Version 5: Applicable from: 25 June 2024
What are the General Data Protection Regulation (GDPR) and Data Protection Act 2018 (DPA 2018)?
Is the Privacy Notice likely to change?
What is a Data Protection Officer (DPO)?
What is a lawful basis for processing data?
What data do you hold about me?
Do you collect information about me from other sources?
Why do you need to know about “Stable Contacts”?
Why do you ask questions about my partner and other members of my family?
Who receives my personal data?
How do I withdraw from the study?
Who receives my personal data?
How do I use my individual information rights?
How long will it take to receive copies of my information if I make a data subject access request?
How do I withdraw from the study?
What happens to my data if I withdraw from the study?
Is my personal data transferred to other countries?
How do you keep my data secure?
Which cookies does the study participant site use?
How do I change my cookie permissions?
Data protection means treating information about people fairly and using it properly according to the law. The DPA 2018 and the UK GDPR are data protection laws in the UK. These laws include principles, rights and obligations which apply when we process personal data. These FAQs are for anyone whose data we use for the study. We use ‘you’ or ‘your’ in this document when referring to study cohort members.
The UK GDPR and DPA give people rights over their personal data including the ‘right to be informed’. We inform participants of how their data will be used in the study privacy notice.
Yes. We review the study privacy information when we do a new survey and update it if we change how we process study data.
A Data Controller decides how and why personal data are processed. The Data Controller is responsible for ensuring that this data is processed lawfully.
UCL is the Data Controller of the personal data given to the study. Further information on the history of the study is available here: https://nextstepsstudy.org.uk/home/about/history/. The study FAQs provide further information about other Data Controllers: https://nextstepsstudy.org.uk/home/faqs/.
A Data Protection Officer (DPO) is a position set out in the UK GDPR and DPA 2018. Further information about the services and support that the UCL Data Protection Team provides is available here: https://www.ucl.ac.uk/data-protection/reporting-breach-or-subject-access-request/contact-data-protection-team#our-services.
We have to have a valid reason in data protection law for processing study data. This is known as a ‘lawful basis’. The lawful basis for processing study data for research purposes at UCL is ‘public task’. UCL’s ‘statement of tasks in the public interest’ explains more about the reason for using the ‘public task’ lawful basis: https://www.ucl.ac.uk/legal-services/sites/legal_services/files/ucl_statement_of_tasks_in_the_public_interest_-_august_2018.pdf This statement says that public task is the lawful basis for processing study data because UCL is carrying out tasks in its capacity as a public authority when it carries out research. Research for the study is carried out in the public interest with the aim of contributing to public policy.
We seek your informed consent to be part of the study so that you know what to expect when you take part. However, we do not use UK GDPR consent as the lawful basis for using your data.
The ICO website provides further information about UK GDPR lawful bases.
Table 1 ‘who we share your data with’: https://nextstepsstudy.org.uk/home/privacy/privacy-notice/#share in the study privacy notice summarises the data that we hold for the study.
Yes, the study receives information from other sources including:
Information from government departments and agencies
Information from health records
We also link health data from Hospital Episodes Statistics (HES)/Emergency Care Data Set (ECDS) to the Next Steps survey data. Information from your health records will be made available to researchers via secure mechanisms such as the UK Data Service or similar organisations. Information that could identify you will be removed before it is shared via these organisations.
Please note that the NHS national data opt-out does not apply where we have your consent to link your health records to your survey data. ‘Adding other information’ in the study FAQs provides further information about the National Data Opt Out and how this applies for the consent for health linkages that you have given to the study.
Health records, combined with the information you have given us during the surveys will allow researchers to look in greater detail at what affects your health, including the factors that prevent or contribute to poor health, and how your health can affect other aspects of your life. This research will be available to policymakers seeking to improve services for you and other generations.
Information about where you live
We use your address (and previous addresses) to add information about where you live e.g., about the local environment, weather, pollution, and the facilities available.
We do not ask your permission to add this information because the data is not individual level information about you. Usually, this information is publicly available and adding this information does not require us to share any of your personal information with any other organisations.
However, if you would prefer that we don’t add any information about your area to your study record then please let us know by contacting us at:
Call: 0800 977 4566
Email: nextsteps@ucl.ac.uk
Post: Next Steps, Centre for Longitudinal Studies, UCL Social Research Institute, 20 Bedford Way, London WC1H 0AL
Other information
We also add other information, which is not about you individually, but is for example about the school or University that you went to.
