Information governance (IG) at CLS

CLS houses several national longitudinal cohort studies: 1958 Child Development Study; 1970 British Cohort Study; Next Steps; and Millennium Cohort Study. Information governance (IG) ensures we have governance, systems and processes in place so that study participants’ personal information can be processed in line with their expectations, relevant laws, standards and UCL policy.

Data collection is funded from a number of sources, including the Economic and Social Research Council (ESRC), the Medical Research Council (MRC), charitable trusts and government departments and agencies. Data are collected during regular surveys of all study participants and follow up studies of particular sub-groups. The information that we hold also includes linked administrative records, geographical linked data and data extracted from biological samples.

Registrations and certifications

CLS is committed to keeping study participants’ data secure. The following registration, self-certification, and assessment is in place to support this commitment:

Data Protection Registration by the Information Commissioner’s Office (ICO): CLS is included in UCL’s registration (number: Z6364106; registered: 29 January 2002; expiry: 28 January 2022). Further information can be found on the ICO Public Register.
NHS Digital Data Security and Protection Toolkit (DSPT): CLS’s processing of personal data within the UCL Data Safe Haven (DSH) is covered by UCL’s NHS DSPT which was published as ‘standards met’ for 20/21 (organisation code: EE133902-SLMS). Further information about UCL’s registration can be found on NHS Digital’s website.
ISO27001: CLS’s data processing within UCL’s (DSH) is covered by UCL’s active ISO27001 certification (ISO/IEC 27001:2013 certification number: IS 612909). Further information about UCL’s ISO certification can be found on BSI’s register.

Lawful basis

We are committed to processing study participants’ data safely in line with the UK General Data Protection Regulation (UK GDPR) / Data Protection Act 2018. Study participants are made aware of our privacy information and study frequently asked questions (FAQs) which contain full details of our lawful basis for processing their data. Further details are included on each of the study participant websites:

1958 National Child Development study
1970 British Cohort Study
Next Steps
Millennium Cohort Study (Child of the New Century)

Ethics and consent

A consent process is in place to meet our ethical obligation to ensure that after receiving full information about each study data collection and how their data will be used, study participants are able to make a voluntary decision about whether to take part and, if applicable, whether to consent to administrative records being linked to their data.

All study participants are given information about each study data collection and asked to give their consent to take part. All study participants are also given information about how to withdraw from the study and data linkage.

We ensure that study withdrawals, or objections, are processed properly and contact details are suppressed effectively. All research involving personal data is scrutinised and approved by a research ethics committee and registered with UCL’s Data Protection Office. Further details are included on each of the study participant websites:

1958 National Child Development study
1970 British Cohort Study
Next Steps
Millennium Cohort Study (Child of the New Century)

Data protection principles

We process study participant data with the GDPR principles in mind:

Lawfulness, fairness and transparency
Purpose limitation (unless an exemption applies)
Data minimisation
Accuracy
Storage limitation (unless an exemption applies)
Integrity and confidentiality (security)
Accountability

Risk management

CLS completes Data Protection Impact Assessments (DPIAs) in line with UCL policy to ensure that data flows are recorded, individual rights are respected and controls are put in place to minimise any risks to study participants’ privacy. The CLS IG risk register is reviewed at each CLS IG Steering Group meeting, and risks are escalated to the UCL Senior Information Risk Owner (SIRO) as necessary.

Records management and records retention schedule

We only retain personal information when we have a lawful basis or reason for doing so. We keep records of original signed consent forms, any destruction of records and our data sharing and processing activities as well as individual rights requests.

Accountability

We have roles and governance structures in place to facilitate accountability and assurance for our processing activities including:

Information Asset Owner (IAO)
The CLS Managing Director and member of CLS Senior Leadership Team (SLT) and Chair of CLS Information Governance Steering Group (CLS IG SG) is IAO and is accountable to the UCL Senior Information Risk Owner (SIRO) for ensuring risks associated with processing personal data at CLS are properly managed. The IAO is assisted by other roles (including an Information Asset Administrator) across CLS who help ensure that participant data are processed according to relevant laws and standards.

CLS Data Access Committee (DAC)
Access to CLS research data is controlled by the DAC. Further information is available at DAC Terms of Reference; CLS Research Data Access webpage; CLS Research Data Access Framework.

CLS IG Steering Group (CLS IG SG)
CLS IG SG, which is chaired by CLS’s Managing Director and attended by representatives from across CLS, facilitates the IG agenda at the Centre and is accountable to the CLS Senior Leadership Team. Information rights requests, comments, compliments and complaints are reported in summary to the CLS IG SG.

Confidentiality and security

Technical and physical security arrangements are in place at CLS to prevent unauthorised access to study participants’ data. Our data breach guidelines ensure that any data breaches are identified to the CLS Information Governance and Data Protection Officer and reported to UCL ISG immediately, in line with UCL policy.