This privacy notice describes what we do with your personal information for the purposes of health and care research. It tells you what information we collect about you, how we store it, how long we retain it and with whom we might share it.
With health and care research we mean research which serves the interests of society as a whole. We do this by following the UK Policy Framework for Health and Social Care research.
It is important that you read this notice, together with any other privacy notice or specific information you may already have been given (for example, in participant information booklet/leaflets or any consent forms), so that you are aware of how and why we are using information about you.
Who we are
University Hospitals Birmingham NHS Foundation Trust (UHB) is recognised as one of the leading research hospitals in Europe. We employ more than 20,000 staff and run the largest single-site hospital in the country.
Our researchers are engaged in broad areas of research activity, often crossing between different specialities, many of which are among the world’s best in their field. For more information about the research we do, please visit our website.
As a leading research hospital we are committed to protecting the privacy and security of your personal information. We are registered with the Information Commissioner’s Office (ICO) to process personal and special category information under the following registration number: Z5568104.
"GDPR" means the General Data Protection Regulation (2016/679).
"Personal data" means information relating to a natural (living) person or "data subject", which can be used to identify the person. This provides for a wide range of information to constitute personal data, for example:
- Identification number
- Social media posts
- Location data
- Online identifier
Special category of personal data
"Special category of personal data" means information which is thought to be "extra sensitive", such as ethnicity, data concerning health, biometric data, sexual orientation and religious or philosophical belief.
"Data controller" means the organisation that determines or decides the purposes, conditions and means of the processing of personal data.
"Processing" means anything that is done to the personal data we hold.
"Pseudonymisation" is the processing of personal data in such a way that the data can no longer be attributed to a specific person without the use of additional information (key).
Information Commissioner's Office
The Information Commissioner’s Office (ICO) is the body that regulates the Trust under data protection and freedom of information legislation. If you are not satisfied with our response or believe we are not processing your personal data in accordance with the law you can complain to the ICO.
Information Commissioner's Office
Cheshire, SK9 5AF
Telephone: 0303 123 1113 (local rate)
Telephone: 01625 545 745 (national rate)
Fax: 01625 524 510
Why we collect personal information about you
We use your personal information to carry out health and social care research in the public interest. This means that we have to demonstrate that our research serves the society as a whole, for example by improving existing services or introducing new treatments.
Our legal basis for processing personal information about you
The way in which we use your information is governed by law. The principal legislation that applies is the EU General Data Protection Regulation (GDPR) 2016/679, which came into force on 25 May 2018, and which is supplemented by the Data Protection Act 2018. When we use your information for research, we rely on Article 6(1)e (“processing is necessary for the performance of a task carried out in the public interest”) and Article 9(2)j (“processing is necessary for archiving purposes in the public interest, scientific or historical research purposes”) of the General Data Protection Regulation (GDPR) in combination with Schedule 1, Part 1, Art 4 Data Protection Act (DPA) 2018.
In addition, confidential information which you have shared with our staff, to enable them to provide your care is governed by the common law duty of confidentiality, as described by NHS Digital.
Patient recruitment to research studies is carried out by an ‘informed consent’ process which means that we advise you about the benefits and risks associated with a particular research study so as to enable you to decide whether you wish to participate in (consent to) the research study or not. Where you have formally consented to take part in research, this consent process will also satisfy the common law duty of confidentiality. In situations where it has been impracticable to obtain your consent, we will have sought approval from the Secretary of State via the Confidentiality Advisory Group under section 251 of the National Health Service Act 2006 (‘CAG approval’). The Confidentiality Advisory Group provides independent advice on specific research projects which will use confidential medical information.
Certain research studies also have to be approved by the Research Ethics Committees (REC) which is another independent group which ensures that all our research is ethical.
What personal information we need to collect about you and how we collect it
Where you have consented to the use of your data in a particular research project, the participant information leaflet would have been given to you as part of the consent process (see above under ‘legal basis’). This document will tell you what types of personal information we will use in connection with the specific research study or project you are participating in and (where applicable) its sources.
We will often get the necessary information directly from you. In other cases, we might already hold the required information due to the healthcare we provide to you .For information we are likely to already hold about you due to the care we provide, please refer to our main privacy notice for patients.
You are not legally or contractually obliged to supply us with your personal information or to agree that information we already hold about you for care purposes, may be used for research purposes.
