LCTC Privacy Notice for Research Participants and Research Team Members

This data privacy notice describes how personal information is collected, used, retained and disclosed at the Liverpool Clinical Trials Centre.

1. What is a privacy notice?

A privacy notice is a statement that describes how personal information is collected, used, retained and disclosed. This Privacy Notice is for people involved in research conducted by the Liverpool Clinical Trials Centre (LCTC).

As a participant in one of our research projects, you will have received detailed written information (Participant Information Sheet) about the project and may also have been given a website address for the project where more detailed information was laid out.

As a research team member involved in one of our projects, detailed information will have been provided to you about the project (e.g. protocol) and your role in conducting it (e.g. training, Delegation Logs, Terms of Reference, etc.).

This Privacy Notice is intended to provide more general information about how LCTC handles Personal Data and complements the project-specific information already provided to you.

2. Who are we and what are our core values?

Since 1881, the University of Liverpool (University) has been dedicated to “the advancement of learning and ennoblement of life”, and as such high quality academic research is at the forefront of University activities. This is reflected in the University Charter, which states that “the objects of the University shall be to advance education, learning and research for the public benefit”. The LCTC is part of the University and conducts health and social care research involving human participants. In accordance with University policy, we are committed to maintaining the highest standards of rigour and integrity in our research by ensuring that all research activities are undertaken in a way that safeguards the dignity, rights, health, safety, and privacy of those involved. We adhere to the UK Policy Framework for Health and Social Care Research and conduct research which is in the public interest and is intended to lead to improvements in patient care. We also adhere to policies and procedures which ensure we comply with all applicable regulation and legislation, including the General Data Protection Regulation (GDPR) and the Data Protection Act 2018.

3. What is Personal Data?

Personal Data means any information which relates to you, or identifies you as an individual. It includes information which can directly identify you, and also information which may identify you if combined with other readily available information. Examples of Personal Data are: names, addresses, telephone numbers, dates of birth, IP address, etc.

Some Personal Data is considered sensitive and is called “special category”. This includes data concerning: racial or ethnic origin, religious beliefs, trade union activities, physical or mental health condition, and sexual life or sexual orientation.

The specific type of Personal Data we collect and use about you, and the purposes for which we use it, depends on the particular research objectives of the project you are involved in. The objectives of each research project are detailed in the project-specific information that has been provided to you as participants or research team members.

4. Why are we able to process your Personal Data?

Whenever we handle your Personal Data, we comply with Data Protection legislation and make sure we have a valid legal reason to process and use information about you. This is often called a ‘lawful basis’.

When you are involved in one of our research projects, the lawful basis we rely upon for processing your Personal Data is: “Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller”.

We are only able to rely upon this lawful basis because the University is a public body and the research we conduct is in the public interest (or “public benefit” as stated in the University Charter). The law requires us to give extra protection to “special category” Personal Data and so an additional lawful basis is needed in order to process this. When we use this type of data, we also rely on the following lawful basis:

“Processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes… which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject”.

We are only able to rely on this additional lawful basis for “special category” data because we use data for a task which is in the “public interest” and because we take special measures to protect the data (these are called “Safeguards”).

We obtain appropriate review and approval from a research ethics committee. The majority of our research is funded by public funders, such as the Department of Health or renowned charities (e.g. Cancer Research UK). The project-specific information will tell you who reviews, approves and funds the project. We also follow the UK Policy Framework for Health and Social Care Research for research run in the NHS or social care environment. By doing all this, we can be sure that a research project is in the “public interest”.

5. How are we protecting your Personal Data?

We are committed to protecting your rights and freedoms, and making sure that the Personal Data we hold is always handled it in a sensitive and confidential way. We have put in place a number of “safeguards” to achieve this.

