HPS2-THRIVE Legacy Study Privacy Notice
This Privacy Notice is being provided for the participants who took part in the HPS2-THRIVE trial between 2007 and 2012 in UK NHS hospitals. It provides information about how data is collected about you as part of the trial, and how we handle and process it.
1. Who responsible for your personal data?
The University of Oxford, as sponsor, is the Data Controller. This means that we, as University of Oxford researchers, are responsible for looking after your information and using it properly in accordance with the UK General Data Protection Regulation (UK GDPR).
2. Personal data we collect about you
The HPS2-THRIVE study clinics stopped in 2012. We hold information that we collected directly from you at clinic visits. This information includes name, address, date of birth, gender and special categories of more sensitive personal data including health-related data about medical history, hospital admissions, and factors such as height, weight, blood pressure. We hold information about blood samples that you may have provided us at clinic visits, which may include derived biochemical and genetic data.
We also received information from health registries and NHS bodies (e.g. NHS Digital and NHS Scotland) which hold national health and social care records. This information includes special category data concerning your health, such as information on death and cancer registrations.
For the long-term follow-up legacy study, we provide your details (name, date of birth, gender, NHS number – or community health index (CHI) number in Scotland – and postcode) to health registries in order to receive information about study participants in return. This includes the following data from NHS Digital: Civil registration – deaths, demographics, cancers, hospital episode statistics (HES), and mental health datasets. Similar information is requested from Public Health Scotland (PHS) and the National Records of Scotland (NRS) about Scottish participants, and from Digital Health and Care Wales (DHCW) for participants in Wales.
3. Why we collect and process your data
The main purpose of the HPS2-THRIVE long-term follow-up legacy study is to assess the effect of LDL-cholesterol lowering on dementia, major vascular diseases (such as heart attack and stroke) and death in people with previous vascular diseases. We will use the linkage described above in combination with data collected during the main trial to compare rates of important health outcomes, including all major vascular diseases and dementia, experienced by participants. The main purpose is to investigate whether long-term benefits or harms emerge during long-term follow-up. By processing health registry data, we will be able to code medical events experienced by study participants accurately, ensuring that high quality information is available for analysis.
We will only process your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another related reason that is compatible with the original purpose. We do not use your personal data for any form of automated decision-making or public profiling, and we will not use your data for any unrelated purposes.
Participants provided consent to take part in the main HPS2-THRIVE trial. For the long-term follow-up the Confidential Advisory Group (CAG) approved the HPS2-THRIVE Legacy study (ie to link, transfer, process and analyse the data) without further consent from participants. This support is given under Section 251 of the National Health Service Act 2006 and its current regulations, theHealth Service (Control of Patient Information Regulations 2002) (CAG reference number: 19CAG0166).
The long-term follow-up legacy study has been reviewed and approved by the West of Scotland REC 3 Research Ethics Committee, reference number 19/WS/0116.
4. How we use your personal data
As a publicly funded organisation, we have to ensure that it is in the public interest when we use personally identifiable information from people who have agreed to take part in research.
The lawful basis for the processing and storage of personal data for HPS2-THRIVE is that it is ‘a task in the public interest’ (article 6(1)(e) UK General Data Protection Regulation (UK GDPR)) and, that special category personal data is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes (article 9(2)(j), based on Article 89(1) UK GDPR).
This means that we will use your data (including your health data) in the ways needed to conduct the research study and analyse the research data. Health and care research should serve the public interest, which means that we have to demonstrate that our research serves the interests of society as a whole. To ensure we carry out the research to the highest standards we comply with the Clinical Trials Regulation 536/2014 and the UK Policy Framework for Health and Social Care Research.
5. How long we keep your data
The Sponsor will retain your personal data for at least 25 years after the end of the study (when the last piece of health data is collected about study participants, which will be many years after everyone stopped the study medication), in line with Good Clinical Practice (GCP) and relevant legislation. Because the study is continuing after the initial treatment phase to assess the long-term effects of the treatment, your direct identifiers will be stored until at least 2035 and your other personal data may be stored for a longer period. At the end of the retention period, your personal data will either be deleted or rendered anonymous (non-identifiable).
