Under data protection law we are legally required to provide information about how we use your information in a way that is:
- easy to understand
- easily accessible
- written in clear, plain language, particularly if addressed to a child
- free of charge
Data protection law says the personal information we hold about you must be:
- used lawfully, fairly and in a transparent way
- collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes
- relevant to the purposes we have told you about and limited only to those purposes
- accurate and kept up to date
- kept only as long as necessary for the purposes we have told you about
- kept securely
This privacy notice describes what we do with your personal information for the purposes of health and care research. It tells you what information we collect about you, how we store it, how long we retain it and with whom we might share it.
By health and care research we mean research which serves the interests of society as a whole. We do this by following the UK policy framework for health and social care research.
It is important that you read this notice, together with any other privacy notice or specific information you may already have been given (for example, in participant information booklet/leaflets or any consent forms), so that you are aware of how and why we are using information about you.
Who we are
University Hospitals Birmingham NHS Foundation Trust (UHB) is recognised as home of one of the leading research hospitals in Europe. We employ more than 20,000 staff and run the largest single-site hospital in the country, Queen Elizabeth Hospital Birmingham.
Our researchers, many of which are among the world’s best in their field, are engaged in broad areas of research activity, often crossing between different specialties. For more information about our research, please see our research studies.
We are committed to protecting the privacy and security of your personal information. We are registered with the Information Commissioner’s Office (ICO) to process personal and special category information under registration number Z5568104.
"Anonymisation" means the treatment of personal data such that you can no longer be identified, transforming the data into "anonymised data". Anonymised data is not covered by the General Data Protection Regulation (2016/679).
"Controller" means the organisation that determines or decides the purposes, conditions and means of the processing of personal data.
"GDPR" means the General Data Protection Regulation (2016/679) (as transposed into the UK's national law by operation of section 3 of the EU (Withdrawal) Act 2018).
"Personal data" means information relating to a natural (living) person or "data subject", which can be used to identify the person. This provides for a wide range of information to constitute personal data, for example:
- identification number
- social media posts
- location data
- online identifier
Special category of personal data
"Special category of personal data" means information which is thought to be "extra sensitive", such as:
- data concerning health
- biometric data
- sexual orientation
- religious or philosophical belief
"Processing" means anything that is done to the personal data we hold.
"Pseudonymisation" is the processing of personal data in such a way that the data can no longer be attributed to a specific person without the use of additional information (key).
Information Commissioner's Office
The Information Commissioner’s Office (ICO) is the body that regulates the Trust under data protection and freedom of information legislation. If you are not satisfied with our response or believe we are not processing your personal data in accordance with the law, you can complain to the ICO.
Information Commissioner's Office
Cheshire, SK9 5AF
Fax: 01625 524 510
Why we collect personal information about you
We use your personal information to carry out health and social care research in the public interest. This means we have to demonstrate that our research serves the society as a whole, for example by improving existing services or introducing new treatments.
Our legal basis for processing personal information about you
The way in which we use your information is governed by law. The principal legislation that applies is the EU General Data Protection Regulation (GDPR) 2016/679 (as transposed into the UK's national law by operation of section 3 of the EU (Withdrawal) Act 2018) and the Data Protection Act 2018, both as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019).
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (United Kingdom General Data Protection Regulation)
- Data protection: The Data Protection Act
When we use your information for research, we rely on Article 6(1)e (“processing is necessary for the performance of a task carried out in the public interest”) and Article 9(2)j (“processing is necessary for archiving purposes in the public interest, scientific or historical research purposes”) of the General Data Protection Regulation (GDPR) in combination with Schedule 1, Part 1, Art 4 Data Protection Act (DPA) 2018.
In addition, confidential information which you have shared with our staff to enable them to provide your care is governed by the common law duty of confidentiality, as described by NHS Digital.
Patient recruitment to research studies is carried out by an informed consent process ("consent to research"), whereby we advise you about the benefits and risks associated with a particular research study to enable you to decide whether you wish to participate in (consent to) the research study or not. Where you have formally consented to take part in research, this consent process will also satisfy the common law duty of confidentiality.
In situations where it has been impracticable to obtain your consent to research, but it is in the public benefit to use your data for research, we will have sought approval from the Secretary of State via the Confidentiality Advisory Group under section 251 of the National Health Service Act 2006 ("CAG approval"). The Confidentiality Advisory Group provides independent advice on specific research projects which will use confidential medical information.
Certain research studies also have to be approved by the Research Ethics Committees (REC) which is another independent group which ensures that all our research is ethical.
What personal information we need to collect about you and how we collect it
Where you have consented to the use of your data in a particular research project and have therefore become a study participant, you would have been given a participant information leaflet as part of the consent process (see "our legal basis for processing personal information about you"). This document will tell you what types of personal information we will use in connection with the specific research study or project you are participating in and (where applicable) its sources.
We will often get the necessary information directly from you. In other cases, we might already hold the required information due to the healthcare we provide to you. For information we are likely to already hold about you due to the care we provide, please refer to our main privacy notice for patients.
You are not legally or contractually obliged to supply us with your personal information or to agree that information we already hold about you for care purposes may be used for research purposes.
Should you not wish information about you to be used for research, please let us know via email, by opting out via the National Data Opt-Out Programme, or by speaking to the clinical team treating you.
What we may do with your personal information
For some research projects, information about you may be linked to other information shared by primary care providers (e.g. GPs) and secondary care providers (e.g. acute trusts) with a view to creating a more complete information set which will enable medical research for the benefit of public health. (See also "who we share your information with and why".)
