How will your personal information (data) be processed?

'Personal data' means information relating to a natural (living) person or 'data subject', which can be used to identify the person. How a person or organisation can or cannot lawfully use your personal data is set out in the Data Protection Act 2018 and General Data Protection Regulations, or GDPR.

The responsibility for making sure your personal information is used within the law rests with the organisation, which determines the purposes for and way your personal information is to be collected and used. This makes this organisation the data controller for this personal information.

Where a GP practice collects information about you in your patient health records, they are the data controllers for this information. The AvonCAP GP2 study (University of Bristol) will be provided with a copy of these records under a data sharing agreement with the organisation that originally collected your information.

Once the study has received your record, the University of Bristol will be the data controller for this information (but can only use the data in line with the terms of the data sharing agreement).

How will the information (data) be kept confidential?

When information about a person’s healthcare joins with information that can show who they are (e.g. their name or NHS number) it is called 'identifiable patient information'. It is important that identifiable patient information is kept confidential and there are rules to ensure it is kept safe and secure. The research team will be looking at some of your health records and using some data from your GP records. The information that is collected from the health records by the research team is called research data.

The study team will enter your patient data into a database - a collection of information stored on a protected encrypted computer, which only a small number of authorised staff can access by using a secure password, in accordance with UK Government regulations known as GDPR (see below).

Your information will be entered under a code number, so that it is not possible to identify you from this database (pseudonymised data). These data can only be matched up with data that identifies you (patient identifiable data) using the code number. These data will be held by the University of Bristol for up to 15 years.

The anonymised data may be used for future research related to infectious disease prevention and vaccine development and may be shared with other researchers. Monitors from the University of Bristol may access your records to check the quality of the study. The wider research team and collaborators, including Pfizer Inc, will only have access to the anonymised data.

Will the use of my data meet GDPR rules?

Yes. GDPR stands for the General Data Protection Regulation. In the UK we follow GDPR rules under the Data Protection Act 2018. All research using patient data must follow UK laws and rules.

Universities, NHS organisations and companies may use patient data to do research to make health and care better. Researchers must show that their research takes account of the views of patients and ordinary members of the public. Researchers must also protect the privacy of people who take part. An NHS research ethics committee checks this before the research starts. This process makes sure that research using patient data can only be permitted as ‘a task in the public interest’, and only data needed for the research is used.

When companies do research to develop new treatments, they must prove that there is a need to develop new treatments and that the data is necessary for the research. In legal terms this means that they have a ‘legitimate interest’ in using patient data.

How will the data be used?

The research team will analyse this data to work out the burden of disease (how many patients are diagnosed with chest infections and what impact it has on them and the NHS). We will also try to answer other important questions, such as whether patients with underlying medical conditions are at increased risk of certain causes of infection.

Who will we share your information with and why?

We will want to share some of the data collected through the research with our study funders (Pfizer Inc), but will never share  individuals’ names, postcode, NHS number or date of birth with them.

It is important to share the results of this study with other scientists and healthcare organisations. We will publish what we learn from this study in scientific journals. We will also publish results at national and international research and health service delivery meetings. When we do this, we will make sure that you cannot identify any individual in the publication.

If you have any concerns, or want to know more about your rights, please see Your rights.