Participant Privacy Notice
This Privacy Notice explains what information we collect about you, how we store this information, how long we retain it and who we may share your information with.
The NIHR BioResource for Translational Research also publishes a number of specific notices, including a shorter page on how we keep your information safe, and our research regulator's standard text on GDPR.
To read the official version of this Privacy Notice, please download the PDF document: this web version is provided for convenience, but has been derived from the official PDF document.
You can find out more about our Privacy Notice by following the links to these sections.
- Who are we?
- Why do we collect personal information about you?
- What is our legal basis for processing your personal information?
- What personal information do we need to collect about you and how do we obtain it?
- What do we do with your personal information and what we may do with your personal information
- Who do we share your personal information with and why?
- How we maintain your records?
- What are your rights?
- Who is the Data Protection Officer?
- How to contact the Information Commissioners Office?
The NIHR BioResource is a major project funded by the Department of Health and Social Care through the National Institute for Health Research. Funding is routed through the NIHR Cambridge Biomedical Research Centre (BRC), which is a long-term partnership between the Cambridge University Hospitals NHS Foundation Trust (CUH) and the University of Cambridge.
CUH oversees our handling of data and samples. It is one of the largest and most well-known hospitals in the UK and includes Addenbrooke's and the Rosie hospital. CUH offers general and specialist care with a proven reputation for its quality of care, information technology, clinical education and training and research.
CUH is registered with the Information Commissioner’s Office (ICO) to process personal and special categories of information under the Data Protection Act 2018 and its registration number is Z7637668.
The NIHR BioResource employs around 60 staff, all of whom have the authorisations to allow them to see confidential information, regardless whether they are employed directly by CUH, or by the University.
The NIHR BioResource exists to create and manage a large panel of participants who can be invited to take part in experimental medicine studies. Participants are recruited from patient groups (in early 2020, there were 4 common and 54 rare diseases represented), from blood donors, and from the general population. We have over 150,000 active participants currently, and the goal is to have an additional 160,000 fully consented participants in the panel by March 2022.
The experimental medicine studies we support are run by independent researchers, clinicians or industry partners, who require separate ethical approval before we approach participants on their behalf. Therefore, we sit between the researchers and the participants: we do not do the research, nor give clinical care, but instead broker study contributions and contacts.
In order to do that, we need to know who you are.
This personal information can be held in a variety of formats, including electronic information in our secure databases, in other computer systems, in video and audio files and in paper format.
Any personal information we hold about you is processed under Articles 6(1)(e) and 9(2)(j) of the Data Protection Act 2018, namely that we are processing data for “scientific or historical research purposes” and that this is “necessary for the performance of a task carried out in the public interest”.
The public interest test is managed by an independent NHS Health Research Authority (HRA) Research Ethics Committee. Our approved studies are recorded by the HRA under NIHR BioResource and NIHR Bioresource - Rare Diseases.
For further information on ethical approvals, see the HRA's webpage.
For further information on Data Protection legislation please visit: http://www.legislation.gov.uk/.
Personal information about you is collected in a number of ways. This is mostly directly from you or your authorised representative when consenting to join the NIHR BioResource, but may also be from your clinical team if you have been recruited to one of the disease groups in the BioResource.
We will likely hold the following basic personal information about you:
- your name, including your preferred name or maiden name
- address (including correspondence)
- telephone numbers including your mobile number
- date of birth
- your GP details, etc.
- your email address.
Your records are also identified by an NHS number, which can be used across the NHS to link patient details.
In addition to the above, we will hold genetic data derived from your DNA, and may hold sensitive personal information such as ethnic origin (as declared by you) and information from your healthcare records, which could include:
- Notes and reports about your health, treatment and care, including:
- your medical conditions
- results of investigations, such as x-rays and laboratory tests
- other personal information such as smoking status and any learning disabilities.
It is important for us to have this information, as this will assist staff with inviting the correct participants to each experimental medicine study according to the study inclusion/exclusion criteria.
What do we do with your personal information?
Our main use of your personal data is to contact you to invite you to participate in experimental medicine studies. However, for example, we also use your NHS number to request additional data from the NHS and other medical agencies that already hold it in central records: this is why we ask for your consent to access your medical and health related records.
Your identifiable personal information (e.g. name, date of birth, NHS number, contact details) will only be passed to others with your explicit consent, for example to invite you to further research studies..
What we may do with your personal information
The personal information we collect about you may also be used to:
- invite or remind you about your appointments in relation to the BioResource and research studies, and send you relevant correspondence
- prepare statistics on our performance
- report and investigate any complaints, claims and untoward incidents
- report events to the appropriate authorities when we are required to do so by law
- contact you for feedback on your experiences as a participant in BioResource studies.
