This data privacy notice describes how personal information is collected, used, retained and disclosed at the Liverpool Clinical Trials Centre.
A privacy notice is a statement that describes how personal information is collected, used, retained and disclosed. This Privacy Notice is for people involved in research conducted by the Liverpool Clinical Trials Centre (LCTC).
As a participant in one of our research projects, you will have received detailed written information (Participant Information Sheet) about the project and may also have been given a website address for the project where more detailed information was laid out. This information will have included project-specific details such as the purpose of the project, who the Data Controllers are (and their contact details), how long the project data will be held for, what the sources and recipients of the project data are, etc.
As a research team member involved in one of our projects, detailed information will have been provided to you about the project (e.g. protocol) and your role in conducting it (e.g. training, Delegation Logs, Terms of Reference, etc.). These documents will have included project-specific details such as the purpose of the project, who the Data Controllers are (and their contact details), how long the project data will be held for, etc.
This Privacy Notice is intended to provide more general information about how LCTC handles Personal Data such as the legal bases we rely upon and your right to lodge a complaint with the Information Commissioner’s Office (ICO). It complements the project-specific information already provided to you. Your information may additionally be processed using particular pieces of software such as ADOBE Sign, EDGE, etc. Please see below for more information on these pieces of software.
Your information may additionally be processed by third-parties such as archiving sub-contractors, or due to using particular pieces of software to manage the project, such as ADOBE Sign, EDGE, etc. Please see below for more information on these third-parties.
Since 1881, the University of Liverpool (University) has been dedicated to “the advancement of learning and ennoblement of life”, and as such high quality academic research is at the forefront of University activities. This is reflected in the University Charter, which states that “the objects of the University shall be to advance education, learning and research for the public benefit”. The LCTC is part of the University and conducts health and social care research involving human participants. In accordance with University policy, we are committed to maintaining the highest standards of rigour and integrity in our research by ensuring that all research activities are undertaken in a way that safeguards the dignity, rights, health, safety, and privacy of those involved. We adhere to the UK Policy Framework for Health and Social Care Research and conduct research which is in the public interest and is intended to lead to improvements in patient care. We also adhere to policies and procedures which ensure we comply with all applicable regulation and legislation, including the General Data Protection Regulation (GDPR) and the Data Protection Act 2018.
Personal Data means any information which relates to you, or identifies you as an individual. It includes information which can directly identify you, and also information which may identify you if combined with other readily available information. Examples of Personal Data are: names, addresses, telephone numbers, dates of birth, IP address, etc.
Some Personal Data is considered sensitive and is called “special category”. This includes data concerning: racial or ethnic origin, religious beliefs, trade union activities, physical or mental health condition, and sexual life or sexual orientation.
The specific type of Personal Data we collect and use about you, and the purposes for which we use it, depends on the particular research objectives of the project you are involved in. The objectives of each research project are detailed in the project-specific information that has been provided to you as participants or research team members.
Whenever we handle your Personal Data, we comply with Data Protection legislation and make sure we have a valid legal reason to process and use information about you. This is often called a ‘lawful basis’.
When you are involved in one of our research projects, the lawful basis we rely upon for processing your Personal Data is: “Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller”.
We are only able to rely upon this lawful basis because the University is a public body and the research we conduct is in the public interest (or “public benefit” as stated in the University Charter). The law requires us to give extra protection to “special category” Personal Data and so an additional lawful basis is needed in order to process this. When we use this type of data, we also rely on the following lawful basis:
“Processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes… which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject”.
We are only able to rely on this additional lawful basis for “special category” data because we use data for a task which is in the “public interest” and because we take special measures to protect the data (these are called “Safeguards”).
We obtain appropriate review and approval from a research ethics committee. The majority of our research is funded by public funders, such as the Department of Health or renowned charities (e.g. Cancer Research UK). The project-specific information will tell you who reviews, approves and funds the project. We also follow the UK Policy Framework for Health and Social Care Research for research run in the NHS or social care environment. By doing all this, we can be sure that a research project is in the “public interest”.
We are committed to protecting your rights and freedoms, and making sure that the Personal Data we hold is always handled it in a sensitive and confidential way. We have put in place a number of “safeguards” to achieve this.
Our staff are required to follow policies and procedures which ensure:
The Data Controller is the organisation which decides what Personal Data is used, for what purpose, and how it will be processed (collected, used, shared, archived and deleted). A Data Controller is responsible for what happens to the data and must ensure it is processed in accordance with Data Protection law. The University will usually be the Data Controller of research projects conducted by LCTC.
Sometimes two or more Data Controllers work jointly on a research project. When the University is a joint Data Controller with other organisations, agreements and/or contractual arrangements are put in place which document how each organisation agrees to share their responsibilities. If there are joint Data Controllers for the research project you are involved in, this will be detailed in the in the project-specific information provided to you.
When the University is not a Data Controller, we are still responsible for the data when we hold and process it, and apply the same standards as when we act as a Data Controller.
Your Personal Data will normally be accessed by people working on the project you are involved in, and people working to ensure it is being run correctly. They will use your data to answer the research questions of the project, and check that this is being done properly. You will be made aware in the project-specific information if there are collaborators within the research team that are not employed by the University who will also access your data, or if your data is planned to be shared with other people for other health or care research projects.
For research project participants, the “special category” data will be “pseudonymised” to help keep it as private as possible. When data is “pseudonymised” this means that direct identifiers such as your name have been removed and replaced with a unique number or code.
