Skip to main content

Privacy Notice

Introduction

This privacy notice describes what we do with your personal information for the purposes of health and care research within the Thames Valley & Surrey Secure Data Environment (TVS SDE). It tells you what information we collect about you, how we store it, how long we retain it and with whom we might provide access to or share data with.

It is important that you read this notice, together with any other privacy notice or specific information you may already have been given (for example, in participant information booklet/leaflets or any consent forms), so that you are aware of how and why we are using information about you.

1. Definitions

Data controller means the organisation that determines or decides the purposes, conditions and means of the processing of personal data.

De-identified means the removal of personal identifying information from data.

Information Commissioners Office means the body that regulates public bodies under data protection and freedom of information legislation.

UK GDPR “UK GDPR” means the General Data Protection Regulation (2016/679).

Personal data/information means information relating to a natural (living) person or “data subject”, which can be used to identify the person. This provides for a wide range of information to constitute personal data, for example:

  • name
  • identification number
  • social media posts
  • location data
  • online identifier

Processing means anything that is done to the personal data we hold.

Sensitive Information/Special category of personal data means information that is thought to be ‘extra sensitive’, such as:

  • ethnicity
  • data concerning health
  • biometric data
  • sexual orientation
  • religious or philosophical beliefs

2. Who we are

The Thames Valley & Surrey (TVS) Secure Data Environment (SDE) is an NHS England-funded programme that supports the creation of a secure platform for data analysis. This platform is made available to users to conduct approved projects, such as research and development.

Through the TVS SDE, partner organisations will make the information they hold on you available to SDE Users. The TVS SDE website lists the partner organisations to whom this applies. The areas covered are:

  • Buckinghamshire
  • Berkshire
  • Oxfordshire
  • Surrey Heartlands
  • Milton Keynes
  • Swindon

Each partner organisation is bound by a duty of confidentiality and must abide by the Data Protection Act 2018 and UK GDPR.

Each organisation is required to hold and maintain a registration with the Information Commissioner’s Officer (ICO) as Data Controller of the personal data it collects on you as part of providing direct care.

Oxford University Hospitals NHS Foundation Trust (OUH) is the host organisation for the TVS SDE programme and is registered with the Information Commissioner’s Office (ICO) to process personal and special category information under registration number ZA152461.

3. How will your personal information be used?

High-quality data is essential to ensure health and care research is accurate and successful. We will use your personal information to carry out research in the interests of the public. This means that each research project will be required to demonstrate that the research will have meaningful impact on the population; for example by improving existing services or introducing new treatments. The personal data held by a partner organisation will be de-identified before access is granted to the individuals conducting the research. 

We may use your personal information to process your request to opt out or back in to TVS SDE-supported research projects. Please see the section called ‘Your rights’ below.

4. What personal information will we collect about you and how will we collect it?

The TVS SDE includes information that has been collected as part of the routine care you have received in organisations from across Thames Valley & Surrey that are participating in the programme. This includes information related to:

  • admissions, discharges, and treatments; allergies; medications;
  • contraception and HRT; operations; vitals and measurements; laboratory test results; chronic disease monitoring;
  • diabetes diagnosis; imaging; vaccinations and immunisations; preventative procedures; test results; primary care and
  • secondary care encounters such as attendance at hospital
  • the detailed reports produced by pathology or radiology services and/or additional
  • information about the testing process or the configuration of devices or systems used.

The information that we already hold about you, or that may be collected from you, may include sensitive information such as:

  • ethnicity
  • information concerning your health
  • biometric data
  • sexual orientation
  • religious or philosophical beliefs

If you make a request to opt out or back in to TVS SDE-supported research projects we may use your personal information to process your request. We will ask you to provide the following:

  • Full name
  • Date of birth
  • NHS number
  • Address or postcode
  • Email address

We will collect this through a form on the TVS SDE website. https://thamesvalleyandsurreyhealthandcaredata.nhs.uk/get-involved/what-are-my-choices/

Each project conducted within the TVS SDE is only granted access to the information that is necessary to fulfil the project’s aim.

5. Our lawful basis for processing your personal information

The first principle of UK GDPR requires personal data to be processed lawfully, fairly and transparently. As a result, a lawful basis is required when processing personal information and in this instance the following lawful basis will be relied upon:

When we use your information for research, we rely on Article 6(1)e (“processing is necessary for the performance of a task carried out in the public interest”) and Article 9(2)j (“processing is necessary for archiving purposes in the public interest, scientific or historical research purposes”) of the General Data Protection Regulation (GDPR) in combination with Schedule 1, Part 1, Art 4 Data Protection Act (DPA) 2018.

