Is the Privacy Notice likely to change?

Yes. We review the privacy notice and the FAQs when we do a new survey and update them if we change how we process your data.

 

What is a Data Controller?

A Data Controller decides how and why to collect your data and what to do with the data when it’s collected. The data controller is responsible for ensuring that your data is processed lawfully.

 

Who are the Data Controllers?

UCL is normally the Data Controller of the data that you give to the study. For specific projects, which you agreed to take part in, other organisations may also be Data Controllers.

We will tell you who is the Data Controller in the information that we give you before you take part in a project or survey and in the FAQs about specific surveys.

 

What is a Data Protection Officer (DPO)?

A Data Protection Officer (DPO) is a position set out in the UK GDPR and DPA 2018. The DPO provides advice and monitors how we process your data to ensure that we process your data lawfully.

 

How can I contact the DPO?

You can contact the DPO with any concerns that you may have about the way that we process your study data. UCL’s DPO can be contacted at: data-protection@ucl.ac.uk or Data Protection Officer, UCL Gower Street, London WC1E 6BT.

 

What is the lawful basis for processing my data?

The DPA 2018 and UK GDPR say that we must have a reason as specified in law for processing your personal data.

As Data Controller, UCL decides the lawful basis for using your data.

The lawful basis for processing your personal data (GDPR Article 6(e)) is summarised as ‘public task’. This applies where the processing of personal data:

 ‘Is necessary in order to perform a task in the public interest, which is laid down by law, or in the exercise of official authority laid down by law’.

The reason for processing your sensitive or ‘special categories of personal data’ (GDPR Article 9(j)), in addition to the ‘public task’, is summarised as: ‘archiving purposes in the public interest, scientific or historical research purposes or statistical purposes…’. This applies when:

‘Processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject’.

UCL’s ‘statement of tasks in the public interest’ explains more about the reason for using the public task lawful basis: https://www.ucl.ac.uk/legal-services/sites/legal-services/files/ucl_statement_of_tasks_in_the_public_interest_-_august_2018.pdf.

This statement says that public task is the lawful basis for processing your data because UCL is carrying out tasks in its capacity as a public authority when it carries out research. Research for the study is carried out in the public interest with the aim of contributing to public policy.

 

What data do you hold about me?

The data that we hold about you includes:

Information that you share with us during surveys:

  • Sensitive / special category personal data (e.g., sensitive data that you may have given us during surveys such as information about your health or a biological sample).
  • Biological samples: such as a saliva sample during the Age 32 Survey (if you agreed to give samples).
  • Digital copies of questionnaires and consent forms: completed by you and your family, including information collected by other organisations that managed the study before us.

Information from the data that you share with us during surveys:

  • Pseudonymised research data: This includes research data from all of the study surveys, sensitive data and linked data. The information that would identify you is removed from this data before it is deposited at data services (e.g., UK Data Service). This data is accessed by researchers under secure access and licence arrangements.
  • Research data from your survey answers: We hold sensitive research data and other research data that could potentially identify you. This data is separated from your contact details and held securely under restricted access arrangements.

Information about you received from other organisations:

  • Linked data: based on permissions that you gave in the Age 25 survey (to link health and education records to your survey data). We may also link other data to your survey data based on insights from your post code or about the school you attended. Your pseudonymised study data will be contributed to the UK Longitudinal Linkage Collaboration (UK LLC) if you have given permission for your health records to be linked and didn’t withdraw from the ZOE app.
  • Contact tracing: information from the records of government departments. These are used to update your record if we are told that you have moved to a new house or died.

Information received when you use our website (e.g., from cookies or similar technologies).

 

Do you collect information about me from other sources?

Yes. With your permission, we link data from the administrative records of Government Departments and agencies to the records that you and your family members have given to the study as part of our linked data programme. Administrative records are created when you interact with these agencies (e.g., receive a salary or benefits or pay taxes).

We may also link other data to your survey data based on insights from your post code or about the school you attended.

