Privacy Policy for Research

1. General background

Univa Health Ltd. (“Univa”, “we”, “us”, “our”) is committed to protecting and respecting your privacy. We aim to conduct research to the highest standards of research integrity. Our research is underpinned by policies and procedures that ensure we comply with regulations and legislation that govern the conduct of research; this includes data protection legislation such as the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA).

Univa uses personal data to conduct research to improve health, care and our services. This Privacy Policy for Health Research sets forth the terms and restrictions pertaining to the personal information we may collect from you during research projects. Please read this policy carefully to understand our practices regarding your personal data and how we will treat it.

The controller of your personal data is Univa Health Ltd, 303 Goring Road, Goring-by-Sea, Worthing, West Sussex, BN12 4NX, United Kingdom.

If you have queries on this Privacy Policy or how we process your personal information please contact us by emailing our Data Protection Officer at dataprivacy@univa.health.

If you do not agree to the terms of our Privacy Policy, please discontinue your use, and advise us of your specific objections, questions and concerns.

2. Data protection principles

We will comply with data protection law. This says that the personal information we hold about you must be:

  1. Used lawfully, fairly and in a transparent way.
  2. Collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes.
  3. Relevant to the purposes we have told you about and limited only to those purposes.
  4. Accurate and kept up to date.
  5. Kept only as long as necessary for the purposes we have told you about.
  6. Kept securely.

3. What is research?

Research has a special status under data protection legislation. It is important therefore to specify what we mean by research.

Some of the research we undertake will make an original contribution to knowledge and might be published in order to share that knowledge. Other research we undertake, such as service evaluations, is not necessarily intended to make an original contribution to knowledge and is not usually published.

Some of our research may be conducted in collaboration with other commercial organisations, universities, academic institutions and funding bodies.

4. What is personal data?

‘Personal data’, also referred to as ‘personal information’, means any information which relates to or identifies an individual. This includes information which may not explicitly identify you (e.g. where your name has been removed) but which does make it possible to identify you if it is combined with other information that is readily available. For example, this might be because the information available contains a postcode, your gender and date of birth; in these circumstances it might be possible to identify you by using other information available elsewhere. Therefore, in these circumstances, we would treat the details we hold as personal information and protect them accordingly.

Some information about you that is considered to be ‘sensitive’ is called ‘special category personal data’. This includes information concerning your ethnicity; sexual orientation; gender identity, specifically whether your gender identity is the same as the gender originally assigned to you at birth; your religious beliefs; or details about your health. These types of personal information require additional protections. Access to, and the sharing of, this more sensitive personal data is controlled very carefully and you will be specifically informed about this in your participant information sheet.

We promise to respect the confidentiality of the personal information that you, as a participant in our research, provide to us; that we get from other organisations; and that we share with other collaborating organisations such as universities or other academic institutions.

We will be clear with you when we collect your information how we intend to use it. We will not do anything with your personal information that you wouldn’t reasonably expect. We will use your information only for the purpose of the research you are participating in and we will not usually use your information or contact you for any purpose other than research unless you have agreed to this. We commit to keeping your personal information secure.

5. Who is responsible for your personal data?

When we manage research projects, we will usually be the controller, which means that we will decide how your personal information is created, collected, used, shared, stored and deleted (processed). We will do so in line with the objectives of the research, ensuring we collect only what is appropriate and necessary and we have informed you of what we are collecting.

There are instances where two or more controllers work together on a research project. When this happens, the organisations have agreements and/or contractual arrangements in place which document how they have agreed to share their responsibilities. In these circumstances this will be detailed in the Participant Information Sheet you will be given.

6. What personal information do we use within research projects and where do we get it from?

The type of personal information collected and used will depend on the particular research objectives of the project you are taking part in. Depending on the study we may collect personal information directly from you or we may collect it from third parties (for example, GP records, hospital records). Whatever personal information we collect and no matter where we collect it from, it will always be proportionate to achieving those objectives.