Our staff are required to follow policies and procedures which ensure:

  • the amount and type of data collected is proportionate to the objectives of the research
  • the data collected is only retained as long as necessary for the aims and purposes of the research
  • the data is held and handled safely, securely and confidentially
  • Training is delivered to ensure our staff appreciate the importance of data protection and understand the policies and procedures we ask them to follow
  • all research projects undergo a formal risk assessment which includes assessment of data protection issues
  • all research projects involving Personal Data are reviewed and approved by a research ethics committee, which ensures that the research will not cause damage or distress to individuals
  • if external companies or individuals not employed with the University process data on our behalf, or have joint responsibility for the data with us, we put formal agreements in place, which describe everybody’s roles and responsibilities
  • if data is transferred outside of the UK, we ensure that there are adequate data protection laws in place in that country, or that they are part of special schemes providing assurance of privacy and security (e.g. the US Privacy Shield).

6. Who is responsible for my Personal Data?

The Data Controller is the organisation which decides what Personal Data is used, for what purpose, and how it will be processed (collected, used, shared, archived and deleted). A Data Controller is responsible for what happens to the data and must ensure it is processed in accordance with Data Protection law. The University will usually be the Data Controller of research projects conducted by LCTC.

Sometimes two or more Data Controllers work jointly on a research project. When the University is a joint Data Controller with other organisations, agreements and/or contractual arrangements are put in place which document how each organisation agrees to share their responsibilities. If there are joint Data Controllers for the research project you are involved in, this will be detailed in the in the project-specific information provided to you.

When the University is not a Data Controller, we are still responsible for the data when we hold and process it, and apply the same standards as when we act as a Data Controller.

7. Who will have access to my Personal Data

Your Personal Data will normally be accessed by people working on the project you are involved in, and people working to ensure it is being run correctly. They will use your data to answer the research questions of the project, and check that this is being done properly. You will be made aware in the project-specific information if there are collaborators within the research team that are not employed by the University who will also access your data, or if your data is planned to be shared with other people for other health or care research projects.

For research project participants, the “special category” data will be “pseudonymised” to help keep it as private as possible. When data is “pseudonymised” this means that direct identifiers such as your name have been removed and replaced with a unique number or code.

Where it is possible to completely anonymise your Personal Data, this will be done as soon as possible. Your information will be used to produce answers to the research questions and these will be presented at conferences and published in medical journals so that we can explain to the medical community what our research results have shown. However, your information will always be fully anonymised when this happens and no-one will know that it is yours.

We have to keep your Personal Data for a number of years after the project has finished in order to comply with laws and regulations which govern research. The length of time depends upon the type of project you are involved in and you will have been told what this is in the project-specific information already provided to you. We will never keep your Personal Data longer than we need to.

8. Your rights

Under Data Protection law you have rights in relation to the Personal Data we hold about you. These include the right to:

  • be informed about how your information is being used
  • access the information/receive a copy of the information
  • correct any inaccurate information
  • have any information deleted
  • restrict or object to our processing of the information
  • move your information.

It is important to understand that the extent to which these rights apply to research will vary and that in some circumstances a right may be limited. This may be the case if implementing a right is likely to make it impossible to do the research, or might seriously impair the objectives of the research. If we cannot implement a right for those reasons, you will be informed of the decision within one month and you also have the right to complain about this decision to the Information Commissioner.

It should also be noted that we can only implement your rights during the period upon which we hold personal identifiable information about you. Once the information has been permanently destroyed or irreversibly anonymised and becomes part of the research data set it will not be possible for us to access your Personal Data.

9. Who to contact

If you have any questions about how your Personal Data is used, you may find the information you need on the University’s Data Protection webpages. If you don’t find what you are looking for, have more questions, or want to exercise any of your rights, you can contact the University’s Data Protection Manager by emailing LegalServices@liverpool.ac.uk or write to:

The Data Protection Manager
University of Liverpool
2nd Floor – The Foundation Building
Brownlow Hill
Liverpool L69 7ZX

10. Can I complain?

Yes. If you are not happy with the way your information is being handled, or with the response received from us, you have the right to lodge a complaint with the Information Commissioner’s Office at Wycliffe House, Water Lane, Wilmslow, SK9 5AF (www.ico.org.uk).