We respect that you have voluntarily provided your data to the study. We are committed to treating study data confidentially and keeping it secure. We keep study data secure when working on it, sharing it with other organisations or linking data to study records. The following measures are in place to keep this data secure:
Research ethics committees
Research projects involving personal data are scrutinised and approved by a research ethics committee so that our research is carried out to ethical standards.
Independent registration and standards
As part of UCL, we:
- Are included in UCL’s Data Protection Registration by the Information Commissioner’s Office (ICO) (registration number: Z6364106).
- Meet the standards of the NHS Digital Data Security and Protection Toolkit (DSPT) when we process data in UCL’s secure Data Safe Haven (DSH). The DSH is covered by UCL’s active ISO27001 certification.
Governance and accountability
The following people, committee and group ensure that we process your data appropriately:
- Information Asset Owner (IAO): The CLS Managing Director is also Information Asset Owner (IAO) and is accountable to the UCL Senior Information Risk Owner (SIRO) for ensuring risks associated with processing personal data at CLS are properly managed. The IAO is assisted by other roles including CLS Information Asset Administrator, Records Manager and Archivist, and Information Governance and Data Protection Officer.
- CLS Data Access Committee (DAC): Access to CLS research data is controlled by the DAC. Further information about DAC is available here: https://cls.ucl.ac.uk/wp-content/uploads/2017/02/CLS_DAC_Terms_of_Reference.pdf.
- CLS IG Steering Group (CLS IG SG): The CLS IG SG is chaired by CLS’ Managing Director and attended by representatives from across CLS. This group meets regularly to oversee information governance and data protection issues at CLS.
- CLS Information Asset Administrator (CLS IAA): The CLS IAA is responsible for the proper handling of information within CLS studies.
- CLS Information Governance and Data Protection Officer (CLS IG/DPO): The CLS IG/DPO monitors and evaluates CLS’ processing activities and supports teams to ensure CLS complies with formal laws and standards.
- CLS research data governance: CLS research data is governed by the principles and procedures set out in the CLS Research Data Access Framework and CLS Data Classification Policy.
Security measures
The following security measures help keep your data secure:
- UCL Data Safe Haven: Contact details, personal information and survey data are held in this secure database and processed by separate teams.
- Access restricted to specialist teams: Study data is managed by experienced teams who are all trained to keep your data confidential. We protect confidentiality by removing contact details from survey responses. Contact details and survey responses are managed by two separate teams. The Cohort Maintenance Team deals with identifiable information such as contact details. The Research Data Management Team manages information from survey responses. The CLS Records Manager holds secure scanned copies of original questionnaires and consent forms in our scanned and physical archives.
- Data classification: Research data is classified according to sensitivity and deidentified if necessary before it is shared outside of CLS. Access to CLS research data is governed by the principles and procedures set out in our CLS Research Data Access Framework and CLS Data Classification Policy. The CLS Data Classification Policy is in place to enable CLS to manage any disclosure and sensitivity risks associated with sharing research data. We assess and classify our research data before sharing it with the research community. Data is classified, pseudonymised and de-identified before it is shared securely with researchers. This ensures that you (or your family, household, or partner) are not identified in any of the research data that we share with researchers, data sharing repositories or trusted research environments. Further information is available at: https://cls.ucl.ac.uk/wp-content/uploads/2017/02/CLS_Data_Classification_Policy.pdf.
- Technical measures: We pseudonymise and de-identify personal data before it is shared with data stores or TREs. This means that we remove the things that would identify you (your family, household, or partner), such as name or address, from the survey responses provided in our research data, and reduce the risk of identification by combining or removing information. We also use security methods such as encryption when transferring personal data outside of UCL.
- Contracts with third parties: Our contracts with third parties ensure that your data is treated lawfully when they provide services to us (e.g., mailing, surveys or records linkage). These organisations are also required to hold appropriate registrations and certifications.
- Physical security: We process and store any physical documents containing identifiable data securely in locked rooms.
- Transfer of data outside of the UK: We put contracts in place and check that there are safeguards in place to keep your data safe before we send your data outside of the UK.
Policies, procedures, and training
All CLS staff are required to follow UCL’s data protection and Information Security Policies:
- CLS Data Access Framework: CLS research data is governed by the principles and procedures set out in our CLS Data Access Framework.
- Information Governance Training: All staff must complete approved information security and GDPR training which tells them how to protect your data.
Risk management
We ensure that any risks to your data are documented, assessed, and managed:
- Data Protection Impact Assessments (DPIAs): We do DPIAs to ensure that data flows are recorded, individual rights are considered, and plans are put in place to minimise any risks to data.
- Information Governance Risk Register: The CLS IG risk register is reviewed regularly, and risks are escalated to the UCL Senior Information Risk Owner (SIRO) as necessary.
- Data breaches: Our data breach guidelines ensure that any data breaches are reported to UCL ISG immediately, in line with UCL policy.