 

Why do you need to know about “Stable Contacts”?

We ask you to give us contact details for your partner (if you have one) and someone who you don’t live with (e.g., a relative, a neighbour, a friend) so that we can get in touch with them if we are unable to contact you directly (e.g., if you’ve moved to a new house). We refer to these people as ‘Stable Contacts’. We only hold the contact details of these other people for that purpose, and this is the only reason we would contact them. You should tell your family members that you have shared their personal information, including contact details, with us. If they are not happy about this then either you or they can contact us, and we will delete this information.

 

Why do you ask questions about my partner and other members of my family?

Our surveys often include questions about your partner, parents, children and other people who you may live with. This is important because family circumstances have a huge impact on people’s lives.  We ask for some personal information relating to family members including names. This is so that in later surveys we can refer back to them and ask if their circumstances have changed.  We will not include any information that could allow your partner or other family members to be identified in the data made available to researchers.

 

How will my information be used?

Table 1 summarises the data that we hold about you and how it will be used:

 

Table 1: Summary of the data that we hold for the study and how it will be used

Data we hold: Contact details and personal information: name, sex, date of birth, address, email address, telephone numbers, National Insurance number (if known), NHS number/ID (if known) and study ID (study-specific pseudonymised identifier).
Data use:

  • To invite you to take part in surveys
  • To keep in touch with you and send you information about the study (sometimes, we do this via external service providers)
  • To keep a record of your participation in the study or of your withdrawal of consent
  • To keep a record of any comments, compliments, complaints or individual information rights requests that you make of us and how we acted on these
  • To keep your records accurate and up to date
  • To add information to your study record for research purposes

Data we hold: Survey answers and sensitive data from surveys.
Data use: To research the areas that affect your life and your generation.

Data we hold: Biological samples (e.g., saliva from the Age 32 Survey).
Data use: To process your samples to produce data and research into health and genetics.

Data we hold: Research data from the study/surveys including:

  – Pseudonymised data from the data linkage programme (including data received from NHS organisations, government departments, Student Loans Company, research and statistics organisations, databanks,
  – Legacy data

Data use:

  • To produce data for research, statistical and archiving purposes with the aim of contributing to public policy and service planning.
  • To produce pseudonymised research data to share with the research community.
  • To communicate our research.

Data we hold: Publicly available information from social media (where we have your social media handle), internet searches, directories and databases.
Data use: To try to get in touch with you where we have lost touch. The social media tracing we are doing involves us searching for participants on social media to see if we can find other contact details which we will then use to try and get in touch. Social media is only one way we will do this – we’ll also use Google searches, directories and databases.

Data we hold: Questionnaires and consent forms.
Data use: For archiving purposes – to keep a record of you as a study member. For research purposes.

Data we hold: Cognitive test result.
Data use: For research, statistical and archiving purposes.

Data we hold: Information from cookies and similar technologies.
Data use: To understand how you engage with the study site and improve your experience of the site.

 

Who receives my personal data?

 Our service providers such as survey services

Other organisations may receive your data when they provide us with services such as mailing and survey services.  Kantar conducted the COVID-19 Surveys. Ipsos MORI are conducting the Age 32 Survey.

Trusted Research Environments

If you agree, we send your biological samples to accredited laboratories that store and process your samples for genetic research.

Other Data Controllers for research purposes

If you agree, we share your contact details and personal information with government agencies so that we can link data from their records to your study data.

 The research community

Many researchers from around the world analyse data from the study under secure arrangements.

Your pseudonymised study data is shared securely with researchers and organisations that we collaborate with for research purposes. Researchers can apply to CLS Data Access Committee (DAC) for:

  • CLS to do extra linkages of data from external sources to your survey data.
  • data that has not been deposited at a data store or which is held in non-digital formats.
  • special licence data deposited at a data store.

 Data stores

 Pseudonymised survey responses (including responses to sensitive survey questions) are put together with other research data (e.g., linked data) and securely deposited at data stores. This research data is made available to the research community under secure access arrangements.

