Patient Data

Our Data Protection and Privacy Notice

Privacy notice

This privacy notice explains your rights to your personal information, what you can expect us (the Cancer Screening and Prevention Research Group) to do with your personal data and our lawful basis for doing so. This notice also explains who you should contact if you have any queries or complaints about how we are processing your personal data.

Under the 2018 General Data Protection Regulation (GDPR) and accompanying Data Protection Act (2018) ‘personal data’ is any data that can be linked to an identifiable individual (for a full definition see: Information Commissioner’s Office (ICO) website: What is Personal Data?). Some types of personal data, such as health data, are additionally classified as ‘special category personal data’. The law considers special category personal data to be more sensitive and gives it more legal protection (for more information see: ICO website: Special Category Data). As the Cancer Screening and Prevention Research Group processes (processing is the term used to refer to collecting, analysing and storing data) health data, much of the personal data we hold is considered to be special category personal data.

Who is responsible for the lawful processing of your personal data?

The GDPR and Data Protection Act define roles and responsibilities for those involved in processing personal data.

The Cancer Screening and Prevention Research Group (hereafter; CSPRG) are a research group at Imperial College London. The CSPRG can be contacted via the ‘Contact Us’ page on this website. The data controller determines the purpose for which and the manner in which personal data is to be processed (see: ICO website: Controllers and Processors). For the personal data held by the CSPRG, the data controller is Imperial College London. The data controller’s representative for our data is the Director of Information Governance for Academic Health Sciences. All queries relating to the handling of personal data should be directed to the Imperial College London Data Protection Officer via email at dpo@imperial.ac.uk. Contact details can also be found at the end of this privacy notice.

Why are we processing personal data?

The research focus of the CSPRG is gastrointestinal cancers which includes bowel cancer, also known as colorectal cancer. In the UK, every year over 41,000 people are diagnosed with bowel cancer alone and 16,000 people die from this disease. Through our research we hope to reduce the number of people being diagnosed with gastrointestinal cancer and dying from this disease. Much of our work focuses on how to help make bowel cancer screening and surveillance programmes more effective and acceptable for patients, and more efficient for the NHS, and other health services internationally. To understand the effectiveness of bowel cancer screening and surveillance programmes, we conduct large scale studies on procedures conducted and the benefits to patients. Identifiable patient data are usually necessary to track long-term health outcomes for participants enrolled in our studies. The CSPRG therefore needs to collect and hold personal data – often special category personal data. Our more specific purposes for processing data for each of our studies are detailed on the ‘Studies’ pages of our website.

What personal data do we have?

The personal data we hold is special category personal data relating to individual health. For example, for several of our studies we analyse procedure and treatment information, information about cancers occurring, whether they progress and the patients’ long-term health outcomes. In addition, we also often require some basic information about patients such as age and gender to inform our analysis. The full details of the personal data processed for each of our studies can be found on the ‘Studies’ pages of our website.

To fulfil our research aims we obtain personal data from a variety of sources. Much of our data is either obtained directly from NHS Trusts, or via third parties such as NHS England, the Office for National Statistics, the Bowel Cancer Screening Programme, National Cancer Registries (including the Welsh Cancer Intelligence and Surveillance Unit) and Information Services Division Scotland, part of NHS National Services Scotland. More detailed explanations of our sources of data can be found on the ‘Patient Data’ page and ‘Studies’ pages of our website.

Where data has been obtained from third party data providers under section 251 approval, national data opt-outs have been applied by the provider since 2016.

How do we process personal data?

All personal data we hold are processed in secure systems. For each active study we have completed a Data Protection Impact Assessment that has been approved by the Head of the CSPRG (as the Information Asset Owner) and the Imperial College London Data Protection Officer. No processing performed by the CSPRG involves automated decision-making or profiling. Unless stated otherwise on the ‘Studies’ pages of our website, all personal data are processed by the CSPRG and certain third parties (see ‘Third-party processing’ below). None of our studies process or transfer individual-level personal data outside the UK.

The Imperial College Data retention schedule mandates that data is retained for ten years after the end of a study (see the College Retention Schedule here). The expected end of these ten year retention periods for each of our studies are listed under the ‘Studies’ pages of our website under the ‘How long will we retain the data?’ sections.

Third-party processing

For the purposes referred to in this privacy notice and relying on the bases for processing as set out above, we may share your personal data with certain third parties:

Other College employees, agents, contractors and service providers (for example, suppliers of printing and mailing services, email communication services or web services, or suppliers who help us carry out any of the activities described above). Our third-party service providers are required to enter into data processing agreements with us. We only permit them to process your personal data for specified purposes and in accordance with our policies.

What is our lawful basis for processing personal data?

Processing personal data requires justification under two legal frameworks: the GDPR/Data Protection Act 2018 and under the common law duty of confidentiality.

Article 6 of the GDPR lays out six valid bases under which personal data can be processed lawfully. We process personal data under lawful basis 6(1)(e) ‘Public task’ as: processing is necessary for the performance of a task carried out in the public interest. We are also required to have a separate lawful basis for processing the more sensitive special category personal data. Our legal basis for processing special category personal data is Article 9(2)(j) ‘processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes […]’

In addition, health data (such as that the CSPRG hold) require a separate lawful basis under the common law duty of confidentiality. In some of our studies, patients consented to be part of the study and for the CSPRG to process their data. In other studies, consent could not be sought due to practical considerations or the nature of the study. In these studies, we have obtained lawful permission to obtain and process personal data under section 251 of the National Health Act 2006. The common law legal bases for data processing in each study are explained in the ‘Studies’ pages of our website under the ‘What approvals has the study received?’ sections.

What are your rights concerning your personal data?

The GDPR grants individuals several rights concerning their personal data:

The right to object (to processing of the data)
The right to correct (inaccurate or incomplete data)
The right to erasure (also known as “the right to be forgotten”)
The right to restrict processing (e.g. while the accuracy of the data is contested)
The right to portability (to have a copy of any data you have provided to us)
The right to access (to have a copy of data we hold about you)
The right to withdraw consent (if you have previously consented to take part)

If you think that we might be processing your data and you wish to exercise any of the rights listed above, please get in touch using the details on the Contact Us page or by contacting the Imperial College London Data Protection Officer via email at dpo@imperial.ac.uk. Though it may not always be possible for us to fulfil your request, we will respond to your query within one month. For more information on your GDPR rights, please see guidance provided by the Information Commissioner’s Office.

Where can you direct queries or complaints?

Please be aware that individuals also have a right to complain to a supervisory authority- in this case the Information Commissioner’s Office (ICO) – if they feel their data is being used unlawfully. The ICO does recommend that you seek to resolve matters with the data controller – for our data that is Imperial College London – before contacting the Commissioner’s Office. If you wish to raise a complaint on how we have handled your personal data or if you want to find out more about how we use your data, please contact Imperial College London’s Data Protection Officer via email at dpo@imperial.ac.uk, via telephone on 020 7594 3502 or via post at Data Protection Officer, Faculty Building Level 4, Imperial College London, London SW7 2AZ.

If you are not satisfied with our response or believe we are processing your personal data in a way that is not lawful you can raise your complaint with the Information Commissioner’s Office. The ICO’s address is: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF; Helpline number: 0303 123 1113; ICO website: https://www.ico.org.uk.

What do we do with the data we hold for the purposes of our research studies?

We undertake research with a focus on screening, prevention and diagnosis of gastrointestinal cancers such as bowel cancer, gastric cancer and oesophageal cancer. We aim to provide high quality evidence to underpin health policy changes. To achieve this aim, we have carried out, or are carrying out, a number of UK-wide clinical trials and studies which are testing ways to reduce the numbers of people being diagnosed with, and dying from, gastrointestinal cancer.

Our team uses statistical methods to look for trends in the data which will help improve our ability to prevent people developing gastrointestinal cancer, as well as improving survival if someone is diagnosed with this disease.

What are anonymised, pseudonymised and identifiable personal data?

The GDPR applies when dealing with “personal data”. If data is considered personal then the GDPR places specific legal obligations on the controller of that data. If data is not personal (i.e. if it never related to a person or if it has since been anonymised) then the GDPR does not apply.

Personal data

Also known as “identifiable data”. According to the Information Commissioner’s Office (ICO), this is “any information relating to an identifiable natural person (data subject) who can be directly or indirectly identified in particular by reference to an identifier”.

