This privacy notice explains your rights to your personal information, what you can expect us (the Cancer Screening and Prevention Research Group) to do with your personal data and our lawful basis for doing so. This notice also explains who you should contact if you have any queries or complaints about how we are processing your personal data.
Under the 2018 General Data Protection Regulation (GDPR) and accompanying Data Protection Act (2018) ‘personal data’ is any data that can be linked to an identifiable individual (for a full definition see: Information Commissioner’s Office (ICO) website: What is Personal Data?). Some types of personal data, such as health data, are additionally classified as ‘special category personal data’. The law considers special category personal data to be more sensitive and gives it more legal protection (for more information see: ICO website: Special Category Data). As the Cancer Screening and Prevention Research Group processes (processing is the term used to refer to collecting, analysing and storing data) health data, much of the personal data we hold is considered to be special category personal data.
Who is responsible for the lawful processing of your personal data?
The GDPR and Data Protection Act define roles and responsibilities for those involved in processing personal data.
The Cancer Screening and Prevention Research Group (hereafter, CSPRG) are a research group at Imperial College London. The CSPRG can be contacted via the ‘Contact Us’ page on this website. The data controller determines the purpose for which and the manner in which personal data is to be processed (see ICO website: Controllers and Processors). For the personal data held by the CSPRG, the data controller is Imperial College London. The data controller’s representative for our data is the Director of Information Governance for Academic Health Sciences. All queries relating to the handling of personal data should be directed to the Imperial College London Data Protection Officer via email at firstname.lastname@example.org. Contact details can also be found at the end of this privacy notice.
Why are we processing personal data?
The research focus of the CSPRG is bowel cancer, also known as colorectal cancer. In the UK, every year over 41,000 people are diagnosed with bowel cancer and 16,000 people die from this disease. Through our research we hope to reduce the number of people being diagnosed with bowel cancer and dying from this disease. Much of our work focuses on how to help make bowel cancer screening and surveillance programmes more effective and acceptable for patients, and more efficient for the NHS, and other health services internationally. To understand the effectiveness of bowel cancer screening and surveillance programmes, we conduct large scale studies on procedures conducted and the benefits to patients. Identifiable patient data are usually necessary to track long-term health outcomes from participants enrolled in our studies. The CSPRG therefore needs to collect and hold personal data – often special category personal data. Our more specific purposes for processing data for each of our studies are detailed on the ‘Studies’ pages of our website.
What personal data do we have?
The personal data we hold is special category personal data relating to individual health. For example, for several of our studies we analyse procedure and treatment information, information about cancers occurring, whether they progress and the patients’ long-term health outcomes. In addition, we also often require some basic information about patients such as age and gender to inform our analysis. The full details of the personal data processed for each of our studies can be found on the ‘Studies’ pages of our website.
To fulfil our research aims we obtain personal data from a variety of sources. Much of our data is either obtained directly from NHS Trusts, or via third parties such as NHS Digital, the Office for National Statistics, the Bowel Cancer Screening Programme, National Cancer Registries (including the Welsh Cancer Intelligence and Surveillance Unit) and Information Services Division Scotland, part of NHS National Services Scotland. More detailed explanations of our sources of data can be found on the ‘Patient Data’ page and ‘Studies’ pages of our website.
Where data has been obtained from third party data providers under section 251 approval, national data opt-outs have been applied by the provider since 2016.
How do we process personal data?
All personal data we hold are processed in secure systems. For each active study we have completed a Data Protection Impact Assessment that has been approved by the Head of the CSPRG (as the Information Asset Owner) and the Imperial College London Data Protection Officer. No processing performed by the CSPRG involves automated decision-making or profiling. Unless stated otherwise on the ‘Studies’ pages of our website, all personal data are processed exclusively by the CSPRG. None of our studies process or transfer personal data outside the UK.
The Imperial College Data retention schedule mandates that data is retained for ten years after the end of a study (see the College Retention Schedule). The expected end of the ten-year retention period for each of our studies is listed on the ‘Studies’ pages of our website under the ‘How long will we retain the data?’ sections.
What is our lawful basis for processing personal data?
Processing personal data requires justification under two legal frameworks: the GDPR/Data Protection Act 2018 and the common law duty of confidentiality.
Article 6 of the GDPR lays out six valid bases under which personal data can be processed lawfully. We process personal data under lawful basis 6(e) ‘Public task’ as: processing is necessary for the performance of a task carried out in the public interest. We are also required to have a separate lawful basis for processing the more sensitive special category personal data. Our legal basis for processing special category personal data is Article 9(j) ‘processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes […]’.
In addition, health data (such as that the CSPRG hold) require a separate lawful basis under the common law duty of confidentiality. In some of our studies, patients consented to be part of the study and for the CSPRG to process their data. In other studies, consent could not be sought due to practical considerations or the nature of the study. In these studies, we have obtained lawful permission to obtain and process personal data under section 251 of the National Health Act 2006. The common law legal bases for data processing in each study are explained in the ‘Studies’ pages of our website under the ‘What approvals has the study received?’ sections.
