Privacy and data protection FAQs

Version 5: Applicable from: 25 June 2024

Contents

What are the General Data Protection Regulation (GDPR) and Data Protection Act 2018 (DPA 2018)?

What is a Privacy Notice?

Is the Privacy Notice likely to change?

What is a Data Controller?

Who are the Data Controllers?

What is a Data Protection Officer (DPO)?

What is a lawful basis for processing data?

What data do you hold about me?

Do you collect information about me from other sources?

Why do you need to know about “Stable Contacts”?

Why do you ask questions about my partner and other members of my family?

Who receives my personal data?

How do I withdraw from the study?

Who receives my personal data?

How do I use my individual information rights?

How long will it take to receive copies of my information if I make a data subject access request?

How do I withdraw from the study?

What happens to my data if I withdraw from the study?

Is my personal data transferred to other countries?

How do you keep my data secure?

What are cookies?

Which cookies does the study participant site use?

How do I change my cookie permissions?

Further information

How do I make a complaint?

Version Control

 

 

What are the General Data Protection Regulation (GDPR) and Data Protection Act 2018 (DPA 2018)?

Data protection means treating information about people fairly and using it properly according to the law. The DPA 2018 and the UK GDPR are data protection laws in the UK. These laws include principles, rights and obligations which apply when we process personal data. These FAQs are for anyone whose data we use for the study. We use ‘you’ or ‘your’ in this document when referring to study cohort members.  

 

What is a Privacy Notice?

The UK GDPR and DPA give people rights over their personal data including the ‘right to be informed’. We inform participants of how their data will be used in the study privacy notice. 

 

Is the Privacy Notice likely to change?

Yes. We review the study privacy information when we do a new survey and update it if we change how we process study data.  

 

What is a Data Controller?

A Data Controller decides how and why personal data are processed. The Data Controller is responsible for ensuring that this data is processed lawfully.

 

Who are the Data Controllers?

UCL is the Data Controller of the personal data given to the study. Further information on the history of the study is available here: https://nextstepsstudy.org.uk/home/about/history/. The study FAQs provide further information about other Data Controllers: https://nextstepsstudy.org.uk/home/faqs/

 

What is a Data Protection Officer (DPO)?

A Data Protection Officer (DPO) is a position set out in the UK GDPR and DPA 2018. Further information about the services and support that the UCL Data Protection Team provides is available here: https://www.ucl.ac.uk/data-protection/reporting-breach-or-subject-access-request/contact-data-protection-team#our-services  

 

What is a lawful basis for processing data?

We have to have a valid reason in data protection law for processing study data. This is known as a ‘lawful basis’. The lawful basis for processing study data for research purposes at UCL is ‘public task’. UCL’s ‘statement of tasks in the public interest’ explains more about the reason for using the ‘public task’ lawful basis: https://www.ucl.ac.uk/legal-services/sites/legal_services/files/ucl_statement_of_tasks_in_the_public_interest_-_august_2018.pdf This statement says that public task is the lawful basis for processing study data because UCL is carrying out tasks in its capacity as a public authority when it carries out research. Research for the study is carried out in the public interest with the aim of contributing to public policy.  

We seek your informed consent to be part of the study so that you know what to expect when you take part. However, we do not use UK GDPR consent as the lawful basis for using your data. 

The ICO website provides further information about UK GDPR lawful bases. 

 

What data do you hold about me?

Table 1 ‘who we share your data with’: https://nextstepsstudy.org.uk/home/privacy/privacy-notice/#share in the study privacy notice summarises the data that we hold for the study. 

 

Do you collect information about me from other sources?

Yes, the study receives information from other sources including: 

Information from government departments and agencies 

  • Information from administrative records held by Government departments and agencies: When you first joined the study, your parents gave permission to add information from your school records to the survey data. Next Steps has collected information about cohort members’ education and employment, economic circumstances, family life, physical and emotional health, and wellbeing, social participation, and attitudes. The Next Steps data has also been linked to National Pupil Database (NPD) records, which include the cohort members’ individual scores at Key Stage 2, 3 and 4. As part of the Age 25 Survey, we asked for your permission to add information from a number of other administrative records. As part of the Age 32 Survey, if you had not previously given your permission to add this information, we will ask your permission again.? These departments and agencies are trusted to keep your personal details secure. More about adding information to your record from other sources is available at: https://nextstepsstudy.org.uk/home/faqs/adding-other-information/ 
  • Information for our contact tracing activities We use information from the records of government departments, NHS, and contact details validation services to update your record to keep in touch with you. Further information is available at: https://nextstepsstudy.org.uk/home/faqs/how-we-find-you/ 

