AFFECT privacy notice

What is a privacy notice?

A Privacy Notice describes how personal information is collected, used, kept and shared. This Privacy Notice is for people involved in research conducted by the Academic Cardiovascular Unit (ACU).

As a participant in this research project, you will have received detailed written information (Participant Information Leaflet) about the research project.

This Privacy Notice gives you more general information about how the ACU handles Personal Data, the legal basis for this, and your right to lodge a complaint with the Information Commissioner’s Office (ICO).

Who are we?

The Academic Cardiovascular Unit (ACU) is a research unit based at South Tees Hospitals NHS Foundation Trust. The Trust is also part of the University Hospitals Tees Group.

ACU are committed to maintaining the highest standards in our research by ensuring that all research activities we undertake safeguards the dignity, rights, health, safety, and privacy of those involved.

We follow the UK Policy Framework for Health and Social Care Research. We conduct research which is in the public interest and all our research hopes to lead to improvements in patient care.

We follow policies and procedures which ensure we comply with the law, including the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

What is personal data?

Personal Data means any information which relates to you or identifies you as an individual. It includes information which can directly identify you, and information which may identify you if it is combined with other information. Examples include: names, addresses, telephone numbers, dates of birth, bank and financial details.

The Personal Data we collect and use about you depends on the research project you are involved in.

In AFFECT, your Personal Data will include your name, NHS number*, sex, date of birth, and postcode.

*In the devolved nations of Wales, Northern Ireland and Scotland, NHS numbers sometimes have different names.

How will my personal data be used?

Your Personal Data will be used to help us meet the aims and objectives (plans) of the AFFECT study. This includes accessing further data about you held by NHS England and other similar bodies in the devolved nations. These organisations may change their names over time.

We will also keep data about your medical history, medical events whilst you are in the study, and future medical events if you consent to this. You have the opportunity to provide information to the trial database directly. This will require you to provide the research team with a personal email address.

The research team includes people working at other hospitals and universities.

During the study, personal identifiable data for participants will be shared with NHS England and with similar organisations in the devolved nations as appropriate. This allows them to ‘flag’ your records as being part of the AFFECT clinical trial and to gather the data they collect about you. Most NHS hospital trusts are already required to share information from your patient records to NHS England or similar organisations in the devolved nations. This includes referrals, assessments, diagnoses and other activities (such as taking a blood pressure test). It is this data that would then be shared with the research team. Where this information could identify you, the information will be held securely with strict arrangements about who can access it.

Data that we collect for the research is ‘coded’, meaning that your name is removed and replaced by a code (a number generated by a computer database). After the end of this study, your coded data could be shared outside the research team. We will not identify any individuals in any publication arising from the research. In the future, your information could be used for research in health or care, and could be combined with information about you from other sources held by researchers, the NHS or government. In some circumstances your data could be shared with researchers outside of the UK.

Where there is a risk that you can be identified, your data will only be used after the project has been reviewed by an ethics committee. There would also be an agreement in place to ensure that anyone we share data with keeps it safe and secure.

How long will my data be kept?

Your data must be kept for a while after the research has ended, as described in the Participant Information Leaflet. After this, all Personal Data will be destroyed.

What if I change my mind and want to withdraw from the study?

When you agree to take part in AFFECT, we need to use your data to conduct and analyse the study. This means your rights to access, change or move your information are more limited because we need the data to make sure that the research is accurate and reliable. If you decide to withdraw from the study, we will keep and use the information about you that we already have.

You are free to withdraw from AFFECT at any stage and your future care will not be affected.

We ask you to sign a consent form however, you can still withdraw at any stage. The consent form asks for permission to access your data for the purposes of the study, or if you became unwell and can no longer make decisions for any reason.

How will my data be looked after safely?

During the study your personal data is stored securely within:

NHS Trusts participating in AFFECT,
The Academic Cardiovascular Unit at South Tees Hospitals NHS Foundation Trust,
Wider members of the research team based at Universities and Hospitals,
Within secure data environments, including the main study database.

All electronic data will be stored on secure network systems with restricted access. When Personal Data is shared, it is limited (restricted) to sharing only the information needed to carry out the task.

Who is responsible for my personal data?

The Data Controller is the organisation which decides what Personal Data is used, and how. They are responsible making sure it is handled in accordance with Data Protection laws.

The Data Controller for this study is South Tees Hospitals NHS Foundation Trust. The Trust is registered with the Information Commissioner’s Office as a Data Controller.

When your data is stored within a secure data environment this may fall under different arrangements, where there is a joint data controller. We will update this privacy notice with details of joint data controllership and any new data processing arrangements when they apply.

What is the lawful basis for processing your data?

The lawful bases for carrying out this research are:

Task in the Public Interest (Regulation Article 6,1e). This is because data will be used to inform the research analysis, the results of which would be in the public interest.
Scientific Research (Regulation Article 9, 2j). This is a research project and we ask you to provide consent for the use of your data.

Data protection officer

If you want to understand more from South Tees Hospitals NHS Foundation Trust about how your information is being used, you can contact the Data Protection Officer.

If you wish to contact the DPO please contact them as follows:

South Tees Hospitals NHS Foundation Trust
The James Cook University Hospital
Marton Road
Middlesbrough
TS4 3BW
Main switchboard: 01642 850850
[email protected]

Who do I complain to?

You have a right under law to raise a complaint with the Information Commissioner’s Office (ICO). The ICO is the organisation responsible for enforcing Data Protection laws within the UK. You can do this using the link below. You will require the following information to make a complaint:

Email address for the organisation.
A copy of the complaint you have made to the organisation about how they have handled your personal information.
If complaining on behalf of someone else, a letter of consent from the person the complaint is about.
Any supporting information regarding the mishandling of your personal information i.e. a copy of the email where your information was mis-shared, copy of records with inaccurate information, an apology letter from the organisation for example.