How the University uses research participants’ personal data (fair processing notice)

About this notice

The University needs to collect and process the personal data of individuals who take part in research projects to fulfil its statutory functions and operate effectively. Personal data is processed for a variety of reasons relating to research (as set out below), and all personal data will be collected and processed in accordance with the requirements of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, and any subsequent relevant legislation.

In this notice:

  • Personal data means any data which can identify you directly or indirectly (whether itself or when combined with other data), regardless of the format or media in which the data are stored. This includes data that can identify you when combined with other data that is held separately (pseudonymous data), but does not include data that has been manipulated so that you can no longer be identified from it (anonymous data).
  • Processing means any activity relating to your personal data including collection, use, alteration, storage, disclosure and destruction.

You must read this notice alongside the specific participant information sheet you will be given by the research team and any other materials or local privacy notices relating to the research. In the unlikely event that there is any contradiction between the general information provided here and the participant information sheet, the participant information sheet takes precedence.

The University is a ‘data controller’ in relation to your personal data and is registered as such with the Information Commissioner’s Office (ICO), under registration number Z6650067.

Changes to this notice

The University may update this notice at any time and may provide you with further notices on specific occasions where we collect and process personal data about you. You should check this notice regularly to be aware of any changes. However, where any change affects your rights and interests, we will do our best to make sure we bring this to your attention and clearly explain what this means for you.

Questions or comments

If you have any questions or comments regarding this notice or the research study that you are participating in, or you wish to exercise any of your rights (see below), you should contact the research team responsible for the study (details will be provided in the participant information sheet). You could also contact the University’s Data Protection Officer by email at data-protection@bristol.ac.uk.

How we collect your personal data

Most of the personal data covered by this notice will come from you during your application, recruitment, or participation in a research project. However, every research project is different, and the information we collect may vary. You will be given a participant information sheet that explains what personal data we need for the project, or where it comes from if it isn’t collected directly from you. Researchers will only collect the minimum personal data needed to achieve the project’s aims.

Some information, such as survey responses, is often collected anonymously. This means that once you have agreed for it to be used, it cannot later be removed because it cannot be linked back to you.

If you could be identified in a research publication — for example through a named quote or a photograph — we will ask for your explicit consent in advance. In most cases, this consent will be collected using the research project consent form.

Types of personal data processed

All research projects are different, and the information collected will vary. The participant information sheet will specify the personal data that is being collected, but it may include some personal details and identifiers (e.g. name and contact details), and information relevant to the research project (e.g. medical details, performance records or views on particular subjects).

Some of the information the University collects about you may be particularly sensitive, known as “special category” personal data. This type of data needs extra protection to keep it secure and confidential. Research projects that deal with areas like health or medicine often collect this kind of data, and we take additional steps to protect it.

Personal data provided by you about others

You may provide us with personal data about other individuals: for example, next of kin/emergency contact details, or information about your family circumstances and dependents. You should notify the relevant person that you are providing their details to the University and explain the reasons why.

How the University uses personal data about you

Depending on your role, the University may process personal data (including special categories of personal data) about you for the following purposes:

  • the recruitment and selection process for the research project
  • the administration of expenses/reimbursements for the research project
  • vetting checks
  • assessing the University’s performance against equality objectives as set out by the Equality Act 2010
  • the administration and management of the research project, and your role in it

Lawful grounds for processing your personal data

We will only use your personal data when we are permitted to do so by law. Most commonly, we will use your personal data:

  • for purposes pursuant of the University’s public task (the University of Bristol is a  public research institution, set up by royal charter to advance knowledge and education through teaching and research. This means that we process personal data because it is necessary for our public duties, for scientific or historical research that benefits the public, and we always apply the appropriate safeguards to protect your data.).

The public task condition outlined above covers all the University’s research activities, but other lawful bases may also apply in specific instances:

  • with your informed consent (for example, you have applied to participate in a research project, you will have done this voluntarily and the process will have been fully explained to you)
  • to protect your vital interests or those of another person (for example, where we know or have reason to believe that you, or another person, may suffer harm)

We can obtain and process special categories of personal data for scientific or historical research purposes, and also for reasons of public interest in the area of public health, as long as appropriate safeguards are applied.  Explicit consent may also be requested for this in some instances.

Please note that the legal basis on which your personal data is processed under data protection law is separate from ethical consent requirements and any common law duty of confidentiality that may apply.

Research at the University is carefully controlled by strict policies and procedures. Any research involving people is reviewed for ethics to make sure it is carried out in a way that protects participants. For more information see our ethics pages.

Sharing your personal data with third parties

To share our research with the public and academic community, your data will usually be anonymised and may be included in publications, conference talks, or public presentations. If researchers want to use any information that could identify you, they will ask for your specific permission through the research project consent form.

Your personal data may be shared with members of the project team who are authorised to work on the project. This could include staff at the University of Bristol or collaborators from other organisations. Sometimes personal data collected for research will be stored in University archives or shared with other legitimate academic researchers. This data is usually anonymised, but in some cases it may not be, for example with video recordings.