Where we collect personal information from you directly, a Participant Information Sheet will inform you about what information we are using and how we are going to use it. We often ask you for your informed consent when we contact you directly.

Your information will usually be shared within the research team conducting the project you are participating in. You will be made aware in the Participant Information Sheet if there are collaborators that are not employed by Univa who will also access your information.

All our researchers are asked to de-identify (anonymise), pseudonymise (remove identifiers such as your name and replace this with a unique code or key) or delete personal information collected as part of their research at the earliest opportunity. All personal information is kept in line with our policies or any regulatory requirements.

Information relating to healthcare professionals and others involved in setting up and conducting research studies

For each research study in respect of which Univa is the study sponsor or otherwise managing the research project, Univa will collect personal data (e.g. names, contact details, CVs, training records) about the researchers, being:

  • Doctors, nurses and other staff involved in the recruitment, diagnosis, and treatment of participants taking part in the research study.
  • Laboratory staff, company employees, and staff from other organisations that are supporting and/or funding the research study.
  • Members of the public who contribute to the design and conduct of the research study, including individuals that sit on relevant local working groups or committees.
  • Healthcare professionals who contribute to the trial management groups and oversight committees that oversee the research study.

Univa will collect researcher personal data for the core purpose of carrying out the research study either directly from the researcher (for example, via the staff signature and delegation of responsibilities log) or indirectly from public sources or the study's source data.

7. What safeguards do we have in place to protect your personal information?

In order to protect your rights and freedoms when using your personal information for research and to process special category information we must have special safeguards in place to help protect your information. We have the following safeguards:

  • Policies and procedures that tell our staff how to collect and use your information safely.
  • Training which ensures our staff understand the importance of data protection and how to protect your data.
  • Security standards and technical measures that ensure your information is stored safely and securely.
  • All research projects involving personal data are scrutinised and approved by our executive leadership team and where applicable by a research ethics committee.
  • Contracts with companies or individuals not associated with Univa have confidentiality clauses to set out each party’s responsibilities for protecting your information.
  • We carry out data protection impact assessments on high-risk projects to ensure that your privacy, rights as an individual or freedoms are not affected.
  • If we use collaborators outside of Europe, we will ensure that they have adequate data protection laws or are part of privacy and security schemes such as the Privacy Shield in the US.

In addition to the above Univa safeguards, data protection legislation also requires us to meet the following standards when we conduct research with your personal information:

  • the research will not cause damage or distress to someone (e.g., physical harm, financial loss or psychological pain).
  • the research is not carried out in order to do or decide something in relation to an individual person, unless the processing is for medical research approved by a research ethics committee.
  • the Data Controller has technical and organisational safeguards in place (e.g. appropriate staff training and security measures).
  • if processing special category personal data, this must be subject to a further public interest test to make sure this particularly sensitive information is required to meet the research objectives.

8. The lawfulness of using your personal data

Data protection legislation requires us to have a valid legal reason to process and use personal data about you. This is often called a ‘legal basis’. GDPR requires us to be explicit with you about the legal basis upon which we rely in order to process information about you.

Whilst we are asking you to give your consent to take part in a research project, consent will not be used as the lawful basis for processing your data under the data protection legislation. Rather, in the context of research, the lawful basis upon which we will process your personal information is usually where:

“Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller” (Article 6(1)(e) of GDPR).

Where we also collect and use sensitive personal information (special category personal data) we only do so where:

“The processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes... which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject” (Article 9(2)(j) of GDPR).

Where we need to rely on a different legal condition, such as consent, we will inform you of this in the Participant Information Sheet provided to you.

9. Who will your personal information be shared with?

Your information is likely to be shared within the project team, primarily in a way that we can identify you as a participant, however most personal information used in research will be pseudonymised before sharing more widely or publishing the research outcomes. It may sometimes be necessary to share your personal information with other researchers for the purpose of achieving the research outcomes. If this is relevant to the research you are involved with, you will be provided with information about this in your Participant Information Sheet. If you have any further questions about research collaborations please contact the research team you are involved with.

