Transparency wording

Transparency

The lawfulness, fairness and transparency principle of GDPR requires data subjects to be provided with certain information about the collection and processing of their personal data. This information is typically provided in the form of ‘fair processing notices’ or ‘privacy notices’. In a research context, this information may often be included within a patient information sheet or similar document which is provided to support informed consent, though it can be provided separately.

The GDPR require the information to be provided to data subjects in a concise, transparent, intelligible and easily accessible form and to be written in clear and plain language (in particular where directed to a child).

Fair Processing Information 

The following information always needs to be provided to individuals whose personal data is being used: 

  •  The name and contact details of the University
  •  The contact details of the Data Protection Officer
  •  The lawful basis for the processing
  •  The rights available to individuals when their personal data is being processed
  •  The right to lodge a complaint with the data protection regulator

Lawful Basis

There are six different legal justifications for processing identifiable information; 'consent' is one of them but, perhaps counter-intuitively, researchers should not generally use this as their legal basis. This is, in part, due to a data subject's right to withdraw consent at any time.
 
The University Charter gives it, and its researchers, the power to “make provision for research and for the advancement and dissemination of knowledge”, and this provides our legal basis for the processing of data for research purposes. We would therefore generally expect researchers to stipulate the legal basis for processing data as ‘public task’.

This does not in any way alter the requirement to seek consent for participation in research:

“It is important not to confuse consent sought for other purposes, e.g. an ethical or common law requirement, with the lawful basis for processing under data protection legislation. The lawful basis for processing under data protection law may be something other than consent with consent still sought for participation in the research.
For example, an individual is asked if they will agree to participate in research but is told that, if they agree to participate, then the processing of his or her personal data will be necessary for the performance of a task carried out in the public interest or in the exercise of official authority.”

From A Lawful Basis for Health Research under Data Protection Law.

Where the processing of personal data is undertaken in reliance upon the public task condition, the right to erasure (‘right to be forgotten’) and right to data portability do not apply. However, data subjects still have other rights in relation to the processing of their personal data.

It must be noted, that any processing of personal data must be “necessary”. If it would be possible to undertake research in a less intrusive way, then the University may not be able to rely upon the public task condition. This might be identified during REC review or as the result of a complaint to the ICO.

Relying upon the public task condition for the processing of personal data does not provide justification for the disclosure of confidential patient information in the public interest.

Recommended Wording for Participant Information – Clinical Research

Information from HRA: https://www.hra.nhs.uk/planning-and-improving-research/policies-standards-legislation/data-protection-and-information-governance/gdpr-guidance/templates/transparency-wording-for-all-sponsors/

For any trial that requires approval by an NHS REC, the wording below should be included in the patient information sheet.

Text in bold is instructions. Text in [square brackets] should be used as relevant. Terms such as NAME, OTHER, X or EVENT should be replaced with the relevant words.

In the summary PIS

In this research study we will use information from [you] [your medical records] [your GP] [OTHER]. We will only use information that we need for the research study. We will let very few people know your name or contact details, and only if they really need it for this study.

Everyone involved in this study will keep your data safe and secure. We will also follow all privacy rules. 

At the end of the study we will save some of the data [in case we need to check it] AND/OR [for future research]. 

We will make sure no-one can work out who you are from the reports we write.

The information pack tells you more about this.

In the PIS or document provided to participants

How will we use information about you? 

We will need to use information from [you] [from your medical records] [your GP] [OTHER] for this research project.

This information will include your [initials/ NHS number/ name/ contact details/ provide a bullet list of identifiers held by site and/or sponsor for the research]. People will use this information to do the research or to check your records to make sure that the research is being done properly.

OPTION where applicable: People who do not need to know who you are will not be able to see your name or contact details. Your data will have a code number instead.

OPTION if not already stated: The University of Bristol is the sponsor of this research, and is responsible for looking after your information. We will keep all information about you safe and secure by:

In bullet points, concisely list some of the steps you will take to keep information secure

International transfers

[IF NO TRANSFERS OUT OF UK WILL OCCUR] Your data will not be shared outside the UK.

