Under data protection law we are legally required to provide information about how we use your information in a way that is:
- easy to understand
- easily accessible
- written in clear, plain language, particularly if addressed to a child
- free of charge
Data protection law says the personal information we hold about you must be:
- used lawfully, fairly and in a transparent way
- collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes
- relevant to the purposes we have told you about and limited only to those purposes
- accurate and kept up to date
- kept only as long as necessary for the purposes we have told you about
- kept securely
This privacy notice describes what we do with your personal information for the purposes of health and care research. It tells you what information we collect about you, how we store it, how long we retain it and with whom we might share it.
By health and care research we mean research which serves the interests of society as a whole. We do this by following the UK policy framework for health and social care research.
It is important that you read this notice, together with any other privacy notice or specific information you may already have been given (for example, in participant information booklet/leaflets or any consent forms), so that you are aware of how and why we are using information about you.
Who we are
University Hospitals Birmingham NHS Foundation Trust (UHB) is recognised as home of one of the leading research hospitals in Europe. We employ more than 20,000 staff and run the largest single-site hospital in the country, Queen Elizabeth Hospital Birmingham.
Our researchers, many of whom are among the world’s best in their field, are engaged in broad areas of research activity, often crossing between different specialties.
We are committed to protecting the privacy and security of your personal information. We are registered with the Information Commissioner’s Office (ICO) to process personal and special category information under registration number Z5568104.
"GDPR" means the General Data Protection Regulation (2016/679).
"Personal data" means information relating to a natural (living) person or "data subject", which can be used to identify the person. This provides for a wide range of information to constitute personal data, for example:
- identification number
- social media posts
- location data
- online identifier
Special category of personal data
"Special category of personal data" means information which is thought to be "extra sensitive", such as:
- data concerning health
- biometric data
- sexual orientation
- religious or philosophical belief
"Data controller" means the organisation that determines or decides the purposes, conditions and means of the processing of personal data.
"Processing" means anything that is done to the personal data we hold.
"Pseudonymisation" is the processing of personal data in such a way that the data can no longer be attributed to a specific person without the use of additional information (key).
Information Commissioner's Office
The Information Commissioner’s Office (ICO) is the body that regulates the Trust under data protection and freedom of information legislation.
Why we collect personal information about you
We use your personal information to carry out health and social care research in the public interest. This means we have to demonstrate that our research serves society as a whole, for example by improving existing services or introducing new treatments.
Our legal basis for processing personal information about you
The way in which we use your information is governed by law. The principal legislation that applies is the EU General Data Protection Regulation (GDPR) 2016/679, which came into force on 25 May 2018, and which is supplemented by the Data Protection Act 2018. When we use your information for research, we rely on Article 6(1)e (“processing is necessary for the performance of a task carried out in the public interest”) and Article 9(2)j (“processing is necessary for archiving purposes in the public interest, scientific or historical research purposes”) of the General Data Protection Regulation (GDPR) in combination with Schedule 1, Part 1, Art 4 Data Protection Act (DPA) 2018.
In addition, confidential information which you have shared with our staff to enable them to provide your care is governed by the common law duty of confidentiality, as described by NHS Digital.
Patient recruitment to research studies is carried out by an "informed consent" process, which means that we advise you about the benefits and risks associated with a particular research study to enable you to decide whether you wish to participate in (consent to) the research study or not. Where you have formally consented to take part in research, this consent process will also satisfy the common law duty of confidentiality. In situations where it has been impracticable to obtain your consent, we will have sought approval from the Secretary of State via the Confidentiality Advisory Group under section 251 of the National Health Service Act 2006 ("CAG approval"). The Confidentiality Advisory Group provides independent advice on specific research projects which will use confidential medical information.
Certain research studies also have to be approved by a Research Ethics Committee (REC), which is another independent group that ensures that all our research is ethical.
What personal information we need to collect about you and how we collect it
Where you have consented to the use of your data in a particular research project, the participant information leaflet would have been given to you as part of the consent process (see "our legal basis for processing personal information about you"). This document will tell you what types of personal information we will use in connection with the specific research study or project you are participating in and (where applicable) its sources.
We will often get the necessary information directly from you. In other cases, we might already hold the required information due to the healthcare we provide to you. For information we are likely to already hold about you due to the care we provide, please refer to our main privacy notice for patients.
