Frequently Asked Questions

When will my form to be registered by the Research Governance Office?

New submissions and modifications are generally considered within 3 working days from submission. However, sometimes clarification may be required following the changes that have been made and this will reset the clock. Busy periods may also cause delays to this 3 working day timeline. Applicants are advised to take this into consideration when timetabling changes.

How do I access the system?

KDPR uses the same credentials as your KCL email address, and the multifactor authentication process is the same. Press log in at the top of the screen and follow the given instructions. If you experience any issues logging in, please contact rgo@kcl.ac.uk

Do I need to register my project in KDPR?

On January 4th, 2021 the Research Ethics Management Application System (REMAS) was updated to incorporate the King’s Data Protection Register (KDPR) process. The merging of these two processes means that King’s researchers obtaining ethical clearance through REMAS can now complete their data protection registration within their ethical clearance requirements. For many researchers, registration of their project will now occur in REMAS, and additional registration in KDPR will no longer be required. However, KDPR remains functional and will is a requirement for researchers working with personal data that does not require ethical clearance to be sought through REMAS. Instances when KDPR registration is required: • Research that received ethical clearance through REMAS prior to January 2021 • Secondary data analysis of information that contains personal data (where ethical clearance was not required) • Research that in receipt of a favourable opinion from a HRA Research Ethics Committee (REC) • Research that was reviewed through an external, non-HRA REC such as the Ministry of Defence Research Ethics Committee (MoDREC) • Data set(s) that contain personal data that were created and or analysed at another institution and are now stored at King’s College London • Research registers – e.g. registers of individuals who have consented to be contacted for research More information on this can be found on the Research Governance webpages: https://internal.kcl.ac.uk/innovation/governance-ethics-integrity/research-governance-office/kdpr/kdpr-intro

What if I am conducting secondary data analysis on a pre-existing data set?

The GDPR does not make a distinction between primary data collection and secondary data analysis. If your data set is truly anonymous and has been completely stripped of all personal identifiers when you receive it, registration on KDPR does not need to be completed.

What if my project is not research?

If your project would be considered an audit or a service evaluation, this should still be registered in KDPR. If you are unsure if your project is a service evaluation or an audit, please see the Research Ethics Office's guidance on 'Is my project Research, Service Evaluation or Audit?': https://internal.kcl.ac.uk/innovation/governance-ethics-integrity/research-ethics/stored-documents/3applications/2briefing/research-or-service-evaluation-version-1-june-2016.pdf

My data is anonymous, do I need to complete a KDPR form?

The UK GDPR does not apply to data that is truly anonymous. For data to be considered anonymous under UK GDPR, it would have to be stripped of all possible personal identifiers (information that could identify an individual) as this would no longer be considered as personal data. It is important to ensure that researchers have correctly identified when a data set is truly anonymous. More information on this can be found on the Research Governance webpages: https://internal.kcl.ac.uk/innovation-old/research/Research-Governance/data-protection-law-and-research/Is-data-identifiable

Research conducted before May 2018

Any research projects which took place before May 2018, or where personal identifiable data is continuing to be stored after May 2018, must be registered within KDPR, and researchers must be compliant with UK GDPR and the Data Protection Act 2018 moving forward.

Why are the question numbers formatted as they are?

Some sections might not be available to you as filter questions within the form will have determined that you do not need these sections.

KDPR user guide

The KDPR user guide can be found at the following webpage address: https://internal.kcl.ac.uk/innovation/governance-ethics-integrity/research-governance-office/kdpr-user-guide-v.3-29-01-2021.pdf Please copy and paste the above URL into your web browser.

Am I a Data Controller or Data Processor?

