About the NIHR

The National Institute for Health and Care Research (“NIHR”) is strongly committed to protecting personal data (referred to in this document as “data”, “information”, ”personal information”). This privacy statement describes why and how we collect and use personal data and also provides information about individuals’ rights. This statement applies to personal data provided to us, both by members of the public themselves or by others when using our websites, systems or services. Any data that may identify a living individual is considered personal data. When we say "you" or "your” in this statement we mean the specific person who is the subject of the personal data.

The NIHR is funded through the Department of Health and Social Care (“DHSC”) to improve the health and wealth of the nation through research. It is a large, multi-faceted and nationally distributed virtual organisation. The NIHR consists of a number of organisations that are contracted to the DHSC to provide NIHR services by advising on, recommending, organising and administering the commissioning of research programmes, infrastructure, training and patient and public involvement.

Data Controller

The Data Controller for personal data collected by the NIHR is DHSC under the UK GDPR which is the General Data Protection Regulation (GDPR) EC 2016/679 as defined in the Data Protection Act 2018 (DPA 2018) (“UK GDPR”).

Data controller details are as follows:

Department of Health and Social Care
39 Victoria Street
Westminster
London
SW1H 0EU

Data Protection Officer: Lee Cramp (data_protection@dhsc.gov.uk)

The information we collect

The type of personal information we collect will vary according to the interactions you are having with the NIHR. Different interactions and information collected are outlined below:

• For formal interactions with NIHR – such as applications for funding - we will increasingly ask researchers for an ORCiD identifier as a consistent and universal identifier of a researcher across NIHR, and beyond. This will help us (and other research bodies) to recognise you as the same individual and will provide opportunities to remove duplication of your effort in recording information more than once.
• Name, email address and organisational unit – these are collected to allow you to login and access NIHR services.
• Some services may optionally ask for additional data such as date of birth in order to fully participate (e.g. the Google+ service in NIHR Hub). You have full choice over your participation - and control over the disclosure of this information through the application.
• You may also provide additional information including contact details and job title; associations with organisations and institutions and your association with various NIHR activities e.g. applications, grants, awards, studies, training activities projects and programmes, PPIE activities, patient research ambassador activities. Whilst this is not mandatory it will help you achieve more from the corporate systems and services.
• We may also collect additional special category data relating to equality and diversity (such as ethnicity). Where we do this we will store the information separately and encrypted to maintain anonymity.

Patient and Public Engagement

As part of our Patient and Public Engagement (PPIE) work which involves reviewers, PPIE representatives, Research Ambassadors etc-, we may collect personal data such as name, job title, work institution, contact details and bank details.

Cookies

NIHR websites use cookies to monitor use of its websites, web pages and to tailor the website operation to your needs and preferences. More information is available on the specific use of cookies in the NIHR cookies policy and on other NIHR websites with specific purposes. Your IP address is collected and used to analyse trends, to administer the websites, track users' movements through the websites, and gather statistical information. IP addresses are not linked to other personally identifiable information.

Depending on your interactions with the NIHR and its associated organisations, other personal data may be collected for a variety of purposes, each of which may have a different method of collection, legal basis for processing, use, disclosure, and retention period. If this is the case, this will be specified in a separate privacy statement at the point of that collection.

We may use personal data provided to us for any of the purposes described in this privacy statement and as described in relevant system/service specific or other just in time data collection notices.

How and why we use your personal information

The NIHR may use your information for a variety of purposes:

• NIHR internal administration of NIHR websites, systems and services and users’ access rights and privileges in order to effectively manage those systems and services and to provide appropriate privacy and confidentiality protection.
• Administration and management of NIHR including collecting, collating, analysing and interpreting information and insights for the effective and efficient management of NIHR, which may include sharing information - including personal identifiers - with the DHSC, other NIHR organisations and contracted third party suppliers and agents.
• Publication of personal information about lead investigators and personal award holders in receipt of NIHR Funding as part of transparency of public funding expenditure.
• Targeted communications with selected groups of individuals for authorised NIHR business purposes e.g. researchers (applicants), reviewers, panel members and others involved in the research management process.
• Marketing communications to highlight the activities of the NIHR and opportunities for engagement. We will seek your explicit consent to contact you for marketing purposes.
• Communication of your information to third parties who are authorised and contracted to provide NIHR services. Any such third parties will handle your information in compliance with this privacy notice.
• Equality and diversity data, including Special Category Data, is collected for equality monitoring purposes. Equality and diversity data will only be used in an anonymised form to monitor our compliance with equality and diversity objectives, and to allow us to identify, and plan initiatives to address, areas where there may be underrepresentation or inequality in our systems, processes or procedures. Equality and diversity may be used across NIHR in an anonymised form for the above monitoring purposes.

Links to external websites

Our services may contain links to other websites of interest outside the NIHR. This privacy notice only applies to NIHR websites, systems and services, and when moving away from our services the relevant privacy notices on those external websites, systems and services apply.

