
The new General Data Protection Regulation (GDPR) came into force on Friday 25 May 2018.

These regulations will apply to you and your work

If you access, use, or store personal information about living people (GDPR calls this ‘processing personal information’), you will need to understand the GDPR and how to comply with it.

If any staff you line manage (or students you teach) process this kind of data, you will all need to understand the GDPR. The regulations will also apply to mailing lists that you use to send information about College activities to individuals.

What do you mean by personal data?

  • Information about or relating to a living person
  • Identifiable (on its own or in combination with other information)
  • Please see FoM GDPR definitions for more information.


Examples of data categories

Research data

  • Clinical observation cohorts
  • Population cohorts for epidemiology studies
  • Tissue donors
  • Clinical trial datasets
  • Consent to participate in research (either electronic or hard copy)
  • Participants’ personal details used for reimbursement
  • Questionnaires, surveys and tests

Admin or HR data

  • CVs of job applicants (could be held on laptops, PCs, emails, shared drives, paper copies, etc.)
  • Information about staff performance, reviews, disciplinary hearings
  • Finance FTE reports
  • Expense forms

Student data

  • Names and contact details used for course marketing purposes
  • Students' data that could be used to help with their welfare or occupational health (e.g. GP letters)
  • Students' data used for examination assessment
  • Supervisory reviews of students' activities
  • Student CVs

Patient data (non-research)

  • Emails, patient notes, records regarding Trust clinical activities
  • Data stored about Trust patients on your Imperial machine (PC, iPad, laptop, Mac)
  • Remember that processing of data for patient management purposes is not permitted on the College network and equipment


Key questions around GDPR

What is the Faculty of Medicine doing about GDPR?


A FoM GDPR working group, chaired by Professor Richard Reynolds, has been established to create an implementation action plan for the Faculty. The group is working closely with College legal services and ICT to align the College policies and the Faculty’s practical guidance.

View a timeline of priority actions that the Faculty is working on - FoM GDPR timeline of activities (pdf)

What can I do now?


Who can help me if I have questions?


The Faculty is working on a Faculty Code of Practice, which will detail roles and responsibilities within FoM. 

In the interim, for any questions around GDPR in the Faculty, please contact fom.gdpr@imperial.ac.uk.