What are your rights concerning your personal data?
The GDPR grants individuals several rights concerning their personal data:
- The right to object (to processing of the data)
- The right to correct (inaccurate or incomplete data)
- The right to erasure (also known as “the right to be forgotten”)
- The right to restrict processing (e.g. while the accuracy of the data is contested)
- The right to portability (to have a copy of any data you have provided to us)
- The right to access (to have a copy of data we hold about you)
- The right to withdraw consent (if you have previously consented to take part)
If you think that we might be processing your data and you wish to exercise any of the rights listed above, please get in touch using the details on the Contact Us page or by contacting the Imperial College London Data Protection Officer via email at email@example.com. Though it may not always be possible for us to fulfil your request, we will respond to your query within one month. For more information on your GDPR rights, please see guidance provided by the Information Commissioner’s Office.
Where can you direct queries or complaints?
Please be aware that individuals also have a right to complain to a supervisory authority – in this case the Information Commissioner’s Office (ICO) – if they feel their data is being used unlawfully. The ICO does recommend that you seek to resolve matters with the data controller – for our data that is Imperial College London – before contacting the commissioner’s office. If you wish to raise a complaint on how we have handled your personal data or if you want to find out more about how we use your data, please contact Imperial College London’s Data Protection Officer via email at firstname.lastname@example.org, via telephone on 020 7594 3502 or via post at Data Protection Officer, Faculty Building Level 4, Imperial College London, London SW7 2AZ. If you are not satisfied with our response or believe we are processing your personal data in a way that is not lawful, you can raise your complaint with the Information Commissioner’s Office.
Information relating specifically to the SOCCER and SIGGAR studies
The CSPRG at Imperial College London processes special category personal data for the SIGGAR and SOCCER studies. SIGGAR and SOCCER are two closely linked projects aimed at reducing colorectal cancer incidence and mortality. SIGGAR involved two randomised controlled trials to compare the efficacy of Computed Tomographic Colonography (CTC) to two established examination techniques: colonoscopy and barium enema to examine patients with symptoms requiring a whole-colon examination. The SOCCER study used data gathered during the SIGGAR trials to investigate the potential efficacy of flexible sigmoidoscopy (a technique which examines only the last [distal] part of the colon) as an alternative to whole-colon examination. To fulfil the aims of the study and understand the long-term effectiveness of the different examination techniques, the CSPRG processes special category personal data to track the long-term health outcomes of study participants. The special category personal data used in this study is crucial to the success of this project, and the public good generally.
Imperial College London (the data controller for data processed by the CSPRG, see above) are the recipient of data for the SIGGAR and SOCCER studies. The special category personal data for these studies is received by the CSPRG from several sources.
1. NHS Hospital trusts in England and Scotland
The CSPRG received demographic information, symptom information, consent forms, trial-linked clinical notes and treatment data about patients in the SIGGAR and SOCCER studies directly from the 21 hospitals in which the SIGGAR trials were conducted. The 21 participating hospitals were:
- Bradford Hospital
- Frimley Park Hospital
- Charing Cross Hospital
- Hammersmith Hospital
- St Mary’s Hospital
- Leighton Hospital
- University Hospital of North Tees
- St Mark’s Hospital
- Nottingham City Hospital
- Nottingham Queens Medical Centre
- Oxford Radcliffe Hospital
- Royal Oldham Hospital
- Derriford Hospital
- Queen Alexandra Hospital
- Royal Cornwall Hospital
- Royal United Hospital
- Withington Hospital
- Wythenshawe Hospital
- Queen Elizabeth Hospital
- Furness General Hospital
- Royal Lancaster Infirmary
NHS Digital collect and process data from across the health and social care system in England. NHS Digital provide cancer and deaths data about patients enrolled in the SIGGAR and SOCCER studies to the CSPRG. NHS Digital receive some of this data from the Office for National Statistics.
The Office for National Statistics process cancer and deaths data for patients in England. The Office for National Statistics provided this information to the CSPRG for the patients in this study. The data were passed to the CSPRG via NHS Digital.
The research team working on the SIGGAR study have access to the identifiable special category personal data for patients enrolled in the trials. The SOCCER study team only have access to pseudonymised data for the patients included in the SOCCER study. Pseudonymised data (see also GDPR Article 4.3) are personal data that can no longer be attributed to a specific individual without additional information. In this case, the SOCCER database does not contain any easily identifiable information such as names or NHS numbers.
The SIGGAR study was performed in collaboration with researchers at University College London (UCL) and the University of Birmingham. The main analysis for the SIGGAR study was done in collaboration with researchers at UCL who received subsets of the data to answer specific research questions. Researchers at UCL also received a pseudonymised subset of the data to perform a Health Psychology Assessment. Researchers at the University of Birmingham received a pseudonymised subset of the data to perform a Health Economics Analysis. Both groups received only pseudonymised data and therefore could not link the data they received to identifiers such as names and NHS numbers.