Should you not wish information about you to be used for research, please let us know either via emailing us at the address below, or by opting out via the National Data Opt-Out Programme using the link below, or by speaking to the clinical team who are treating you and informing them of your wishes.
What we may do with your personal information
For research purposes, we may use your information anonymously in reports or presentations or share such information with other NHS bodies. Publicly available information will always be presented in aggregated format which means that you will not be identifiable from this information.
Some information about you may be linked to other information shared by primary care providers (e.g. GP) and secondary care providers (e.g. Acute Trusts) with the view to creating a more complete information set which will enable medical research for the benefit of public health.
We may use information collected as part of one research project for further research. However, where this information identifies you, we can only use the information for new purposes which are compatible with the original purpose to which you have consented or ethical (CAG) approval was granted (see above – ‘informed consent’). Where the new purpose is considered to be substantially different, we will obtain separate consent from you or seek new ethical (CAG) approval.
We will not:
- share your identifiable data with third parties for marketing purposes
- sell your identifiable data
Where we are required to transfer identifiable information about you internationally outside the UK/EU, we will make sure that an adequate level of protection is to be satisfied before the transfer.
Additional information on the nature of the research project and specifics of how your data will be managed will be contained within the participant/patient information sheet and/or supplementary research transparency information sheet you are provided with during the ‘informed consent’ process. Please feel free to ask the researchers for any clarification you may require.
For more information about the general use of patient data in research in the health service please visit the Health Research Authority website.
Who we share your information with and why
When you agree to take part in a research study, the information about your health and care may be provided to researchers running research studies here at UHB and other third party organisations. These external organisations may be non-commercial partners such as universities or other hospitals or commercial companies involved in health and care research in this country or abroad. For further details of our commercial and non-commercial partners, please visit our website.
Your information will only be used by organisations and researchers to conduct research in accordance with the UK Policy Framework for Health and Social Care Research.
There will be someone responsible for the overall research study called a chief investigator. Usually, this is someone who works directly with you, such as a doctor or nurse. The principal investigator is the person responsible for the conduct and day to day running of a research study and will lead a team to carry out the research. The principal investigator will also ensure that only appropriate staff and third parties will be able to access your personal information, in line with the approved research protocol.
If you are also a patient at UHB, then please refer to our main patient privacy notice which explains when we might have to share information about you with the Care Quality Commission or other regulatory/law enforcement authorities.
How we retain and re-use your information
Your personal information is held in both paper and electronic format, as required, for specified retention periods of time, as set out in the applicable research protocol. The applicable retention period for research studies may vary and will be outlined to you as part of the informed consent process or ethical approval (see above).
Following the expiry of the relevant retention period, your personal information will be fully anonymized and archived, or destroyed. Where information is to be destroyed, this will be done in a confidential manner and in accordance with the NHS Record Management Code of Practice. Anonymised archived data may be re-used for scientific or historical research purposes.
Under current data protection legislation (Art 13 to 18 GDPR), you have certain rights to manage your data as you see fit. However, for the purpose of research your rights to access, object, change, transfer and or delete/erase your information are limited. This is because we need to manage the data in specific ways to ensure the research we conduct is reliable and accurate, and that we are accountable to those organisations which fund and monitor our research.
If you withdraw your consent to participate in a research project, we may not remove all your data. We may keep the information about you that we have already used for a particular research project to ensure research integrity is maintained in the public’s interest and that publically funded research meets is goals. To safeguard your rights, we will strive to use the minimum personally-identifiable information possible following your withdrawal of consent.
Where research has been conducted, based on a section 251 of the National Health Service Act 2006, via CAG approval (see above under ‘informed consent’), you may have a right to ‘opt-out’. The national data opt-out right emanates from the Caldicott principles and entitles you to object to be contacted about new research for which it was not possible to obtain your ‘informed consent’, unless this right been waived by the Secretary of State for Health and Social Care or the Health Research Authority. Further information about the national data opt-out can be found on the following website:
Changes to this privacy notice
This web page was last reviewed on 3 November 2020. It is reviewed when necessary and at least annually. Any changes will be published here.
Your duty to inform us of changes
It is important that the personal information we hold about you is accurate and current. Please keep us informed if your personal information changes during your working relationship with us.