Privacy policy

Purpose

This privacy policy sets out how the NIHR uses and protects any information – including your personal information – that the NIHR collects and receives when you use any of its websites, systems or services.

The NIHR may change this policy from time to time by updating this document. You may check the latest document content at any time by visiting the privacy policy on the NIHR website at www.nihr.ac.uk/privacy-policy.htm. The latest version of this policy will be presented by reference or link from all relevant NIHR websites, systems and services.

Scope

This privacy policy is applicable to websites, systems and services provided as part of the corporate NIHR representing the set of organisations that are contracted to the Department of Health and Social Care (DHSC) as managing units to deliver the NIHR and referred to as Corporate NIHR. This includes responsible units or services that form part of NIHR such as the NIHR infrastructure.

Relevant contact details

DHSC is the Data Controller for NIHR held personally identifiable information under the General Data Protection Regulation 2016 (GDPR).

Data controller: Department of Health and Social Care
39 Victoria Street
Westminster
London
SW1H 0EU

Data Protection Officer: John Ryder (data_protection@dh.gsi.gov.uk)

For GDPR related requests please contact:
NIHR Service Desk
Back Lane
Melbourn
Royston
SG8 6DP
Email: gdpr_requests@nihr.ac.uk

Who we are

The NIHR is funded through the DHSC to improve the health and wealth of the nation through research. It is a large, multi-faceted and nationally distributed virtual organisation. Together, NIHR people, facilities and systems represent the most integrated clinical research system in the world, driving research from bench to bedside for the benefit of patients and the economy.

The NIHR is not a legal entity; it consists of a number of managing agents that are contracted to the DHSC to provide NIHR by advising on, recommending, organising and administering the commissioning of research programmes, infrastructure, training and patient and public involvement.

For context, as of 01/05/2018, the following specific third party contracted units and services form the NIHR:

• NIHR managing agents, also known as Coordinating Centres:
  • NIHR Central Commissioning Facility (CCF) – supports the commissioning of research programmes and infrastructure and their responsible units / services
  • NIHR Clinical Research Network Coordinating Centre (CRNCC) – establishes infrastructure, training and support and their responsible units / services
  • NIHR Evaluation, Studies and Trials Coordinating Centre (NETSCC) – supports the commissioning of research programmes
  • NIHR Academy – supports training awards to researchers and institutions
  • NIHR Office for Clinical Research Infrastructure (NOCRI) – provides potential partners, including the life sciences industry and charities, with a direct and simplified route to a wide range of experimental medicine facilities and expert NIHR investigators
  • INVOLVE – supports public involvement in NHS, public health and social care research
• NIHR-wide Information and Communication Technology Services
  • The NIHR Hub (Corporate IT services) – including email, document storage and sharing and other collaboration and productivity tools including a corporate directory
  • CloudLock – a security layer for Hub services
  • The NIHR website and associated services
  • Be Part of Research (previously called the UK Clinical Trials Gateway) – provides easy to understand information about trials running in the UK
  • Amazon Web Services – hosting a number of applications
  • Google Cloud Platform – hosting G Suite and the NIHR Hub Homepage
  • ServiceNow – a helpdesk service providing support for NIHR facilities e.g. Hub and Website

This privacy policy is applicable to third parties who are contracted to act on behalf of the NIHR.

How we use your information

The NIHR is committed to ensuring that your privacy is protected. Any information you provide to NIHR will only be used in accordance with this privacy policy.

What information we collect

• For formal interactions with NIHR – such as applications for funding – we will increasingly ask researchers for an ORCiD identifier as a consistent and universal identifier of a researcher across NIHR, and beyond. This will help us (and other research bodies) to recognise you as the same individual and will provide opportunities to remove duplication of your effort in recording information more than once
• Name, email address and organisational unit – these are collected to allow you to login and access NIHR services
• Some services may optionally ask for additional data such as date of birth in order to fully participate (e.g. the Google+ service in NIHR Hub). You have full choice over your participation – and control over the disclosure of this information through the application
• You may also provide additional information including contact details and job title; associations with organisations and institutions and your association with various NIHR activities e.g. applications, grants, awards, studies, training activities projects and programmes. Whilst this is not mandatory it will help you achieve more from the corporate systems and services
• For applicants for funding we may collect additional sensitive data relating to equality and diversity (such as ethnicity). Where we do this it will be through a dedicated Equality and Diversity Reporting System and we will store the information separately and encrypted to maintain anonymity

The information we collect may vary depending on the nature of your interaction with NIHR. However, the way we protect your information is always within the terms of this policy.

Why we collect the information

Information is collected for the administration and commissioning of NIHR research programmes, faculty and infrastructure and any appropriate legislation. The lawful basis for processing this Information is Article 6(1)e of the GDPR- “processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller”, with the exception of Join Dementia Research and direct marketing purposes where we would seek your explicit consent to participate and will rely on the GDPR Article 6(1)a lawful basis- Consent.

