This privacy policy provides information on how Health Data Research UK (“HDR UK” “we”, “us” or “our”) collects and processes your personal data. It also describes your data protection rights, including a right to object to some of the processing which HDR UK carries out. More information about your rights, and how to exercise them, is set out in the “What rights do I have?” section.
The Safe People Registry is a cloud based web-tool which we provide to validate information provided by Users (either on behalf of themselves as a Researcher or on behalf of a Research Organisation) who wish to access sensitive data held on Trusted Research Environments (“TREs”) and NHS Research Secure Data Environments (“SDEs”), which are managed by Data Custodians.
For information on how the Safe People Registry operates please see video.
HDR UK is a limited company registered in England and Wales under company number 10887014. Its registered office is at 215 Euston Road, London, England, NW1 2BE.
HDR UK is the controller and responsible for your personal data.
We have a data protection manager who is responsible for overseeing questions in relation to this privacy policy. If you have any questions about this privacy policy, including any requests to exercise your legal rights as set out in this privacy policy, please contact: DataProtection@hdruk.ac.uk
Personal data means any information about an individual from which that person can be identified. We may collect, use, store, and transfer different kinds of personal data:
| Category | Details |
|---|---|
| Identity data | including first name, last name, job title, employment status, location, career history and similar identifiers |
| Career and Education data | such as employment status, professional affiliations, career history, ORDCID IDs and similar information |
| Contact data | such as your email address |
| Communications Data | including your communication preferences. |
| Technical data | such as internet protocol (IP) address, browser type and version and operating system and platform. Please see our cookie policy for further details. |
| Image Data | including photographed identification and facial representations, this is an optional step to verify individual identity and is completed by a third party with you explicit consent. |
We use different methods to collect data from you including through:
You may give us your personal data by filling in the enquiry form on our website, corresponding with us by phone, email, social media or otherwise, when you sign up to our newsletter or register for an event, training session or meeting.
You may give us your personal data by filling in your profile information within the Safe People Registry tool or corresponding with us by email, social media or otherwise, when you sign up to our newsletter or register for an event, training session or meeting.
As you interact with our website we may collect technical data by using cookies or similar technologies. Please see our cookie policy for further details.
You may give us your personal data via a third-party platform such as Eventbrite or Microsoft Teams, we will obtain your registration details from the platform operator.
The Safe People Registry is designed to share (a) a Researcher’s profile data with Research Organisations and Data Custodians; and (b) Research Organisations’ data with Data Custodians. The Safe People Registry does not make any decisions as to whether Researchers and/or Research Organisations are considered ‘safe people’ (as defined in the Five Safes Framework) nor does the Safe People Registry make any decisions regarding the grant of access to sensitive data held on TRE’s and SDEs. The Safe People Registry holds a User’s profile data in a centralised location for convenience purposes only and records the decisions made by Data Custodians. The Safe People Registry does not make any decisions related to User or Organisational data access.
In order to create an account and use the Safe People Registry we need to process and share your personal data. You will not be able to use the Safe People Registry without the processing of your personal data.
We will use your personal data for the following purposes:
| Purpose | Legal Basis |
|---|---|
| We will collect, use and store your identity data, career & education data, and contact data in the provision of the Safe People Registry. | We have a legitimate interest in managing our organisation and providing services to you. |
| We will collect, use, and store your identity data and contact data to provide you with our information and updates about our work, new services, and developments that you may be interested in via newsletters and other communications such as invitations. | Your consent– where we rely on consent we will ask for this at the time we collect your personal data. |
| We collect and use your identity data, contact data and communications data to monitor use of our websites. | We have a legitimate interest in monitoring, improving, and protecting our products, content, services and websites, both online and offline. |
| We will collect, use and store your technical data to improve our website. | Your consent– where we rely on consent we will ask for this at the time we collect your personal data. |
| We will collect, use and store your identity data, contact data, communications data and technical data in connection with legal claims, compliance, regulatory and investigative purposes as necessary (including disclosure of such information in connection with legal process or litigation). | We have a legitimate interest in protecting the legitimate legal, compliance, and regulatory interests of our organisation, including defending or enforcing legal claims, ensuring compliance with legal and regulatory obligations, and cooperating with investigations. This may be required to comply with a legal obligation. |
| We will collect, use, and store your identity data, contact data, and image data to verify your identity. This service is provided by a third party, Veriff, and is entirely optional. Where you consent you will brought to Veriff’s platform to undertake identity verification (Veriff privacy policy). | Consent. |
There are instances where we have a legitimate interest to use your data. Our legitimate interest will vary depending on what we are using your data for, and we explain above what the interest is and how it relates to the processing operations that we are carrying out. Where we process personal data on the basis of a legitimate interest, then – as required by data protection law – we have carried out a balancing test to document our interests, to consider what the impact of the processing will be on individuals and to determine whether individuals’ interests outweigh our interests in the processing taking place. You can obtain more information about this balancing test by using the contact details at the end of the notice.