We may need to retain your personal data for longer if it is necessary to fulfil our purposes, including any relating to legal, accounting, or reporting requirements. We may also retain personal data for further research for which a legal basis exists, but this will always be done in accordance with data protection laws.
General information about how long different types of information are retained by the University can be found in the University of Oxford Policy on the Management of Data Supporting Research Outputs.
6. How we protect your data
We protect your personal data against unauthorised access, unlawful use, accidental loss, corruption, and destruction.
We use technical measures such as encryption and password protection to protect your data and the systems in which they are held, and the information that we receive is stored securely in a study database. Access to the study database is by unique combinations of usernames and passwords and only authorised study personnel can access information about participants. The University building is also secure with authorised swipe card access only.
We also use operational measures to protect the data, for example by limiting the number of people who have access to the databases in which your data is held. And whenever possible, your personal identifiers (name, date of birth, gender, NHS number – or CHI number in Scotland – and address) will be removed and replaced by a unique trial ID number. Your data is treated in the strictest confidence and is used solely for academic research purposes. No individuals will be identified in any publications arising from this work.
We keep these security measures under review and refer to University Security Policies to keep up to date with current best practice.
7. Sharing your data
Any personal data that identifies you are collected and managed by the HPS2-THRIVE research team at the Nuffield Department of Population Health (NDPH), University of Oxford and will not be shared with anyone else, except to obtain health information about you from the health registries as described.
At the end of the trial, anonymised data (from which you cannot be identified) may be shared with other research groups who are doing similar research. This information will not identify you and will not be combined with other information in a way that could identify you. The information will only be used for the purpose of health and care research, and cannot be used to contact you or to affect your care. It will not be used to make decisions about future services available to you, such as insurance.
8. Transfer of your data outside the European Economic Area (EAA)
Your data is securely stored on our secure servers and/or at our premises within the UK. Your data will not be transferred outside of the EEA.
As part of our ongoing research, however, we may send samples – collected from you during the main trial – to laboratories outside the UK for analysis. Such analyses will be governed by a collaborative contract between the laboratory and the University of Oxford. Any such samples will be sent with a pseudonymised identifier and any analyses or results will be transferred using secure methods.
9. Your rights
Under the UK General Data Protection Regulation (UK GDPR), you have the following rights in relation to the information that we hold about you (your ‘personal data’):
- The right to request access to your data (commonly known as a 'subject access request'). This enables you to receive a copy of your data and to check that we are lawfully processing it.
- The right to request correction of your data. This enables you to ask us to correct any incomplete or inaccurate information we hold about you.
- The right to request erasure of your data. This enables you to ask us to delete or remove your data in certain circumstances, for example, if you consider that there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your data where you have exercised your right to object to processing (see below).
- The right to object to the processing of your data. This enables you to oppose our using your data where we are processing it to meet our public tasks or legitimate interests (or the legitimate interests of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your data for direct marketing purposes.
- The right to request that the processing of your data is restricted. This enables you to ask us to suspend the processing of your data, for example, if you want us to establish its accuracy or the reason for processing it.
- The right to access, change or move your data. Depending on the circumstances, we may have grounds for not complying with your request, for example, where we consider that deleting your information would seriously harm the research or where we need to process your data for the performance of a task in the public interest.
If you wish to exercise any of these rights, please contact us at thrive@ndph.ox.ac.uk.
If you withdraw from the study, we will keep the information about you that we have already obtained. To safeguard your rights, we will use the minimum personally-identifiable information possible. For further information, see the University's website.
10. Changes to this privacy notice
We reserve the right to update this privacy notice at any time.
11. Complaints
If you wish to raise a complaint about how we have handled your personal data, you can contact our Data Protection Officer, who will investigate the matter. If you are not satisfied with our response or believe we are processing your personal data in a way that is not lawful you can complain to the Information Commissioner’s Office (ICO) by calling their helpline on 0303 123 1113.
12. Contact
If you wish to raise any queries or concerns about this privacy notice please e-mail us at thrive@ndph.ox.ac.uk or write to: THRIVE, CTSU, Nuffield Department of Population Health, Richard Doll Building, Old Road Campus, Oxford OX3 7LF, UK.
HPS2-THRIVE Privacy Notice 04-Jan-2022 v2.6