Privacy and data protection FAQs

Version 6: Applicable from: 07 August 2023.

Contents

What are the General Data Protection Regulation (GDPR) and Data Protection Act 2018 (DPA 2018)?

What is a Privacy Notice?

Is the Privacy Notice likely to change?

What is a Data Controller?

Who are the Data Controllers?

What is a Data Protection Officer (DPO)?

What is a lawful basis for processing data?

What data do you hold about me?

Do you collect information about me from other sources?

Why do you need to know about “Stable Contacts”?

Why do you ask questions about my partner and other members of my family?

Who receives my personal data?

How do I use my individual information rights?

How long will it take to receive copies of my information if I make a data subject access request?

How do I withdraw from the study?

What happens to my data if I withdraw from the study?

Is my personal data transferred to other countries?

How do you keep my data secure?

What are cookies?

Which cookies does the study participant site use?

How do I change my cookie permissions?

How do I make a complaint?

Further information

Version control

 

What are the General Data Protection Regulation (GDPR) and Data Protection Act 2018 (DPA 2018)?

Data protection means treating information about people fairly and using it properly according to the law. The DPA 2018 and the UK GDPR are data protection laws in the UK. These laws include principles, rights and obligations which apply when we process personal data. These FAQs are for anyone whose data we use for the study. We use ‘you’ or ‘your’ in this document when referring to study cohort members.

 

What is a Privacy Notice?

The UK GDPR and DPA give people rights over their personal data including the ‘right to be informed’. We inform participants of how their data will be used in the study privacy notice.

 

Is the Privacy Notice likely to change?

Yes. We review the study privacy information when we do a new survey and update it if we change how we process study data.

 

What is a Data Controller?

A Data Controller decides how and why personal data are processed. The Data Controller is responsible for ensuring that this data is processed lawfully.

 

Who are the Data Controllers?

UCL is the Data Controller of the personal data given to the study. Further information on the history of the study is available here: : https://ncds.info/home/about/history/. The study FAQs provide further information about other Data Controllers: https://ncds.info/faqs/

 

What is a Data Protection Officer (DPO)?

A Data Protection Officer (DPO) is a position set out in the UK GDPR and DPA 2018. Further information about the services and support that the UCL Data Protection Team provides is available here: https://www.ucl.ac.uk/data-protection/reporting-breach-or-subject-access-request/contact-data-protection-team#our-services.

 

What is a lawful basis for processing data?

We have to have a valid reason in data protection law for processing study data. This is known as a ‘lawful basis’. The lawful basis for processing study data for research purposes at UCL is ‘public task’. UCL’s ‘statement of tasks in the public interest’ explains more about the reason for using the ‘public task’ lawful basis: https://www.ucl.ac.uk/legal services/sites/legal_services/files/ucl_statement_of_tasks_in_the_public_interest_-_august_2018.pdf This statement says that public task is the lawful basis for processing study data because UCL is carrying out tasks in its capacity as a public authority when it carries out research. Research for the study is carried out in the public interest with the aim of contributing to public policy.

We seek your informed consent to be part of the study so that you know what to expect when you take part. However, we do not use UK GDPR consent as the lawful basis for using your data. 

The ICO website provides further information about UK GDPR lawful bases. 

 

What data do you hold about me?

Table 1 ‘who we share your data with’: https://ncds.info/privacy-notice-for-participants-in-the-national-child-development-study-ncds/#share in the study privacy notice summarises the data that we hold for the study.

 

Do you collect information about me from other sources?

Yes, we collect information from other sources including:

  • Information from the administrative records held by government departments and agencies: In the age 50 Survey in 2008, we asked you for your permission to add information from health records held by the NHS and economic records held by the Department for Work and Pensions (DWP) and His Majesty’s Revenue and Customs (HMRC) to the information you have given us in our surveys over the years. If you lived with a partner at the time, we also asked them for permission to add information from their records. As part of the Life in Your Early 60s Survey, if you had not previously given your permission to add this information, we will ask your permission again. If you live with a partner who has not previously given permission, we will also ask their permission to add information from their records. These departments and agencies are trusted to keep your personal details secure. More about adding information to your record from other sources is available at: https://ncds.info/faqs/do-you-add-any-other-information-to-my-data-2/.
  • Information for our contact tracing activities We use information from the records of government departments, NHS, and contact details validation services to keep in touch with you. Further information about contact tracing is available at: https://ncds.info/faqs/#how-we-find-you.

 

Information from health records

  • Mortality information from the NHS: we have permission for the NHS to tell us the month and year that study members died. We also receive information about cause of death. We use this information, so we don’t contact those who have passed away and for important research into causes of death. We continue to receive mortality data if you withdraw from the study, unless you request that we stop making any of the data that you have provided during your participation in the study available for research.
  • Information from NHS records will be added to your study data (If you have given us permission to access your health records held by NHS). We will not send any of your survey responses to the NHS.
  • We are also adding other information from your NHS health records to support research into COVID-19. This includes your COVID-19 test results, and your vaccination status. We are only doing this if you have given us permission to add information from your health records. If you took part in the COVID-19 web surveys and have used the COVID-19 symptom tracker app, the data collected by the app will be linked to your survey data unless you have opted out of this. See the FAQs, ‘COVID-19 Survey – COVID symptom tracker’.

Information from your health records will be made available to researchers via secure mechanisms such as the UK Data Service or UK Longitudinal Linkage Collaboration (UKLLC). More information about the UKLLC can be found via their website: https://ukllc.ac.uk/ Information that could identify you will be removed before it is shared via these organisations.

Please note that the NHS national data opt-out does not apply where we have your consent to link your health records to your survey data ‘Do you add any other information to my data?’ in the study FAQs provides further information about the National Data Opt Out and how this applies for the consent for health linkages that you have given to the study: https://ncds.info/faqs/do-you-add-any-other-information-to-my-data-2/.

Health records, combined with the information you have given us during the surveys will allow researchers to look in greater detail at what affects your health, including the factors that prevent or contribute to poor health, and how your health can affect other aspects of your life. This research will be available to policymakers seeking to improve services for you and other generations.

 

Information about where you live

We use your address (and previous addresses) to add information about where you live. e.g., about the local environment, weather, pollution, and the facilities available.

We have also sometimes asked you for the postcodes of other members your family (e.g., your parents, or children who do not live with you).   We use these to add information about the local area in which they live and to calculate the distance between family members.

We do not ask your permission to add this information because the data is not individual level information about you. Usually, this information is publicly available and adding this information does not require us to share any of your personal information with any other organisations.

However, if you would prefer that we don’t add any information about your area to your study record then please let us know by contacting us at:

Email: ncds@ucl.ac.uk
Post: National Child Development Study, Centre for Longitudinal Studies, UCL Social Research Institute, 20 Bedford Way, London WC1H 0AL

 

Other information

We also add other information, which is not about you individually, but is for example about the school or University that you went to.

 

Why do you need to know about “Stable Contacts”?

We ask you to give us contact details for your partner (if you have one) and someone who you don’t live with (e.g., a relative, a neighbour, a friend) so that we can get in touch with them if we are unable to contact you. We refer to these people as ‘Stable Contacts’.  In rare circumstances we may contact your stable contacts if someone tells us that you are at risk of harm.

 

Why do you ask questions about my partner and other members of my family?

Our surveys often include questions about your partner, parents, children, and other people who you may live with.  This is important because family circumstances have a huge impact on people’s lives.  We ask for some personal information relating to family members including names.  This is so that in later surveys we can refer back to them and ask if their circumstances have changed.

We have also sometimes asked you for the postcodes of other members your family (e.g., your parents, or children who do not live with you).   We use these to add information about the local area in which they live and to calculate the distance between family members.

We will not include any information that could allow your partner or other family members to be identified in the data made available to researchers.

 

Who receives my personal data?

