Skip to main content

Privacy notice (INSIGHT)

INSIGHT is a research database affiliated with the Health Data Research UK Alliance of leading health, care and research organisations to establish best practice and ensure the ethical use of UK health data for research.

Who we are

INSIGHT is a collaboration between six partners:

  • University Hospitals Birmingham NHS Foundation Trust (lead institution)
  • Moorfields Eye Hospital NHS Foundation Trust
  • University of Birmingham
  • Roche
  • Google Health
  • Action Against Age-related Macular Degeneration (AAAMD)

The aim of INSIGHT is to allow researchers to develop new insights in eye disease detection, diagnosis and treatments using advanced analytics such as artificial intelligence.

The lead institution, University Hospitals Birmingham NHS Foundation Trust (UHB) is recognised as one of the leading research hospital trusts in Europe. 

UHB employs more than 20,000 staff and runs the largest single-site hospital in the country, Queen Elizabeth Hospital Birmingham.

As a leading research hospital trust, we are committed to protecting the privacy and security of your personal information. We are registered with the Information Commissioner’s Office (ICO) to process personal and special category information under the registration number Z5568104. UHB and our NHS partner Moorfields Eye Hospital NHS Foundation Trust are joint "data controllers" for the INSIGHT research database.


Anonymisation/anonymised data

"Anonymisation" means the treatment of personal data such that you can no longer be identified, transforming the data into "anonymised data". Anonymised data is not covered by the General Data Protection Regulation (2016/679).


"Controller" means the organisation that determines or decides the purposes, conditions and means of the processing of personal data.


"GDPR" means the General Data Protection Regulation (2016/679) (as transposed into the UK's national law by operation of section 3 of the EU (Withdrawal) Act 2018).

Personal data

"Personal data" means information relating to a natural (living) person or "data subject", which can be used to identify the person. This provides for a wide range of information to constitute personal data, for example:

  • name
  • identification number
  • social media posts
  • location data
  • online identifier

Special category of personal data

"Special category of personal data" means information which is thought to be "extra sensitive", such as:

  • ethnicity
  • data concerning health
  • biometric data
  • sexual orientation
  • religious or philosophical belief


"Processing" means anything that is done to the personal data we hold.


"Pseudonymisation" is the processing of personal data in such a way that the data can no longer be attributed to a specific person without the use of additional information (key).

Information Commissioner's Office

The Information Commissioner’s Office (ICO) is the body that regulates the Trust under data protection and freedom of information legislation. If you are not satisfied with our response or believe we are not processing your personal data in accordance with the law, you can complain to the ICO.

Information Commissioner's Office
Wycliffe House
Water Lane
Cheshire, SK9 5AF
Fax: 01625 524 510

Why we collect personal information about you

We use your personal information to carry out health and social care research in the public interest. This means that we have to demonstrate that our research serves the society as a whole, for example by improving eye disease detection, diagnosis and treatments or improving existing services.

Our legal basis for processing personal information about you

The way in which we use your information is governed by law. The principal legislation that applies is the EU General Data Protection Regulation (EU GDPR) 2016/679, which came into force on 25 May 2018, and which is supplemented by the Data Protection Act 2018. The UK Government has confirmed that the key provisions of the EU GDPR will continue to apply even though the UK has formally exited the EU on 31 December 2020 and they are currently amending the Data Protection Act 2018.

When we use your information for research, we rely on Article 6(1)e (“processing is necessary for the performance of a task carried out in the public interest”) and Article 9(2)j (“processing is necessary for archiving purposes in the public interest, scientific or historical research purposes”) of the General Data Protection Regulation (GDPR) in combination with Schedule 1, Part 1, Art 4 Data Protection Act (DPA) 2018.

In addition, confidential information which you have shared with our staff, to enable them to provide your care is governed by the common law duty of confidentiality, as described by NHS Digital.

Patient recruitment to research studies is usually carried out by an "informed consent" process, where you are advised about the benefits and risks associated with a particular research study. Where you have formally consented to take part in research, this process also satisfies the common law duty of confidentially.

Since INSIGHT only processes data that has been routinely collected as part of usual care, and where anonymisation is undertaken within the NHS prior to research activities, it is not considered to require specific patient consent. However, patients may opt out if they do not wish their data to be used for these kinds of purposes. The INSIGHT research database has also been approved by the Health Research Authority’s West of Scotland REC 4 Research Ethics Committee (reference: 20/WS/0087). This committee is an independent group which ensures that our research is ethical.