The Lawful Basis for Processing

Under the UK GDPR, the following lawful bases are used for the processing of your personal data:

• For personal data collected for the administration and commissioning of NIHR research programmes, faculty and infrastructure, including the exercise of any appropriate legislation that applies to the delivery of a public task, the lawful basis for processing is Article 6.1 (e) of the GDPR- “processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller”.
• For Joint Dementia Research and Be Part of Research, the appropriate lawful bases for processing are Article 6.1 (e) (see above) and Article 9.2 (j) - “research purposes” of the GDPR. Reference should be made to the separate privacy notices governing these systems.
• For the processing of special category data, which is sensitive data, we will rely on the substantial public interest condition in Article 9.2 (g) and paragraphs 6 and 8 of Schedule 1, Part 2 of the DPA 2018.
• For processing data where the activity or purpose does not fall under public task, we shall use legitimate interest, as per Article 6.1 (f) where appropriate, supported by a legitimate interest assessment.
• For further processing for a purpose other than that for which the personal data have been collected, we will seek your consent and rely on the lawful basis of GDPR Article 6.1 (a) Consent, and otherwise adhere to the provisions in Article 6.4 that sets out the tests whether further processing is allowed.
• For direct marketing purposes we will seek your explicit consent to participate and will rely on the lawful basis of GDPR Article 6.1 (a) Consent.
• Where NIHR systems or services have the potential to transfer data outside of the United Kingdom, NIHR ensures that any such transfers are covered by relevant supplementary controls in line with advice from the Information Commissioner’s Office, will rely on the lawful basis of GDPR Article 6.1 (a) Consent.

Terms and Conditions of Use/Other user agreements

Some NIHR services/systems may have their own specific terms and conditions/user agreements relating to how the information within those services/systems may be used. If this is the case, as a user, you will be expected to sign up to and accept those terms and conditions of use/user agreement. Adherence to those terms and conditions/user agreement will be a condition of continued use of such a website, system or service, but casual use of websites may not require a formal agreement.

How we protect your personal data

Accuracy

NIHR is committed to maintaining accurate records. Your information may be held in a number of locations across NIHR due to the dispersed nature of the NIHR. The most efficient way of verifying or amending your personal information may be to contact the administrator managing the service. Each website, system or service will provide a mechanism for doing this. Alternatively, you may contact us by writing to us at: NIHR Service Desk, Back Lane, Melbourn, Royston, SG8 6DP, or contact us by email at: gdpr_requests@nihr.ac.uk

Security

We are committed to ensuring that your information is secure. We use leading technologies and encryption software to safeguard your data, and maintain strict security standards to prevent any unauthorised access to it. We make every effort to reduce the risks associated with data in transit over the internet by using appropriate technology, including (but not limited to) SSL for any of our websites or applications which collect data from you. However, we cannot guarantee the security of your data in the parts of its journey which are not under our direct control.

Confidentiality

In terms of confidentiality, please refer to the NIHR Confidentiality Policy, that is in keeping with the DHSC Personal Information Charter. Information collected in funding applications, including personal identifiers, will be shared with DHSC and NIHR for the purposes described above. We will not sell your personal information. We will not disclose your personal information to third parties outside of the NIHR, except for the purposes described in this privacy notice, unless we have your consent, or are required by law to do so.

Storage of your personal information

We will keep your data for varying amounts of time depending on the nature of the interaction with our services:

• We only store data that is necessary for a specific purpose.
• We will not store your data for longer than is necessary for the purpose for which it was collected, unless we are legally obligated to do so by contract or other legal requirement as a public body.
• Your data will be securely deleted when no longer needed for the purpose(s) for which it was collected and/or the DHSC are no longer obligated to keep it.

You should note any differences that may apply via separate system/service privacy notices or just in time notices at the point of collection.

Your rights over your personal data

As a data subject, you may have the following rights under the Data Protection Laws:

• the right of access to personal data relating to you
• the right to correct any mistakes in your information
• the right to ask us to stop contacting you with direct marketing
• rights in relation to automated decision making
• the right to restrict or prevent your personal data being processed
• the right to withdraw consent

These individual rights are explained on the Information Commissioner's Office website. If you wish to exercise any of your data subject rights, the NIHR would prefer to receive this in writing as this provides an audit trail and relevant contact details, so please contact the NIHR Service Desk in the first instance - either:

• Write to The NIHR Service Desk, Back Lane, Melbourn, Royston, SG8 6DP
• or Email: gdpr_requests@nihr.ac.uk

We will respond in a timely manner to any rights that you wish to exercise, and for Subject Access Requests (SARs) this has to be within a month of receiving your request unless the request is particularly complex.

The NIHR is subject to the Freedom of Information (FOI) arrangements of the DHSC. You can find further information about making an FOI request on the DHSC website information about making an FOI request on the DHSC website.

Your rights are not absolute. If we are not able to meet your request, we will explain the reason.

Contacting the Regulator

If after reading this privacy notice, you do not think the NIHR has processed your data in accordance with this notice, you should let us know as soon as possible. Similarly you have the right to lodge a complaint with the Information Commissioner’s Office if you think there is a problem with the way we are handling your personal identifiable information.