1. What is the purpose of this document?
The University of Oxford is committed to protecting the privacy and security of your personal information (‘personal data’).
This privacy policy describes how we collect and use your personal data during your participation in the Age Extension Trial (AgeX) in accordance with the General Data Protection Regulation (GDPR).
It is important that you read this policy, together with any other privacy policy we may provide on specific occasions when we are collecting or processing information about you, so that you are aware of how and why we are using your information. We may update this policy at any time.
2. Glossary
Where we refer in this policy to your ‘personal data’, we mean any recorded information that is about you and from which you can be identified. It does not include data where your identity has been removed (anonymous data).
Where we refer to the ‘processing’ of your personal data, we mean anything that we do with that information, including collection, use, storage, disclosure or retention.
3. Who is using your personal data?
The University of Oxford (the University’s legal title is the Chancellor, Masters and Scholars of the University of Oxford) is the “data controller” for the information that we obtain from you or others as part of the Age Extension Trial. This means that we decide how to use it and are responsible for looking after it in accordance with the GDPR.
The Cancer Epidemiology Unit (CEU) acts as the ‘data processor’. Access to your data will be provided to designated members of our staff who need to view it as part of their work in carrying out the purposes set out in section 5. We also share it with the third parties described in section 6.
4. The types of data we hold about you and how we obtained it
The information we collect when you are randomised into the trial includes personal details about you including your name, NHS number and date of birth provided via the Breast Screening Service and Public Health England (PHE).
We also collect additional information from third parties including from the National Health Service (NHS Digital in England and the Information Services Division in Scotland and Public Health England). This information includes special category sensitive data concerning your health, such as information on cancer registrations and cancer screening and hospital admissions.
5. How the University uses your data
We combine all the above information to study the effect of breast screening in early diagnosis of breast cancer in women who are screened between the ages of 47-49 and 71-73, who are outside the limits of the breast screening ages for the national breast screening program. We use linked cancer registration data to compare the number of women who develop breast cancer with women of a similar age who have not received a breast screen.
We collect and process your data (including your special category sensitive data) in this way for the purpose of performing scientific (medical) research being carried out in the public interest. This is known under data protection law as our “legal basis” for processing personal data. We will only process your personal data for the purposes for which we collected it. This also includes using personal details such as name, NHS number and date of birth to link with the data providers described in section 4.
Please note that we may process your data without your knowledge or consent, in compliance with the above rules. The law that permits us to perform this is Section 251 of the NHS Act.
6. Who has access to your data?
Access to your data within the University will be provided to those who need to view it as part of their work in carrying out the purposes described above. The people who analyse the information will not be able to identify you and will not be able to find out your name, address, NHS number or your contact details. Personal identifiable data which is collected and managed by the CEU will not be shared with anyone else unless this is required as part of the conduct of the research. In addition, in order to perform our research and other legal responsibilities or purposes, we will, from time to time, need to share your information with the following:
- with collaborating research organisations working with us
- with external organisations providing services to us, including those who provide us with data; and
- with external regulatory bodies.
Where information is shared with third parties, we will seek to share the minimum amount necessary, including pseudonymising your data where possible. This means we remove your identity and replace it with a code before sharing the information. Only we have access to the ‘key’ linking the code to your identity.
All our third-party service providers that process data on our behalf are required to take appropriate security measures to protect your data in line with our policies. We do not allow them to use your data for their own purposes. We permit them to process your data only for specified purposes and in accordance with our instructions.
7. Transfer of your data outside of the European Economic Area (EEA)
Your data is stored on our secure servers and/or in our premises within the UK. It will not be transferred to anyone outside the UK.
8. Retention Period
The AgeX Trial is a long term trial, still under active follow-up. We hope to continue follow-up until the mid-2020s and we will retain your data for as long as we need it to meet our purposes, including our medical research and any relating to legal, accounting, or reporting requirements.
9. Security
Your data will be held securely in accordance with the University’s policies and procedures. Further information is available on the University’s Information Security website:
https://www.infosec.ox.ac.uk/.
10. Your rights
Under certain circumstances, by law you have certain rights with respect to your data. A summary of these rights is available here:
http://www.admin.ox.ac.uk/councilsec/compliance/gdpr/individualrights/.
If you want to exercise any of the rights described or are dissatisfied with the way we have used your information, please contact the University’s Information Compliance Team at data.protection@admin.ox.ac.uk. The same address can be used to contact the University’s Data Protection Officer. If you remain dissatisfied, you have the right to lodge a complaint with the Information Commissioner’s Office at https://ico.org.uk/concerns/.
11. Changes to this privacy notice
We reserve the right to update this privacy notice at any time, and will seek to inform you of substantial updates. We may also notify you in other ways from time to time about the processing of your personal data.
12. Contact
If you wish to raise any queries or concerns about this privacy notice please contact us at agex@ndph.ox.ac.uk, or write to Professor Julietta Patnick AgeX Trial, Cancer Epidemiology Unit, Nuffield Department of Population Health, University of Oxford, Richard Doll Building, Roosevelt Drive, Oxford OX3 7LF, UK.