Where it is possible to completely anonymise your Personal Data, this will be done as soon as possible. Your information will be used to produce answers to the research questions and these will be presented at conferences and published in medical journals so that we can explain to the medical community what our research results have shown. However, your information will always be fully anonymised when this happens and no-one will know that it is yours.
We have to keep your Personal Data for a number of years after the project has finished in order to comply with laws and regulations which govern research. The length of time depends upon the type of project you are involved in and you will have been told what this is in the project-specific information already provided to you. We will never keep your Personal Data longer than we need to.
Under Data Protection law you have rights in relation to the Personal Data we hold about you. These include the right to:
It is important to understand that the extent to which these rights apply to research will vary and that in some circumstances a right may be limited. This may be the case if implementing a right is likely to make it impossible to do the research, or might seriously impair the objectives of the research. If we cannot implement a right for those reasons, you will be informed of the decision within one month and you also have the right to complain about this decision to the Information Commissioner.
It should also be noted that we can only implement your rights during the period upon which we hold personal identifiable information about you. Once the information has been permanently destroyed or irreversibly anonymised and becomes part of the research data set it will not be possible for us to access your Personal Data.
If you have any questions about how your Personal Data is used, you may find the information you need on the University’s Data Protection webpages. If you don’t find what you are looking for, have more questions, or want to exercise any of your rights, you can contact the University’s Data Protection Manager by emailing LegalServices@liverpool.ac.uk or write to:
The Data Protection Manager
University of Liverpool
2nd Floor – The Foundation Building
Brownlow Hill
Liverpool L69 7ZX
Yes. If you are not happy with the way your information is being handled, or with the response received from us, you have the right to lodge a complaint with the Information Commissioner’s Office at Wycliffe House, Water Lane, Wilmslow, SK9 5AF (www.ico.org.uk).
The University of Liverpool holds contracts with all third-party processors and assurances are given that all Personal Data is processed securely and confidentially.
Clinical research projects require documentation and data to be archived for specified periods following the end of a project. The University of Liverpool uses a third-party company called RESTORE to archive paper records. Data archived includes Participant Personal Data (including pseudonymised Special Category) and Research Team Personal Data (names, contact details).
Access will be restricted to authorised LCTC staff and trial-specific auditors/inspectors as appropriate. Additionally, RESTORE will have access to boxed paperwork, but will not be authorised to open and access paperwork.
Sharepoint is cloud-based software used by Research Team members to store and manage project paperwork. This paperwork includes Research Team Personal Data (names, contact details). Users of Sharepoint will require provision of Personal Data (including, name, email address, IP address).
Access will be restricted to authorised LCTC staff, University of Liverpool IT staff and trial-specific auditors/inspectors as appropriate. Additionally, as this is a cloud-based system, MICROSOFT will process user Personal Data and may need to view these documents as part of the maintenance of the system. Data is hosted on servers based in the UK. Further information about how these organisations process your information is available on the Sharepoint Privacy Webpage: https://privacy.microsoft.com/en-gb/privacystatement.
ADOBE Sign is cloud-based software used to obtain electronic signature on project paperwork. This paperwork includes Research Team Personal Data (names, contact details). Users of ADOBE Sign will require provision of Personal Data (including, name, email address, IP address). ADOBE will process this Data
Access will be restricted to authorised LCTC staff, University of Liverpool IT staff and trial-specific auditors/inspectors as appropriate. Additionally, as this is a cloud-based system, ADOBE Systems Software Ireland will process user Personal Data and may need to view these documents as part of the maintenance of the system. Data is hosted on servers based in the EU (including Frankfurt, Germany). Further information about how these organisations process your information is available on the ADOBE Privacy Webpage: https://www.adobe.com/uk/privacy/policy.html.
EDGE is cloud-based software used by Research Team members to store and manage project paperwork. This paperwork includes Research Team Personal Data (names, contact details). Users of EDGE will require provision of Personal Data (including, name, email address, IP address). EDGE will be also be used to transfer paperwork to LCTC – this paperwork includes Participant Personal Data (including pseudonymised Special Category) and Research Team Personal Data (names, contact details).
Access will be restricted to authorised LCTC staff, University of Liverpool IT staff and trial-specific auditors/inspectors as appropriate. Additionally, as this is a cloud-based system, EDGE and its sub-processors (including Piksel Carelink and Salesforce) will process User Personal Data and may need to view these documents as part of the maintenance of the system. Data is hosted on servers based in the UK. Further information about how these organisations process your information is available on the EDGE Privacy Webpage: https://edgeclinical.com/privacy.
WeTransfer is an encryption service used by Research Team members to securely transfer documents to/from LCTC. Users of WeTransfer will require provision of Personal Data (including email address, IP address). The documents transferred may include Research Team Personal Data (names, contact details) and Participant Personal Data (including pseudonymised Special Category). WeTransfer collect personal information via audited means (including browser information, cookie information, Device information, network information, location data (only with your consent) and service usage information. For further details see Section: What information do we collect? on the WeTransfer Privacy Statement: https://wetransfer.com/legal/privacy.
Access to transferred documents will be restricted to authorized research team staff, authorised LCTC staff, University of Liverpool IT staff and trial-specific auditors/inspectors as appropriate. Data is hosted on servers based in the Republic of Ireland. Further information about how WeTransfer processes information is available on the WeTransfer Privacy Webpages: https://wetransfer.com/legal/terms and https://wetransfer.com/legal/privacy