We ask you to give us contact details for your partner (if you have one) and someone who you don’t live with (e.g., a relative, a neighbour, a friend) so that we can get in touch with them if we are unable to contact you. We refer to these people as ‘Stable Contacts.’ The ‘How we find you’ section (https://nextstepsstudy.org.uk/home/faqs/how-we-find-you/) of the study FAQs tells you the broad steps that we take to keep in touch with you and who we share your contact details with to update your record. In rare circumstances we may contact your stable contacts if someone tells us that you are at risk of harm.
Our surveys often include questions about your partner, parents, children, and other people who you may live with. This is important because family circumstances have a huge impact on people’s lives. We ask for some personal information relating to family members including names. This is so that in later surveys we can refer back to them and ask if their circumstances have changed. We will not include any information that could allow your partner or other family members to be identified in the data made available to researchers.
Our service providers
Other organisations may receive your data when they provide us with services such as mailing and survey services.
Survey agencies
Kantar conducted the COVID-19 Surveys. Ipsos conducted the Age 32 Survey.
International email, marketing automation, and customer engagement service providers
We use Dot Digital to send you emails about the study. In order to do this, we share your first name, email address, serial number with Dot Digital. Dot Digital will receive your IP address when you visit their site. Your survey responses are never sent to Dot Digital. You can unsubscribe from email newsletters at any time (information on how to do this is provided every time we send this information to you).
We also use Qualtrics, an online survey platform, to contact you and to ask you to provide information. In order to do this, we share your contact details with Qualtrics.
Biological laboratories
With permission, we collect biological samples from you which are then sent to accredited laboratories that store and process these samples for research.
Providers of ‘administrative’ data
With permission, we share contact details and personal information with government agencies so that we can link data from their records to study data.
The research community via safe data sharing platforms
Pseudonymised study data is made available for research purposes to the research community from around the world under secure access arrangements. Research data include survey responses as well as other research data such as linked administrative data, geographical information, and are either securely deposited at UK data sharing repositories called “Trusted Research Environments” (TREs) such as the Secure Lab at the UK Data Service, or the UK LLC, or released directly to the researchers following substantive data de-identification. Researchers based within UCL, where the study is run from, may be given access to the data via the highly secure UCL Data Safe Haven (DSH).
Access to research data is overseen by the CLS Data Access Committee (DAC): see terms of reference. Information about how researchers access data from the study, is described on the CLS website. Researchers can apply to CLS Data Access Committee (DAC):
Further information about how we make data available for research is available in the study frequently asked questions.
Organisations that we communicate our research to
Pseudonymised survey responses may be quoted in press communications about the research and study data. Other people will not be able to identify you through your responses unless you have agreed to reveal your name.
Public authorities and your stable contacts
In exceptional circumstances, your personal data may be shared securely with public authorities/your stable contacts, if something you tell us indicates that someone is at risk of harm.
Individual rights requests (e.g., ‘can I have a copy of the survey data that I’ve given to the study’) can be sent to us at:
Call: 0800 977 4566
Email: nextsteps@ucl.ac.uk
Post: Next Steps, Centre for Longitudinal Studies, UCL Social Research Institute, 20 Bedford Way, London WC1H 0AL
We normally respond to a request from you to access your personal information within 1 month.
You have the right at any time to withdraw from the study. You can withdraw from the study as a whole, or from just a particular survey, or from having your biological samples collected or from the records linkage programme. If you send us a request to withdraw from the study, we would be grateful if you could specify what your withdraw request covers so that we know what to do with the data that we already hold. If you want to withdraw, you can contact us at:
Call: 0800 977 4566
Email: nextsteps@ucl.ac.uk
Post: Next Steps, Centre for Longitudinal Studies, UCL Social Research Institute, 20 Bedford Way, London WC1H 0AL
Your contact details:
Your contact details will be removed from our mailing lists as well as the mailing lists of the external organisations we contract to carry out the study. We will not contact you again to ask you to participate in Next Steps.
We will, however, continue to securely store your contact details within the Centre for Longitudinal Studies (CLS) because this provides us with a record of your previous participation, along with your request to be permanently removed from the study. This will help us to ensure that we do not contact you again. If you have given us permission, then your contact details will also still be used by us to add information from administrative records held by government agencies (described below).
Your survey data:
The information you have given to the study over the years has been deposited in pseudonymised form at secure data sharing platforms including the UK Data Service and the UK Longitudinal Linkage Collaboration (UK LLC). Your pseudonymised data will continue to be made available to researchers via secure data sharing platforms unless you request for it not to be.
