Introduction - protecting your privacy
The Department of Health and Social Care ("DHSC”) is the Data Controller for the Patient Engagement in Clinical Development "[PECD]" service under the Data Protection Act 2018, the UK GDPR, and the General Data Protection Regulation (EU) 2016/679 ("Data Protection Laws").
The University of Leeds (“The Host Organisation”) is the Data Processor for the PECD Service. The University of Leeds provides the National Institute for Health and Care Research (“NIHR”) Research Delivery Network Coordinating Centre (“RDNCC”) on behalf of the Department of Health and Social Care and the RDNCC is responsible for the processing of your personal data.
About the NIHR Research Delivery Network Coordinating Centre
The RDNCC manages the NIHR Research Delivery Network ("RDN") on behalf of the Department of Health and Social Care. The RDN makes it possible for patients and health professionals across England to participate in clinical research studies within the NHS. The RDN provides the infrastructure that allows high-quality clinical research funded by charities, research funders and life-sciences industry to be undertaken throughout the NHS. The RDN works with patients and the public to make sure their needs are placed at the heart of all research and provides opportunities for patients to gain earlier access to new and better treatments through research participation. The RDN provides practical help in identifying and recruiting patients for clinical research studies, so that researchers can be confident of completing the study on time and as planned.
The RDN supports around 5,000 clinical research studies each year.
The information we collect
For the purposes of the Activity, we shall collect certain data from you. Specifically, we will collect the following personal information from you:
- Contact details including full name, postal address, email address and telephone number
- Age and year of birth
- Sex, gender identity and sexual orientation
- Ethnicity
- Religion
- Whether you have any caring responsibilities
- Health information including treatment history
- Disability status and whether you need any adjustments to participate in the activity
- Any prior experience of providing patient or public input into research studies
- Any previous participation in health or care research studies
- (For virtual insight sessions) Your voice, first name and if you agree to have your camera on, your facial features. An audio and video recording is taken during the virtual insight session
For the purposes of payment for the Activity, we would need to collect the following additional information:
- Bank details
- Date of birth
- National Insurance number
How and why we use your personal data
Your personal data is used by us in order to enable and facilitate your active participation in the PECD Service, to receive payment for that participation, and to allow us to measure the impact of the Service and develop and improve it going forward.
Uses made of your personal data include:
- Contact details to enable us to contact you about your participation and to inform you of and engage you in relevant activities in which you may be interested
- Age, year of birth, ethnicity, sex, gender, sexual orientation, religion and caring responsibilities help us to inform our and the company’s equality, diversity and inclusion (EDI) statistics, and meet specific clinical development activity requirements. Please be assured that only anonymised data will be used for EDI analysis purposes
- Health information to ensure your involvement/inclusion in relevant activities as identified from the commercial company requirements. Information from you about your health, any relevant conditions or treatments will ensure that you are only invited to relevant activities
- Bank details, date of birth, address, and National Insurance number are needed to ensure that you are paid for your involvement in relevant activities
If we became aware of an “unusual incident” during the course of your involvement in the PECD Service, it may be the case that we would need to use your personal data to address that. For example, any unusual incident involving an adult in a vulnerable circumstance will be reported immediately to the Designated Safeguarding Lead (National Head of Public Partnerships, NIHR RDNCC) who will then report in accordance with the procedure set out in the relevant University of Leeds/RDNCC policies and procedures. An ‘unusual incident’ is one which might reasonably give grounds for concern about the health, safety or welfare of the individual concerned or other people.
If we require your consent for any additional uses of your personal information, including your image and more sensitive personal information (e.g. ‘Special Category Data’) we will ask you for this separately and specifically.
We do not share any identifiable information about you with the Company. Any data used to select the most appropriate public contributors for the Activity is made anonymous before it is seen by anyone outside of the PECD Team. Feedback is checked to ensure no identifying information is passed on, so there is no way for anyone to link your comments back to you from the report provided to the Company.
The lawful basis for processing
Data protection laws mean that each use we make of your personal information must have a “lawful basis” for the processing of that information. The relevant lawful bases are set out in the General Data Protection Regulation (EU Regulation 2016/679) and in current UK Data Protection Act 2018 and UK GDPR.
Whilst we are asking you to give your consent to participate in the PECD activities, consent will not be used as the lawful basis for processing your data under the data protection legislation. Rather, the legal basis for processing your personal data under the data protection legislation will be as follows:
- Article 6.1 (e) performance of a task in the public interest or in the exercise of official authority vested in controller
- Article 9.2 (j) - research purposes. The NIHR funds, enables and delivers world leading health and social care research that improves people's health and wellbeing and promotes economic growth. The NIHR RDNCC acts as an agent of the DHSC in this endeavour. The Secretary of State for Health and Social Care has a duty to promote health and care research and a public sector equality duty; thus, this Service falls right within the public interest task of the DHSC
For further information please refer to the ICO’s website page on lawful basis for processing.