 

Information from health records 

  • Mortality information from the NHS: NHS England periodically informs us if study members have died, the date when they have died (month and year) and the cause of death. Receiving this information helps us ensure we do not try to contact people who have died. We also use it for important research. We do not ask your permission to use this information, even if you did not give us permission to access information from your NHS health records. However, in order to receive it we need to seek permission from the NHS Confidentiality Advisory Group (Section 251 of the NHS Act 2006) and from NHS England (Independent Group Advising on the Release of Data). We will also continue to receive the mortality information if you withdraw from the study, unless you request that the data you have provided to the study is deleted.
  • Information from NHS records will be added to your study data if you have given us permission to access your health records held by NHS. This NHS information covers a range of health records, such as outpatient, inpatient, emergency care and critical care data and mental health data. We will not send any of your survey responses to the NHS.
  • We are also adding information from your NHS health records to support research into COVID-19. This includes your COVID-19 test results, and your vaccination status. We are only doing this if you have given us permission to add information from your health records.
  • Information from your health records will be made available to researchers via secure mechanisms such as the UK Data Service or UK Longitudinal Linkage Collaboration (UK LLC) More information about UK LLC can be found via their website. Information that could identify you will be removed before it is shared via these organisations. 

We also link health data from Hospital Episodes Statistics (HES)/Emergency Care Data Set (ECDS) to the Next Steps survey data. Information from your health records will be made available to researchers via secure mechanisms such as the UK Data Service or similar organisations. Information that could identify you will be removed before it is shared via these organisations. 

Please note that the NHS national data opt-out does not apply where we have your consent to link your health records to your survey data. ‘Adding other information’ in the study FAQs provides further information about the National Data Opt Out and how this applies for the consent for health linkages that you have given to the study.

Health records, combined with the information you have given us during the surveys will allow researchers to look in greater detail at what affects your health, including the factors that prevent or contribute to poor health, and how your health can affect other aspects of your life. This research will be available to policymakers seeking to improve services for you and other generations. 

 

Information about where you live 

We use your address (and previous addresses) to add information about where you live e.g., about the local environment, weather, pollution, and the facilities available.  

We do not ask your permission to add this information because the data is not individual level information about you. Usually, this information is publicly available and adding this information does not require us to share any of your personal information with any other organisations. 

However, if you would prefer that we don’t add any information about your area to your study record then please let us know by contacting us at:  

Call: 0800 977 4566
Email: nextsteps@ucl.ac.uk
Post: Next Steps, Centre for Longitudinal Studies, UCL Social Research Institute, 20 Bedford Way, London WC1H 0AL 

 

Other information 

We also add other information, which is not about you individually, but is for example about the school or University that you went to.

 

Why do you need to know about “Stable Contacts”?

We ask you to give us contact details for your partner (if you have one) and someone who you don’t live with (e.g., a relative, a neighbour, a friend) so that we can get in touch with them if we are unable to contact you. We refer to these people as ‘Stable Contacts.’ The ‘How we find you’ section (https://nextstepsstudy.org.uk/home/faqs/how-we-find-you/) of the study FAQs tells you the broad steps that we take to keep in touch with you and who we share your contact details with to update your record In rare circumstances we may contact your stable contacts if someone tells us that you are at risk of harm.

 

Why do you ask questions about my partner and other members of my family?

Our surveys often include questions about your partner, parents, children, and other people who you may live with. This is important because family circumstances have a huge impact on people’s lives. We ask for some personal information relating to family members including names. This is so that in later surveys we can refer back to them and ask if their circumstances have changed. We will not include any information that could allow your partner or other family members to be identified in the data made available to researchers. 

 

Who receives my personal data?

Our service providers 

Other organisations may receive your data when they provide us with services such as mailing and survey services 

 

Survey agencies 

Kantar conducted the COVID-19 Surveys. Ipsos conducted the Age 32 Survey.  

