What does this statement cover?

This statement explains how King’s College London collects, uses and protects your personal data when you take part in research. We handle your information in line with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

What is personal data?

Personal data is any information that can identify you directly (such as your name) or indirectly when combined with other information (for example, your street address and your occupation could be linked together to identify you).  

Why does King’s use personal data for research?

As a university, King’s uses personal data for research in the public interest. Personal data may come directly from you (e.g. interviews, surveys) or from secondary sources (e.g. health records or public datasets). King’s uses this information to: 

• Carry out ethical research 
• Analyse and share findings
• Check research is conducted properly 
• Advance knowledge for public benefit

King’s may take on different roles in research projects when it comes to personal data. In studies we lead as the research Sponsor, King’s acts as the data controller, meaning we decide how and why personal data is used. In studies led by external organisations, we may act as a data processor, handling data on their behalf. In some cases, we share responsibility as joint data controllers, working together with partners to decide how data is used.

Who is responsible for my data?

King’s College London has a responsibility to keep information we collect, share or process about you safe and secure, and to handle your information fairly. Research teams will only collect and use information needed to conduct the research. Information will be shared confidentially and on a “need to know” basis. Where possible, your data is coded so your identity is protected.Your data is held in the most appropriate and secure way, taking into account any specific needs related to the research.  This may include storage of data with third-party storage providers, where they are assessed as the best data storage option.  These providers must follow strict confidentiality and data protection rules.

What is the legal basis for the processing of my data?

King’s uses personal data for research under UK data protection law based on the legal basis of public task — meaning the research is carried out in the public interest. If the research involves sensitive information, such as health or ethnicity, we also meet specific legal conditions that allow this data to be used for research purposes.

In nearly all cases, we will also seek your informed consent for the use of your personal data in research as an ethical standard, unless the data is publicly available and lawfully processed, or you have previously provided consent for future research use. This ensures you understand how your data will be used and have the opportunity to agree before taking part.

What are my legal rights as a research participant?

You have the right to know:

• What personal data we collect from you and how we protect it 
• How long we will keep your personal data for and who it may be shared with 

Under UK data protection law, you have rights over your personal data — including accessing it, requesting corrections or deletion, and objecting to how it is used. In some cases, these rights may be limited by law, for example, if deleting data would affect the integrity of the research or conflict with legal or funding requirements. Where limits apply, we’ll explain them clearly.

How long will my research data be kept?

Research data is stored for minimum periods set out in the King’s Retention Schedule. The specific timeframe depends on the type of research and will be provided in your study information sheet. Personal data is only kept for as long as necessary for its intended purpose, or where future use has been agreed.

What if my information is shared outside of the UK?

King’s College London leads and participates in global research. Global research may require transferring personal data outside of the UK. This only happens where appropriate legal safeguards are in place (e.g. data agreements.) You will be told about this during the consent process where relevant.

What about pseudonymised and anonymised data?

It is common practice in research for datasets to be pseudonymised. Pseudonymisation is where direct identifiers such as your name, full postcode or IP address are replaced by a pseudonym or code, to protect your identity. Pseudonymised data is personal data under UK data protection law, as the research dataset remains indirectly identifiable, for example, via a pseudonym break code held separately. Pseudonymised data differs from anonymised information. Where information is anonymised, all identifiers are removed, and the information cannot be linked back to you. Anonymised information falls outside UK data protection law but is still handled securely.

What If I have concerns about how my data is being handled?

For more information on how we handle your data and how to contact our Data Protection Officer, please see the King’s College London Core Privacy Notice. If you are unhappy with our response, you can contact the UK Information Commissioner’s Office (ICO).