What about my data privacy?
Who is responsible for your data?
The data controller for this trial is the Sponsoring organisation, University of Oxford.
Personal data we collect about you
Staff within the NHS will collect information from you and your medical records for this research. The Central Coordinating Office based in the Nuffield Department of Population Health, University of Oxford will use your name and NHS number (or CHI number in Scotland) to make sure that relevant information about the study is recorded for your care, and to oversee the quality of the study. In addition to this, we will seek information from Health Registries or NHS bodies such as NHS Digital about care provided during your admission with Covid-19 (e.g. duration of admission, ventilation) your long-term health status (e.g. reasons for any future hospital admissions). To do this, we will provide your details to the Health Registry or NHS bodies to link the data but this will be done in a secure and confidential manner. The information received from the Health Registry or NHS bodies will be imported into a database held securely by the University of Oxford and used solely for research purposes.
Individuals from the Sponsoring Organisation and regulatory organisations may look at your medical and research records to check the accuracy of the research data. The only people at the Sponsor who will have access to information that identifies you will be people involved in the processes of carrying out the study follow-up or auditing the data collection process. The people who analyse the information will not be able to identify you and will not be able to find out your name, address, NHS number or your contact details.
How we use your personal data
As a publicly funded organisation, we have to ensure that it is in the public interest when we use personally identifiable information from people who have agreed to take part in research. This provides the legal basis for our use of your data; GDPR Article 6(1)(e) and Article 9(2) (j). This means that when you agree to take part in a research study, we will use your data (including your health data) in the ways needed to conduct and analyse the research study. Health and care research should serve the public interest, which means that we have to demonstrate that our research serves the interests of society as a whole. To ensure we carry out the research to the highest standards we comply with the Clinical Trials Regulation 536/2014 and the UK Policy Framework for Health and Social Care Research.
We want to keep you informed about the trial results and progress. To do this we will send you letters by post. If you live in England or Wales, these letters will be sent by NHS Digital on our behalf. In order to write to you, NHS Digital will provide your name and address to APS Group who are a UK-based secure communications provider (used by the NHS for other mailings). If you live in Scotland these letters will be sent by the Health Informatics Centre (HIC) at the University of Dundee on our behalf. In order to write to you, HIC will provide your name and address to DocMail who are a UK-based secure communications provider (used by the NHS for other mailings). If you live in Northern Ireland, these letters will be sent by your hospital. If you would like to receive communications from us by email instead, you can ‘opt in’ to email communications by completing this form. You can opt out of these communications at any time by letter, phone or email (details below).
How long we keep your data
The Sponsor will keep your direct identifiers (eg name) for up to one year after the study has finished, unless you are under 18 in which case we have to keep it until you are 21 because of the statute of limitations. Your other personal data will be retained for at least 25 years after the end of the study, in line with relevant legislation. Since the study will continue long-term follow up for 10 years after the initial treatment phase to assess the long-term effects of the treatments being tested, your direct identifiers will be stored until at least 2031 and your other personal data will be stored until at least 2055. At the end of this retention period, your personal data will either be deleted or rendered anonymous (non-identifiable).
We may need to retain personal data for longer if it is necessary to fulfil our purposes, including any relating to legal, accounting, or reporting requirements. We may also retain personal data for further research for which a legal basis exists. This will always be done in accordance with data protection laws.
General information about how long different types of information are retained by the University can be found in the University’s Policy on the Management of Research Data and Records, available via http://researchdata.ox.ac.uk/university-of-oxford-policy-on-the-management-of-data-supporting-research-outputs/.
How we protect your data
We protect your personal data against unauthorised access, unlawful use, accidental loss, corruption or destruction.
We use technical measures such as encryption and password protection to protect your data and the systems they are held in. We also use operational measures to protect the data, for example by limiting the number of people who have access to the databases in which your data is held and using unique reference numbers to identify participants rather than names wherever possible.
We keep these security measures under review and refer to University Security Policies to keep up to date with current good practice.
Sharing your data
Your personal data which are collected and managed by the Sponsor will be used only to allow us to carry out the follow-up of this trial, including linkage with Health Registries or NHS bodies such as NHS Digital. Data from which you cannot be identified may be shared with other research groups who are doing similar research (including the University of Bristol, who are assisting the trial by providing an independent analysis of the trial database, as well as commercial companies and transfer outside the EU). This ‘de-identified’ information will not identify you and will not be combined with other information in a way that could identify you. The information will only be used for the purpose of health and care research, and cannot be used to contact you or to affect your care. It will not be used to make decisions about future services available to you, such as insurance.
Under the General Data Protection Regulation (GDPR), which came into effect on 25 May 2018, you have the following rights in relation to the information that we hold about you (your ‘personal data’):
- The right to request access to your data (commonly known as a "subject access request"). This enables you to receive a copy of your data and to check that we are lawfully processing it.
- The right to request correction of your data. This enables you to ask us to correct any incomplete or inaccurate information we hold about you.
- The right to request erasure of your data. This enables you to ask us to delete or remove your data in certain circumstances for example, if you consider that there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your data where you have exercised your right to object to processing (see below).
- The right to object to the processing of your data, where we are processing it to meet our public tasks or legitimate interests (or the legitimate interests of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your data for direct marketing purposes.
- The right to request that the processing of your data is restricted. This enables you to ask us to suspend the processing of your data, for example, if you want us to establish its accuracy or the reason for processing it.
- The right to access, change or move your data. Depending on the circumstances, we may have grounds for not complying with your request, for example, where we consider that deleting your information would seriously harm the research or where we need to process your data for the performance of a task in the public interest.
If you wish to exercise any of these rights, please contact the trial at email@example.com.
If you withdraw from the study, we will keep the information about you that we have already obtained. To safeguard your rights, we will use the minimum personally-identifiable information possible. For further information, see: https://compliance.admin.ox.ac.uk/individual-rights
If you wish to raise a complaint on how we have handled your personal data, you can contact our Data Protection Officer, firstname.lastname@example.org, who will investigate the matter. If you are not satisfied with our response or believe we are processing your personal data in a way that is not lawful you can complain to the Information Commissioner’s Office (ICO) by visiting https://ico.org.uk/make-a-complaint/ or by calling their helpline on 0303 123 1113.
If you would like to contact us directly for more information about how we process and protect data collected for research, please email: email@example.com. If you prefer you can call the study team on 0800 138 5451 or write to: RECOVERY Central Coordinating Office, Richard Doll Building, Old Road Campus, Roosevelt Drive, Oxford OX3 7LF