A 'Data Controller' means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by UK law, the Controller or the specific criteria for its nomination may be provided for by UK law. I.e; the person (either alone or jointly or in common with other persons) who determines the purposes for which and the manner in which any personal data are, or are to be processed. In other words, this is someone who has come up with the idea for a research project, and has determined which personal data will be collected for this purpose. This may be an Undergraduate/ Postgraduate/ PhD student performing completing their research dissertation/thesis, the Principle Investigator of a research project, Chief Innvestigator of a clinical trial or external institution who has employed a KCL researcher as a Data Processor. *Please note that the Data Controller is the equivalent to the data custodian as detailed on the IRAS form.* Please note: It is the responsibility of the Data Controller to keep accurate and up-to-date records of all Data Processors who are authorised to process the data set for the duration of the research project. Only Data Processors who have express permission of the Data Controller may process the data. A 'Data Processor' means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the Controller. In other words, this is someone who is processing the data (e.g. collecting, analysing, storing the data) for the purposes defined by the Data Controller, e.g. a PhD student/ Research assistant who is performing research as part of a project defined by a Principle Investigator. If you are registering a data set which has been shared with you for use other than the original project for which it was collected, then you are a Data Controller for that data for the use in your project, therefore you should register as the Data Controller and not a Data Processor. If you are a Processor, the UK GDPR places specific legal obligations on you; for example, you are required to maintain records of personal data and processing activities. You will have legal liability if you are responsible for a breach. However, if you are a Controller, you are not relieved of your obligations where a processor is involved – the UK GDPR places further obligations on you to ensure your contracts with processors comply with the UK GDPR. You may find that you fit the category of both a Data Controller and a Data Processor. If this is the case, you should register as the Data Controller within KDPR. For further guidance on the roles of Data Controllers and Data Processors, please refer to ICO Guidance: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/key-definitions/controllers-and-processors/ If you need any further help ascertaining whether you are a Data Controller or a Data Processor, please contact the Research Governance Office.

I am registering a project on behalf of a Data Controller/ Data Processor - what do I do?

If you are a member of a research team registering a data set for a specific project for which the PI is the Data Controller, then you should select ‘I am registering on behalf of the Data Controller’. If you a registering a data set for which the Controller is from an external organisation and they still have full ownership for the dataset, then you should select ‘I am registering on behalf of the Data Controller’ and then register yourself as a Data Processor. Where this information is necessary, the option for ‘I am registering on behalf of the Data Processor’ will be available in KDPR.

Why is there an error when I try and send a signature request?

The system can only send emails to those who are registered users of the KDPR system, with a valid KCL email address. The signatory may need to log into KDPR for the first time using their KCL credentials before a signature request can be sent. For further advice, the Research Governance Office can be contacted at rgo@kcl.ac.uk

What happens after I have sent a signature request?

Once you have sent a signature request the signatory will receive a notification asking them to review your registration and sign. Once all the required signatures are received, your registration form will be automatically submitted. You will receive a notification to alert you when a signature has been received.

How do I submit a response to the amendments requested from the RGO?

To respond to any requested amendments, please resubmit an amended version of your registration, ensuring that you have addressed all the concerns raised by the Research Governance Office before resubmitting your amended registration.

Elements of my project have changed. Do I need to modify my KDPR registration or re-register my project?

Should there be any changes to the conduct of your study or your study timelines which will impact on how you collect, manage or otherwise use your data, then you must submit a modification request in KDPR, indicating what has changed. Modification requests will be required in instances such as (this is not an exhaustive list): Change of storage repository Change to data retention period Change of data controller if that person should leave the College Change to the nature of the identifiers in the data you collect Change of anticipated start date of data collection You will find the modification request form within the project you have created. You can access this by selected ‘Create sub-form’ in the left hand tiles on the screen and selecting ‘Modification Request Form.’ For detailed guidance on how to do this, please refer see the KDPR Modifications webpage, or alternatively instructions can be found within the KDPR User Guide: https://internal.kcl.ac.uk/innovation/governance-ethics-integrity/research-governance-office/kdpr-user-guide-v.3-29-01-2021.pdf

Why can’t I see the ‘Create a Sub-form’ button?

The KDPR system is updated from time to time, just like other software and apps. If this happens, users will need to click the yellow “Update form” banner at the top of the screen after log in.

My KDPR form is Locked for Review. How do I unlock this?

Once you have submitted your registration for review, your document will be locked. However, you can still make changes. In order to update your registration, you should click on the 'Create a Sub-form' Action on the left-hand side of the project homepage. Further details of how to update your registration can be found in the KDPR User Guide: https://internal.kcl.ac.uk/innovation/governance-ethics-integrity/research-governance-office/kdpr-user-guide-v.3-29-01-2021.pdf

How can I download a copy of my completed registration form for my records?

Please login to your account, and click on the project you wish to download. Projects will appear as green folders in your Work Area. Clicking on the relevant project will bring you the navigation page for the form. On the left hand side of the screen, there will be option to ‘Print’ under the ‘Actions’ drop down. This will open a PDF version of your registration in a new window, and you can then choose to either download the form or print a copy by clicking on the icons found on the top right hand corner of the PDF document.