This privacy notice explains your rights to your personal information, what you can expect us (the Cancer Screening and Prevention Research Group) to do with your personal data and our lawful basis for doing so. This notice also explains who you should contact if you have any queries or complaints about how we are processing your personal data.
Under the 2018 General Data Protection Regulation (GDPR) and accompanying Data Protection Act (2018) ‘personal data’ is any data that can be linked to an identifiable individual (for a full definition see: Information Commissioner’s Office (ICO) website: What is Personal Data?). Some types of personal data, such as health data, are additionally classified as ‘special category personal data’. The law considers special category personal data to be more sensitive and gives it more legal protection (for more information see: ICO website: Special Category Data). As the Cancer Screening and Prevention Research Group processes (processing is the term used to refer to collecting, analysing and storing data) health data, much of the personal data we hold is considered to be special category personal data.
Who is responsible for the lawful processing of your personal data?
The GDPR and Data Protection Act define roles and responsibilities for those involved in processing personal data.
The Cancer Screening and Prevention Research Group (hereafter; CSPRG) are a research group at Imperial College London. The CSPRG can be contacted via the ‘Contact Us’ page on this website. The data controller determines the purpose for which and the manner in which personal data is to be processed see ICO website: Controllers and Processors. For the personal data held by the CSPRG, the data controller is Imperial College London. The data controller’s representative for our data is the Director of Information Governance for Academic Health Sciences. All queries relating to the handling of personal data should be directed to the Imperial College London Data Protection Officer via email at firstname.lastname@example.org. Contact details can also be found at the end of this privacy notice.
Why are we processing personal data?
The research focus of the CSPRG is bowel cancer, also known as colorectal cancer. In the UK, every year over 41,000 people are diagnosed with bowel cancer and 16,000 people die from this disease. Through our research we hope to reduce the number of people being diagnosed with bowel cancer and dying from this disease. Much of our work focuses on how to help make bowel cancer screening and surveillance programmes more effective and acceptable for patients, and more efficient for the NHS, and other health services internationally. To understand the effectiveness of bowel cancer screening and surveillance programmes, we conduct large scale studies on procedures conducted and the benefits to patients. Identifiable patient data are usually necessary to track long-term health outcomes from participants enrolled in our studies. The CSPRG therefore needs to collect and hold personal data – often special category personal data. Our more specific purposes for processing data for each of our studies are detailed on the ‘Studies’ pages of our website.
What personal data do we have?
The personal data we hold is special category personal data relating to individual health. For example, for several of our studies we analyse procedure and treatment information, information about cancers occurring, whether they progress and the patients’ long-term health outcomes. In addition, we also often require some basic information about patients such as age and gender to inform our analysis. The full details of the personal data processed for each of our studies can be found on the ‘Studies’ pages of our website.
To fulfil our research aims we obtain personal data from a variety of sources. Much of our data is either obtained directly from NHS Trusts, or via third parties such as NHS Digital, the Office for National Statistics, the Bowel Cancer Screening Programme, National Cancer Registries (including the Welsh Cancer Intelligence and Surveillance Unit) and Information Services Division Scotland, part of NHS National Services Scotland. More detailed explanations of our sources of data can be found on the ‘Patient Data’ page and ‘Studies’ pages of our website.
Where data has been obtained from third party data providers under section 251 approval, national data opt-outs have been applied by the provider since 2016.
How do we process personal data?
All personal data we hold are processed in secure systems. For each active study we have completed a Data Protection Impact Assessment that has been approved by the Head of the CSPRG (as the Information Asset Owner) and the Imperial College London Data Protection Officer. No processing performed by the CSPRG involves automated decision-making or profiling. Unless stated otherwise on the ‘Studies’ pages of our website, all personal data are processed exclusively by the CSPRG. None of our studies process or transfer personal data outside the UK.
The Imperial College Data retention schedule mandates that data is retained for ten years after the end of a study (see the College Retention Schedule here). The expected end of these ten year retention periods for each of our studies are listed under the ‘Studies’ pages of our website under the ‘How long will we retain the data?’ sections.
What is our lawful basis for processing personal data?
Processing personal data requires justification under two legal frameworks: the GDPR/Data Protection Act 2018 and under the common law duty of confidentiality.
Article 6 of the GDPR lays out six valid bases under which personal data can be processed lawfully. We process personal data under lawful basis 6(e) ‘Public task’ as: processing is necessary for the performance of a task carried out in the public interest. We are also required to have a separate lawful basis for processing the more sensitive special category personal data. Our legal basis for processing special category personal data is Article 9(j) ‘processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes […]’
In addition, health data (such as that the CSPRG hold) require a separate lawful basis under the common law duty of confidentiality. In some of our studies, patients consented to be part of the study and for the CSPRG to process their data. In other studies, consent could not be sought due to practical considerations or the nature of the study. In these studies, we have obtained lawful permission to obtain and process personal data under section 251 of the National Health Act 2006. The common law legal bases for data processing in each study are explained in the ‘Studies’ pages of our website under the ‘What approvals has the study received?’ sections.
What are your rights concerning your personal data?
The GDPR grants individuals several rights concerning their personal data:
- The right to object (to processing of the data)
- The right to correct (inaccurate or incomplete data)
- The right to erasure (also known as “the right to be forgotten”)
- The right to restrict processing (e.g. while the accuracy of the data is contested)
- The right to portability (to have a copy of any data you have provided to us)
- The right to access (to have a copy of data we hold about you)
- The right to withdraw consent (if you have previously consented to take part)
If you think that we might be processing your data and you wish to exercise any of the rights listed above, please get in touch using the details on the Contact Us page or by contacting the Imperial College London Data Protection Officer via email at email@example.com. Though it may not always be possible for us to fulfil your request, we will respond to your query within one month. For more information on your GDPR rights, please see guidance provided by the Information Commissioner’s Office.
Where can you direct queries or complaints?
Please be aware that individuals also have a right to complain to a supervisory authority- in this case the Information Commissioner’s Office (ICO) – if they feel their data is being used unlawfully. The ICO does recommend that you seek to resolve matters with the data controller – for our data that is Imperial College London – before contacting the commissioner’s office. If you wish to raise a complaint on how we have handled your personal data or if you want to find out more about how we use your data, please contact Imperial College London’s Data Protection Officer via email at firstname.lastname@example.org, via telephone on 020 7594 3502 or via post at Data Protection Officer, Faculty Building Level 4, Imperial College London, London SW7 2AZ. If you are not satisfied with our response or believe we are processing your personal data in a way that is not lawful you can raise your complaint with the Information Commissioner’s Office.