In addition, confidential information that you have shared with our staff to enable them to provide your care is governed by the common law duty of confidentiality, as described by NHS England.

Codes of practice for handling information in health and social care

6. Who will have access to your personal information?

Each partner organisation is responsible for the data they make available for access within the TVS Secure Data Environment. Personal data within the TVS SDE can only be viewed by the TVS Secure Data Environment team. Members of the TVS SDE team who can view your personal data must comply with the law and ensure that your personal data is handled in a lawful way.

Your information will only be used by organisations and researchers to conduct research in accordance with the UK Policy Framework for Health and Social Care Research.

If you submit a request to opt out of allowing your health information to be used for research projects supported through the TVS SDE, or to opt back in, your personal information supplied as part of this request will only be seen by our staff responsible for processing your request.

Researchers and organisations that wish to use your information to conduct research within the TVS SDE will only have access to de-identified information.

Some information about you may also be linked to other information shared by primary care providers (e.g. your GP) and secondary care providers (e.g. an acute hospital trust) with the view to creating a more complete information set that will enable medical research for the benefit of public health. The TVS SDE has Confidentiality Advisory Group (CAG) approval (23/CAG/0046) and Research Ethics Committee (REC) approval (22/SC/0330), which provides the correct permissions for the team to link data where appropriate.

As well as the data protection and ethical approvals described, data in the SDE is covered by a number of legal documents or contracts.  These contracts set out the basis for processing and describe the legal roles and responsibilities of the organisations involved and form an important part of the SDE governance framework:

6.1 Data flows into the SDE from the NHS

The first is a document that NHS provider organisations and the TVS SDE signs up to.  This contract is known as the provider terms

6.2 Registration of research organisation and researcher

Second, research organisations who wish to ask for access to data in the SDE will have to sign a research organisation contract.  These organisations will be asked to vouch for the researchers that work for them.

When individual researchers register with the SDE they will be asked to sign up to a set of researcher terms and conditions

6.3 Data access for an agreed research purpose

Finally, a research data access contract, signed by the research organisation and the SDE, will set out: the details of the data set requested, the purpose the data will be used for, data protection arrangements and intellectual property terms. 

7. How we retain and re-use your information

Your personal information is held in electronic format, as required, for specified retention periods, as set out in the applicable research protocol. The applicable retention period for research studies may vary and will be outlined within each application.

Following the expiry of the relevant retention period, your personal information will be de-identified and archived, or destroyed. Where information is to be destroyed, this will be done in a confidential manner and in accordance with the NHS Records Management Code of Practice. De-identified archived data may be re-used for scientific or historical research purposes.

If you register an opt out, the details you provide for this will be retained on record to ensure your opt out remains active.

8. Your Rights

You can choose whether your patient data is used for planning and research. If you’re happy with your information being used you do not need to do anything.

Your choice will not affect your care.

 There are some instances where your individual rights under UK GDPR are limited where your information will be used for research.

You are not legally or contractually obliged to supply us with your personal information or to agree that information already held about you for care purposes may be used for research purposes.

Should you not wish information about you to be used for any health research please visit the national data opt-out service.

If you do not want your health information to be used for research projects supported through the TVS SDE, you can opt-out of the TVS SDE.

We are unable to apply the national opt-out or TVS SDE opt-out retrospectively to data that was provided to researchers before we receive and apply your opt-out.

Once we receive your request to opt out through the TVS SDE opt-out service, it may take up to one month from your request being registered to it being fully applied.

If you withdraw your consent to participate in a research project, we may not remove all of your data. We may keep the information about you that we have already used for a particular research project to ensure research integrity is maintained in the public’s interest and that publicly funded research meets is goals. To safeguard your rights, we will strive to use the minimum personally identifiable information possible following your withdrawal of consent.

Where research has been conducted, based on section 251 of the National Health Service Act 2006, via CAG, you have a right to opt out. The national data opt-out right emanates from the Caldicott principles and entitles you to opt out of your data being used for research. 

The Information Commissioner’s Office (ICO) is the body that regulates hospital trusts under data protection and freedom of information legislation.

If you are not satisfied with our response or believe we are not processing your personal data in accordance with the law you can complain to the ICO.

You can also call the ICO on 0303 123 1113.

9. Changes to this privacy notice

This page is reviewed when necessary and at least annually. The information on this page will be updated regularly as the programme progresses. Any changes will be published here. Information on the rest of this website will also change at times. We will update relevant pages as the programme progresses.

 

For more information or advice,

please email us: tvssde@ouh.nhs.uk

Useful Links: