Our Data Protection and Privacy Notice

This privacy notice is also found on the Cancer Screening and Prevention Group (CSPRG) website www.csprg.org.uk/patient-data/ and www.csprg.org.uk/fit_for_follow-up/. As well as the FIT for Follow-Up study, the CSPRG run several other research studies. This privacy notice was written to cover all of the studies performed by the CSPRG. For consistency, this notice has only had minor edits for publication on this website, and retains references to data processing done as part of other CSPRG studies. Detailed privacy information specific to the FIT for Follow-Up study can be found at the end of this notice under the ‘Privacy and data protection information relating specifically to the FIT for Follow-Up study’ section (below) and (identically) at www.csprg.org.uk/fit_for_follow-up/.

Privacy notice

This privacy notice explains your rights to your personal information, what you can expect us (the Cancer Screening and Prevention Research Group) to do with your personal data and our lawful basis for doing so. This notice also explains who you should contact if you have any queries or complaints about how we are processing your personal data.

Under the 2018 General Data Protection Regulation (GDPR) and accompanying Data Protection Act (2018) ‘personal data’ is any data that can be linked to an identifiable individual (for a full definition see: Information Commissioner’s Office (ICO) website: What is Personal Data?). Some types of personal data, such as health data, are additionally classified as ‘special category personal data’. The law considers special category personal data to be more sensitive and gives it more legal protection (for more information see: ICO website: Special Category Data). As the Cancer Screening and Prevention Research Group processes (processing is the term used to refer to collecting, analysing and storing data) health data, much of the personal data we hold is considered to be special category personal data.

Who is responsible for the lawful processing of your personal data?

The GDPR and Data Protection Act define roles and responsibilities for those involved in processing personal data.

The Cancer Screening and Prevention Research Group (hereafter; CSPRG) are a research group at Imperial College London. The CSPRG can be contacted via the ‘Contact Us’ page on this website.  The data controller determines the purpose for which and the manner in which personal data is to be processed (see ICO website: Controllers and Processors). For the personal data held by the CSPRG, the data controller is Imperial College London. The data controller’s representative for our data is the Director of Information Governance for Academic Health Sciences. All queries relating to the handling of personal data should be directed to the Imperial College London Data Protection Officer via email at dpo@imperial.ac.uk.  Contact details can also be found at the end of this privacy notice.

Why are we processing personal data?

The research focus of the CSPRG is bowel cancer, also known as colorectal cancer. In the UK, every year over 41,000 people are diagnosed with bowel cancer and 16,000 people die from this disease. Through our research we hope to reduce the number of people being diagnosed with bowel cancer and dying from this disease. Much of our work focuses on how to help make bowel cancer screening and surveillance programmes more effective and acceptable for patients, and more efficient for the NHS, and other health services internationally. To understand the effectiveness of bowel cancer screening and surveillance programmes, we conduct large scale studies on procedures conducted and the benefits to patients.  Identifiable patient data are usually necessary to track long-term health outcomes for participants enrolled in our studies. The CSPRG therefore needs to collect and hold personal data – often special category personal data. Our more specific purposes for processing data for each of our studies are detailed on the ‘Studies’ pages of our website.

What personal data do we have?

The personal data we hold is special category personal data relating to individual health. For example, for several of our studies we analyse procedure and treatment information, information about cancers occurring, whether they progress and the patients’ long-term health outcomes. In addition, we also often require some basic information about patients such as age and gender to inform our analysis. The full details of the personal data processed for each of our studies can be found on the ‘Studies’ pages of our website.

To fulfil our research aims we obtain personal data from a variety of sources. Much of our data is either obtained directly from NHS Trusts, or via third parties such as NHS Digital, the Office for National Statistics, the Bowel Cancer Screening Programme, National Cancer Registries (including the Welsh Cancer Intelligence and Surveillance Unit) and Information Services Division Scotland, part of NHS National Services Scotland.  More detailed explanations of our sources of data can be found on the ‘Patient Data’ page and ‘Studies’ pages of our website.

Where data has been obtained from third party data providers under section 251 approval, national data opt-outs have been applied by the provider since 2016.

How do we process personal data?

All personal data we hold are processed in secure systems. For each active study we have completed a Data Protection Impact Assessment that has been approved by the Head of the CSPRG (as the Information Asset Owner) and the Imperial College London Data Protection Officer. No processing performed by the CSPRG involves automated decision-making or profiling. Unless stated otherwise on the ‘Studies’ pages of our website, all personal data are processed by the CSPRG and certain third parties (see ‘Third-party processing’ below). None of our studies process or transfer individual-level personal data outside the UK.

The Imperial College Data retention schedule mandates that data is retained for ten years after the end of a study (see the College Retention Schedule here). The expected end of these ten-year retention periods for each of our studies are listed under the ‘Studies’ pages of our website under the ‘How long will we retain the data?’ sections.

Third-party processing

For the purposes referred to in this privacy notice and relying on the bases for processing as set out above, we may share your personal data with certain third parties:

  • Other College employees, agents, contractors and service providers (for example, suppliers of printing and mailing services, email communication services or web services, or suppliers who help us carry out any of the activities described above). Our third-party service providers are required to enter into data processing agreements with us. We only permit them to process your personal data for specified purposes and in accordance with our policies.

 

What is our lawful basis for processing personal data?