This definition provides for a wide range of personal identifiers to constitute personal data, including name, address, identification number, location data or online identifier.

In the field of medical research, some commonly encountered identifiers, in addition to name and address, are: NHS number, date of birth and date of death. Certain medical conditions could also be considered identifiers, if they are very rare.

Pseudonymised data

Also known as “de-identification”, pseudonymisation is the process of separating data from direct identifiers so that discovering the identity of an individual is not possible without additional data. We do this with an artificially created identifier that we refer to as a “study number”. The resulting dataset is called “pseudonymised” or “de-identified” data.

When our data is pseudonymised, we do not hold patient identifiers; we only hold the clinical data needed for our research (e.g. symptoms, diagnoses, clinical examinations, outcomes, cancers and mortality information) and the study number of the individual. This makes the pseudonymised data held by the CSPRG effectively anonymous to our research team. The identifiable data (e.g. name, NHS number, address) and study number may be held by our data providers such as NHS hospitals responsible for the individual’s care, NHS Digital and the National Cancer Registration and Analysis Service.

The GDPR considers pseudonymisation to be one of several privacy-enhancing techniques that can be used to reduce the risk of re-identification. Although pseudonymised data may be hard to re-identify, it is not exempt from the GDPR.

Anonymised data

Anonymised data is data that cannot be used to identify individuals and is not linked to any individual, not even by study number. The GDPR does not apply to anonymised information.

Total anonymisation is an extremely high bar. Therefore, the ICO does not require anonymisation to be perfect but that the risk of re-identification be made remote.

Special category data

According to the ICO, “Special category data is personal data which the GDPR says is more sensitive, and so needs more protection. In order to lawfully process special category data, controllers must identify both a lawful basis under Article 6 and a separate condition for processing special category data under Article 9.”

The GDPR lists the special categories of data in Article 9. They include political opinions, religious beliefs, trade union membership, genetic data, biometric data, data concerning health and data concerning a natural person’s sex life or sexual orientation.

As a medical research group, much of the data we hold is special category data.

Statistical analysis and protecting the identity of individuals

All our statistical analyses are conducted using de-identified (pseudonymised) or anonymised information (without identifiable data). Our research findings never report on individual cases and all findings are reported for aggregated data so no patients will be identifiable from any of our published research findings.

Information we may hold about you and your options if you wish to opt out

If you have taken part in the NHS Bowel Cancer Screening Programme, visited your GP with symptoms suggestive of bowel cancer, agreed to participate in one of our studies, visited a hospital with symptoms related to bowel cancer or had bowel cancer treatment on the NHS, we may hold some information about you.

Please look at our individual Studies pages under sections ‘When and where did the study take place’ and ‘Who is/was included in the study’ to assess whether we may have collected your information for any of our studies.

If we hold only pseudonymised or anonymised (explained above) information about you, we cannot identify you from the data that we hold. This page and our Studies pages list our data providers so you can approach them directly to find out whether we hold data about you.

You have the right to access the personal data we hold about you. See the ICO website for your rights on Subject Access Request. If you wish to write to us, our contact details can be found here.

If your information has been used in any of our studies and we can identify you from the data we hold about you, you have the right to refuse or withdraw consent to sharing your information at any moment in time. There are possible consequences to our research if you do not share your information, but these will be fully explained to you to help you with making your decision. You can opt out at any time by contacting us.

How securely are the data kept?

We take our role as guardians of individual/patient data extremely seriously. The CSPRG is part of Imperial College London and we comply with our Data Protection Policy.

The objectives of the policy are to protect the personal information processed by or disclosed to staff of Imperial College London or other authorised persons, ensuring its confidentiality, integrity and availability by processing it in accordance with current legislation.

As an organisation which processes personal data, Imperial College London is required to report to the Information Commissioner’s Office (the body that upholds information rights) certain types of personal data breaches within 72 hours. Imperial College London’s registration number is Z5940050 and can be searched on the Information Commissioner’s Office website.

We have administrative, technical and physical safeguards in place to ensure that the data we hold on study participants are held and processed securely. We continuously monitor and improve our Information Governance arrangements to minimise any security risk for our data. Our staff receive regular training on data handling, data confidentiality and Information Governance. As a result of the data handling and IT security measures we have put in place, we have been granted a Data Security and Protection Toolkit by NHS Digital (see details below).