The University may run a research project together with another organisation, such as another university, a research institute, a health authority, or another external partner. Where this happens, a suitable contract will be in place. Your personal data may need to be shared with authorised staff working for these partners, and this will be clearly explained in the participant information sheet.

Personal data may also need to be shared with research funders, sponsors, or regulatory bodies. In very rare cases, it may be disclosed to others if there is a legal obligation to do so.

If the University uses other organisations to handle personal data for a research project (acting as data processors), a written contract will be in place to make sure your data is kept securely and in line with data protection law.

Parents, family members, and guardians are considered to be third parties. Your personal data will not be shared with them unless you give consent, or the law allows it.

In some cases, your personal data may also be shared confidentially with auditors, or with a named person if there are allegations of research misconduct.

Please note that we may need to share your personal information with a regulator or to otherwise comply with the law, and the list above is not necessarily exhaustive.

Where your personal data are stored

Some of your personal data may be held in hard copy files stored in secure locations. Most personal data about you will be stored digitally on servers within the UK or elsewhere within the European Economic Area (EEA). The participant information sheet will provide further details if required. The University will ensure that all personal data is held securely, however it is held.

Some personal data that the University processes about you may be accessed from, transferred to, or stored in, a country or territory outside of the EEA. The University will only transfer your personal data outside of the EEA:

  • to a country or territory that is the subject of an adequacy decision confirming that it ensures an adequate level of protection for the rights and freedoms of data subjects.
  • in the case of a third party based in the United States of America, where such third party is certified under a relevant certification scheme approved by the UK Government.
  • where the transfer is subject to one or more appropriate safeguards prescribed by law, including standard contractual clauses or the international data transfer agreement.
  • if the transfer is otherwise permitted by law or where you have given your explicit consent.

How the University keeps your personal data secure

The University has appropriate technical and organisational security measures to prevent your personal data from being accidentally lost or used, accessed, altered or disclosed in any unauthorised way. In addition, the University limits access to your personal data to the persons and organisations, including those described in this notice, who have a lawful and legitimate need to access it. For further information, visit the University’s Information Security webpages.

The University also has procedures to deal with any suspected personal data security breach, and will notify you and any applicable regulator of a suspected breach where we believe it is fair to do so or we are required by law.

How long the University will retain your personal data

The participant information sheet will provide details about the long-term use (and where applicable, re-use) and retention of your personal information in connection with the specific research study you are participating in. If a study is funded, the research funder may define the period of time for which data will be retained. Otherwise, it will be kept in accordance with the University’s Records Retention Schedule for a specified period of time after your research participation with us ceases.

Research data is normally anonymised as quickly as possible after data collection so that individuals cannot be identified and their privacy is protected. You will not be able to have your personal data withdrawn after this point.

In addition to the data we collect from you as part of the research, we will also keep some of your personal data in project governance records, such as consent forms and any communications with you by email, letter, or other means. These records may need to be kept for audit purposes, even if you decide not to take part or later withdraw from the project.

CCTV

If you visit University premise in the course of your participation then please note that the University operates CCTV around its properties for security and crime detection purposes. For further information, please see the University’s CCTV Code of Practice.

Your rights

You have a number of rights in relation to the processing of your personal data by the University:

  • Access: You have the right to request access to, and be provided with a copy of, the personal data held about you, together with certain information about the processing of such personal data, to check that the University is processing it lawfully and fairly.
  • Correction: You have the right to request correction of any inaccurate or incomplete personal data held about you.
  • Deletion: You have the right to request erasure of any personal data held about you where there is no good reason for the University to continue processing it, or where you have exercised your right to object to the processing of your personal data.
  • Restriction: You have the right to request restriction of how the University processes your personal data; for example, to confirm its accuracy or the University’s reasons for holding it, or as an alternative to its erasure.
  • Objection: You have the right to object to the University’s processing of any personal data which is based on the legitimate interests of the University or those of a third party based on your particular circumstances. You also have the right to object to the University processing your personal data for direct marketing purposes.
  • Portability: You have the right to receive or request that the University transfers a copy of your personal data in an electronic format where the basis of the University processing such personal data is your consent or the performance of a contract, and the information is processed by automated means.
  • Complaints: You have the right to complain to the Information Commissioner’s Office (ICO) or any other EU supervisory authority in relation to how the University processes your personal data.

To exercise any of these rights you must contact the University's Data Protection Officer at data-protection@bristol.ac.uk. The University may be entitled to refuse any request in certain circumstances and, where this is the case, you will be notified accordingly.

If the University is using your personal data based on your consent, you can withdraw that consent at any time and you do not need to give a reason. However, if you do this, the University may not be able to provide some services to you, or those services may be affected.

You do not usually have to pay a fee to use your data protection rights. However, the University may charge a reasonable fee or refuse a request if it is clearly unreasonable or excessive. If this is the case, you will be told.

To keep your personal data secure, the University may ask you to confirm your identity before dealing with any request about your personal data.