How we protect your data
We are committed to ensuring that your information is secure. We use leading technologies and encryption software to safeguard your data and maintain strict security standards to prevent any unauthorised access to it. However, given that transmitting information over the internet cannot be completely secure, we cannot guarantee the security of your data in transit.
Only key members of the PECD Team will have access to your data and permission levels are controlled.
All data provided to the PECD Team is processed through Microsoft 365 products (Forms, Outlook) and is stored in protected folders, in the PECD Team area, in Microsoft 365 cloud storage software (SharePoint). The PECD Microsoft 365 account is provided through the University of Leeds. University of Leeds Office 365 data is stored and backed up in the UK, on Azure UK South and UK West servers. The University of Leeds has strict training and terms of use policies for its staff, which includes the PECD Team. You can read more around how the University of Leeds uses and protects your data here: https://dataprotection.leeds.ac.uk/
We will store your personal data for 6 months initially. If you agree to join our public contributors contact list, we will renew this permission annually, and you can withdraw permission to store your details at any time. After 6 months, if you have not agreed to join the public contributors contact list, your data will be moved to de-identified storage, with your name and contact details removed. De-identified data will be stored for 7 years, to allow for Service analysis and development.
Who we share your personal data with
We strictly limit the sharing of your personal data to only those individuals and organisations that are essential for the effective delivery of the PECD Service:
Internal within the PECD NIHR RDN CC Team
Your personal data will be accessible only to select Internal Team members who are bound by strict protocols governing confidentiality and protection of data. These include:
- PECD Service Lead: responsible for the overall management and execution of the Service, working closely with the Company/Client organisation to ensure its success and alignment with objectives.
- PECD Service Coordinator: responsible for the logistical, operational and administrative aspects of business to ensure the smooth and efficient delivery of the Service.
- PECD Service Facilitator: responsible for delivering insight sessions, ensuring contributors’ needs are accommodated and supported.
- National Head of Public Engagement: exceptional access only, serving as an escalation point as required.
External to the PECD RDN CC Internal Team
Your data will or may be shared as follows with external parties:
- The University of Leeds: As the host organisation for the NIHR RDN CC, the University of Leeds ensures that public contributor payments are processed accurately and in a timely manner. Your data is held in a secure environment and will only be processed for payment purposes. The University of Leeds adheres to stringent data privacy standards and will only process your data for the explicit purpose mentioned above.
- In exceptional circumstances only - relevant external agencies: If, in the rare event during an Activity, we have concerns about your safety or the safety of others around you, we will inform the relevant professional agencies as appropriate (e.g. the police). A statement of this referral and the incident will be kept and stored within our secure data platform (SharePoint) as evidence of referral and for any subsequent investigations.
- Regulatory Authorities: Such bodies may need to review data relating to the PECD Service for auditing and monitoring purposes, but data used for this purpose will be anonymous and not be personally identifiable at any time.
If, during an Activity, you disclose information about personal poor experiences of health care or conduct by medical staff, we will signpost you to the correct complaints body for your health care provider, e.g. Patient Advice and Liaison Service (PALS).
Your rights over your personal data
The Data Protection Officer for the RDNCC is:
- Name of Data Protection Officer: Lee Cramp
- Address: Department of Health and Social Care, 1st Floor North, 39 Victoria Street, Westminster, London, SW1H 0EU
- Email: data_protection@dhsc.gov.uk
As a data subject, you have the following rights under the Data Protection Laws:
- the right of access to personal data relating to you
- the right to correct any mistakes in your information
- the right to ask us to stop contacting you with direct marketing
- rights in relation to automated decision making
- the right to restrict or prevent your personal data being processed
- the right to have your personal data ported to another data controller (e.g. if you decide to contract with a different supplier)
- the right to erasure
- the right to withdraw consent
These rights are explained in more detail on the Information Commissioner's Office website.
If you wish to exercise any of your data subject rights, please contact the NIHR Service Desk in the first instance - either:
- Write to: The NIHR Service Desk, Back Lane, Melbourn, Royston, SG8 6DP
- Email: gdpr_requests@nihr.ac.uk
We will respond in a timely manner to any rights that you wish to exercise, and for Subject Access Requests (SARs) this has to be within a month of receiving your request unless the request is particularly complex.
Contacting the regulator
It is important that you ensure you have read this privacy notice - and if you do not think that we have processed your data in accordance with this privacy notice - you should let us know as soon as possible by contacting us at pecd@leeds.ac.uk
Similarly, you may complain to the Information Commissioner's Office. Information about how to do this is available online.