 

International email, marketing automation, and customer engagement service providers 

We use Dot Digital to send you emails about the study. In order to do this, we share your first name, email address, serial number with Dot Digital. Dot Digital will receive your IP address when you visit their site. Your survey responses are never sent to Dot Digital. You can unsubscribe from email newsletters at any time (information on how to do this is provided every time we send this information to you).  

We also use Qualtrics, an online survey platform, to contact you and to ask you to provide information. In order to do this, we share your contact details with Qualtrics.  

 

Biological laboratories

With permission, we collect biological samples from you which are then sent to accredited laboratories that store and process these samples for research.  

 

Providers of ‘administrative’ data  

With permission, we share contact details and personal information with government agencies so that we can link data from their records to study data.  

 

The research community via safe data sharing platforms 

Pseudonymised study data is made available for research purposes to the research community from around the world under secure access arrangements. Research data include survey responses as well as other research data such as linked administrative data, geographical information, and are either securely deposited at UK data sharing repositories called “Trusted Research Environments” (TREs) such as the Secure Lab at the UK Data Service, or the UK LLC, or released directly to the researchers following substantive data de-identification. Researchers based within UCL, where the study is run from, may be given access to the data via the highly secure UCL Data Safe Haven (DSH). 

Access to research data is overseen by the CLS Data Access Committee (DAC): see terms of reference. Information about how researchers access data from the study, is described on the CLS website. Researchers can apply to CLS Data Access Committee (DAC): 

  • For secure access to sensitive or potentially disclosive research data  
  • For genetic data linked to survey data. 
  • For biological and DNA samples and: including for genotyping or for generation of new analytes (an analyte is a substance whose chemical parts are being identified and measured). The FAQs about giving a saliva sample provide more information about how we process your DNA. 
  • For CLS to do extra linkages of data from external sources to your survey data.  
  • For data that has not been deposited at a TRE or which is held in non-digital formats.  
  • For access to research data deposited in a UK Trusted Research Environment.  

Further information about how we make data available for research is available in the study frequently asked questions

Organisations that we communicate our research to 

Pseudonymised survey responses may be quoted in press communications about the research and study data. Other people will not be able to identify you through your responses unless you have agreed to reveal your name. 

 

Public authorities and your stable contacts 

In exceptional circumstances, your personal data may be shared securely with public authorities/your stable contacts, if something you tell us indicates that someone is at risk of harm.  

 

How do I use my individual information rights?

Individual rights requests (e.g., ‘can I have a copy of the survey data that I’ve given to the study’) can be sent to us at: 

Call:  0800 977 4566 

Email: nextsteps@ucl.ac.uk 

Post: Next Steps, Centre for Longitudinal Studies, UCL Social Research Institute, 20 Bedford Way, London WC1H 0AL

 

How long will it take to receive copies of my information if I make a data subject access request?

We normally respond to a request from you to access your personal information within 1 month.

 

How do I withdraw from the study?

You have the right at any time to withdraw from the study. You can withdraw from the study as a whole, or from just a particular survey, or from having your biological samples collected or from the records linkage programme. If you send us a request to withdraw from the study, we would be grateful if you could specify what your withdraw request covers so that we know what to do with the data that we already hold. If you want to withdraw, you can contact us at: 

Call: 0800 977 4566
Email: nextsteps@ucl.ac.uk
Post: Next Steps, Centre for Longitudinal Studies, UCL Social Research Institute, 20 Bedford Way, London WC1H 0AL 

 

What happens to my data if I withdraw from the study?

Your contact details: 

Your contact details will be removed from our mailing lists as well as the mailing lists of the external organisations we contract to carry out the study. We will not contact you again to ask you to participate in Next Steps.  

We will, however, continue to securely store your contact details within the Centre for Longitudinal Studies (CLS) because this provides us with a record of your previous participation, along with your request to be permanently removed from the study. This will help us to ensure that we do not contact you againIf you have given us permission, then your contact details will also still be used by us to add information from administrative records held by government agencies (described below). 

 

Your survey data: 

The information you have given to the study over the years has been deposited in pseudonymised form at secure data sharing platforms including the UK Data Service and the UK Longitudinal Linkage Collaboration (UK LLC). Your pseudonymised data will continue to be made available to researchers via secure data sharing platforms unless you request for it not to be. 