OR

[IF TRANSFERS OUT OF UK WILL OCCUR, WHICH IF IT REMAINS A POSSIBILITY E.G. IN THE FUTURE – INCLUDING SHARING IN DE-IDENTIFIED FORM WITH OTHER RESEARCHERS - SHOULD BE INCLUDED AND ABOVE DELETED]

We may share data about you outside the UK for research related purposes to:

In bullet points, concisely list the reasons why you will send data out of the UK

If this happens, we will only share the data that is needed. We will also make sure you can’t be identified from the data that is shared where possible. This may not be possible under certain circumstances – for instance, if you have a rare illness, it may still be possible to identify you. If your data is shared outside the UK, it will be with the following sorts of organisations:

  • [insert list e.g. our partners who analyse your data, companies to pay your expenses, organisations who store your data]

We will make sure your data is protected. Anyone who accesses your data outside the UK must do what we tell them so that your data has a similar level of protection as it does under UK law. We will make sure your data is safe outside the UK by doing the following [DELETE AS APPLICABLE]:

  • (some of) the countries your data will be shared with have an adequacy decision in place. This means that we know their laws offer a similar level of protection to data protection laws in the UK
  • we use specific contracts approved for use in the UK which give personal data the same level of protection it has in the UK. For further details visit the Information Commissioner’s Office (ICO) website
  • we do not allow those who access your data outside the UK to use it for anything other than what our written contract with them says
  • we need other organisations to have appropriate security measures to protect your data which are consistent with the data security and confidentiality obligations we have. This includes having appropriate measures to protect your data against accidental loss and unauthorised access, use, changes or sharing
  • we have procedures in place to deal with any suspected personal data breach.  We will tell you and applicable regulators when there has been a breach of your personal data when we legally have to. For further details about UK breach reporting rules visit the Information Commissioner's Office (ICO) website
  • [OTHER]

Once we have finished the study, we will keep some of the data so we can check the results. We will write our reports in a way that no-one can work out that you took part in the study.

DELETE one option in square brackets: We will keep your study data for the minimum period of time required by [state the conditions that will be used to determine this time period] OR [we will keep your study data for a maximum of XX years]. The study data will then be fully anonymized and securely archived or destroyed.

What are your choices about how your information is used?

  • you can stop being part of the study at any time, without giving a reason, but we will keep information about you that we already have
  • OPTION if follow up data will be collected after withdrawal: If you choose to stop taking part in the study, we would like to continue collecting information about your health from [central NHS records / your hospital / your GP]. If you do not want this to happen, tell us and we will stop
  • you have the right to ask us to remove, change or delete data we hold about you for the purposes of the study. We might not always be able to do this if it means we cannot use your data to do the research. If so, we will tell you why we cannot do this
  • OPTION if data will be used for future research: If you agree to take part in this study, you will have the option to take part in future research using your data saved from this study. [Insert details of any specific bank / repository]

Where can you find out more about how your information is used?

You can find out more about how we use your information, including the specific mechanism used by us when transferring your personal data out of the UK.

  • at http://www.bristol.ac.uk/secretary/data-protection/policy/research-participant-fair-processing-notice/
  • by asking one of the research team
  • by sending an email to data-protection@bristol.ac.uk, or
  • by calling the University’s Data Protection Officer on (0117) 4556325.

----------

Recommended Wording for Participant Information – All Other Research

How will we use information about you? 

We will need to use information that you provide about yourself for this research project. 

This information will include your [initials/ name/ contact details/ provide a bullet list of identifiers held by site and/or sponsor for the research].  People will use this information to do the research or to make sure that the research is being done properly.

OPTION where applicable: People who do not need to know who you are will not be able to see your name or contact details. Your data will have a code number instead. 

We will keep all information about you safe and secure. 

OPTION where applicable: Some of your information will be sent to country X. They must follow our rules about keeping your information safe. 

Once we have finished the study, we will keep some of the data so we can check the results. Once the data has been analysed, we will seek to share our findings through publication, presentation and the media. All reports will be written in a way that ensures that no-one can work out that you took part in the study.

What are your choices about how your information is used?

  • You can stop being part of the study at any time, without giving a reason, but we will keep information about you that we already have. 
  • We need to manage your records in specific ways for the research to be reliable. This means that we won’t be able to let you see or change the data we hold about you. 
  • OPTION if data will be used for future research: If you agree to take part in this study, your data saved from this study may be used for future research. Insert details of any specific bank/ repository. 

Where can you find out more about how your information is used?

You can find out more about how we use your information: