Privacy Notice

This Privacy Notice explains what information we collect about you, how we store this information, how long we retain it and who we may share your information with.

The NIHR BioResource for Translational Research also publishes a number of specific notices, including a shorter page on how we keep your information safe, and our research regulator's standard text on GDPR.

To read the official version of this Privacy Notice, please download the PDF document: this web version is provided for convenience, but has been derived from the official PDF document.

You can find out more about our Privacy Notice by following the links to these sections.

Who are we?

The NIHR BioResource is a major project which is funded by the Department of Health and Social Care through the National Institute for Health and Care Research. Funding is routed through the NIHR Cambridge Biomedical Research Centre (BRC) which is a long-term partnership between the Cambridge University Hospitals NHS Foundation Trust (CUH) and the University of Cambridge.

CUH oversees our handling of data and samples. It is one of the largest and most well-known teaching hospitals in the UK.

CUH is registered with the Information Commissioner’s Office (ICO) to process personal data and special categories of information under the Data Protection Act 2018 and its registration number is Z7637668.

The NIHR BioResource employs around 90 staff, all of whom have the authorisations to allow them to see confidential information, regardless whether they are employed directly by CUH, or by the University of Cambridge.

Why do we collect personal information about you?

The NIHR BioResource manages a large panel of participants who can be invited to take part in research related to health, on the basis of the data we hold about them. Studies often require participants to be in a particular age range, or living near a particular hospital, or living with a particular condition. In each case, we search the databases for likely candidates, then our team of experts carefully check known preferences and availability before sending out invitations. Participants always have a right to decline these invitations, and have a right to see, correct or delete data we hold about them, as described below.

Participants are recruited from patient groups, from blood donor centres, in hospital clinics and from the general population, including via schools.

The studies we support are run by independent academic researchers, clinicians or industry partners.  If a study requires that we contact participants – for an additional sample, or to complete an online survey – separate ethical review is required before we approach participants on behalf of the researchers.  If a study can be performed without re-contact – for example, a new analysis of an existing sample, or research using existing data that has been de-personalised – we can report it to the ethics committee as part of our annual progress report. In either case, we sit between the researchers and the participants: we do not do the research, nor give clinical care, but instead broker study contributions and contacts.

A list of approved studies is available online, identifying for each study the lead researcher, the institution for which they work, a title and (for more recent studies) a plain language summary.

For the re-contact part of the BioResource to work, we need to know who you are.

Personal information can be held in a variety of formats, including electronically, in our secure databases, in other computer systems, in video and audio files and in paper format.

What personal information do we need to collect about you and how do we obtain it?

Personal information about you is collected in a number of ways. This is mostly directly from you or your authorised representative when consenting to join the NIHR BioResource, but may also be from your clinical team if you have been recruited to one of the patient groups in the BioResource.

We will likely hold the following basic personal information about you:

  • your name, including your preferred name or maiden name
  • address (including any correspondence with you)
  • telephone numbers including your mobile number
  • date of birth
  • your GP details
  • your email address

We also hold your NHS number, which can be used across the NHS to link patient details.

  • In addition to the above, we may hold genetic data derived from your sample/DNA, and may also hold sensitive personal information such as ethnic origin (as declared by you) and information from your healthcare records, which could include:
  • Notes and reports about your health, treatment and care, including:
    • your medical conditions and other information such as smoking status
    • results of investigations, such as x-rays and laboratory tests
    • other personal information such as any learning disabilities

It is important for us to have a complete picture of you as this will assist staff to invite the correct participants to each study according to the specific inclusion/exclusion criteria.

What is our legal basis for processing your personal information?

Any personal information we hold about you is processed under Articles 6(1)(e) and 9(2)(j)  of the Data Protection Act 2018, namely that we are processing data for “scientific or historical research purposes” and that this is “necessary for the performance of a task carried out in the public interest”

The public interest test is managed by an independent NHS Health Research Authority Research Ethics Committee. Our approved studies are recorded at and

For further information on Data Protection legislation please visit:


What we do with your personal information and what we may do with your personal information

What do we do with your personal information?

Our main use of your personal data is to contact you to invite you to participate in studies. However, we also use your NHS number and other personal details to request additional data from the NHS and other medical agencies that already hold it in central records: this is why we ask for your consent to access your medical and health-related records, including social care.

Your identifiable personal information (e.g. name, date of birth, NHS number, contact details) will only be passed to others, for instance to invite you to further research studies, with your explicit consent.

What we may do with your personal information

The personal information we collect about you may also be used to:

  • remind you about your appointments in relation to the BioResource and research studies, and send you relevant correspondence
  • prepare statistics on our performance
  • report and investigate any complaints, claims and untoward incidents
  • report events to the appropriate authorities, e.g. when we are required to do so by law
  • contact you for feedback on your experiences as a participant in BioResource studies
  • create a profile for you on the BioResource Portal to give you the opportunity to activate your account.

The BioResource would also like to inform you of our activities, and how your de-personalised data and samples have contributed to medical research, and may send you correspondence from time to time that you may find of interest. You may opt-out of this type of correspondence if you wish.

Where possible, we will always look to de-personalise your personal information to protect confidentiality.

Who do we share your personal information with and why?

Personal information you provide to the NIHR BioResource in confidence will only be used for the purposes explained to you and to which you have consented. However, there may be exceptional circumstances as listed below, where we may be obliged to share data with other official bodies.

  • There are occasions where the BioResource is required by law to share information provided to us with other bodies responsible for auditing or administering public funds, e.g. in order to prevent and detect fraud.
  • There may also be situations where we are under a duty to share your information, due to a legal requirement. This includes, but is not limited to, disclosure under a court order, sharing with the Health & Safety Executive if you are involved in a reportable accident whilst taking part in one of our studies, the police for the prevention or detection of crime or where there is an overriding public interest to prevent abuse or serious harm to others and other public bodies (e.g. HMRC for the misuse of public funds).

