Privacy

Data protection means treating information about people fairly and using it properly according to the law. The DPA 2018 and the UK GDPR are data protection laws in the UK. These laws include principles, rights and obligations which apply when we process personal data. These FAQs are for anyone whose data we use for the study. We use ‘you’ or ‘your’ in this document when referring to study cohort members.

What is a Privacy Notice?

The UK GDPR and DPA give people rights over their personal data including the ‘right to be informed’. We inform participants of how their data will be used in the study privacy notice.

Is the Privacy Notice likely to change?

Yes. We review the study privacy information when we do a new survey and update it if we change how we process study data.

What is a Data Controller?

A Data Controller decides how and why personal data are processed. The Data Controller is responsible for ensuring that this data is processed lawfully.

Who are the Data Controllers?

UCL is the Data Controller of the personal data given to the study. Further information on the history of the study is available here: : https://ncds.info/home/about/history/. The study FAQs provide further information about other Data Controllers: https://ncds.info/faqs/

What is a Data Protection Officer (DPO)?

A Data Protection Officer (DPO) is a position set out in the UK GDPR and DPA 2018. Further information about the services and support that the UCL Data Protection Team provides is available here: https://www.ucl.ac.uk/data-protection/reporting-breach-or-subject-access-request/contact-data-protection-team#our-services.

What is a lawful basis for processing data?

We have to have a valid reason in data protection law for processing study data. This is known as a ‘lawful basis’. The lawful basis for processing study data for research purposes at UCL is ‘public task’. UCL’s ‘statement of tasks in the public interest’ explains more about the reason for using the ‘public task’ lawful basis: https://www.ucl.ac.uk/legal services/sites/legal_services/files/ucl_statement_of_tasks_in_the_public_interest_-_august_2018.pdf This statement says that public task is the lawful basis for processing study data because UCL is carrying out tasks in its capacity as a public authority when it carries out research. Research for the study is carried out in the public interest with the aim of contributing to public policy.

What data do you hold about me?

Table 1 ‘who we share your data with’: https://ncds.info/privacy-notice-for-participants-in-the-national-child-development-study-ncds/#share in the study privacy notice summarises the data that we hold for the study.

Do you collect information about me from other sources?

Yes, we collect information from other sources including:

Information from the administrative records held by government departments and agencies: In the age 50 Survey in 2008, we asked you for your permission to add information from health records held by the NHS and economic records held by the Department for Work and Pensions (DWP) and His Majesty’s Revenue and Customs (HMRC) to the information you have given us in our surveys over the years. If you lived with a partner at the time, we also asked them for permission to add information from their records. As part of the Life in Your Early 60s Survey, if you had not previously given your permission to add this information, we will ask your permission again. If you live with a partner who has not previously given permission, we will also ask their permission to add information from their records. These departments and agencies are trusted to keep your personal details secure. More about adding information to your record from other sources is available at: https://ncds.info/faqs/do-you-add-any-other-information-to-my-data-2/.
Information for our contact tracing activities We use information from the records of government departments, NHS and contact tracing services to update your record to keep in touch with you. Further information about contact tracing is available at: https://ncds.info/faqs/#how-we-find-you.

Information from health records

Mortality information from the NHS: we have permission for the NHS to tell us the month and year that study members died. We also receive information about cause of death. We use this information, so we don’t contact those who have passed away and for important research into causes of death. We continue to receive mortality data if you withdraw from the study, unless you request that we stop making any of the data that you have provided during your participation in the study available for research.
Information from NHS records will be added to your study data (If you have given us permission to access your health records held by NHS). We will not send any of your survey responses to the NHS.
Information from the UK Longitudinal Linkage Collaboration: we are adding other information from your NHS health records to support research into COVID-19. This includes your COVID-19 test results, and your vaccination status. We are only doing this if you have given us permission to add information from your health records. If you took part in the COVID-19 web surveys and have used the COVID-19 symptom tracker app, the data collected by the app will be linked to your survey data unless you have opted out of this. See the FAQs, ‘COVID-19 Survey – COVID symptom tracker’.

Information from your health records will be made available to researchers via secure mechanisms such as the UK Data Service or similar organisations. Information that could identify you will be removed before it is shared via these organisations.

Please note that the NHS national data opt-out does not apply where we have your consent to link your health records to your survey data ‘Do you add any other information to my data?’ in the study FAQs provides further information about the National Data Opt Out and how this applies for the consent for health linkages that you have given to the study: https://ncds.info/faqs/do-you-add-any-other-information-to-my-data-2/.