How long will we keep your data

We will keep your data for varying amounts of time depending on the nature of the interaction with our services:

• We only store data that is necessary for a specific purpose
• We will not store your data for longer than is necessary for the purpose for which it was collected, unless we are legally obligated to do so by contract or other legal requirement as a public body
• Your data will be securely deleted when no longer needed for the purpose(s) for which it was collected and/or the DHSC are no longer obligated to keep it

What we do with the information we gather

We require this information for the following reasons:

• NIHR internal administration of NIHR websites, systems and services and users’ access rights and privileges in order to effectively manage those systems and services and to provide appropriate privacy and confidentiality protection
• Administration and management of the corporate NIHR including collecting, collating, analysing and interpreting information and insights for the effective and efficient management of NIHR, which may include:
• Sharing information – including personal identifiers – with the DHSC, other NIHR managing agents and contracted third party suppliers and agents. For example, for:
  • the registration of funding applications
  • the operation of awards/grants processing and management information systems
  • the acquisition of UK and/or international peer reviewer comments on proposals and reports
  • the preparation of material for use by reviewers, experts, referees and review panels
  • response to reviewer comments
  • payments made to host institutions
  • research and statistical analysis using anonymised data (in accordance with the Information Commissioner’s Office code Anonymisation: managing
    data protection risk code of practice”)
  • analysis of the collective activities and outcomes of NIHR
  • Sharing information – including personal identifiers – with authorised external services that collect and collate further information on research outputs, or provide researcher identification in order to provide a more integrated service to users and funders, e.g. researchfish, Europe PubMed Central (Europe PMC) & ORCiD
  • Collating information about the different interactions that you have with NIHR across its constituent parts and over time
• Targeted communications with selected groups of individuals forauthorisedNIHR business purposes e.g. researchers (applicants), reviewers, panel members and others involved in the research management process.
  • The nature of communications will vary according to the role or roles that you adopt, for example:
    • For reviewers: your review of proposals
    • For applicants: the registration of your application; your response to reviewer comment
• Marketing communications to highlight the activities of the NIHR and opportunities for engagement. We will seek your explicit consent to contact you for marketing purposes
• We will use equality and diversity data in an anonymised form to monitor our compliance with equality and diversity objectives
• We will publish personal information about lead investigators and personal award holders in receipt of NIHR Funding

Any specific terms and conditions relating to specific websites, services or systems will be communicated to you in the specific context, for example through a user agreement, but will remain consistent with this policy. User agreements are an important part of protecting privacy by placing behavioural expectations and obligations on all users of a service. Adherence to a user agreement will normally be established as part of registering to use a website, system or service, but casual use of websites may not require a formal agreement.

Context	User agreement/Terms and conditions
NIHR Website	Terms and Conditions
NETCC Management Information System (MiS)	Terms and Conditions
CCF Research Management System (RMS)	Terms and Conditions
Academy Research Awards Management System (ARAMIS)	Terms and Conditions
Be Part of Research	Privacy Policy
Join Dementia Research	Privacy Notice

Third parties

The NIHR may communicate your information to third parties who are authorised and contracted to provide NIHR services. Any such third parties must handle your information in compliance with this privacy policy.

The security and integrity of NIHR systems are of paramount importance to the NIHR. Where systems have the potential to transfer data outside of the European Economic Area, NIHR ensures that any such transfers are covered by relevant supplementary controls in line with advice from the Information Commissioner’s Office.

Cookies and log

We use cookies on NIHR websites to monitor use of our websites, use of web pages and to tailor the website operation to your needs and preferences. More information is available on the specific use of cookies in the NIHR cookies policy and on other NIHR websites with specific purposes (such as Be Part of Research and Join Dementia Research).

When you use the Internet, you are assigned a unique address, known as an IP address. We use IP addresses to analyse trends, to administer the websites, track users’ movements through the websites, and gather statistical information. IP addresses are not linked to other personally identifiable information.

Accuracy

NIHR is committed to maintaining accurate records. Your information may be held in a number of locations across NIHR due to the dispersed nature of the NIHR. The most efficient way of verifying or amending your personal information may be to contact the managing agent operating the service or the service administrator. Each website, system or service will provide a mechanism for doing this. Alternatively, you may contact the Data Controller directly. See the Protecting your personal information section in this policy.

Security and confidentiality

We are committed to ensuring that your information is secure. We use leading technologies and encryption software to safeguard your data, and maintain strict security standards to prevent any unauthorised access to it. We make every effort to reduce the risks associated with data in transit over the internet by using appropriate technology, including (but not limited to) SSL for any of our websites or applications which collect data from you. However, we cannot guarantee the security of your data in the parts of its journey which are not under our direct control.

Links to other websites

Our services may contain links to other websites of interest outside the NIHR. This privacy policy only applies to NIHR websites, systems and services, and doesn’t cover other websites and services that we may link to. You should exercise caution and look at the privacy statement applicable to the website/service in question.

Protecting your personal information

• The DSHC and the NIHR are committed to protecting privacy, and we are legally required to process all personal information in accordance with the GDPR
• Applicants for funding should be aware that information collected in applications will be shared with DHSC / NIHR bodies for the purposes described above. See the What we do with the information we gather section in this policy.
• NIHR use of personal information operates under, and is compliant with, the DHSC Personal Information Charter.
• We will not sell your personal information. We will not disclose your personal information to third parties outside of the NIHR, except for the purposes described in this privacy policy, unless we have your consent, or are required by law to do so.
• The NIHR is subject to the Freedom of Information (FOI) arrangements of the DHSC. You can find further information about making an FOI request on the DHSC website.
• You have the “right of access by the data subject” under the GDPR and may request details of personal data which we hold about you.
• If you would like to request a copy of your personal data or if you have any questions abouttheNIHR’s privacy policy, please write to:
  • NIHR Service Desk, Back Lane, Melbourn, Royston, SG8 6DP
  • Or contact us by email at: gdpr_requests@nihr.ac.uk
• If you believe that any information we are holding on you is incorrect or incomplete, please write to or email us as soon as possible, at the above address. We will promptly correct any information found to be incorrect.
• You have the right to request erasure and restriction of processing of your personal data held by the NIHR. If you would like to request either of these, please contact us through the details provided above.
• You have the right to object to processing and processing for direct marketing. You also have the right to object to profiling taking place to support those activities.
• You have a right to data portability.
• Your rights are not absolute. If we are not able to meet your request, we will explain the reason.
• You have the right to lodge a complaint with the Information Commissioner’s Office, if you think there is a problem with the way we are handling your personal identifiable information.