Wherever we rely on your consent, you will always be able to withdraw that consent at any time, although we may have other legal grounds for processing your data for other purposes, such as those set out above. In some cases, we are able to send you direct marketing without your consent, where we rely on our legitimate interests. You have an absolute right to opt-out of direct marketing, or profiling we carry out for direct marketing, at any time. You can do this by following the instructions in the communication where this is an electronic message, or by contacting us using the details set out above.
We may share your data with the following categories of recipients:
| Personal Data Category | Category of Recipient | Why? |
|---|---|---|
| Identity data, contact data, career & education data. | Data Custodians | Where you have applied for access to data within a TRE hosted by a Data Custodian, they will process and review your data as part of reviewing your data access application and assessing ‘safe people’ statuses |
| Identity data, contact data, career & education data. | Research Organisations | To verify and confirm your relationship with that organisation. To review the projects you are associated with. |
| Identity data, contact data, communications data and technical data | Third party service providers | We may share your personal data with external third-party system providers who provide services including IT, system administration and cloud-based software services. <br><br>We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions. |
| Identity data, contact data, communications data, technical data and image data | Regulators, law enforcement and fraud prevention agencies | We may share your personal information with regulators or other authorities if we have a legal obligation to do so. |
| Identity data, contact data, communications data, technical data and image data | Prospective merger | In the event that HDR UK is transferred or integrated with another business, your details will be disclosed to our advisers and the other party’s advisers. |
| Identity data | Veriff | To verify your identity. This is an optional step and if you choose to complete it you will be brough to a third party site Veriff where they will undertake identity verification process. |
Some of our external third-party system providers are based in the United States or other countries outside the UK and EEA so their processing of your personal data will involve a transfer of data. Whenever we transfer your personal data to a country without an adaquacy decision we ensure a similar degree of protection is afforded to that personal data by ensuring at least one of the following safeguards is implemented:
| Category | Mechanism | Country |
|---|---|---|
| Contact Data and Communications Preferences which is stored on Hubspot. | Standard Contractual Clauses | USA |
A copy the relevant mechanism can be provided for your review on request to the contact details above.
We will only retain your personal data for as long as reasonably necessary to fulfil the purposes we collected it for.
For the provision of the Safe People Registry you require an active account, we process your data for as long as you have an account and for 6 months after this. Certain data may be required to be stored for audit purposes, for more information contact DataProtection@hdruk.ac.uk .
Where we process your personal data based on your consent we process the data until you ask us to stop and for a short period after this (to allow us to implement your requests). For example, where we process personal data for marketing purposes or with your consent, we process the data until you ask us to stop and for a short period of 30 days after this (to allow us to implement your requests). We also keep a record of the fact that you have asked us not to send you direct marketing or to process your data so that we can respect your request in future.
Where we process personal data for site security purposes, we retain it for 6 months. The lifespan of the cookies we use is explained in our cookie policy.
Under certain circumstances, you have rights under data protection laws in relation to your personal data, including:
More information can be found on the For the public page on the ICO’s website.
If you wish to exercise any of these rights, please contact DataProtection@hdruk.ac.uk. You will not have to pay a fee to access your personal data (or to exercise any of the other rights).
We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response. We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
These rights may be limited, for example if fulfilling your request would reveal personal data about another person, or if you ask us to delete information which we are required by law or have compelling legitimate interests to keep. If you have unresolved concerns, you have the right to complain to a data protection authority in the country that you reside in or, the country of your place of work or the country where the alleged infringement took place. In the UK, this would be the Information Commissioner, the UK’s data protection authority.
