20 Jun

Our Data Protection and Privacy Notice

Privacy Notice

In order to conduct our research Imperial College London is the data controller for personal information from health care records (also known as ‘special category’ data). We either obtain this data directly from NHS Trusts or via third parties such as NHS Digital, the Office for National Statistics, National Cancer Registries (including the Welsh Cancer Intelligence and Surveillance Unit) and Information Services Division Scotland, part of NHS National Services Scotland This means that we are responsible for looking after your information and using it properly. The CSPRG intends to keep special category, personal data for 10 years after our studies finish, as per the Imperial College London data retention guidelines. Imperial College London, UK, is the sponsor for our studies.

Further information on Imperial College London’s retention periods may be found at https://www.imperial.ac.uk/media/imperial-college/administration-and-support-services/records-and-archives/public/RetentionSchedule.pdf.

A link to Imperial College London’s data protection webpage may be found at https://www.imperial.ac.uk/admin-services/legal-services-office/data-protection/. The CSPRG privacy notice, described here, is most applicable to the information provided by CSPRG study participants and therefore takes precedence.

Your rights / GDPR Individual Rights

Your usual statutory rights to access, change or move your information are limited, because of exceptions applicable to some types of research, and also because we need to manage your information in specific, lawful ways in order for the research to be reliable and accurate. To safeguard your rights, we will use the minimum personally-identifiable information possible.

The EU General Data Protection Regulation (GDPR) grants individuals several rights concerning their data:

  • The right to object (to processing of the data)
  • The right to correct (inaccurate or incomplete data)
  • The right to erasure (also known as “the right to be forgotten”)
  • The right to restrict processing (e.g. while the accuracy of the data is contested)
  • The right to portability (to have a copy of any data you have provided to us)
  • The right to access (to have a copy of data we hold about you)
  • The right to withdraw consent (if you have previously consented to take part)

If you think that we might be processing your data and you wish to exercise any of the rights listed above, please get in touch using the details on the Contact Us page.  Though it may not always be possible for us to fulfil your request, we will respond to your query within one month.  For more information on your GDPR rights, please see guidance provided by Information Commissioners Office.

Legal Basis

As a University we use personal data and special categories of personal data to conduct research to improve health, care and services. As a publicly-funded organisation, we must ensure that it is in the public interest when we use personal data and special categories of personal data.  Some of this data is from patients who have completed a consent form.  Where consent could not be sought, approval for obtaining and processing data was provided under section 251 of the National Health Service Act 2006.

Health and care research should be in the public interest, which means that we must demonstrate that our research serves the interests of society. We do this by following the UK Policy Framework for Health and Social Care Research.

Contact us

If you wish to raise a complaint on how we have handled your personal data or if you want to find out more about how we use your information, please contact Imperial College London’s Data Protection Officer via email at dpo@imperial.ac.uk, via telephone on 020 7594 3502 or via post at Imperial College London, Data Protection Officer, Faculty Building Level 4, London SW7 2AZ.

If you are not satisfied with our response or believe we are processing your personal data in a way that is not lawful you can complain to the Information Commissioner’s Office (ICO). The ICO does recommend that you seek to resolve matters with the data controller (us) first before involving the regulator.