NIHR Leicester Biomedical Research Centre (BRC) Privacy statement
Who are we?
The NIHR Leicester BRC is part of the NIHR and hosted by the University Hospitals of Leicester NHS Trust in partnership with the University of Leicester, Loughborough University and the University Hospitals of Northamptonshire NHS Group. Its remit is to enable pioneering research into medical advancements.
Contact details:
Dr Aarti Parmar – BRC Manager
aarti.parmar@uhl-tr.nhs.uk 0116 258 8128
NIHR Leicester Biomedical Research Centre
Leicester General Hospital
Gwendolen Road
Leicester
LE5 4PW
The Name & Contact details of our Data Protection Officer:
University Hospitals of Leicester Data Protection Officer (DPO):
Mr Saiful Choudhury – Head of Privacy
saiful.choudhury@uhl-tr.nhs.uk 0116 258 6053
Why are we processing your data?
We will use participant’s data to research the causes of disease, identify biomarkers and find better treatments to improve patient outcomes. Our aims are to:
- Drive innovation in the prevention, diagnosis and treatment of ill-health
- Translate advances in biomedical research into benefits for patients
The source of the personal data
We may collect your data from many sources which may include:
- Research questionnaires or surveys
- Hospital & GP based medical records
- NHS National datasets
The data we collect will be dependent on the study. Please refer to the study specific information held on the NIHR Leicester BRC website – https://www.leicesterbrc.nihr.ac.uk/
What will we do with the information we gather?
- Research and statistical analysis using anonymised data.
- Sharing information – including personal identifiers – with authorised external services that collect and collate further information on research outputs.
- Some of the data we will gather will help to identify suitable candidates for invitation to our studies.
What is the lawful basis for the processing?
For processing to be lawful under the General Data Protection Regulation (GDPR) we need to identify a legal basis before we can process personal data. This is often referred to as the ‘lawful basis for processing’. The identified legal basis for the NIHR Leicester BRC to process healthcare data is:
‘6(1)(e) – Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.’
The type of personal data we process for research is ‘special category data’ as defined by GDPR. The identified legal basis for the NIHR Leicester BRC to process this data is:
‘9(2)(j) processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject’.
What categories of the personal data may be obtained?
The actual data collected will depend on the specific study. Each study will only collect enough information to answer the research question and may include any of the following:
- Demographic detail eg. Name, Address, Date of birth, Sex
- Personal contact details, eg. Telephone number(s), Email
- Identifiers eg. NHS number and hospital number
- Family, social and lifestyle factors
- Race, Ethnicity or Religious Belief
- Health and Medical History including interventions, medication and diagnoses
- Medical Records eg. Clinical Images, test results etc.
- Genetic and Biomedical samples
Who will have access to my data?
Access to identifiable data (e.g. names, addresses etc.) will be limited to selected members of the research team and to regulatory authorities, the host organisation (where you take part in the study), the Sponsor (who is legally responsible for the study) for auditing and monitoring purposes.
Access to data may also extend to the contracted third parties as listed above to provide study related activities.
Who will we share your data with?
NIHR Leicester BRC may communicate your information to third parties who are authorised and contracted to provide services. Any such third parties musthandle your information in compliance with this privacy policy and GDPR Regulations. The security and integrity of NIHR Leicester BRC systems are of paramount importance to us. Where systems have the potential to transfer data outside of the European Economic Area, the NIHR Leicester BRC ensures that any such transfers are covered by relevant supplementary controls in line with advice from the Information Commissioner’s Office. All information about you will be handled in confidence unless you disclose that you, or someone else, is in immediate danger of serious harm.
Data may be shared with but not limited to:
- Contracted third parties
- National and international collaborators
What are the security arrangements for my data?
All data which is used for the purpose of your participation in the research is held securely on NHS or university network servers. Wherever possible your data will be anonymised. Identifiable data will only be stored and used for the purpose of contacting you or your GP for clinically significant findings. Research study specific data handling arrangements can be found on the following the NIHR Leicester BRC website – https://www.leicesterbrc.nihr.ac.uk/
How long will we keep your data?
We will keep your data for varying amounts of time depending on nature of research and UK regulatory requirements.
- We only store data that is necessary for the specific purpose of the research.
- We will not store your data for longer than is necessary for the purpose for which it was collected, unless we are legally obligated to do so by contract or other legal requirement as a public body.
- Your data will be securely deleted when no longer needed for the purpose(s) for which it was collected and/or the NIHR Leicester BRC are no longer obligated to keep it.
What are your rights as a participant?
Under GPDR you have the following rights as a participant for research data related activities:
- You have the right to request erasure and restriction of processing of your personal data held by the NIHR Leicester BRC.
- You have the right to object to processing.
- You have the right to object to processing for direct marketing. For the purpose of research this may include invitations to studies, newsletters and participant and public involvement (PPI) activities.
- You also have the right to object to profiling taking place to support those activities.
- You have the right to lodge a complaint with the Information Commissioner’s Office, if you think there is a problem with the way we are handling your personal identifiable information.
Your rights are not absolute. If we are not able to meet your request, we will explain the reason. Restrictions to these rights may apply due to the nature of the research you are participating in.
If you believe that any information we are holding on you is incorrect or incomplete, please write to or email us as soon as possible, at the above address. We will promptly correct any information found to be incorrect.
Your right to withdraw consent.
- You have the right to withdraw from a study at any time without your healthcare being affected. The process of withdrawal will be dependent on the nature of the study you have consented to.
- You can also be withdraw consent to be contacted for further research.
- Your contact preferences will be recorded accordingly.
Your right to lodge a complaint with a supervisory authority.
You have the right to lodge a complaint with the Information Commissioner’s Office, if you think there is a problem with the way we are handling your personal identifiable information
Changes to this Statement
From time to time this policy may require changes, we reserve the right to change this Privacy Policy to ensure that it remains compliant with legislation and regulations. If we change it, we will post the new one on our web page. If we make any material change to this Privacy Policy, we will notify you by prominently posting notice of the changes on our Website. Any material changes to this Privacy Policy will be effective upon thirty (30) calendar days following our posting of notice of the changes on our Website. These changes will be effective immediately for new users of our Service.
Date 03/03/2023
Version: v4.0