We will continue to store your information securely within the Centre for Longitudinal Studies (CLS). The survey data that you have given to Next Steps is important research data collected in the interest of the public. Our research findings are widely used to shape policy and practice.  

 

Your biological samples: 

If you have given us consent to store any biological samples you have provided for future analysis, these will continue to be stored. The samples and data deriving from them will continue to be used for research unless you request for this to stop. 

Information from administrative records held by Government departments and agencies: 

If you have previously given consent for us to add information from administrative records held by government agencies such as the Department for Work and Pensions (DWP), HM Revenue and Customs (HMRC) and the National Health Service (NHS) to the data you have provided us during the surveys, we will continue to add information from these records unless you request us not to.  Any data from these records which has already been obtained and deposited in pseudonymised form at data sharing platforms will continue to be made available for research purposes. 

 

Mortality information from the NHS: 

NHS England periodically informs us if study members have died. The files we receive from NHS England tell us when study members have died (month and year) and the cause of death.

Receiving this information helps us ensure we do not try to contact people who have died. We also use it for important research.  

We will continue to receive this information if you withdraw from the study, unless you request that the data you have provided to the study is deleted 

 

Information about where you live 

We use your address (and previous addresses) to add information about where you live such as the local environment, weather, pollution, and the facilities available (e.g., shops and green spaces). The information that we add may be about your local area as a whole, your street or sometimes your specific address. We will continue to do this, using the information we hold about where you lived up to the point at which you stopped taking part in the study. More details about how we add information about where you live is available in the study frequently asked questions.

Is my personal data transferred to other countries?

Pseudonymised research data are shared securely with researchers and research organisations from across the world. Biological samples are sent for analysis at laboratories outside of the UK under secure agreements.  

 

How do you keep my data secure?

We respect that you have donated your data to the study. We are committed to treating study data confidentially and keeping it secure. We keep study data secure when working on it, sharing it with other organisations or linking data to study records. The following measures are in place to keep this data secure: 

 

Research ethics committees 

Research projects involving personal data are scrutinised and approved by a research ethics committee so that our research is carried out to ethical standards.  

 

Independent registration and standards 

As part of UCL, we: 

  • Are included in UCL’s Data Protection Registration by the Information Commissioner’s Office (ICO) (registration number: Z6364106). 
  • Meet the standards of the NHS Enlgand Data Security and Protection Toolkit (DSPT) when we process data in UCL’s secure Data Safe Haven (DSH). The DSH is covered by UCL’s active ISO27001 certification.  

 

Governance and accountability  

The following people, committee and group ensure that we process your data appropriately: 

  • Information Asset Owner (IAO): 

The CLS Managing Director is also Information Asset Owner (IAO) and is accountable to the UCL Senior Information Risk Owner (SIRO) for ensuring risks associated with processing personal data at CLS are properly managed. The IAO is assisted by other roles including CLS Information Asset Administrator, Records Manager and Archivist, and Information Governance and Data Protection Officer. 

  • CLS Data Access Committee (DAC): 

Access to CLS research data is controlled by the DAC. Further information about DAC is available in its terms of reference.

  • CLS IG Steering Group (CLS IG SG): 

CLS IG SG, is chaired by CLS’ Managing Director and attended by representatives from across CLS. This group meets regularly to oversee information governance and data protection issues at CLS.

  • CLS Information Asset Administrator (CLS IAA): The CLS IAA is responsible for the day-to-day management of data and proper handling of information within CLS studies.  
  • CLS Records Manager and Archivist: The CLS Records Manager and Archivist holds senior responsibility for records management, physical and digital archives, legacy data, and bio-samples management. 
  • CLS Information Governance and Data Protection Officer (CLS IG/DPO): The CLS IG/DPO monitors and evaluates CLS’s processing activities and supports teams to ensure CLS complies with laws and standards.  
  • CLS research data governance: CLS research data is governed by the principles and procedures set out in the CLS Research Data Access Framework and CLS Data Classification Policy.  