Organisations that we communicate our research to

Pseudonymised survey responses may be used in communications about the research and study data. Other people will not be able to identify you through your responses.

 

How do I use my individual information rights?

In certain circumstances, the DPA 2018 and UK GDPR give you rights over your study data:

  1. The right to withdraw consent
  2. The right to be informed
  3. The right of access (known as a ‘subject access request’)
  4. The right to rectification
  5. The right to erasure
  6. The right to restrict processing
  7. The right to data portability
  8. The right to object
  9. Rights in relation to automated decision making and profiling.

You can contact us to make an individual rights request (e.g., to ask for a copy of the survey data that you have given to the study) at any time:

Call:  0800 977 4566
Email: nextsteps@ucl.ac.uk
Post: Next Steps, Centre for Longitudinal Studies, UCL Social Research Institute, 20 Bedford Way, London WC1H 0AL

 

How long will it take to receive copies of my information if I make a data subject access request?

We normally respond to a request from you to access your personal information within 1 month. Please note that like many organisations, we have had to change our working arrangements during the COVID-19 pandemic. Please bear in mind that there may be a delay in responding to any postal requests that you make. We thank you for your patience and continued cooperation at this time.

 

How do I withdraw from the study?

You have the right to withdraw from the study at any time. You can withdraw from the study as a whole, from just a particular survey, from having your biological samples processed, or from the records linkage programme. If you send us a request to withdraw from the study, we would be grateful if you could specify what your withdrawal request covers so that we know what to do with the data that we already hold.

If you want to withdraw from the study, you can contact us at:

Call:  0800 977 4566
Email: nextsteps@ucl.ac.uk
Post: Next Steps, Centre for Longitudinal Studies, UCL Social Research Institute, 20 Bedford Way, London WC1H 0AL

 

What happens to my data if I withdraw from the study?

If you withdraw from the study, information which the study collected about you before we received your request will be kept and will continue to be used for research purposes where the law allows us to do this.

Is my personal data transferred to other countries?

Your contact details are only shared outside of the European Economic Area (EEA) where appropriate contractual arrangements are in place. Pseudonymised research data are shared with researchers and research organisations from across the world.

 

How do you keep my data secure?

We respect that you have donated your data to the study. We are committed to treating your data confidentially and keeping it secure. The following measures are in place to keep your data secure:

Research Ethics Committees

All research projects involving personal data are scrutinised and approved by a research ethics committee to ensure that our research is carried out to ethical standards.

Independent registration and standards

As part of UCL, we:

  • Are included in UCL’s Data Protection Registration by the Information Commissioner’s Office (ICO). Our registration number is:
  • Meet the standards of the NHS Digital Data Security and Protection Toolkit (DSPT) when we process your data in UCL’s secure Data Safe Haven.
  • Process your digitally held data within UCL’s Data Safe Haven which is covered by UCL’s active ISO27001

Governance and accountability

The following people, committee and group ensure that we process your data appropriately:

Information Asset Owner (IAO)

The CLS Managing Director is also Information Asset Owner (IAO) and is accountable to the UCL Senior Information Risk Owner (SIRO) for ensuring risks associated with processing personal data at CLS are properly managed. The IAO is supported by other roles across CLS who help ensure that participant data are processed according to relevant laws and standards.

CLS Data Access Committee (DAC)

Access to CLS research data is controlled by the DAC. Further information about DAC is available here: https://cls.ucl.ac.uk/wp-content/uploads/2017/02/CLS_DAC_Terms_of_Reference.pdf.

CLS IG Steering Group (CLS IG SG)

CLS IG SG is chaired by CLS’ Managing Director and attended by representatives from across CLS. This group meets regularly to oversee information governance and data protection issues at CLS.