Health records, combined with the information you have given us during the surveys will allow researchers to look in greater detail at what affects your health, including the factors that prevent or contribute to poor health, and how your health can affect other aspects of your life. This research will be available to policymakers seeking to improve services for you and other generations.

Information about where you live

We use your address (and previous addresses) to add information about where you live. e.g., about the local environment, weather, pollution and the facilities available.

We have also sometimes asked you for the postcodes of other members your family (e.g., your parents, or children who do not live with you). We use these to add information about the local area in which they live and to calculate the distance between family members.

We do not ask your permission to add this information because the data is not individual level information about you. Usually, this information is publicly available and adding this information does not require us to share any of your personal information with any other organisations.

However, if you would prefer that we don’t add any information about your area to your study record then please let us know by contacting us at:

Email: ncds@ucl.ac.uk
Post: National Child Development Study, Centre for Longitudinal Studies, UCL Social Research Institute, 20 Bedford Way, London WC1H 0AL

Other information

We also add other information, which is not about you individually, but is for example about the school or University that you went to.

Why do you need to know about “Stable Contacts”?

We ask you to give us contact details for your partner (if you have one) and someone who you don’t live with (e.g., a relative, a neighbour, a friend) so that we can get in touch with them if we are unable to contact you. We refer to these people as ‘Stable Contacts’. In rare circumstances we may contact your stable contacts if someone tells us that you are at risk of harm.

Why do you ask questions about my partner and other members of my family?

Our surveys often include questions about your partner, parents, children and other people who you may live with. This is important because family circumstances have a huge impact on people’s lives. We ask for some personal information relating to family members including names. This is so that in later surveys we can refer back to them and ask if their circumstances have changed.

We have also sometimes asked you for the postcodes of other members your family (e.g. your parents, or children who do not live with you). We use these to add information about the local area in which they live and to calculate the distance between family members.

We will not include any information that could allow your partner or other family members to be identified in the data made available to researchers.

Who receives my personal data?

Our service providers

Other organisations may receive your data when they provide us with services related to the study. We use Dot Digital and Qualtrics to contact you about the study. Nat Cen Social Research has been contracted to carry out the Life in Your Early 60s Survey (with Kantar carrying out some of the fieldwork for them) on our behalf. INUVI carry out some of the health visits in the Life in Your Early 60s Survey. Kantar conducted the COVID-19 Surveys.

Biological laboratories

With permission, we collect biological samples from you which are then sent to accredited laboratories that store and process these samples for research.

Providers of ‘administrative’ data

With permission, we share contact details and personal information with government agencies so that we can link data from their records to study data.

The research community via safe data sharing platforms

Pseudonymised study data is made available for research purposes to the research community from around the world under secure access arrangements. Research data include survey responses as well as other research data such as linked administrative data, information about your area, and are either securely deposited at UK data sharing repositories called “Trusted Research Environments” (TREs) such as the Secure Lab at the UK Data Service and the SeRP via the UKLLC or released directly to the researchers following substantive data de-identification.

Access to sensitive data or data that could identify you is managed by the DAC: https://cls.ucl.ac.uk/wp-content/uploads/2017/02/CLS_DAC_Terms_of_Reference.pdf. Information about how researchers access data from the study, is described on the CLS website at ‘Accessing data directly from CLS’: https://cls.ucl.ac.uk/data-access-training/data-access/accessing-data-directly-from-cls/.

Researchers can apply to CLS Data Access Committee (DAC):

For genetic data linked to survey data.
For biological samples and related data such as DNA: including for genotyping or for generation of new analytes (an analyte is a substance whose chemical parts are being identified and measured). The FAQ: https://ncds.info/faqs/#genetics-and-dna provides more information about how we process your DNA.
For CLS to do extra linkages of data from external sources to your survey data.
For data that has not been deposited at a TRE or which is held in non-digital formats.
For access to research data deposited in a UK Trusted Research Environment.

Organisations that we communicate our research to

Pseudonymised survey responses may be quoted in press communications about the research and study data. Other people will not be able to identify you through your responses unless you have agreed to reveal your name.

Public authorities and your stable contacts

In exceptional circumstances, your personal data may be shared securely with public authorities/your stable contacts, if something you tell us indicates that someone is at risk of harm.