What personal information we need to collect about you and how we collect it

We will not be collecting any information directly from you. The personal information that we collect is information that we already hold about you due to the healthcare that we have provided to you. This includes information from your clinical care records including imaging/graphical data. For information we are likely to already hold about you, due to the care we provide, please refer to the UHB privacy notice for patients.

Can I opt out of having my data used for research purposes?

Should you not wish information about you to be used for research and planning you can opt-out by accessing the National Data Opt-Out Programme.

You will need to be aged 13 or older, have access to your email or mobile phone and have your NHS number or your postcode (as registered with your GP surgery). Alternatively, you can contact the NHS Digital Contact Centre on 0300 303 5678 to make your choice by phone or post.

What we may do with your personal information

For research purposes, we may use your information anonymously in reports or presentations, or share such information with other NHS bodies. Publicly available information will always be presented in such a way that it will be impossible to identify you from this information.

As part of delivering effective research, it may sometimes be helpful to use information collected as part of one research project for further research. Please be assured that when identifiable information is required for future projects, we will seek your consent before including your information in those studies.

We would like to stress that we will not:

  • share your identifiable data with third parties for marketing purposes
  • sell your identifiable data

Additional information on the nature of the research project and specifics of what research it may have been used in is available on the INSIGHT website.

For more information about the general use of patient data in research in the health service please see the Health Research Authority and Understanding Patient Data websites.

Who do we share your information with and why?

As a patient in our hospitals your health data is held securely and confidentially. We use this data mainly to provide healthcare for you and to improve the NHS care to you and other patients in the future (research and planning). To help with this improvement, the information about your health and care may be provided to researchers running research studies here at UHB and other third party research organisations, mainly universities and health institutions.

Your information will only be used by organisations and researchers to conduct research in accordance with the UK Policy Framework for Health and Social Care Research.

If you are also a patient at UHB, please refer to the UHB privacy notice for patients, which explains when we might have to share information about you with the Care Quality Commission, the police or other regulatory/law enforcement authorities.

How we retain and re-use your information

Your personal information is held in electronic format, as required.

Within the INSIGHT database, this is held in a depersonalised form. This means that personal information has been removed from it. This data is held for the purposes of research under the ethical approval granted to INSIGHT and therefore will only be kept for the duration of the INSIGHT programme.

Each application to INSIGHT is considered on an individual basis and is evaluated by both the INSIGHT Research Database Team and an independent Data Trust Advisory Board before providing a recommendation to the data controllers (University Hospitals Birmingham NHS Foundation Trust and Moorfields Eye Hospital NHS Foundation Trust) as to whether the project should be approved. It is, however, the data controllers who make the final decision whether to approve the research application and the terms of any data analysis, data access or data release.

Anonymised datasets, created in response to approved user applications, will be time stamped and made available under contractual agreement for a specified period in accordance with the approved project.

Following the expiry of the relevant retention period, your personal information will be archived, for the period specified in each individual project and then destroyed. Where information is to be destroyed, this will be done in a confidential manner and in accordance with the Trust’s Record Management Policy. Anonymised archived data may be re-used for scientific or historical research purposes.

Your rights

Under current data protection legislation (Art 13 to 18 GDPR), you have certain rights to manage your data as you see fit. However, for the purpose of research your rights to access, object, change, transfer and/or delete your information are limited. This is because we need to manage the data in specific ways to ensure the research we conduct is reliable and accurate, and that we are accountable to those organisations which fund and monitor our research.

You have a right to opt out. The national data opt-out right comes from the Caldicott principles (these principles outline how people's data may be used and shared). This right allows you to object to be contacted about new research for which it was not possible to obtain your consent, unless this right has been waived by the Secretary of State for Health and Social Care or the Health Research Authority. Further information about the national data opt-out can be found on the NHS Digital website.

The Information Commissioner’s Office (ICO) is the body that regulates the Trust under data protection and freedom of information legislation.

If you are not satisfied with our response or believe we are not processing your personal data in accordance with the law you can complain to the ICO.

Information Commissioner's Office
Wycliffe House
Water Lane
Cheshire, SK9 5AF

Your duty to inform us of changes

For the purposes of your individual care, it is important that the personal information we hold about you is accurate and current. Please keep us informed if your personal information changes.

Changes to this privacy notice

This page is reviewed when necessary and at least annually. Any changes will be published here.

Last reviewed: 23 June 2021