Processing personal data requires justification under two legal frameworks: the GDPR/Data Protection Act 2018 and under the common law duty of confidentiality.

Article 6 of the GDPR lays out six valid bases under which personal data can be processed lawfully. We process personal data under lawful basis 6(e) ‘Public task’ as: processing is necessary for the performance of a task carried out in the public interest. We are also required to have a separate lawful basis for processing the more sensitive special category personal data. Our legal basis for processing special category personal data is Article 9(j) ‘processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes […]

In addition, health data (such as that the CSPRG hold) require a separate lawful basis under the common law duty of confidentiality. In some of our studies, patients consented to be part of the study and for the CSPRG to process their data. In other studies, consent could not be sought due to practical considerations or the nature of the study. In these studies, we have obtained lawful permission to obtain and process personal data under section 251 of the National Health Act 2006. The common law legal bases for data processing in each study are explained in the ‘Studies’ pages of our website under the ‘What approvals has the study received?’ sections.

What are your rights concerning your personal data?

The GDPR grants individuals several rights concerning their personal data:

  • The right to object (to processing of the data)
  • The right to correct (inaccurate or incomplete data)
  • The right to erasure (also known as “the right to be forgotten”)
  • The right to restrict processing (e.g. while the accuracy of the data is contested)
  • The right to portability (to have a copy of any data you have provided to us)
  • The right to access (to have a copy of data we hold about you)
  • The right to withdraw consent (if you have previously consented to take part)

If you think that we might be processing your data and you wish to exercise any of the rights listed above, please get in touch using the details on the Contact Us page or by contacting the Imperial College London Data Protection Officer via email at dpo@imperial.ac.uk.  Though it may not always be possible for us to fulfil your request, we will respond to your query within one month.  For more information on your GDPR rights, please see guidance provided by the Information Commissioner’s Office.

Where can you direct queries or complaints?

Please be aware that individuals also have a right to complain to a supervisory authority- in this case the Information Commissioner’s Office (ICO) – if they feel their data is being used unlawfully. The ICO does recommend that you seek to resolve matters with the data controller – for our data that is Imperial College London – before contacting the Commissioner’s Office. If you wish to raise a complaint on how we have handled your personal data or if you want to find out more about how we use your data, please contact Imperial College London’s Data Protection Officer via email at dpo@imperial.ac.uk, via telephone on 020 7594 3502 or via post at Data Protection Officer, Faculty Building Level 4, Imperial College London, London SW7 2AZ. If you are not satisfied with our response or believe we are processing your personal data in a way that is not lawful you can raise your complaint with the Information Commissioner’s Office.

Privacy and data protection information relating specifically to the FIT for Follow-Up study

The CSPRG at Imperial College London processed special category personal data for the FIT for Follow-Up study. We used this information to investigate whether a Faecal Immunochemical Test (FIT), once a year, for people with one large or 3–4 small polyps found at colonoscopy (the ‘intermediate risk group’) is an effective and safe alternative to 3-yearly follow-up colonoscopy. The study also investigated how acceptable the FIT is to this intermediate-risk group as an alternative to follow-up colonoscopy, and whether it is a more effective use of health service resources. To fulfil these aims the CSPRG processed special category personal data to track the long-term health outcomes of our study participants. The special category personal data used in this study is crucial to the success of this project, and the public good generally.

Imperial College London (the data controller for data processed by the CSPRG, see above) are the recipient of data for the FIT for Follow-Up study. The special category personal data for the FIT for Follow-Up study was transferred to the CSPRG from four sources.

  1. NHS Digital

NHS Digital collect and process data from across the health and social care system in England. NHS Digital provided data about the timings and outcome of colonoscopies and other surveillance to the CSPRG. NHS Digital obtained this colonoscopy data from the Bowel Cancer Screening Programme (BCSP).

  1. Bowel Cancer Screening Programme

The BCSP provided some data directly to the CSPRG. The data provided directly by the BCSP included: patient information (such as names and sex), the results of FIT tests and data about the incidence and progression of cancer. The cancer incidence and progression data were provided to the BCSP by National Cancer Registration and Analysis Service, which is part of Public Health England.

  1. Patients

Participating patients also provided some information directly to the CSPRG by returning questionnaires.

Pseudonymised questionnaire data was transferred out of the CSPRG to collaborators in the Department of Behavioural Science and Health at University College London (UCL). Pseudonymised data (see also GDPR Article 4.3) are personal data that can no longer be attributed to a specific individual without additional information. In our case, questionnaire data was transferred with easily-identifiable data (such as names and NHS numbers) removed. The data cannot be linked to specific individuals by our collaborators at UCL.

  1. University of Southampton

In conjunction with the University of Southampton, the CSPRG developed a Patient Management System to securely store and organise patient data for the FIT for Follow-Up study. The Patient Management System was used to store patient information, organise the timely distribution of FIT kits and store the results of the FITs. The Patient Management System was accessible only to specific researchers in the CSPRG. The University of Southampton have now deleted the data from their system, specifically all data stored in the FIT for Follow-Up Patient Management System (hosted at https://fit.edge.nhs.uk/) or otherwise held by the Clinical Informatics Research Unit at the University of Southampton was deleted and they no longer hold data for the FIT for Follow-Up study. They have completed, signed and returned a CSPRG data destruction notice, confirming the date and method of destruction.

No other data was transferred out of the CSPRG.