How do I use my individual information rights?

Individual rights requests (e.g., ‘can I have a copy of the survey data that I’ve given to the study’) can be sent to us at:

Phone: 0800 035 5761

Email: ncds@ucl.ac.uk

Post: National Child Development Study, Centre for Longitudinal Studies, UCL Social Research Institute, 20 Bedford Way, London WC1H 0AL

How long will it take to receive copies of my information if I make a data subject access request?

We normally respond to data subject access requests within 1 month.

How do I withdraw from the study?

You have the right at any time to withdraw from the study. You can withdraw from the study as a whole, or from just a particular survey, or from having your biological samples collected or from the records linkage programme. If you send us a request to withdraw from the study, we would be grateful if you could specify what your withdraw request covers so that we know what to do with the data that we already hold. If you want to withdraw, you can contact us at:

Phone: 0800 035 5761

Email: ncds@ucl.ac.uk

Post: National Child Development Study, Centre for Longitudinal Studies, UCL Social Research Institute, 20 Bedford Way, London WC1H 0AL

What happens to my data if I withdraw from the study?

If you withdraw from the study, information which the study has already collected about you before we received your request, will be kept and continue to be used for research purposes in pseudonymised form where the law allows us to do this.

Is my personal data transferred to other countries?

Pseudonymised research data are shared securely with researchers and research organisations from across the world. Biological samples are sent for analysis at laboratories outside of the UK under secure agreements.

How do you keep my data secure?

We respect that you have donated your data to the study. We are committed to treating study data confidentially and keeping it secure. We keep study data secure when working on it, sharing it with other organisations or linking data to study records. The following measures are in place to keep this data secure:

Research ethics committees

Research projects involving personal data are scrutinised and approved by a research ethics committee so that our research is carried out to ethical standards.

Independent registration and standards

As part of UCL, we:

Are included in UCL’s Data Protection Registration by the Information Commissioner’s Office (ICO)(registration number: Z6364106).
Meet the standards of the NHS Digital Data Security and Protection Toolkit (DSPT) when we process data in UCL’s secure Data Safe Haven (DSH). The DSH is covered by UCL’s active ISO27001

Governance and accountability

The following people, committee and group ensure that we process your data appropriately:

Information Asset Owner (IAO)

The CLS Managing Director is also Information Asset Owner (IAO) and is accountable to the UCL Senior Information Risk Owner (SIRO) for ensuring risks associated with processing personal data at CLS are properly managed. The IAO is assisted by other roles including CLS Information Asset Administrator, Records Manager and Archivist, and Information Governance and Data Protection Officer.

CLS Data Access Committee (DAC)

Access to CLS research data is controlled by the DAC. Further information about DAC is available here: https://cls.ucl.ac.uk/wp-content/uploads/2017/02/CLS_DAC_Terms_of_Reference.pdf.

CLS IG Steering Group (CLS IG SG)

CLS IG SG, is chaired by CLS’ Managing Director and attended by representatives from across CLS. This group meets regularly to oversee information governance and data protection issues at CLS.

CLS Information Asset Administrator (CLS IAA): The CLS IAA is responsible for the proper handling of information within CLS studies.

CLS Records Manager and Archivist: The CLS Records Manager and Archivist holds senior responsibility for records management, physical and digital archives, legacy data and bio-samples management.

CLS Information Governance and Data Protection Officer (CLS IG/DPO): The CLS IG/DPO monitors and evaluates CLS’ processing activities and supports teams to ensure CLS complies with formal laws and standards.

CLS research data governance: CLS research data is governed by the principles and procedures set out in the CLS Research Data Access Framework and CLS Data Classification Policy.

Security measures

The following security measures help keep your data secure:

