Cookies on this website

We use cookies to ensure that we give you the best experience on our website. If you click 'Accept all cookies' we'll assume that you are happy to receive all cookies and you won't see this message again. If you click 'Reject all non-essential cookies' only necessary cookies providing core functionality such as security, network management, and accessibility will be enabled. Click 'Find out more' for information on how to change your cookie settings.

Accept all cookies Reject all non-essential cookies Find out more

HPS Legacy Study Privacy Notice

This Privacy Notice is being provided for the participants who took part in the HPS trial between July 1994 and October 2001 in UK NHS hospitals. It provides information about how data is collected about you as part of the trial, and how we handle and process it.

1. Who is responsible for your personal data?

The University of Oxford, as sponsor, is the Data Controller. This means that we, as University of Oxford researchers, are responsible for looking after your information and using it properly in accordance with the UK General Data Protection Regulation (UK GDPR).

2. Personal data we collect about you

The HPS study clinics stopped in 2001, after this we sent out postal questionnaires until 2007. We hold information that we collected directly from you at clinic visits and via questionnaires that you filled in. 

We are now investigating the longer-term effects of the HPS treatments (simvastatin, and also anti-oxidant vitamins). For the long-term follow-up research, we provide your details (name, date of birth, sex, NHS number or community health index (CHI) number in Scotland, address, and postcode) to UK NHS Data Custodians (these are organisations who are permitted to securely share NHS data with rigorous safeguards and agreements in place). NHS Data Custodians link your identifiers to electronic health records that they may hold about you and then return that information to Oxford.

The following is a list of the types of personal information we may hold about you (including both data collected during the main trial, and through ongoing data linkage to electronic health records). This information contains special category data concerning your health:
• Your name, address, NHS number/CHI number, date of birth and sex
• Some results from tests done on the blood and urine samples you provided during the study
• Other information related to health such as height, weight, BMI and blood pressure (you provided this during the study)
• Your medical conditions including whether you have had a heart attack or a stroke
• Dates and causes of death
• Information about hospital admissions
• Information about cancers
• Information about mental health

Information is requested from NHS Data Custodians which can include:
NHS England who provide: Civil registrations of death, Demographics, Cancer Registration data, Hospital Episode Statistics (HES), and Mental Health datasets for participants in England and Wales.
Public Health Scotland (PHS) who provide data about: Hospitalisations, Cancers, and Mental Health data for Scottish participants.
National Records of Scotland (NRS) who provide data about Deaths of Scottish participants.
Digital Health and Care Wales (DHCW) who provide Hospitalisation data for participants in Wales.

3. Why we collect and process your data

The main purpose of the HPS long-term follow-up research is to assess the long-term benefits and safety of statins (and also anti-oxidant vitamins). Statins are one of the most widely prescribed drugs worldwide, and very long-term follow-up of a large randomised trial like HPS provides reliable evidence about the protection such drugs provide against heart attacks and strokes, and also allows detection of any delayed hazards associated with lowering cholesterol which may take many years to emerge. We will use the linkage described above in combination with data collected during the intrial period to compare rates of important health outcomes, including all major vascular diseases and dementia, experienced by participants. By processing this data, we will be able to code medical events experienced by study participants accurately, ensuring that high quality information is available for analysis.

We have several similar studies (HPS, THRIVE, SEARCH, and REVEAL) with common aims. Due to the similarities between the studies and the participant cohorts, where any one study does not have enough data to be able to give a clear answer for a specific research question, we will perform meta-analyses. This means that we will combine data from all the studies and then analyse it to answer a common research question. All research will be in-line with the original study protocols and will include methodology work.

We will only process your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another related reason that is compatible with the original purpose. We do not use your personal data for any form of automated decision-making or public profiling, and we will not use your data for any unrelated purposes.

Participants provided consent to take part in the main HPS trial. For the long-term follow-up, the Confidential Advisory Group (CAG) approved the HPS legacy study (i.e. to link, transfer, process and analyse the data) without further consent from participants.

This support is given under Section 251 of the National Health Service Act 2006 and its current regulations, the Health Service (Control of Patient Information Regulations 2002) (CAG reference number: 20/CAG/0113). The long-term follow-up legacy study has been reviewed and approved by the South Central Oxford B Research Ethics Committee, reference number 19/SC/0262.

4. How we use your personal data

As a publicly funded organisation, we have to ensure that it is in the public interest when we use personally identifiable information from people who have agreed to take part in research.

The lawful basis for the processing and storage of personal data for HPS is that it is ‘a task in the public interest’ (article 6(1)(e) UK General Data Protection Regulation (UK GDPR)), and that special category personal data is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes (article 9(2)(j), based on Article 89(1) UK GDPR).

This means that we will use your data (including your health data) in the ways needed to conduct the research study and analyse the research data. Health and care research should serve the public interest, which means that we have to demonstrate that our research serves the interests of society as a whole. To ensure we carry out the research to the highest standards we comply with the Clinical Trials Regulation 536/2014 and the UK Policy Framework for Health and Social Care Research.

5. How long we keep your data

The Sponsor will retain your personal data for 25 years after the end of the study (when the last piece of health data is collected about study participants, which will be many years after everyone stopped the study medication), in line with Good Clinical Practice (GCP) and relevant legislation. Because the study is continuing after the initial treatment phase to assess the long-term effects of the treatment, your direct identifiers will be stored until 2035 and your other personal data may be stored for a longer period. At the end of the retention period, your personal data will either be deleted or rendered anonymous (non-identifiable).

We may need to retain your personal data for longer if it is necessary to fulfil our purposes, including any relating to legal, accounting, or reporting requirements. We may also retain personal data for further research for which a legal basis exists, but this will always be done in accordance with data protection laws.

General information about how long different types of information are retained by the University can be found in the University of Oxford Policy on the Management of Data Supporting Research Outputs.

6. How we protect your data

We protect your personal data against unauthorised access, unlawful use, accidental loss, corruption, and destruction. We use technical measures such as encryption and password protection to protect your data and the systems in which they are held.

We also use operational measures to protect the data, for example by limiting the number of people who have access to the databases in which your data is held. And whenever possible, your personal identifiers (name, date of birth, sex, NHS number or CHI number in Scotland, address, and postcode) will be removed and replaced by a unique trial ID number. Your data is treated in the strictest confidence and is used solely for academic research purposes. No individuals will be identified in any publications arising from this work.

We keep these security measures under review and refer to University security policies to keep up to date with current best practice.

7. Sharing your data

Any personal data that identifies you are collected and managed by the HPS research team at the Nuffield Department of Population Health (NDPH), University of Oxford and will not be shared with anyone else, except to obtain health information about you from the health registries as described.

Anonymised data (from which you cannot be identified) may be shared with other research groups who are doing similar research. This information will not identify you and will not be combined with other information in a way that could identify you. The information will only be used for the purpose of health and care research, and cannot be used to contact you or to affect your care. It will not be used to make decisions about future services available to you, such as insurance.

8. Transfer of your data outside the European Economic Area (EAA)

Your data is securely stored on our secure servers and/or at our premises within the UK. Your data will not be transferred outside of the EEA.

As part of our ongoing research, however, we may send samples – collected from you during the main trial – to laboratories outside the UK for analysis. Such analyses will be governed by a collaborative contract between the laboratory and the University of Oxford. Any such samples will be sent with a pseudonymised identifier and any analyses or results will be transferred using secure methods.

9. Your rights

Under the UK General Data Protection Regulation (UK GDPR), you have the following rights in relation to the information that we hold about you (your ‘personal data’):

  • The right to request access to your data (commonly known as a "subject access request"). This enables you to receive a copy of your data and to check that we are lawfully processing it.
  • The right to request correction of your data. This enables you to ask us to correct any incomplete or inaccurate information we hold about you.
  • The right to request erasure of your data. This enables you to ask us to delete or remove your data in certain circumstances, for example, if you consider that there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your data where you have exercised your right to object to processing (see below).
  • The right to object to the processing of your data. This enables you to oppose our using your data where we are processing it to meet our public tasks or legitimate interests (or the legitimate interests of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your data for direct marketing purposes.
  • The right to request that the processing of your data is restricted. This enables you to ask us to suspend the processing of your data, for example, if you want us to establish its accuracy or the reason for processing it.
  • The right to access, change or move your data. Depending on the circumstances, we may have grounds for not complying with your request, for example, where we consider that deleting your information would seriously harm the research or where we need to process your data for the performance of a task in the public interest.

If you wish to exercise any of these rights, please contact us at hpsinfo@ndph.ox.ac.uk.

If you withdraw from the study, we will keep the information about you that we have already obtained. To safeguard your rights, we will use the minimum personally-identifiable information possible. For further information, see the University of Oxford individual rights webpage.

10. Changes to this privacy notice

We reserve the right to update this privacy notice at any time.

11. Complaints

If you wish to raise a complaint about how we have handled your personal data, you can contact the University of Oxford Data Protection Officer (data.protection@admin.ox.ac.uk), who will investigate the matter. If you are not satisfied with our response or believe we are processing your personal data in a way that is not lawful you can complain to the Information Commissioner’s Office (ICO) by visiting their website at https://ico.org.uk/make-a-complaint/ or by calling their helpline on 0303 123 1113.

12. HPS Study Contact

If you wish to raise any queries or concerns about this privacy notice, please contact us:

Telephone: 0800 585 323

E-mail us at hpsinfo@ndph.ox.ac.uk

Address: HPS, CTSU, Nuffield Department of Population Health, Oxford Population Health, Richard Doll Building, Old Road Campus, Oxford OX3 7LF, UK

HPS - Legacy Study Privacy Notice v2.1 2025-06-17 [PDF]