Data Security and Protection Toolkit – assessment of our data handling processes

As our research involves data from NHS patients we must demonstrate that we handle this sensitive information in accordance with the Department of Health and Social Care’s stringent requirements. We have carried out an assessment of how we handle the sensitive information we use for our research using the NHS Digital’s Data Security and Protection Toolkit. The Data Security and Protection Toolkit allows organisations processing personal data to demonstrate they are practising good data security – and that personal information is handled correctly. Our toolkit has been assessed and been found to satisfactorily meet requirements.

What permissions do we need before we can collect the data we use for our research?

Ethics approval

All research involving human participants in the UK, whether in the NHS or the private sector, must be approved by an independent research ethics committee. These committees protect the rights and interests of the people who will be the subject of the research study. Before we conduct any research, we submit a detailed plan of our proposed research (protocol) to a recognised research ethics committee. We cannot begin our studies until the appropriate ethics committee(s) have reviewed and approved it. The ethics committees that review clinical trials in the NHS are part of the Health Research Authority’s National Research Ethics Service (NRES). NRES publishes plain-language summaries of clinical trials so that the research is accessible to anyone who is interested.

Research and development (R&D) approval

For any research that involves NHS hospital patients, we have to obtain permission from NHS Trusts to collect and use data from their patients. The Research and Development (R&D) Office(s) at each NHS Trust assesses the study carefully before approving it. All NHS organisations are required to give permission before research can begin within their organisation (this is in addition to ethical approval). Without this approval, indemnity/insurance cannot be assumed to be in place to cover the proposed research activity.

See more details about R&D approval on the Health Research Authority website.

Section 251 approval

In some circumstances informed consent for a research study cannot be obtained, and anonymised or de-identified (pseudonymised) data are not sufficient to answer the research question(s). In these circumstances, and if research is deemed to be in the interests of patients or the wider public, permission to use identifiable data can be exceptionally sought from bodies with legal responsibility for the protection of the interests of patients and the public in health research. In England and Wales, approval is obtained from the Confidentiality Advisory Group (CAG) of the Health Research Authority under Section 251 of the National Health Service Act 2006. The ‘Section 251 agreement’ (previously Section 60 of the Health and Social Care Act 2001 as re-enacted by Section 251 of the NHS Act 2006) allows the Secretary of State for Health to make regulations to set aside the common law duty of confidentiality for defined medical purposes. In Scotland, approval can be sought from Caldicott Guardians and in Northern Ireland from Medical Directors.

We are also required to comply with the Data Protection Act 2018, the General Data Protection Regulations and other relevant standards about how data must be processed. Further details can be found on the Information Commissioner’s Office website and throughout this page.

Public Benefit and Privacy Panel for Health and Social Care

In Scotland, a single application and scrutiny process for uses of health data is operated by the Public Benefit and Privacy Panel for Health and Social Care.

Why do we need to collect additional data from other sources?

In some cases, our research may require us to collect additional data for the following reasons:

To provide supplementary data that we may not have been able to obtain during the initial data collection stage because it was not available at that time.
For validation of the quality of datasets i.e. to ensure that datasets are consistent and accurate, usually by cross-checking data from different sources.
To enable research that follows the health outcomes of individuals over extended periods of time. For example, for the UK Flexible Sigmoidoscopy Screening Trial (UKFSST), for which recruitment and screening started in November 1994 and was completed in March 1999, we are still collecting data for the purposes of this study to understand the duration of the protective effect of screening.
To collect information on cancer diagnoses and deaths over the long term and combine this with clinical data collected from our studies. This enables us to use statistical methods to improve our understanding of bowel cancer prevention, screening and treatment strategies, which will help improve bowel cancer survival.

Which external agencies/data providers do we use to obtain data?

There are several government agencies/data repositories in the UK that hold patient information that we require for our research. We have to apply to each agency separately and comply with their criteria in order to obtain or hold this information. In addition to this, in many cases, we have to submit annual reviews/assessments to show that we are complying with all the requirements. Some of the data repositories/agencies we use are listed below.