In some cases, we may use information for research which we collected while you were under our care or which we collected as part of a previous research project. Where information used for research identifies you, we can only use the information for new purposes which are compatible with the original purpose to which you have consented or ethical (CAG) approval was granted (see "our legal basis for processing personal information about you"). Where the new purpose is considered to be substantially different, we will obtain separate consent from you or seek new ethical (CAG) approval.
We will not:
- share your identifiable data with third parties for marketing purposes
- sell your identifiable data
Where we are required to transfer identifiable information about you internationally outside the UK/EU, we will make sure that an adequate level of protection is to be satisfied before the transfer.
Information which does not identify you as an individual, and from which you cannot be identified even if other information is available, is called "anonymised" information. We may use such information that is in the public interest, and in reports or presentations.
We work with a number of partner organisations who conduct research using anonymised information, for example Owkin.
With funding from Health Data Research UK (HDR UK), we have also created three specific research data hubs which hold their own ethical approval as a "research database" through which anonymised, structured data can be made available for research that is in the public interest.
For more information, please see the respective privacy notices for INSIGHT, PIONEER and Pathway.
For more information about the work in our research data hubs, please contact our Research and Development Data Governance team.
For more information about the general use of patient data in research in the health service, please see the Health Research Authority (HRA) website.
Who we share your information with and why
When you agree to take part in a research study, the information about your health and care may be provided to researchers running research studies here at UHB and at other organisations. These external organisations may be non-commercial partners such as universities or other hospitals, or commercial companies involved in health and care research in this country or abroad.
Your information will only be used by organisations and researchers to conduct research in accordance with the UK Policy Framework for Health and Social Care Research.
There will be someone called a chief investigator responsible for the overall research study. This is usually someone who works directly with you, such as a doctor or nurse.
The principal investigator is the person responsible for the conduct and day-to-day running of a research study and will lead a team to carry out the research. The principal investigator will also ensure that only appropriate staff and third parties will be able to access your personal information, in line with the approved research protocol.
We might link information we hold about you to other information shared by primary care providers (e.g. GPs) and secondary care providers (e.g. acute trusts) with a view to creating a more complete information set, which will enable medical research for the benefit of public health. In order to link the different information extracts with one another, we will share your personal information with Clinical Practice Research Datalink (CPRD), which is part of the Department of Health and Social Care (DHSC), and NHS Digital, the national information and technology partner to health and social care. Only NHS Digital will receive patient identifiable information. The information shared with CPRD will be de-identified and will be limited to such information as is necessary for research purposes.
If you are also a patient at UHB, please refer to our main patient privacy notice which explains when we might have to share information about you with the Care Quality Commission or other regulatory/law enforcement authorities.
How we retain and re-use your information
Your personal information is held in both paper and electronic format, as required, for specified retention periods, as set out in the applicable research protocol. The applicable retention period for research studies may vary and will be outlined to you as part of the informed consent process or ethical approval (see above).
Following the expiry of the relevant retention period, your personal information will be fully anonymised and archived, or destroyed. Where information is to be destroyed, this will be done in a confidential manner and in accordance with the NHS Record Management Code of Practice. Anonymised archived data may be re-used for scientific or historical research purposes.
Under current data protection legislation (Art 13 to 18 GDPR), you have certain rights to manage your data as you see fit. These rights include:
- the right to access and obtain a copy of your personal data
- the right to rectify inaccurate or incomplete personal data
- the right to erasure of your personal data under certain circumstances
- the right to restrict or object to the processing of your personal data
- the right to data portability, where applicable
- the right to withdraw your consent at any time (if consent was the legal basis for processing)
However, for the purpose of research, your rights to access, object, change, transfer and or delete/erase your information are limited. This is because we need to manage the data in specific ways to ensure the research we conduct is reliable and accurate, and that we are accountable to those organisations which fund and monitor our research.
If you withdraw your consent to participate in a research project, we may not remove all of your data. We may keep the information about you that we have already used for a particular research project to ensure research integrity is maintained in the public’s interest and publicly funded research meets is goals. To safeguard your rights, we will strive to use the minimum personally identifiable information possible following your withdrawal of consent. For more information on your right to withdraw from research, please refer to the relevant participant information leaflet and privacy notice of the study sponsor.
Where research has been conducted, based on a section 251 of the National Health Service Act 2006, via CAG approval (see "our legal basis for processing personal information about you"), you may have a right to opt-out. The national data opt-out (NDOO) right emanates from the Caldicott principles and entitles you to object to your information being used in research for which it was not possible to obtain your informed consent, unless this right has been waived by the Secretary of State for Health and Social Care or the Health Research Authority.
If you wish to object to the use of your anonymised information in any specific research project, please contact our Research and Development Data Governance team.
For all other questions, concerns or requests regarding the processing of your personal data or this privacy notice, please contact our Data Protection Officer.
The Information Commissioner’s Office (ICO) is the body that regulates the Trust under data protection and freedom of information legislation.
If you are not satisfied with our response or believe we are not processing your personal data in accordance with the law you can complain to the ICO.
Information Commissioner's Office
Cheshire, SK9 5AF
Your duty to inform us of changes
It is important that the personal information we hold about you is accurate and current. Please keep us informed if your personal information changes during your working relationship with us.
Changes to this privacy notice
This page is reviewed when necessary and at least annually. Any changes will be published here.
Last reviewed: 26 July 2023