Our service providers

Other organisations may receive your data when they provide us with services related to the study.

 

Survey agencies 

Nat Cen Social Research has been contracted to carry out the Life in Your Early 60s Survey (with Kantar carrying out some of the fieldwork for them) on our behalf. INUVI carry out some of the health visits in the Life in Your Early 60s Survey. Kantar conducted the COVID-19 Surveys. 

 

International email, marketing automation, and customer engagement service providers 

We use Dot Digital and Qualtrics to contact you about the study. We use Dot Digital to send you emails about the study. In order to do this, we share your first name, email address, serial number with Dot Digital. Dot Digital will receive your IP address when you visit their site. Your survey responses are never sent to Dot Digital. You can unsubscribe from email newsletters at any time (information on how to do this is provided every time we send this information to you).  

We also use Qualtrics, an online survey platform, to contact you and to ask you to provide information.  In order to do this, we share your contact details with Qualtrics.   

 

Biological laboratories

With permission, we collect biological samples from you which are then sent to accredited laboratories that store and process these samples for research.

 

Providers of ‘administrative’ data

With permission, we share contact details and personal information with government agencies so that we can link data from their records to study data.

 

The research community via safe data sharing platforms

Pseudonymised study data is made available for research purposes to the research community from around the world under secure access arrangements. Research data include survey responses as well as other research data such as linked administrative data, geographical information, and are either securely deposited at UK data sharing repositories called “Trusted Research Environments” (TREs) such as the Secure Lab at the UK Data Service or the UKLLC or released directly to the researchers following substantive data de-identification.

Access to data that is overseen by the CLS Data Access Committee (DAC):  https://cls.ucl.ac.uk/wp-content/uploads/2017/02/CLS_DAC_Terms_of_Reference.pdf. Information about how researchers access data from the study, is described on the CLS website at ‘Accessing data directly from CLS’: https://cls.ucl.ac.uk/data-access-training/data-access/accessing-data-directly-from-cls/.

Researchers can apply to CLS Data Access Committee (DAC):

  • For secure access to sensitive or potentially disclosive research data
  • For genetic data linked to survey data.
  • For biological and DNA samples: including for genotyping or for generation of new analytes (an analyte is a substance whose chemical parts are being identified and measured). The FAQ: https://ncds.info/faqs/#genetics-and-dna provides more information about how we process your DNA.
  • For CLS to do extra linkages of data from external sources to your survey data.
  • For data that has not been deposited at a TRE or which is held in non-digital formats.
  • For access to research data deposited in a UK Trusted Research Environment.

Further information about how we make data available for research is available here:  https://ncds.info/faqs/#making-the-data-available-for-research  

 

Organisations that we communicate our research to

Pseudonymised survey responses may be quoted in press communications about the research and study data. Other people will not be able to identify you through your responses unless you have agreed to reveal your name.

 

Public authorities and your stable contacts

In exceptional circumstances, your personal data may be shared securely with public authorities/your stable contacts, if something you tell us indicates that someone is at risk of harm.

 

How do I use my individual information rights?

Individual rights requests (e.g., ‘can I have a copy of the survey data that I’ve given to the study’) can be sent to us at:

Phone: 0800 035 5761

Email: ncds@ucl.ac.uk

Post: National Child Development Study, Centre for Longitudinal Studies, UCL Social Research Institute, 20 Bedford Way, London WC1H 0AL

 

How long will it take to receive copies of my information if I make a data subject access request?

We normally respond to data subject access requests within 1 month.

 

How do I withdraw from the study?

You have the right at any time to withdraw from the study. You can withdraw from the study as a whole, or from just a particular survey, or from having your biological samples collected or from the records linkage programme. If you send us a request to withdraw from the study, we would be grateful if you could specify what your withdraw request covers so that we know what to do with the data that we already hold. If you want to withdraw, you can contact us at:

Phone: 0800 035 5761

Email: ncds@ucl.ac.uk

Post: National Child Development Study, Centre for Longitudinal Studies, UCL Social Research Institute, 20 Bedford Way, London WC1H 0AL

 

What happens to my data if I withdraw from the study?