We will continue to store your information securely within the Centre for Longitudinal Studies (CLS). The survey data that you have given to Next Steps is important research data collected in the interest of the public. Our research findings are widely used to shape policy and practice.
Your biological samples:
If you have given us consent to store any biological samples you have provided for future analysis, these will continue to be stored. . The samples and data deriving from them will continue to be used for research unless you request for this to stop.
Information from administrative records held by Government departments and agencies:
If you have previously given consent for us to add information from administrative records held by government agencies such as the Department for Work and Pensions (DWP), HM Revenue and Customs (HMRC) and the National Health Service (NHS) to the data you have provided us during the surveys, we will continue to add information from these records unless you request us not to. Any data from these records which has already been obtained and deposited in pseudonymised form at data sharing platforms will continue to be made available for research purposes.
Mortality information from the NHS:
NHS England periodically informs us if study members have died. The files we receive from NHS England tell us when study members have died (month and year) and the cause of death.
Receiving this information helps us ensure we do not try to contact people who have died. We also use it for important research.
We will continue to receive this information if you withdraw from the study, unless you request that the data you have provided to the study is deleted. .
Information about where you live
We use your address (and previous addresses) to add information about where you live such as the local environment, weather, pollution, and the facilities available (e.g., shops and green spaces). The information that we add may be about your local area as a whole, your street or sometimes your specific address. We will continue to do this, using the information we hold about where you lived up to the point at which you stopped taking part in the study. More details about how we add information about where you live is available in the study frequently asked questions.
Pseudonymised research data are shared securely with researchers and research organisations from across the world. Biological samples are sent for analysis at laboratories outside of the UK under secure agreements.
We respect that you have donated your data to the study. We are committed to treating study data confidentially and keeping it secure. We keep study data secure when working on it, sharing it with other organisations or linking data to study records. The following measures are in place to keep this data secure:
Research ethics committees
Research projects involving personal data are scrutinised and approved by a research ethics committee so that our research is carried out to ethical standards.
Independent registration and standards
As part of UCL, we:
Governance and accountability
The following people, committee and group ensure that we process your data appropriately:
The CLS Managing Director is also Information Asset Owner (IAO) and is accountable to the UCL Senior Information Risk Owner (SIRO) for ensuring risks associated with processing personal data at CLS are properly managed. The IAO is assisted by other roles including CLS Information Asset Administrator, Records Manager and Archivist, and Information Governance and Data Protection Officer.
Access to CLS research data is controlled by the DAC. Further information about DAC is available in its terms of reference.
CLS IG SG, is chaired by CLS’ Managing Director and attended by representatives from across CLS. This group meets regularly to oversee information governance and data protection issues at CLS.
Security measures
The following security measures help keep your data secure:
Policies, procedures, and training
All CLS staff are required to follow UCL’s data protection and Information Security Policies.
Risk management
We ensure that any risks to your data are documented, assessed, and managed:
Data Protection Impact Assessments (DPIAs): DPIAs ensure that data flows are recorded, individual rights are considered, and plans are put in place to minimise any risks to data.
Information Governance Risk Register: The CLS IG risk register is reviewed regularly, and risks are escalated to the UCL Senior Information Risk Owner (SIRO) as necessary.
Data breaches: Our data breach guidelines ensure that any data breaches are reported to UCL ISG immediately, in line with UCL policy.
CLS and our third-party service providers use cookies and similar technologies. When the study page is visited, it sends a cookie to the device used to visit the page. Cookies are small text files of information which are placed on devices when our sites are used. Cookies are used to:
Find out more on our Cookies page.
Cookie preferences can be managed on personal devices. This is usually done by selecting the options available in the ‘cookies and site permissions’ option in the settings menu.
Find out more on our Cookies page.
Further information about the study is available in the study Frequently Asked Questions (FAQs).
We can be contacted at:
Call: 0800 977 4566
Email: nextsteps@ucl.ac.uk
Post: Next Steps, Centre for Longitudinal Studies, UCL Social Research Institute, 20 Bedford Way, London WC1H 0AL
If after contacting us, there are still concerns about how personal data is being processed, the UCL Data Protection Office can be contacted at: data-protection@ucl.ac.uk or Private and Confidential, Data Protection Officer, UCL Gower Street, London WC1E 6BT.
We hope that we will be able to resolve any complaints that there may be about the study.
Study members have the right to complain to the ICO – the independent regulator which upholds information rights in the UK. Further information about making complaints to the ICO is available at: https://ico.org.uk/make-a-complaint/your-personal-information-concerns/.
This document was last updated on: 25 June 2024