The BioResource is required to protect your personal information, inform you of how your personal information will be used, and allow you to decide if and how your personal information can be shared.

UK National Research Ethics Committees can allow health researchers, including from universities, the NHS or companies to use clinical information including samples, images or data (with identifiable personal information removed) for medical research where this does not require any additional contact with participants. All such cases of approved research on de-personalised samples or data from BioResource participants is listed on our website. Annual checks are performed to confirm whether continued data retention is required. If your identifiable personal information (the information that identifies you) is to be used in research you will be asked for your consent, and separate review by a Research Ethics Committee will be sought.

Your name and contact details may be shared with a limited number of staff at Sano Genetics, when needed, for resolving technical issues with the BioResource Portal. Sano Genetics will not have access to your genetic information. Sano Genetics is the technology company managing the BioResource Portal under contract to the BioResource. See BioResource Portal section for further details.

BioResource Portal

The BioResource Portal allows volunteers to view their data on our database. Using the BioResource Portal is completely optional. Your role as a BioResource volunteer will not be affected if you do not wish to use the BioResource Portal.

The BioResource Portal is designed and built with security as its guiding principle and benchmarked to standards set by the Government's National Cyber Security Centre. The BioResource Portal has been tested by an external security company to check for weaknesses and confirm the strength of the BioResource Portal against unauthorised access, a process known as penetration testing. The NIHR BioResource is compliant with the NHS Data Security and Protection Toolkit , which is how organisations handling NHS patient data are judged competent to hold such data.

Sano Genetics will administer the BioResource Portal, and the data within it, under the management and oversight of the BioResource. Sano Genetics is a Cambridge-based technology company who run their own platform to engage participants in precision medicine research. The BioResource Portal is wholly owned by NIHR BioResource.

Sano Genetics cannot access personal data from participants within the Bioresource Portal as standard. Temporary access to personal data is only granted to Sano Genetics by Bioresource under a strict set of circumstances to investigate outages and other issues affecting the service of the BioResource Portal.

If you would prefer not to use the BioResource Portal or be contacted about it again, or if you have any questions, then please contact our support team on or call us on 0800 090 2233.

You can change your mind about using the BioResource Portal at any time.

How do we maintain our records about you?

Your personal information is held in both paper and electronic forms. The NIHR BioResource will hold data for 10 years beyond the end of our funding, which currently runs until November 2024, subject to renewal.

We hold and process your information in accordance with the Data Protection Act 2018 as amended by the General Data Protection Regulation (GDPR) 2016, as explained above. In addition, everyone working for the BioResource must comply with the Common Law Duty of Confidentiality and take appropriate training in data protection and cyber security.

We have a duty to:

  • maintain full and accurate records
  • keep records about you confidential and secure
  • provide information in a format that is accessible to you

The following staff groups at the BioResource may have access to the personal information we hold about you:

  • study coordinators
  • research nurses
  • IT staff who support these staff members
  • medical legal staff
  • senior management team

Use of Email - Some services in the BioResource provide the option to communicate with participants via email.  This could include invitations to research studies or BioResource-related events, as well as emailing BioResource newsletters. Please be aware that we cannot guarantee the security of this information whilst in transit, and by accepting this service you are accepting this risk.

What are your rights?

If we need to use your personal information for any reasons beyond those stated above, we will discuss this with you and ask for your explicit consent. The Data Protection Act 2018 gives you certain rights, including the right to:

  • Request access to the data we hold about you. This is described below.
  • Request the correction of inaccurate or incomplete information recorded in our records. This is also explained on our website.
  • Refuse/withdraw consent to the sharing of your records, or to the BioResource as a whole. The process is explained on the “Leave Us” page of our website:
    • Please note that the BioResource is not part of the NHS opt-out provisions, and exercising your right to opt-out of NHS data sharing, will not impact your membership of the BioResource.
  • Request that we delete your personal data, subject to certain safeguards. This is also explained further on our website.

If you wish to discuss how we handle your personal data, you can contact us:

Telephone: 0800 090 22 33


To request a copy of the data we hold on you, please email us as above, or write to:

NIHR BioResource

Box 299
University of Cambridge and Cambridge University Hospitals NHS Foundation Trust
Cambridge Biomedical Campus
Hills Road
Cambridge CB2 0QQ

We will confirm receipt of your request as soon as possible. We may need to ask you whether you can narrow down your request to help us collate the information.  However, the data we hold should be with you within 30 days.

If you wish to raise a complaint on how we have handled your personal data, you can raise this with us, as above, or you can contact the Trust’s Data Protection Officer who will investigate the matter.

Who is the Data Protection Officer?

The Data Protection Officer is the Information Governance Lead at Cambridge University Hospitals NHS Foundation Trust:

Michelle Ellerbeck
Information governance lead/Data Protection Officer
Cambridge University Hospitals NHS Foundation Trust
Box 153
Hills Road

Or email

How to contact the Information Commissioners Office?

The Information Commissioner’s Office (ICO) is the body that regulates CUH under Data Protection and Freedom of Information legislation. .  If you are not satisfied with the response from CUH’s Data Protection Office or believe we are processing your personal data not in accordance with the law you can complain to the ICO at:

Information Commissioner's Office

Wycliffe House

Water Lane




Tel: 0303 123 1113 (local rate) or 01625 545 745 if you prefer to use a national rate number

Fax: 01625 524 510

Written correspondence with the ICO can be initiated from:

This version, v2, 16th March 2023

Related pages

You might want to read these pages in this section:

Our GDPR notice;

Our Confidentiality Notice: How we keep your information safe;

Our Governance and ethics page.