Your contact details:

Your contact details will be removed from our mailing lists as well as the mailing lists of the external organisations we contract to carry out the study. We will not contact you again to ask you to participate in NCDS.

We will, however, continue to securely store your contact details within the Centre for Longitudinal Studies (CLS) because this provides us with a record of your previous participation, along with your request to be permanently removed from the study.  This will help us to ensure that we do not contact you again.  If you have given us permission, then your contact details will also still be used by us to add information from administrative records held by government agencies (described below).

Your survey data:

The information you have given to the study over the years has been deposited in pseudonymised form at secure data sharing platforms including the UK Data Service and the UK Longitudinal Linkage Collaboration (UK LLC).  Your pseudonymised data will continue to be made available to researchers via secure data sharing platforms unless you request for it not to be.

We will continue to store your information securely within the Centre for Longitudinal Studies (CLS). The survey data that you have given to NCDS is important research data collected in the interest of the public. Our research findings are widely used to shape policy and practice.

Your biological samples:

If you have given us consent to store any biological samples you have provided for future analysis, these will continue to be stored.  The samples and data deriving from them will continue to be used for research unless you request for this to stop.

Information from administrative records held by Government departments and agencies:

If you have previously given consent for us to add information from administrative records held by government agencies such as the Department for Work and Pensions (DWP), HM Revenue and Customs (HMRC) and the National Health Service (NHS) to the data you have provided us during the surveys, we will continue to add information from these records unless you request us not to.  Any data from these records which has already been obtained and deposited in pseudonymised form at data sharing platforms will continue to be made available for research purposes.

Mortality information from the NHS:

NHS England periodically informs us if study members have died. The files we receive from NHS England tell us when study members have died (month and year) and the cause of death.

Receiving this information helps us ensure we do not try to contact people who have died. We also use it for important research.

We will continue to receive this information if you withdraw from the study, unless you request that the data you have provided to the study is deleted.

Information about where you live:

We use your address (and previous addresses) to add information about where you live such as the local environment, weather, pollution, and the facilities available (e.g., shops and green spaces). The information that we add may be about your local area as a whole, your street or sometimes your specific address. We will continue to do this, using the information we hold about where you lived up to the point at which you stopped taking part in the study. More details about how we add information about where you live is available here: https://ncds.info/faqs/#about-adding-other-information. ?? 

What happens to my data if the study loses touch with me? 

If we lose touch with you, we will try and find new contact details for you (see the ‘How we find you’ section of the study FAQs) so that we can ask you if you’d like to continue taking part.  However, if we cannot find you then we will take the following steps with your data: 

 

Your contact details: 

Your contact details will be removed from our mailing lists as well as the mailing lists of the external organisations we contract to carry out the study. We will not contact you again to ask you to participate in NCDS, unless we find new contact details for you. 

We will, however, continue to securely store your contact details within the Centre for Longitudinal Studies (CLS) because this provides us with a record of your previous participation and could help us find new contact details for you.  If you have given us permission, then your contact details will also still be used by us to add information from administrative records held by government agencies (described below). 

Your survey data: 

The information you have given to the study over the years has been deposited in pseudonymised form at secure data sharing platforms including the UK Data Service and the UK Longitudinal Linkage Collaboration.  Your pseudonymised data will continue to be made available to researchers via secure data sharing platforms. 

We will continue to store this information securely within the Centre for Longitudinal Studies (CLS). The survey data that you have given to NCDS is important research data collected in the interest of the public. Our research findings are widely used to shape policy and practice.  

Your biological samples: 

If you have given us consent to store any biological samples you have provided for future analysis, these will continue to be stored.  The samples and data deriving from them will continue to be used for research.  

