How the University uses research participants’ personal data (fair processing notice)

About this notice

The University needs to collect and process the personal data of individuals who take part in research projects in order to fulfil its statutory functions and operate effectively. Personal data is processed for a variety of reasons relating to research (as set out below) and all personal data will be collected and processed in accordance with the requirements of the General Data Protection Regulation (GDPR) and the Data Protection Act 2018.

In this notice:

You must read this notice alongside the specific participant information sheet you will be given by the research team. In the unlikely event that there is any contradiction between the general information provided here and the participant information sheet, the participant information sheet takes precedence.

The University is a ‘data controller’ in relation to your personal data and is registered as such with the Information Commissioner’s Office (ICO), under registration number Z6650067.

Changes to this notice

The University may update this notice at any time and may provide you with further notices on specific occasions where we collect and process personal data about you. You should check this notice regularly to be aware of any changes. However, where any change affects your rights and interests, we will do our best to make sure we bring this to your attention and clearly explain what this means for you.

Questions or comments

If you have any questions or comments regarding this notice or the research study that you are participating in, or you wish to exercise any of your rights (see below), you should contact the research team responsible for the study (details will be provided in the participant information sheet). You could also contact the Univerity’s Data Protection Officer by email at data-protection@bristol.ac.uk or by phone at (0117) 394824.

How we collect your personal data

Most of the personal data covered by this notice will have been provided by or observed about you in the course of your application and recruitment to, or during your time as a participant in, a research project. However, all research projects are different and the information we collect will vary. You will be provided with a participant information sheet which will specify the personal data that we will need to collect from you for the research project, or the source of the data if it is not obtained directly from you. Researchers will only collect the minimum amount of personal data required to meet the project’s aim.

Some data, such as survey data, is frequently collected anonymously so information derived from your personal data cannot be withdrawn once you have given permission for it to be used. Where you may be identifiable in a research publication, such as an attributable quote or photograph, we will seek your explicit consent.

Types of personal data processed

All research projects are different and the information collected will vary. The participant information sheet will specify the personal data that is being collected, but it may include some personal details and identifiers (e.g. name and contact details), and information relevant to the research project (e.g. medical details, performance records or views on particular subjects).

This information that the University may collect and process about you can include special categories of personal data, which are particularly sensitive and require us to take additional steps to ensure their security and confidentiality. Some research projects, for example, those concerning health and medicine, will likely collect special category data and we protect this with additional measures.

Personal data provided by you about others

You may provide us with personal data about other individuals, for example next of kin/emergency contact details and information about your family circumstances and dependents. You should notify the relevant person that you are providing their details to the University as your listed next of kin/emergency contact.

How the University uses personal data about you

Depending on your role, the University may process personal data (including special categories of personal data) about you for the following purposes:

Lawful grounds for processing your personal data

We will only use your personal data when we are permitted to do so by law. Most commonly, we will use your personal data:

The public task condition outlined above covers all of the University’s research activities, but other lawful bases may also apply in specific instances:

We are able to obtain and process special categories of personal data for scientific or historical research purposes, and also for reasons of public interest in the area of public health, as long as appropriate safeguards are applied. Explicit consent may also be requested for this in some instances.

Please note that the legal basis on which your personal data is processed under data protection law is separate from ethical consent requirements and any common law duty of confidentiality that may apply.

Research in the University is strictly governed by policies and procedures, and all research involving human participants undergoes ethical scrutiny to ensure that the research is conducted in a manner that protects participants. For more information see our ethics pages: (http://www.bristol.ac.uk/red/research-governance/ethics/)

Sharing your personal data with third parties

To communicate our research to the public and the academic community, your anonymised data is likely to form part of a research publication or conference presentation or public talk. Where researchers wish to use any information that would identify you, specific consent will be sought.

Your personal data may be shared with project team members who are authorised to work on the project and access the information. This may include staff at the University of Bristol or collaborators at other organisations.