If we are working with other organisations and information is shared with them, we will inform you in the Participant Information Sheet. Information will be shared on a need-to-know basis, will not be excessive, and will be subject to all appropriate safeguards to ensure the security of your information.

We also sometimes use products or services provided by third parties who carry out a task on our behalf or that are used for sharing research data for collaboration. These third parties are known as data processors, and when we use them we have contractual terms, policies and procedures to ensure confidentiality is respected. This does not always mean that they access your information. Univa remains responsible for your personal information as the controller, and should researchers use another third-party service to process your personal information, they will provide you with details about the relationship they have with the service provider/supplier/collaborator on the Participant Information Sheet.

Your personal information will only be used for the purpose of health and care research, and cannot be used to contact you or to affect your care.

10. Your rights

Under data protection legislation you have individual rights in relation to the personal information we hold about you. For the purposes of research where such individual rights would seriously impair research outcomes, such rights are limited. However, under certain circumstances, these include the right to:

  • access your personal information
  • correct any inaccurate information
  • erase any personal information
  • restrict or object to our processing of your information
  • move your information (“portability”)

It is important to understand that the extent to which these rights apply to research will vary and that in some circumstances rights may be restricted. If it is considered necessary to refuse to comply with any of your individual rights, you will be informed of the decision within one month and you also have the right to complain about our decision to the Information Commissioner. It should also be noted that we can only implement your rights during the period in which we hold personally identifiable information about you. Once the information has been irreversibly anonymised and becomes part of the research data set it will not be possible to access your personal information.

11. For how long is your personal information kept?

We ask our researchers to de-identify information wherever possible (anonymisation or pseudonymisation). Information where you can be identified will be kept for up to 10 years, which will vary depending on the type of research.

You will be informed in your Participant Information Sheet how long your personal information will be kept.

12. How do we store and process your personal information?

Your data may be processed or stored outside the UK and the European Economic Area (EEA). This is because we sometimes work with other companies who help us deliver our research projects and they might have servers outside the UK or EEA.

This will always be in line with applicable data protection lawful mechanisms and protected by appropriate safeguards (such as EU-approved standard contractual clauses, a Privacy Shield certification, or a supplier’s Binding Corporate Rules).

For further information on how we protect your data if we transfer it outside of the EEA, contact us by email at: dataprivacy@univa.health

13. How do we keep your personal information safe?

Univa takes protection of your personal data very seriously. Univa uses a range of precautions that include administrative, technical and physical measures, to safeguard your personal data against loss, theft and misuse, as well as against unauthorised access, disclosure, alteration and destruction. We store the personal data you provide encrypted on computer servers that are located in highly secure and controlled facilities. We restrict access to personal data to our employees, contractors and agents who need access in order to complete the research project.

We follow industry accepted security standards to protect the personal data you submit to us within a research project, both during transmission and once we receive it.

We have implemented several technical and organisational measures to ensure your personal data is kept secure. This includes:

  • Compliance with the NHS Data Security and Protection Toolkit
  • Annual penetration testing of our systems by an external cyber security specialist company
  • Annual training for all staff on how to handle information securely.
  • Having role-based access controls so that staff can only access records necessary for their role.
  • Hosting on a secure platform through Amazon Web Services who maintain the servers and ensure they are secure and up-to-date at all times with the latest security patches. This also includes extensive physical access security systems to the server sites by professional security staff utilising video surveillance, state-of-the-art intrusion detection systems, and other electronic means.

14. How do you make a complaint?

If you have any complaints regarding our use of your personal data, please contact us by one of the above means. In the event we cannot resolve your complaint, you have the right to complain to the Information Commissioner's Office, the UK data protection regulator.

They can be contacted at:

Information Commissioner’s Office (www.ico.org.uk), Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF. Tel: 0303 123 1113