Information from administrative records held by Government departments and agencies: 

If you have previously given consent for us to add information from administrative records held by government agencies such as the Department for Work and Pensions (DWP), HM Revenue and Customs (HMRC) and the National Health Service (NHS) to the data you have provided us during the surveys, we will continue to add information from these records.  Any data from these records which has already been obtained and deposited in pseudonymised form at data sharing platforms will continue to be made available for research purposes. 

 

Mortality information from the NHS: 

NHS England periodically informs us if study members have died. The files we receive from NHS England tell us when study members have died (month and year) and the cause of death.?  

Receiving this information helps us ensure we do not try to contact people who have died. We also use it for important research. ? 

We will continue to receive this information if we lose touch with you, and you stop taking part. 

 

Information about where you live 

We use your address (and previous addresses) to add information about where you live such as the local environment, weather, pollution, and the facilities available (e.g., shops and green spaces). The information that we add may be about your local area as a whole, your street or sometimes your specific address. We will continue to do this, using the information we hold about where you lived up to the point at which you stopped taking part in the study. More details about how we add information abou

Is my personal data transferred to other countries?

Pseudonymised research data are shared securely with researchers and research organisations from across the world. Biological samples are sent for analysis at laboratories outside of the UK under secure agreements.

 

How do you keep my data secure?

We respect that you have donated your data to the study. We are committed to treating study data confidentially and keeping it secure. We keep study data secure when working on it, sharing it with other organisations or linking data to study records. The following measures are in place to keep this data secure:

Research ethics committees

Research projects involving personal data are scrutinised and approved by a research ethics committee so that our research is carried out to ethical standards.

Independent registration and standards

As part of UCL, we:

  • Are included in UCL’s Data Protection Registration by the Information Commissioner’s Office (ICO) (registration number: Z6364106).
  • Meet the standards of the NHS Digital Data Security and Protection Toolkit (DSPT) when we process data in UCL’s secure Data Safe Haven (DSH). The DSH is covered by UCL’s active ISO27001

Governance and accountability

The following people, committee and group ensure that we process your data appropriately:

Information Asset Owner (IAO)

The CLS Managing Director is also Information Asset Owner (IAO) and is accountable to the UCL Senior Information Risk Owner (SIRO) for ensuring risks associated with processing personal data at CLS are properly managed. The IAO is assisted by other roles including CLS Information Asset Administrator, Records Manager and Archivist, and Information Governance and Data Protection Officer.

CLS Data Access Committee (DAC)

Access to CLS research data is controlled by the DAC. Further information about DAC is available here: https://cls.ucl.ac.uk/wp-content/uploads/2017/02/CLS_DAC_Terms_of_Reference.pdf.

CLS IG Steering Group (CLS IG SG)

CLS IG SG, is chaired by CLS’ Managing Director and attended by representatives from across CLS. This group meets regularly to oversee information governance and data protection issues at CLS.

CLS Information Asset Administrator (CLS IAA): The CLS IAA is responsible for the day-to-day management of data and proper handling of information within CLS studies.

CLS Records Manager and Archivist: The CLS Records Manager and Archivist holds senior responsibility for records management, physical and digital archives, legacy data, and bio-samples management.

CLS Information Governance and Data Protection Officer (CLS IG/DPO): The CLS IG/DPO monitors and evaluates CLS’s processing activities and supports teams to ensure CLS complies with laws and standards.

CLS research data governance: CLS research data is governed by the principles and procedures set out in the CLS Research Data Access Framework and CLS Data Classification Policy.

