About the NIHR

The National Institute for Health and Care Research (“NIHR”) is strongly committed to protecting personal data (referred to in this document as “data”, “information”, ”personal information”). This privacy statement describes why and how we collect and use personal data and also provides information about individuals’ rights. This statement applies to personal data provided to us, both by members of the public themselves or by others when using our websites, systems or services. Any data that may identify a living individual is considered personal data. When we say "you" or "your” in this statement we mean the specific person who is the subject of the personal data.

The NIHR is funded through the Department of Health and Social Care (“DHSC”) to improve the health and wealth of the nation through research. It is a large, multi-faceted and nationally distributed virtual organisation. The NIHR consists of a number of organisations that are contracted to the DHSC to provide NIHR services by advising on, recommending, organising and administering the commissioning of research programmes, infrastructure, training and patient and public involvement.

Data Controller

The Data Controller for personal data collected by the NIHR is DHSC under the UK GDPR which is the General Data Protection Regulation (GDPR) EC 2016/679 as defined in the Data Protection Act 2018 (DPA 2018) (“UK GDPR”).

Data controller details are as follows:

Department of Health and Social Care
39 Victoria Street

Data Protection Officer: Lee Cramp (data_protection@dhsc.gov.uk)

The information we collect

The type of personal information we collect will vary according to the interactions you are having with the NIHR. Different interactions and information collected are outlined below:

Patient and Public Engagement

As part of our Patient and Public Engagement (PPIE) work which involves reviewers, PPIE representatives, Research Ambassadors etc-, we may collect personal data such as name, job title, work institution, contact details and bank details.


NIHR websites use cookies to monitor use of its websites, web pages and to tailor the website operation to your needs and preferences. More information is available on the specific use of cookies in the NIHR cookies policy and on other NIHR websites with specific purposes. Your IP address is collected and used to analyse trends, to administer the websites, track users' movements through the websites, and gather statistical information. IP addresses are not linked to other personally identifiable information.

Depending on your interactions with the NIHR and its associated organisations, other personal data may be collected for a variety of purposes, each of which may have a different method of collection, legal basis for processing, use, disclosure, and retention period. If this is the case, this will be specified in a separate privacy statement at the point of that collection.

We may use personal data provided to us for any of the purposes described in this privacy statement and as described in relevant system/service specific or other just in time data collection notices.

How and why we use your personal information

The NIHR may use your information for a variety of purposes:

Links to external websites

Our services may contain links to other websites of interest outside the NIHR. This privacy notice only applies to NIHR websites, systems and services, and when moving away from our services the relevant privacy notices on those external websites, systems and services apply.

The Lawful Basis for Processing

Under the UK GDPR, the following lawful bases are used for the processing of your personal data:

Terms and Conditions of Use/Other user agreements

Some NIHR services/systems may have their own specific terms and conditions/user agreements relating to how the information within those services/systems may be used. If this is the case, as a user, you will be expected to sign up to and accept those terms and conditions of use/user agreement. Adherence to those terms and conditions/user agreement will be a condition of continued use of such a website, system or service, but casual use of websites may not require a formal agreement.

How we protect your personal data


NIHR is committed to maintaining accurate records. Your information may be held in a number of locations across NIHR due to the dispersed nature of the NIHR. The most efficient way of verifying or amending your personal information may be to contact the administrator managing the service. Each website, system or service will provide a mechanism for doing this. Alternatively, you may contact us by writing to us at: NIHR Service Desk, Back Lane, Melbourn, Royston, SG8 6DP, or contact us by email at: gdpr_requests@nihr.ac.uk


We are committed to ensuring that your information is secure. We use leading technologies and encryption software to safeguard your data, and maintain strict security standards to prevent any unauthorised access to it. We make every effort to reduce the risks associated with data in transit over the internet by using appropriate technology, including (but not limited to) SSL for any of our websites or applications which collect data from you. However, we cannot guarantee the security of your data in the parts of its journey which are not under our direct control.


In terms of confidentiality, please refer to the NIHR Confidentiality Policy, that is in keeping with the DHSC Personal Information Charter. Information collected in funding applications, including personal identifiers, will be shared with DHSC and NIHR for the purposes described above. We will not sell your personal information. We will not disclose your personal information to third parties outside of the NIHR, except for the purposes described in this privacy notice, unless we have your consent, or are required by law to do so.

Storage of your personal information

We will keep your data for varying amounts of time depending on the nature of the interaction with our services:

You should note any differences that may apply via separate system/service privacy notices or just in time notices at the point of collection.

Your rights over your personal data

As a data subject, you may have the following rights under the Data Protection Laws:

These individual rights are explained on the Information Commissioner's Office website. If you wish to exercise any of your data subject rights, the NIHR would prefer to receive this in writing as this provides an audit trail and relevant contact details, so please contact the NIHR Service Desk in the first instance - either:

We will respond in a timely manner to any rights that you wish to exercise, and for Subject Access Requests (SARs) this has to be within a month of receiving your request unless the request is particularly complex.

The NIHR is subject to the Freedom of Information (FOI) arrangements of the DHSC. You can find further information about making an FOI request on the DHSC website information about making an FOI request on the DHSC website.

Your rights are not absolute. If we are not able to meet your request, we will explain the reason.

Contacting the Regulator

If after reading this privacy notice, you do not think the NIHR has processed your data in accordance with this notice, you should let us know as soon as possible. Similarly you have the right to lodge a complaint with the Information Commissioner’s Office if you think there is a problem with the way we are handling your personal identifiable information.