Security measures

The following security measures help keep your data secure:

  • UCL Data Safe Haven: Your contact details and personal information and your survey data are held in this secure database and processed by separate teams.
  • Access restricted to specialist teams: Your data is managed by experienced teams who are all trained to keep your data confidential. The Cohort Maintenance Team deals with your identifiable information such as contact details. The Research Data Management Team manages information from survey responses. The CLS Records Manager holds secure scanned copies of your original questionnaires and consent forms in our scanned and physical archives.
  • Data classification: We assess and classify our research data before sharing it with the research community. This ensures that you are not identified in any of the research data that we share with researchers or data stores. Further information is available at: https://cls.ucl.ac.uk/wp-content/uploads/2017/02/CLS_Data_Classification_Policy.pdf
  • Aggregation, encryption and pseudonymisation: Survey responses and linked data are grouped together with data about other participants. We do this so that your responses cannot be traced to you individually when we deposit this information at data stores. We also use security methods such as encryption when transferring your data outside of UCL. We pseudonymise your data before it is shared for research purposes. This means that we remove the things that would identify you (such as your name or address) from the survey responses that you provide.
  • Contracts with third parties: These ensure that your data is treated lawfully when third parties provide services to us (e.g., mailing or surveys or records linkage). These organisations are also required to hold appropriate registrations and certifications.
  • Physical security: We process and store any physical documents containing data that would identify you securely in locked rooms.
  • Transfer of data outside of the EEA: We put contracts in place and check that there are safeguards in place to keep your data safe before we send your data outside of the UK. 

Policies, procedures and training

All CLS staff are required to follow UCL’s data protection and Information Security Policies.

  • Training: All staff must complete approved information security and GDPR training which tells them how to protect your data.

Risk management

We ensure that any risks to your data are documented, assessed and managed:

  • Data Protection Impact Assessments: CLS completes Data Protection Impact Assessments (DPIAs) in line with UCL policy. We do DPIAs to ensure that data flows are recorded, your individual rights are considered, and plans are put in place to minimise any risks to your data.
  • Information Governance Risk Register: The CLS IG risk register is reviewed regularly, and risks are escalated to the UCL Senior Information Risk Owner (SIRO) as necessary.
  • Data breaches: Our data breach guidelines ensure that any data breaches are identified to the CLS Information Governance and Data Protection Officer and reported to UCL ISG immediately, in line with UCL policy.

How long will you hold my data for?

The study seeks to understand your life journey and your generation. Therefore, we’ve not set a time limit for how long we will keep all your study data. We plan to keep the data for as long as the study exists, provided the law allows us to. We will review the data that we hold whenever we receive an individual rights request from you. Further information on how long we keep records for is included in the UCL records retention schedule: https://www.ucl.ac.uk/library/about-us/records-office/records-retention.

 

How do I make a complaint?

If you wish to raise a complaint, you can contact us at:

Call:  0800 977 4566
Email: nextsteps@ucl.ac.uk
Post: Next Steps, Centre for Longitudinal Studies, UCL Social Research Institute, 20 Bedford Way, London WC1H 0AL

If, after contacting us, you are still concerned about how your personal data is being processed, you can contact the UCL Data Protection Officer at: data-protection@ucl.ac.uk. We hope that we will be able to resolve any complaints that you may have. You have the right to complain to the ICO – the independent regulator which upholds information rights in the UK. Further information about making complaints to the ICO is available at: https://ico.org.uk/make-a-complaint/your-personal-information-concerns/.

 

What are cookies?

CLS and our third-party service providers use cookies and similar technologies. When you visit the study page, it sends a cookie to your device. Cookies are small text files of information which are placed on your device when you use our sites. Cookies are used to:

  • recognise you when you use the site;
  • improve your experience;
  • analyse how you use the study pages;
  • collect web-behaviour;
  • gather information about site users (such as internet protocol address); and
  • provide security.

 

Which cookies does the study participant site use?

 

How do I change my cookie permissions?

You can also manage your cookie preferences on your device. This is usually done by selecting the options available in the ‘cookies and site permissions’ option in the settings menu.

Find out how to manage cookies on popular browsers:

 

This document was last updated on:  28 September 2021.


