The new General Data Protection Regulation (GDPR) comes into effect in May 2018. It will replace the current Directive and apply to all EU member states without the need for national legislation. The implementation will require comprehensive changes to the way in which organisations, like UCL, collect, use and transfer personal data.

Please see the UCL Data Protection Office’s guidance on the impact of the GDPR on how researchers will seek consent, on privacy notices, data breaches and more.

Much research data about people – even sensitive data – can be shared ethically and legally if researchers employ strategies of informed consent, anonymisation and controlling access to data.  However, researchers obtaining data from people are expected to maintain high ethical standards and comply with relevant legislation and duties.

This guidance is generally provided by professional bodies, host institutions and funding organaisations. The laws that govern the use of data, in addition to the duties of confidentiality, include the following Acts:

• Data Protection Act (1998);
• Freedom of Information Act (2000);
• Human Rights Act (Article 8) (1998);
• Mental Capacity Act (2005); and
• Statistics and Registration Services Act (2007).

(more…)