UCL Data Safe Haven: Contact details and personal information and survey data are held in this secure database and processed by separate teams.
Access restricted to specialist teams: Study data is managed by experienced teams who are all trained to keep your data confidential. We protect confidentiality by removing contact details from survey responses. Contact details and survey responses are managed by two separate teams. The Cohort Maintenance Team deals with identifiable information such as contact details. The Research Data Management Team manages information from survey responses. The CLS Records Manager holds secure scanned copies of original questionnaires and consent forms in our scanned and physical archives.
Data classification: Research data is classified according to sensitivity and de-identified if necessary, before it is shared outside of CLS. Access to CLS research data is governed by the principles and procedures set out in our CLS Research Data Access Frameworkand CLS Data Classification Policy. The CLS Data Classification Policy is in place to enable CLS to manage any disclosure and sensitivity risks associated with sharing research data. We assess and classify our research data before sharing it with the research community. Data is classified, pseudonymised and de-identified before it is shared securely with researchers. This ensures that you (or your family, household or partner) are not identified in any of the research data that we share with researchers, data sharing repositories or trusted research environments. Further information is available at: https://cls.ucl.ac.uk/wp-content/uploads/2017/02/CLS_Data_Classification_Policy.pdf.
Technical measures: We pseudonymise and de-identify personal data before it is shared with data stores or TREs. This means that we remove the things that would identify you (your family, household or partner) from our research data (such as name or address) from the survey responses provided and reduce risk of identification by combining or removing information. We also use security methods such as encryption when transferring personal data outside of UCL.
Contracts with third parties: ensure that your data is treated lawfully when they provide services to us (e.g., mailing or surveys or records linkage). These organisations are also required to hold appropriate registrations and certifications.
Physical security:We process and store any physical documents containing identifiable data, securely in locked rooms.

Transfer of data outside of the EEA: We put contracts in place and check that there are safeguards in place to keep your data safe before we send your data outside of the UK.

Policies, procedures and training

All CLS staff are required to follow UCL’s data protection and Information Security Policies.

CLS Data Access Framework: CLS research data is governed by the principles and procedures set out in our CLS Data Access Framework.
Information Governance Training:All staff must complete approved information security and GDPR training which tells them how to protect your data.

Risk management

We ensure that any risks to your data are documented, assessed and managed:

Data Protection Impact Assessments (DPIAs): DPIAs ensure that data flows are recorded, individual rights are considered, and plans are put in place to minimise any risks to data.
Information Governance Risk Register: The CLS IG risk register is reviewed regularly, and risks are escalated to the UCL Senior Information Risk Owner (SIRO) as necessary.
Data breaches: Our data breach guidelines ensure that any data breaches are reported to UCL ISG immediately, in line with UCL policy.

What are cookies?

CLS and our third-party service providers use cookies and similar technologies. When the study page is visited, it sends a cookie to the device used to visit the page. Cookies are small text files of information which are placed on devices when our sites are used. Cookies are used to:

recognise those who use the site
improve site users’ experience
analyse how study pages are used
collect web-behaviour
gather information about site users (such as internet protocol address) and
provide security.

Which cookies does the study participant site use?

Google Analytics: Our site places cookies associated with Google Analytics: https://support.google.com/analytics/answer/6004245 (which enables us to see how many people visit the study pages and how long they are spending on them).
YouTube: YouTube places a cookie when you access video content on the study website.

How do I change my cookie permissions?

Cookie preferences can be manged on personal devices. This is usually done by selecting the options available in the ‘cookies and site permissions’ option in the settings menu.

Find out how to manage cookies on popular browsers:

Google Chrome: https://support.google.com/chrome/answer/95647?co=GENIE.Platform%3DDesktop&hl=en
Microsoft Edge: https://support.microsoft.com/en-us/topic/delete-and-manage-cookies-168dab11-0753-043d-7c16-ede5947fc64d
Mozilla Firefox: https://support.mozilla.org/en-US/kb/enhanced-tracking-protection-firefox-desktop?redirectslug=Enabling+and+disabling+cookies&redirectlocale=en-US
Apple Safari: https://support.apple.com/en-gb/guide/safari/sfri11471/mac

How do I make a complaint?

We can be contacted at:

Phone: 0800 035 5761
Email: ncds@ucl.ac.uk
Post: National Child Development Study, Centre for Longitudinal Studies, UCL Social Research Institute, 20 Bedford Way, London WC1H 0AL

If after contacting us, there are still concerns about how personal data is being processed, the UCL Data Protection Office can be contacted at: data-protection@ucl.ac.uk or Private and Confidential, Data Protection Officer, UCL Gower Street, London WC1E 6BT.

We hope that we will be able to resolve any complaints that there may be about the study.

Study members have the right to complain to the ICO – the independent regulator which upholds information rights in the UK. Further information about making complaints to the ICO is available at: https://ico.org.uk/make-a-complaint/your-personal-information-concerns/.

Further information

Further information about the study is available in the study Frequently Asked Questions (FAQs): https://ncds.info/faqs/.

Version control

This webpage was last updated on: 01 February 2023