The University may be undertaking a research project in collaboration with another organisation, for instance another university, research institution, health authority or other external party. Personal data may need to be shared with authorised personnel acting for these parties in such circumstances, but it will be made clear on the participant information sheet if this is the case.

It is also possible that personal data held for the purpose of a research project may need to be shared with the funders and sponsors of the research or other regulatory bodies. On very rare occasions, it may be necessary to disclose personal data to other parties where there is a legal obligation to do so.

Where the University uses third parties to process personal data on its behalf for the purpose of a research project (acting as data processors), a written contract will be put in place to ensure that any personal data shared will be held in accordance with the requirements of data protection law and that such data processors have appropriate security measures in place in relation to your personal data.

Parents, family members and guardians are considered to be third parties and your personal data will not be disclosed to such persons unless you have given your consent or the disclosure is otherwise made in accordance with data protection law.

Where necessary, your personal data may also be made available in confidence to auditors or to a named person in the case of allegations of research misconduct.

Please note that we may need to share your personal information with a regulator or to otherwise comply with the law, and the list above is not necessarily exhaustive.

Where your personal data are stored

Some of your personal data may be held in hard copy files stored in secure locations. Most personal data about you will be stored digitally on servers within the UK or elsewhere within the European Economic Area (EEA). The participant information sheet will provide further details if required. The University will ensure that all personal data is held securely, however it is held.

Some personal data that the University processes about you may be accessed from, transferred to, or stored in, a country or territory outside of the EEA. The University will only transfer your personal data outside of the EEA:

How the University keeps your personal data secure

The University has put in place appropriate technical and organisational security measures to prevent your personal data from being accidentally lost or used, accessed, altered or disclosed in any unauthorised way. In addition, the University limits access to your personal data to the persons and organisations, including those described above, who have a lawful and legitimate need to access it. For further information, visit the University’s Information Security webpages.

The University has also put in place procedures to deal with any suspected personal data security breach and will notify you and any applicable regulator of a suspected breach where we believe it is fair to do so or we are required by law.

How long the University will retain your personal data

The participant information sheet will provide details about the long-term use (and where applicable, re-use) and retention of your personal information in connection with the specific research study you are participating in. If a study is funded, the research funder may define the period of time for which data will be retained. Otherwise, it will be kept in accordance with the University’s Records Retention Schedule for a specified period of time after your research participation with us ceases.

Research data is normally anonymised as quickly as possible after data collection so that individuals cannot be identified and their privacy is protected. You will not be able to have your personal data withdrawn after this point.

In addition to data we collect from you or generate through interactions with you as part of the research activity, we will also hold your personal data within project governance documentation (in particular participant agreements or consent forms) and records of any communications with you via email, letter or other means. These will need to be retained for audit purposes even if you decide not to take part or withdraw from participation at a later date.

CCTV

If you visit University premise in the course of your participation then please note that the University operates CCTV around its properties for security and crime detection purposes. For further information, please see the University’s CCTV Code of Practice.

Your rights

You have a number of rights in relation to the processing of your personal data by the University:

To exercise any of these rights you must contact the University's Data Protection Officer at data-protection@bristol.ac.uk. The University may be entitled to refuse any request in certain circumstances and where this is the case, you will be notified accordingly.

Where the lawful ground relied upon by the University to process any of your personal data is your consent, you have the right to withdraw such consent at any time without having to give any reason. However, if you do so, the University may still be entitled to retain any information you have already provided if it would undermine the research project to delete it. Steps will be taken to anonymise any of your data where possible in these circumstances.

You will not have to pay any fee to exercise any of the above rights, though the University may charge a reasonable fee or refuse to comply with your request if any request is clearly unfounded or excessive. Where this is the case, you will be notified accordingly.

To protect the confidentiality of your personal data the University may ask you to verify your identity before fulfilling any request in relation to your personal data.