 

Security measures

The following security measures help keep your data secure:

  • UCL Data Safe Haven: Contact details and personal information and survey data are held in this secure database and processed by separate teams.
  • Access restricted to specialist teams: Study data is managed by experienced teams who are all trained to keep your data confidential. We protect confidentiality by removing contact details from survey responses. Contact details and survey responses are managed by two separate teams. The Cohort Maintenance Team deals with identifiable information such as contact details. The Research Data Management Team manages information from survey responses. The CLS Records Manager holds secure scanned copies of original questionnaires and consent forms in our scanned and physical archives.
  • Data classification: Research data is classified according to sensitivity and de-identified if necessary, before it is shared outside of CLS. Access to CLS research data is governed by the principles and procedures set out in our CLS Research Data Access Frameworkand CLS Data Classification Policy. The CLS Data Classification Policy is in place to enable CLS to manage any disclosure and sensitivity risks associated with sharing research data. We assess and classify our research data before sharing it with the research community. Data is classified, pseudonymised and de-identified before it is shared securely with researchers.  This ensures that you (or your family, household, or partner) are not identified in any of the research data that we share with researchers, data sharing repositories or trusted research environments. Further information is available at: https://cls.ucl.ac.uk/wp-content/uploads/2017/02/CLS_Data_Classification_Policy.pdf.
  • Technical measures: We pseudonymise and de-identify personal data before it is shared with data stores or Trusted Research Environment (secure data sharing platforms). This means that we remove the information that would identify you (your family, household, or partner) from our research data (such as name or address) from the survey responses provided and reduce risk of identification by combining or removing information. We also use security methods such as encryption when transferring personal data outside of UCL.
  • Contracts with third parties: ensure that your data is treated lawfully when they provide services to us (e.g., mailing or surveys or records linkage). These organisations are also required to hold appropriate registrations and certifications.
  • Physical security:We process and store any physical documents containing identifiable data, securely in locked rooms.
  • Transfer of data outside of the EEA: We put contracts in place and check that there are safeguards in place to keep your data safe before we send your data outside of the UK.

 

Policies, procedures, and training

All CLS staff are required to follow UCL’s data protection and Information Security Policies.

  • CLS Data Access Framework: CLS research data is governed by the principles and procedures set out in our CLS Data Access Framework.
  • Information Governance Training: All staff must complete approved information security and GDPR training which tells them how to protect your data.

 

Risk management

We ensure that any risks to your data are documented, assessed, and managed:

  • Data Protection Impact Assessments (DPIAs): DPIAs ensure that data flows are recorded, individual rights are considered, and plans are put in place to minimise any risks to data.
  • Information Governance Risk Register: The CLS IG risk register is reviewed regularly, and risks are escalated to the UCL Senior Information Risk Owner (SIRO) as necessary.
  • Data breaches: Our data breach guidelines ensure that any data breaches are reported to UCL ISG immediately, in line with UCL policy.

 

What are cookies?

CLS and our third-party service providers use cookies and similar technologies. When the study page is visited, it sends a cookie to the device used to visit the page. Cookies are small text files of information which are placed on devices when our sites are used. Cookies are used to:

  • recognise those who use the site
  • improve site users’ experience
  • analyse how study pages are used
  • collect web-behaviour
  • gather information about site users (such as internet protocol address) and
  • provide security.

 

Which cookies does the study participant site use?

 

How do I change my cookie permissions?

Cookie preferences can be manged on personal devices. This is usually done by selecting the options available in the ‘cookies and site permissions’ option in the settings menu.

Find out how to manage cookies on popular browsers:

 

How do I make a complaint?

We can be contacted at:

Phone: 0800 035 5761
Email: ncds@ucl.ac.uk
Post: National Child Development Study, Centre for Longitudinal Studies, UCL Social Research Institute, 20 Bedford Way, London WC1H 0AL

If after contacting us, there are still concerns about how personal data is being processed, the UCL Data Protection Office can be contacted at: data-protection@ucl.ac.uk or Private and Confidential, Data Protection Officer, UCL Gower Street, London WC1E 6BT.

We hope that we will be able to resolve any complaints that there may be about the study.

Study members have the right to complain to the ICO – the independent regulator which upholds information rights in the UK. Further information about making complaints to the ICO is available at: https://ico.org.uk/make-a-complaint/your-personal-information-concerns/.

 

Further information

Further information about the study is available in the study Frequently Asked Questions (FAQs): https://ncds.info/faqs/.

 

Version control

This webpage was last updated on: 07 August 2023