Data protection

The General Data Protection Regulation (GDPR) is a new data protection law which comes into force on the 25 May 2018. The LSHTM will be updating this page and its data protection policy during the coming months to outline our compliance with this legislation.

This guide gives you an introduction to Data Protection and information on how to make a request for personal information relating to yourself or for someone that you are acting on behalf of.

For our updated position on data protection, please refer to our data protection policy (pdf).

For information management and security, including how to secure personal data appropriately, please refer to our information management and security policy page.

What is Data Protection?

The new law is contained in the GDPR and is expected to be transposed into UK law by a new Data Protection Act in the summer of 2018. The new law updates and supersedes the Data Protection Act 1998, and comes into force on 25 May 2018. It clarifies and in some areas strengthens individuals’ fundamental rights and freedoms, notably privacy rights, in respect of personal data processing.  In most cases, it will not take significantly greater effort to comply with the new law than the Data Protection Act 1998.

The new law continues to apply to paper and electronic records held in structured filing systems containing personal data. “Personal data” means data which could identify a living individual either on its own, or combined with information that the data owner could obtain, if motivated to do so. This includes any expression of opinion about an individual and intentions towards an individual. It also applies to personal data held visually in photographs or video clips (including CCTV) or as sound recordings. The School collects a large amount of personal data every year including: staff and student records, names and addresses of those requesting prospectuses, examination marks, references, fee collection as well as the many different types of research data used by the School.

The range of rights that data subject have over their data is expressly expanded by the new law and now includes:

  • The right to be informed about the collection and use of their personal data;
  • The right of access to their data;
  • The right to rectification of inaccurate or incomplete data;
  • The right to erasure;
  • The right to restrict processing;
  • The right to data portability;
  • The right to object to processing; and
  • Rights in relation to automated decision making and profiling.

To request to exercise these rights, please see our page on data subject rights.  Please note that some of these rights do not apply to the LSHTM’s operations, and that in some circumstances data controllers may refuse a data subject’s request exercise some of these rights.

What data is involved, and how is it used?

For more information about the data we collect, and how we use it, please see the School’s published Privacy Notices.


  • Personal data are data relating to a living individual who can be identified from that information or from that data and other information in the possession of the data controller or which are likely to come into his or her possession.
  • Data subject is a living individual who is subject of personal data.
  • Data subject access is the right of an individual to access personal data relating to im or her which is held by a data controller.
  • Data controller is a person who makes decisions with regard to particular personal data, including decisions about the purposes for which the personal data are processed and the way in which the personal data are processed.
  • Data processor is a person who processes the data on behalf of the data controller.
  • Processing of personal data means anything at all done to the data including collection, holding, organising, consulting, disclosure, and destruction.

How do I exercise my data subject rights?

Please see our page on data subject rights.

Data Protection Impact Assessments

LSHTM conducts Data Protection Impact Assessments (DPIAs) on major projects and new data processing activities which are likely to result in a high risk to individuals’ rights and freedoms. LSHTM is developing a number of institution-level DPIAs for routine activities, including research activities. Where new research studies involve non-routine activities, and/or they pose a high risk, they are identified as part of LSHTM’s ethics approval process and a DPIA will be conducted if necessary. Research activities underway prior to 25 May 2018 are not currently subject to this process.