Office of National Statistics (ONS)

The ONS collects information on cause of death from civil registration records related to a person’s death taken from the death certificates for all deaths registered in England and Wales. In the past, we obtained information on cancer diagnoses and deaths from the ONS. The CSPRG no longer obtains follow-up data on cancer diagnoses and deaths from the ONS directly, instead the CSPRG obtains this data via NHS Digital.

NHS Digital

We obtain ONS cancer and mortality data through NHS Digital. We comply with the Data Security and Protection Toolkit required by NHS Digital, which is a detailed assessment to ensure that we follow strict Information Governance policies and standards to ensure the confidentiality of the data held by us.

Cancer Registries

The National Cancer Registration and Analysis Service (NCRAS) registers all cancers and some pre-cancerous lesions diagnosed in England. The Welsh Cancer Intelligence and Surveillance Unit (WCISU) does the same for Wales. We obtain cancer staging information, which is based on the size and/or extent (reach) of the original (primary) tumour, the location of the cancer and whether or not the cancer has spread in the body. This provides very valuable insight for our bowel cancer research.

NHS Bowel Cancer Screening Programme (BCSP)

We sometimes request pseudonymised data (no patient identifiers are shared with us) that are collected as part of the Bowel Cancer Screening Programme. We do this because applying our research techniques to the very large numbers of people included in the screening programme helps ensure our results are of high quality. We previously had to obtain permission from the Office for Data Release (ODR) at Public Health England before doing this. Since the dissolution of Public Health England on 1 October 2021 this is now done through NHS Digital. The ODR ensured that all releases were conducted in accordance with the rights of the data subject, the legislative framework (including the principles set out in the GDPR and Data Protection Act 2018) and the seven Caldicott Principles.

NHS National Services Scotland (NSS)

Information Services Division (ISD) Scotland is part of NHS National Services Scotland and they obtain cancers and mortality data that are registered in Scotland for patients who either currently live in Scotland or who previously lived in Scotland. We have to obtain approval from the Public Benefit and Privacy Panel for Health and Social Care (PBPP) before ISD can release any information to us.

NHS Central Register (NHSCR)

The National Health Service Central Register (NHSCR) exists mainly to allow the smooth transfer of patients who move between Health Board areas (or across borders within the UK). We obtain the cancer and mortality data for patients registered in Scotland who either currently live in Scotland or who previously lived in Scotland. It allows us to validate the data provided by the NSS or NHS Digital and obtain cancer or mortality data that may have been missed by other agencies. Before we obtain any data we have to obtain approval from the Public Benefit and Privacy Panel for Health and Social Care (PBPP).

Do we share the personal data we hold and, if yes, with whom do we share it?

The data we hold are only shared when we have received permission to do so as part of the approvals process for our research studies. Moreover, data collected by the CSPRG are only shared with the following groups, where a clear legal basis for such sharing exists:

Approved collaborators and sub-contractors for specific studies on a need-to-know basis if they have legal contracts with Imperial College London. Wherever possible no patient identifiable data are shared, unless absolutely necessary and where we have the appropriate approvals in place to do so.
Organisations such as NHS Digital, Cancer Registries, GPs, etc. to obtain additional data for research. These organisations already hold the patient identifiable information which they obtain from the NHS and other sources. We sometimes provide them with a list of patients taking part in a particular study and ask them to match our study participants to their data so that they can supply us with follow-up data that are required for our research. For example, we supplied NHS Digital details of individuals in our UKFSST study to determine who has been diagnosed with colorectal cancer.
It may also be a requirement of some funders (e.g. Cancer Research UK) to make data available to legitimate access requests for secondary academic research. Our NHS Data Security and Protection Toolkit and Information Governance Policy ensure that we have processes in place to manage data access requests and the secure transfer and storage of data where requests are granted, and in compliance with the UK Data Protection Act 2018 and UK GDPR. If an application for access is approved and it is in compliance with all data sharing restrictions mandated by the Research Ethics Committee, Health Research Authority (HRA) and HRA Confidentiality Advisory Group (HRA-CAG), as well as any formal data sharing agreements with other data providers (e.g. NHS Digital), we would share only de-identified/anonymised data.

The legal contracts with collaborators ensure that the shared data is held and processed securely and no further sharing is allowed without our permission or knowledge.