We are committed to protecting the privacy and security of your personal information. This notice describes how we collect and use your personal data in accordance with the General Data Protection Regulation (GDPR) and associated data protection legislation.
The University of Oxford is the “data controller" for the information that you provide to us. This means that we decide how to use it and are responsible for looking after it in accordance with the GDPR. The University of Oxford central office address is:
Wellington Square, Oxford, OX1 2JD.
The 3C Study is coordinated by the Clinical Trial Service Unit, whose address is:
CTSU, Richard Doll Building, Old Road Campus, Headington, Oxford OX3 7LF.
The University’s Data Protection Officer can be contacted at:
Your data are being collected and analysed (“processed”) in order to investigate the effects of different treatment strategies on outcomes after kidney transplantation. As part of this work, we may use your data to conduct methodological trial research, for example to compare different methods of follow-up and the information they provide. We may also use the data to assess the importance of other factors on outcomes after kidney transplantation. We may share your de-identified data (i.e. a version of the data from which any information which could identify you has been removed) with other scientists if they wish to use it for research which the trial’s principal investigators approve of. We may also combine your data with that from other similar trials to understand all of the available data.
Your data will not be used as part of any automated decision-making, including profiling.
Our lawful basis for processing your personal data (including special category data) is that the processing is necessary to perform a task in the public interest and the task has a clear basis in law – GDPR Article 6(1)(e).
We have collected personal data including health information such as:
These data have been collected at CTSU and are stored securely (both physically and electronically). We may share your data with other scientists if the trial’s principal investigators approve of their research plan. In this case, your data would be “de-identified” (which means that any information which could identify you has been removed).
We will only use your data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another related reason and that reason is compatible with the original purpose. If we need to use your data for an unrelated purpose, we will seek your consent to use it for that new purpose. Please note that we may process your data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
We may share your data with third parties (e.g. regulators or law enforcement agencies) if we are under a duty to disclose or share your personal data in order to comply with any legal obligation, or to protect the rights, property or safety of our site, our users, and others. Any such third-party would be required to take appropriate security measures to protect your data in line with our policies. We permit them to process your data only for specified purposes. Where your data is shared with third parties, we will seek to share the minimum amount necessary.
There may be occasions when we transfer your data outside the European Economic Area (EEA). Such transfers will only take place if one of the following applies:
For a copy of the safeguards which are put in place for data transfers outside of the EEA, please contact the 3C coordinating centre by emailing firstname.lastname@example.org.
Any data included in the study database, including your personal data, will be retained for 25 years after the end of the trial in accordance with clinical trials regulations. After this time, your personal data will either be deleted or rendered anonymous (non-identifiable).
We may need to retain personal data for longer if it is necessary to fulfil our purposes, including any relating to legal, accounting, or reporting requirements. We may also retain personal data for further research for which a legal basis exists. This will always be done in accordance with data protection laws.
General information about how long different types of information are retained by the University can be found in the University’s Policy on the Management of Research Data and Records, available via http://researchdata.ox.ac.uk/university-of-oxford-policy-on-the-management-of-data-supporting-research-outputs/.
Under the General Data Protection Regulation (GDPR), which comes into effect on 25 May 2018, you have the following rights in relation to the information that we hold about you (your ‘personal data’).
Further information on these rights is available from the Information Commissioner’s Office.
Depending on the circumstances and the nature of your request it may not be possible for us to do what you have asked, for example, where there is a statutory or contractual requirement for us to process your data and it would not be possible to fulfil our legal obligations if we were to stop. However, you can withdraw from the study at any time by emailing email@example.com.
If you want to exercise any of the rights described above or are dissatisfied with the way we have used your information, you should contact the University’s Information Compliance Team. We will seek to deal with your request without undue delay, and in any event in accordance with the requirements of the GDPR. Please note that we may keep a record of your communications to help us resolve any issues which you raise.
You also have the right to lodge a complaint with a supervisory authority. In the UK, this is the Information Commissioner’s Office (ICO). A complaint to the ICO can be made by visiting their website https://ico.org.uk/make-a-complaint/ or by calling their helpline on 0303 123 1113.
In addition to the data we have received from directly (either through interviews during study clinic visits, on questionnaires or by telephone) we will collect data from central registries which routinely collect data for the NHS. These include: