- IOE staff
- IOE postgraduate research students
- Data protection requirements checklist
- General Data Protection Regulation (GDPR)
IOE staff
The Research Ethics Officer submits the ethics applications to the data protection office to obtain the mandatory data protection number for their research.Ìý
PleaseÌýensure that you complete the data protection checklist before submitting your application.
IOE postgraduate research students
Postgraduate research students are required to submit their IOE Ethics Application Form to data-protection@ucl.ac.uk in order to obtain a mandatory data protection number for their research, before the ethics review. Please follow the links below for more detailed information.Ìý
Details on and forms for the student reviewing process for all postgraduate research students can be found here:Ìý
Data Protection Impact Assessment (DPIA) - IOE students require a DPIA if the project includes sensitive personal data and/or is likely to be high risk, which will be determined by their supervisory team. In the context of a student research project, the supervisor is responsible for ensuring the completion of a DPIA.Ìý
Process for IOE Doctoral student data protection registration and ethics applications reviewÌý
For questions about information sheets:Ìý
Ïã¸ÛÁùºÏ²Ê Data Protection team: data-protection@ucl.ac.uk
Data protection requirements checklist
Please use this adapted template to certify that all data protection requirements have been addressed prior to submitting your ethics application form and supporting documents for review.
- Check to see if project is an extension of previous research and if so provide the research reference number
- Consent Form and Participant Information Sheet completed and provided including privacy notice
- Local project privacy notice is in place and contains the criteria set out in Articles 13/14 of GDPR - see "Where can I check that I have completed my Privacy Notice correctly?"
- Local project privacy notice links to one of the main Ïã¸ÛÁùºÏ²Ê general research participant privacy notice
- Lawful basis for processing personal data is stated as 'performance of a task in the public interest' and special category or criminal convictions data is stated as 'research purposes
4. Appropriate safeguards are in place as per this guidance:
- Collect only the minimum amount of personal data required to carry out the research.
- Use pseudonymised personal data.
- Anonymise data where possible.
- Safeguards against accidental disclosure and loss or corruption of data.
- Ensure that the processing will not cause substantial damage or distress to individuals.
- Ensure that the processing will not be used to support measures or decisions with respect to a particular individual.
- Confirm evidence of the information security measures in place, e.g. encryption
5. Ensure the terms anonymisation and pseudonymisation are used correctly in form
6. The location of the data is specified, i.e.
- on Ïã¸ÛÁùºÏ²Ê servers
- in the UK
- in the EEA
- outside the EEA.
7. If personal data is stored outside the EEA, ensure that measures are in place to comply with data protection legislation.
8. Indicate whether third parties, such as other universities or processors, are involved with processing or storage of data:
- If so, confirm data sharing/processing arrangements in place?
- If not, refer them to research services/contracts or procurement or solicitor in Legal Services.
9. DPIA screening questions have been completed by staff if research deemed high risk.ÌýIf so, the DPIA has been provided.
10. If the research involves children, the Research with Children GuidanceÌýhas beenÌýfollowed.
11. The information compliance training been undertaken within the last two years:
- Freedom of Information.
- Data protection.
- Information security.
12. Provisions are in place around confidentiality, e.g. wording in participant information sheet.
13.ÌýData Protection Coordinator has been notified.
General Data Protection Regulation (GDPR)
The GDPR affirms data protection's fundamental right and should be applied in a legitimate, effective, and consistent manner.Ìý
While the GDPR does not sufficiently specify ethical standards, it is important that researchers understand what this means for the personal data that’s processed during your research projects.
Ìý
The Data Protection Office (DPO) have issued .
Ìý
The DPO has also produced an extensiveÌýFrequently Asked QuestionsÌýpage for answers to the most common data protection queries.
Ìý
For further details, including guidance for research with children on data protection issues, and examples of consent forms and information sheets with privacy notice links, please visit your relevant section (staffÌýorÌýstudents).
Ìý
See further information and up-to-date .
Note:Ìýfor ethics applications sent to the IOE REC for review, the IOE REC office will register the research with the Data protection office (DPO) and provide the researcher with a Ïã¸ÛÁùºÏ²Ê data protection number. The DPO will then advise on any next steps if required.
GDPR-compliant exemplarsÌýfor guidance
The consent forms and participant information sheets should be used as exemplars only. Researchers are expected to develop their own forms and information sheets as appropriate for their research and not reproduce or copy the examples as templates.
All information sheets developed for research must also include a link to theÌýÏã¸ÛÁùºÏ²Ê general research participant privacy notice.
- ÌýExample IOE interview consent form (DOCX)
- ÌýÏã¸ÛÁùºÏ²Ê consent form template (DOCX)
- ÌýExample IOE information sheet (PDF)
- ÌýExample information sheet for children #1 (PDF)
- ÌýExample information sheet for children #2 (PDF)
- ÌýExample information sheet for children #3 (PDF)
- ÌýData protection checklist for researchers (PDF)
For questions about information sheets:
- Ïã¸ÛÁùºÏ²Ê Data Protection team: data-protection@ucl.ac.uk