In May 2018 a new General Data Protection Regulation (GDPR) came into force which is designed to give you more control over how we will use your data. Ensuring that personal data are collected, stored, used and shared securely is an essential part of good research practice. GDPR also defines specific roles with duties and responsibilities to protect the rights of subjects whose data are collected. The two most important roles are: the Data Controller and the Data Custodian.
The SABRE Study is part of University College London (UCL). For the purposes of data protection law, UCL is the entity that determines how and why your personal data is processed and so is the Data Controller. The Director of the SABRE Study is responsible for overseeing the way in which the study team looks after your data on a day-to-day basis and acts as the Data Custodian.
Our commitment to you
- We will ensure that your personal data are processed lawfully, fairly, transparently, and for a specific purpose.
- We are interested in long term changes to health. If you gave us permission to link to your health records, we will continue to collect new data from NHS Digital (and other regulatory authorities) on your health until the end of 2024. As we wish to understand how health changes over time, we will also use and keep your pseudonymised data until the funding runs out or the study ends. However, identifiable information about you from this study will be deleted in 2049 in line with UCL guidance. Future follow-up would be subject to the necessary regulatory and ethical approvals.
- We do not conduct research with the aim of commercial gain – all our research aims to benefit society and is not for profit.
- Taking part in our studies is voluntary and you are free to withdraw at any time without giving a reason.
- Confidentiality is very important to us. Internal and external researchers do not see your name or any other personally identifiable information; they only see an ID number. Before having access to your data they also sign confidentiality agreements and, as a precondition, they must complete annual data training.
Personal data that we collect about you
Personal data, or personal information, means any information about an individual from which that person can be identified, such as your name, date of birth and contact details (address, phone number, email address). We also hold ‘special category’ data about you, which may include details about your ethnicity, religious or philosophical beliefs and information about your health.
We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:
- To manage our relationship with you
- To help you with enquiries. Depending on the circumstances, this may include special category personal data.
- To invite you to take part in data collections (home visit, clinic visit or for postal questionnaires).
- To collect data from you (online questionnaires, postal questionnaires, home visits).
Your personal data will be collected and processed primarily by our staff. Access to your personal information is limited to staff who have a legitimate need to see it for the purpose of carrying out their job within the SABRE study.
We may have to share your personal data with third parties for the purposes of:
- Data processing – Abacus Data and Mailing Ltd have been contacted to create digital versions of consent forms, letters or address labels
- Linking to your health records – NHS Digital, National Records of Scotland, and NHS Wales Informatics Service (NWIS) provide access to your health records.
- Linking to geographical data – Addresses will be provided to the University of Leicester in order to link them to a precise location and then map information about that place (such as air pollution, noise data, services and the amount of greenspace around the property).
- Sending out mail – Abacus Data and Mailing Ltd have been contracted to send out letters and questionnaires.
- Data collection – Between major surveys, we may carry out short online surveys using Qualtrics, an online survey platform. Qualtrics is accredited to data security standards and is compliant with data protection legislation.
We will only share your personal details with these third parties under strict conditions set out in a legally binding data processing contract. This offers assurances about the use, access and security of any personal data provided to the third party and prevents them passing on or selling your personal data. We also use Royal Mail for posting questionnaires, sending invitations to take part in other face-to-face data collections (e.g. home visits, clinics or focus groups) and other correspondence associated with keeping in touch with you.
How we use your research data
We will only ever collect your data with permission, for example by asking you to attend a clinic or complete a questionnaire. Once we have collected it, it will be processed for research use: all personal information (name, address, date of birth, etc.) is removed and the data will be stored securely and confidentially using a unique ID. We will then provide this information to researchers on request and only under strict conditions. We will also place research data onto secure data platforms (such as UK LLC) but only researchers who have approval by the SABRE data sharing committee will be given access.
Some research projects will require access to some of the sensitive information that has been collected with your consent:
- Mortality, cancers and rare diseases – Subject to data sharing approval, researchers may be allowed to use grouped or ‘aggregated’ data, which minimises the risk of re-identification. Data can only be accessed at the SABRE offices.
- Location – We use addresses and postcodes to produce new information about your location (geographic data). Any potentially identifiable geographic data is only made available at the SABRE offices.
Participants may withdraw from the study and, if you do so, you may decide to allow us to keep information which we already hold about you or you may ask us to remove identifiable data or samples held for long-term storage. To safeguard your rights, we will use the minimum personally identifiable information possible.
Lawful basis for Processing
Data protection legislation requires us to have a valid legal reason to process and use personal data about you. This is often called a ‘legal basis’. GDPR requires us to be explicit with you about the legal basis upon which we rely in order to process information about you.
In the context of research, the lawful basis upon which we will process your personal information is usually where “Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller” (Article 6 of GDPR).
Where we also collect and use sensitive personal information (special category personal data) we only do so where “the processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes… which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject” (Article 9 of GDPR).
Under data protection legislation you have individual rights in relation to the personal information we hold about you. For the purposes of research where such individual rights would seriously impair research outcomes, such rights are limited. However, under certain circumstances, these include the right to:
- access your personal information
- correct any inaccurate information
- erase any personal information
- restrict or object to our processing of your information
- move your information (portability)
If it is considered necessary to refuse to comply with any of your individual rights, you will be informed of the decision within one month and you also have the right to complain about our decision to the Information Commissioner.
Queries or complaints
The SABRE study aims to meet the highest standards when collecting and using personally identifiable information. We encourage people to tell us if they think that our collection or use of information is unfair, misleading or inappropriate. We would also welcome any suggestions for improving the way we handle your personal details.
If you have any questions about how your personal information is used, or wish to exercise any of your rights, please get in contact with us. You can also contact the University’s Data Protection Officer by telephoning: 020 7679 2000 or by writing to: University College London, Gower Street, London WC1E 6BT or by email: email@example.com.
When was this notice updated?
We keep this Privacy Notice under regular review. It was last updated on 12th May 2022.