In May 2018 a new General Data Protection Regulation (GDPR) came into force which is designed to give you more control over how we will use your data. Ensuring that personal data are collected, stored, used and shared securely is an essential part of good research practice. GDPR also defines specific roles with duties and responsibilities to protect the rights of subjects whose data are collected. The two most important roles are: the Data Controller and the Data Custodian.
The MRC National Survey of Health and Development is part of University College London (UCL). For the purposes of data protection law, UCL is the entity that determines how and why your personal data is processed and so is the Data Controller.
The MRC National Survey of Health and Development is housed within the MRC Unit for Lifelong Health and Ageing at UCL (LHA). The Director of the LHA is responsible for overseeing the way in which the study team looks after your data on a day to day basis (the Director of the LHA is the Data Custodian).
Our commitment to you
- We will ensure that your personal data are processed lawfully, fairly, transparently, and for a specific purpose.
- We do not conduct research with the aim of commercial gain - all our research aims to benefit society and is not for profit.
- We are interested in long term changes to health. As we are still in the process of collecting data, we have not set a time limit for how long we will keep your data. We do review what we keep on a five-yearly basis.
- Taking part in our studies is voluntary and you are free to withdraw at any time without giving a reason.
- Confidentiality is very important to us. Internal and external researchers do not see your name or any other personally identifiable information, they only see an ID number. Before having access to your data they also sign confidentiality agreements and as a precondition they must complete annual data training
Personal Data that we collect about you
Personal data, or personal information, means any information about an individual from which that person can be identified, such as your name, date of birth and contact details (address, phone number, email address). We also hold ‘special category’ data about you, which may include details about your race or ethnicity, religious or philosophical beliefs, sexual orientation, political opinions and information about your health.
We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:
- To manage our relationship with you
- To help you with enquiries. Depending on the circumstances, this may include special category personal data.
- To invite you to take part in data collections (home visit, clinic visit or for postal questionnaires).
- To collect data from you (online questionnaires, postal questionnaires, home visits)
Your personal data will be collected and processed primarily by our staff. Access to your personal information is limited to staff who have a legitimate need to see it for the purpose of carrying out their job at LHA.
We may have to share your personal data with third parties for the purposes of:
- Data processing – Abacus Data and Mailing Ltd have been contacted to create digital versions of consent forms and birthday card reply slips
- Archiving – Iron Mountain provide long term storage
- Linking to your health records – NHS Digital, National Records of Scotland, and NHS Wales Informatics Service (NWIS) provide access to your health records.
- Linking to geographical data – Addresses will be provided to the University of Leicester in order to link this to precise location and then map information about this place (such as air pollution, noise data, services and the amount of greenspace around the property)
- Sending out mail – Abacus Data and Mailing Ltd have been contracted to send out letters and questionnaires. We will also use UCL preferred suppliers for printing and sending out birthday cards, newsletters and letters.
- Data collection - Between major surveys, we may carry out short online surveys using Qualtrics, an online survey platform. Qualtrics is accredited to data security standards and is compliant with data protection legislation. Kantar Public is the independent research organisation that has been contracted to carry out the follow-up waves of the COVID-19 study.
- Antibody testing – Thriva have been contracted to send out testing kits and to analyse the returned tests.
We will only share your personal details with these third parties under strict conditions set out in a legally binding data processing contract. This offers assurances about the use, access and security of any personal data provided to the third party and prevents them passing on or selling your personal data. We also use Royal Mail for posting questionnaires, sending invitations to take part in other face-to-face data collections (e.g. home visits, clinics or focus groups) and other correspondence associated with keeping in touch with you.
How we will use your research data
We will only ever collect your data with permission, for example by asking you to attend a clinic or complete a questionnaire. Once we have collected it, it will be processed for research use, all personal information (name, address, date of birth, etc.) is removed and will be stored securely and confidentially using a unique ID. We will then provide this information to researchers on request and only under strict conditions. We will also place research data onto secure data platforms (such as UK LLC, UKDS and DPUK) but only researchers who have approval by the NSHD data sharing committee will be given access.
Some research projects will require access to some of the sensitive information that has been collected with your consent:
- Mortality, cancers and rare diseases - Subject to data sharing approval, researchers may be allowed to use grouped or ‘aggregated’ data, which minimises the risk of re-identification. Data can only be accessed at the LHA offices.
- Location - We use addresses and postcodes to produce new information about your location (geographic data). Any potentially identifiable geographic data is only made available at the LHA offices.
Lawful basis for processing
Data protection legislation requires us to have a valid legal reason to process and use personal data about you. This is often called a ‘legal basis’. GDPR requires us to be explicit with you about the legal basis upon which we rely in order to process information about you.
In the context of research, the lawful basis upon which we will process your personal information is usually where “Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller” (Article 6 of GDPR):
Where we also collect and use sensitive personal information (special category personal data) we only do so where “the processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes... which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject”. (Article 9 of GDPR).
Under data protection legislation you have individual rights in relation to the personal information we hold about you. For the purposes of research where such individual rights would seriously impair research outcomes, such rights are limited. However under certain circumstances, these include the right to:
- access your personal information
- correct any inaccurate information
- erase any personal information
- restrict or object to our processing of your information
- move your information (portability)
If it is considered necessary to refuse to comply with any of your individual rights, you will be informed of the decision within one month and you also have the right to complain about our decision to the Information Commissioner.
Complaints or queries
The LHA aims to meet the highest standards when collecting and using personally identifiable information. We encourage people to tell us if they think that our collection or use of information is unfair, misleading or inappropriate. We would also welcome any suggestions for improving the way we handle your personal details.
If you have any questions about how your personal information is used, or wish to exercise any of your rights, please get in contact with us. You can also contact the University’s Data Protection Officer by telephoning: 020 7679 2000 or by writing to: University College London, Gower Street, London WC1E 6BT or by email: firstname.lastname@example.org.
We keep this Privacy Notice under regular review. It was last updated on 18/03/2021.