The BioResource would also like to inform you of our activities, and how your data and samples have contributed to medical research, and may send you correspondence from time to time that you may find of interest.
Where possible, we will always look to de-identify your personal information so as to protect participant confidentiality, unless there is a legal basis that permits us to use it and we will only use/ share the minimum information necessary.
Personal information you provide to the NIHR BioResource in confidence will only be used for the purposes explained to you and to which you have consented. However, there may be exceptional circumstances as listed below, where we may be obliged to share data with other official bodies.
- There are occasions where the BioResource is required by law to share information provided to us with other bodies responsible for auditing or administering public funds, in order to prevent and detect fraud.
- There may also be situations where we are under a duty to share your information, due to a legal requirement. This includes, but is not limited to, disclosure under a court order, sharing with the Health & Safety Executive if you are involved in a reportable accident whilst taking part in one of our studies the police for the prevention or detection of crime or where there is an overriding public interest to prevent abuse or serious harm to others and other public bodies (e.g. HMRC for the misuse of public funds in order to prevent and detect fraud).
The BioResource is required to protect your personal information, inform you of how your personal information will be used, and allow you to decide if and how your personal information can be shared.
UK National Research Ethics Committees can allow health researchers to use clinical information (with identifiable personal information removed) for medical research where this does not require any additional contact with participants. All such cases of approved research on de-identified samples or data from BioResource participants will be listed on our website. If your identifiable personal information (the information that identifies you) is to be used in research you will be asked for your consent, and separate approval from a Research Ethics Committee will be sought.
Your personal information is held in both paper and electronic forms. The NIHR BioResource will hold data for 10 years beyond the end of our funding, which currently runs until March 2022.
We hold and process your information in accordance with the Data Protection Act 2018 as amended by the General Data Protection Regulation (GDPR) 2016, as explained above. In addition, everyone working for the BioResource must comply with the Common Law Duty of Confidentiality and take appropriate training in data protection and cyber security.
We have a duty to:
- maintain full and accurate records;
- keep records about you confidential and secure;
- provide information in a format that is accessible to you.
The following staff groups at the BioResource may have access to the personal information we hold about you:
- study coordinators
- research nurses
- IT staff who support these staff members
- medical legal staff
- senior management team.
Use of Email - Some services in the BioResource provide the option to communicate with participants via email. This could include invitations to research studies or BioResource-related events, as well as emailing BioResource newsletters. Please be aware that we cannot guarantee the security of this information whilst in transit, and by accepting this service you are accepting this risk.
If we need to use your personal information for any reasons beyond those stated above, we will discuss this with you and ask for your explicit consent. The Data Protection Act 2018 gives you certain rights, including the right to:
- Request access to the data we hold about you. This is described below.
- Request the correction of inaccurate or incomplete information recorded in our records. This is also explained on our website.
- Refuse/withdraw consent to the sharing of your records, or to the BioResource as a whole. The process is explained on the Leave us page of our website
- Request that we delete your personal data, subject to certain safeguards. This is also explained further on our website.
If you wish to discuss how we handle your personal data, you can contact us:
Telephone 0800 090 22 33
To request a copy of the data we hold on you, please email us as above, or write to:
F49, Department of Haematology
University of Cambridge & NHS Blood and Transplant
We will confirm receipt of your request as soon as possible. We have a lot of data, and may need to ask you whether you can narrow down your request. However, the data we hold should be with you within 30 days.
If you wish to raise a complaint on how we have handled your personal data, you can raise this with us, as above, or you can contact the Trust’s Data Protection Officer who will investigate the matter.
The Data Protection Officer is the Information Governance Lead at Cambridge University Hospitals NHS Foundation Trust:
Information governance lead/Data Protection Officer
Cambridge University Hospitals NHS Foundation Trust
Or email firstname.lastname@example.org
The Information Commissioner’s Office (ICO) is the body that regulates CUH under Data Protection and Freedom of Information legislation. https://ico.org.uk/ . If you are not satisfied with the response from CUH’s Data Protection Office or believe we are processing your personal data not in accordance with the law you can complain to the ICO at:
Information Commissioner's Office
Tel: 0303 123 1113 (local rate) or 01625 545 745 if you prefer to use a national rate number Fax: 01625 524 510
This version, v1.5.2, 10th February 2020
You might want to read these pages in this section:
Our GDPR notice;
Our Confidentiality Notice: How we keep your information safe;