 

Security measures 

The following security measures help keep your data secure: 

  • UCL Data Safe Haven: Contact details and personal information and survey data are held in this secure database and processed by separate teams.  
  • Access restricted to specialist teams: Study data is managed by experienced teams who are all trained to keep your data confidential. We protect confidentiality by removing contact details from survey responses. Contact details and survey responses are managed by two separate teams. The Cohort Maintenance Team deals with identifiable information such as contact details. The Research Data Management Team manages information from survey responses. The CLS Records Manager holds secure scanned copies of original questionnaires and consent forms in our scanned and physical archives.
  • Data classification: Research data is classified according to sensitivity and de-identified, if necessary, before it is shared outside of CLS. Access to CLS research data is governed by the principles and procedures set out in our CLS Research Data Access Framework and CLS Data Classification Policy. The CLS Data Classification Policy is in place to enable CLS to manage any disclosure and sensitivity risks associated with sharing research data. We assess and classify our research data before sharing it with the research community. Data is classified, pseudonymised and de-identified before it is shared securely with researchers.  This ensures that you (or your family, household, or partner) are not identified in any of the research data that we share with researchers, data sharing repositories or trusted research environments. Further information is available in the CLS Data Classification Policy
  • Technical measures: We pseudonymise and de-identify personal data before it is shared with data stores or Trusted Research Environment (secure data sharing platforms). This means that we remove the information that would identify you (your family, household, or partner) from our research data (such as name or address) from the survey responses provided and reduce risk of identification by combining or removing information. We also use security methods such as encryption when transferring personal data outside of UCL.
  • Contracts with third parties: ensure that your data is treated lawfully when they provide services to us (e.g., mailing or surveys or records linkage). These organisations are also required to hold appropriate registrations and certifications.  
  • Physical security: We process and store any physical documents containing identifiable data, securely in locked rooms.  
  • Transfer of data outside of the EEA: We put contracts in place and check that there are safeguards in place to keep your data safe before we send your data outside of the UK.  

 

Policies, procedures, and training  

All CLS staff are required to follow UCL’s data protection and Information Security Policies.  

  • CLS Data Access Framework: CLS research data is governed by the principles and procedures set out in our CLS Data Access Framework 
  • Information Governance Training: All staff must complete approved information security and GDPR training which tells them how to protect your data.  

 

Risk management  

We ensure that any risks to your data are documented, assessed, and managed:  

Data Protection Impact Assessments (DPIAs): DPIAs ensure that data flows are recorded, individual rights are considered, and plans are put in place to minimise any risks to data.  

Information Governance Risk Register: The CLS IG risk register is reviewed regularly, and risks are escalated to the UCL Senior Information Risk Owner (SIRO) as necessary. 

Data breaches: Our data breach guidelines ensure that any data breaches are reported to UCL ISG immediately, in line with UCL policy. 

 

What are cookies?

CLS and our third-party service providers use cookies and similar technologies. When the study page is visited, it sends a cookie to the device used to visit the page. Cookies are small text files of information which are placed on devices when our sites are used. Cookies are used to:  

  • recognise those who use the site 
  • improve site users’ experience 
  • analyse how study pages are used 
  • collect web-behaviour  
  • gather information about site users (such as internet protocol address) and  
  • provide security

 

Which cookies does the study participant site use?

Find out more on our Cookies page.

 

How do I change my cookie permissions?

Cookie preferences can be managed on personal devices. This is usually done by selecting the options available in the ‘cookies and site permissions’ option in the settings menu.  

Find out more on our Cookies page.

 

Further Information

Further information about the study is available in the study Frequently Asked Questions (FAQs).

How do I make a complaint?

We can be contacted at: 

Call: 0800 977 4566
Email: nextsteps@ucl.ac.uk
Post: Next Steps, Centre for Longitudinal Studies, UCL Social Research Institute, 20 Bedford Way, London WC1H 0AL 

If after contacting us, there are still concerns about how personal data is being processed, the UCL Data Protection Office can be contacted at: data-protection@ucl.ac.uk or Private and Confidential, Data Protection Officer, UCL Gower Street, London WC1E 6BT.  

We hope that we will be able to resolve any complaints that there may be about the study.  

Study members have the right to complain to the ICO – the independent regulator which upholds information rights in the UK. Further information about making complaints to the ICO is available at: https://ico.org.uk/make-a-complaint/your-personal-information-concerns/ 

 

Version Control

This document was last updated on:  25 June 2024