You are not legally or contractually obliged to supply us with your personal information or to agree that information we already hold about you for care purposes may be used for research purposes.
Should you not wish information about you to be used for research, please let us know via email, by opting out via the National Data Opt-Out Programme, or by speaking to the clinical team treating you.
What we may do with your personal information
For research purposes, we may use your information anonymously in reports or presentations, or share such information with other NHS bodies. Publicly available information will always be presented in aggregated format, which means that you will not be identifiable from this information.
Some information about you may be linked to other information shared by primary care providers (e.g. GPs) and secondary care providers (e.g. acute trusts) with a view to creating a more complete information set which will enable medical research for the benefit of public health.
We may use information collected as part of one research project for further research. However, where this information identifies you, we can only use the information for new purposes which are compatible with the original purpose to which you have consented or ethical (CAG) approval was granted (see "our legal basis for processing personal information about you"). Where the new purpose is considered to be substantially different, we will obtain separate consent from you or seek new ethical (CAG) approval.
We will not:
- share your identifiable data with third parties for marketing purposes
- sell your identifiable data
Where we are required to transfer identifiable information about you internationally outside the UK/EU, we will make sure that an adequate level of protection is in place before the transfer.
Additional information on the nature of the research project and specifics of how your data will be managed will be contained within the participant/patient information sheet and/or supplementary research transparency information sheet you are provided with during the informed consent process. Please feel free to ask the researchers for clarification.
For more information about the general use of patient data in research in the health service please visit the Health Research Authority website.
Who we share your information with and why
When you agree to take part in a research study, the information about your health and care may be provided to researchers running research studies here at UHB and at other organisations. These external organisations may be non-commercial partners such as universities or other hospitals, or commercial companies involved in health and care research in this country or abroad.
Your information will only be used by organisations and researchers to conduct research in accordance with the UK Policy Framework for Health and Social Care Research.
There will be someone called a chief investigator responsible for the overall research study. This is usually someone who works directly with you, such as a doctor or nurse.
The principal investigator is the person responsible for the conduct and day-to-day running of a research study and will lead a team to carry out the research. The principal investigator will also ensure that only appropriate staff and third parties will be able to access your personal information, in line with the approved research protocol.
If you are also a patient at UHB, please refer to our main patient privacy notice which explains when we might have to share information about you with the Care Quality Commission or other regulatory/law enforcement authorities.
How we retain and re-use your information
Your personal information is held in both paper and electronic format, as required, for specified retention periods, as set out in the applicable research protocol. The applicable retention period for research studies may vary and will be outlined to you as part of the informed consent process or ethical approval (see above).
Following the expiry of the relevant retention period, your personal information will be fully anonymised and archived, or destroyed. Where information is to be destroyed, this will be done in a confidential manner and in accordance with the NHS Record Management Code of Practice. Anonymised archived data may be re-used for scientific or historical research purposes.
Under current data protection legislation (Art 13 to 18 GDPR), you have certain rights to manage your data as you see fit. However, for the purpose of research, your rights to access, object, change, transfer and/or delete/erase your information are limited. This is because we need to manage the data in specific ways to ensure the research we conduct is reliable and accurate, and that we are accountable to those organisations which fund and monitor our research.
If you withdraw your consent to participate in a research project, we may not remove all of your data. We may keep the information about you that we have already used for a particular research project to ensure research integrity is maintained in the public’s interest and publicly funded research meets its goals. To safeguard your rights, we will strive to use the minimum personally identifiable information possible following your withdrawal of consent.
Where research has been conducted on the basis of section 251 of the National Health Service Act 2006, via CAG approval (see "our legal basis for processing personal information about you"), you may have a right to opt out. The national data opt-out right emanates from the Caldicott principles and entitles you to object to being contacted about new research for which it was not possible to obtain your informed consent, unless this right has been waived by the Secretary of State for Health and Social Care or the Health Research Authority.
Information Commissioner's Office
If you are not satisfied with our response or believe we are not processing your personal data in accordance with the law you can complain to the ICO.
Information Commissioner's Office
Cheshire, SK9 5AF
Changes to this privacy notice
This page is reviewed when necessary and at least annually. Any changes will be published here.
Last reviewed: 23 June 2021