ISIS-2 Privacy Notice
This Privacy Notice is being provided for the participants of the ISIS-2 trial, who were recruited between 1985 and 1987 in UK NHS hospitals. It provides information about how data has been collected about you as part of the trial, and how we handle and process it.
If you would like to receive this information in pdf format please email isis.ehr.comms@ndph.ox.ac.uk
Who is responsible for your data?
The University of Oxford1 is the “data controller" for the information that we obtained from you as part of the ISIS-2 study. This means that we decide how to use it and are responsible for looking after it in accordance with the UK General Data Protection Regulation (UK GDPR).
Personal data we hold about you
We collected information directly from you when you were recruited into the ISIS-2 study. This information includes the personal details provided by you at recruitment, information provided from your hospital, and questionnaires that you completed and returned to us. This information includes name, address, gender, NHS Number and date of birth, and special categories of more sensitive personal data including health-related data about your medical history, hospitalisation and treatment.
We may also have collected blood samples from you during the trial, and derived biochemical and genetic data from these samples. While we retain data derived from these samples, the samples themselves have been destroyed.
We also collected additional information from third parties including from the National Health Service (NHS Digital in England (previously information was received from the Office of National Statistics (ONS) and the Health and Social Care Information Centre (HSCIC)), and the National Records of Scotland (NRS), NHS Central Register (NHSCR) (previously information was received from the General Register Office for Scotland). This information includes special category data concerning your health. To obtain this data we sent your identifiers to these registries (including name, date of birth, address, and GP information) to be able to link to their records. No new linkage is taking place.
Overall, the data we hold about you was collected between 1985 and 1997, with some additional central registry information (NHS number collected in 2014) retained for the purposes of future data linkage.
How we use your personal data
During the main trial and the 10-year follow-up we used data collected from you to investigate the effects of aspirin and streptokinase given to participants after having a heart attack. We combined the information you gave us with the information we collected from third parties. For example, we used linked death data to study the long-term survival of participants. Using this information the ISIS-2 trial demonstrated that the early survival advantages produced by fibrinolytic therapy (streptokinase) and one month of aspirin in acute myocardial infarction seemed to last for at least 10 years.
While there is no specific research currently being conducted for ISIS-2, we are retaining a Legacy Database to preserve the data that was used to produce the important trial results, and to retain the possibility of conducting further analysis in the future.
The lawful basis for the processing and storage of your personal data for ISIS-2 is that it is ‘a task in the public interest’ – UK GDPR Article 6(1)(e) - and, that sensitive personal data is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes – UK GDPR Article 9(2)(j).
We have special permission from the Confidentiality Advisory Group (CAG) to retain ISIS-2 historical data without further consent. This permission is given under Section 251 of the National Health Service Act 2006 and its current regulations, the Health Service (Control of Patient Information Regulations 2002) (CAG reference number: 22/CAG/0090).
The ISIS-2 Legacy Database has been reviewed and approved by the London-Harrow Research Ethics Committee (Reference number: 22/LO/0443).
We do not use your personal data for any form of automated decision making or public profiling.
How long we keep your data
The University of Oxford is required to keep information collected about you for at least 25 years after the "end of the study". Information may also be kept for longer if required by law or for research purposes. The need to retain this data is regularly reviewed.
General information about how long different types of information are retained by the University can be found in the University’s Policy on the Management of Data Supporting Research Outputs, available at https://researchdata.ox.ac.uk/university-of-oxford-policy-on-the-management-of-datasupporting-research-outputs/.
How we protect your data
We protect your personal data against unauthorised access, unlawful use, accidental loss, corruption, and destruction.
We use technical measures such as encryption and password protection to protect your data and the systems in which they are held, and the information that we receive is stored securely in a study database. Access to the study database is by unique combinations of usernames and passwords and only authorised study personnel can access information about participants. The University building is also secure with authorised swipe card access only.
We also use operational measures to protect the data, for example by limiting the number of people who have access to the databases in which your data is held.
We keep these security measures under review and refer to University Security Policies to keep up to date with current best practice.
Sharing your data
Any personal data that identifies you is managed by the ISIS-2 team at the Nuffield Department of Population Health (NDPH), University of Oxford and will not be shared with anyone else.
Transfer of your data outside of the European Economic Area (EEA)
Your data is safely stored on our secure servers and/or at our premises within the UK. Your data will not be transferred outside of the EEA.
Your rights
Under the UK General Data Protection Regulation (UK GDPR), you have the following rights in relation to the information that we hold about you (your ‘personal data’):
- The right to request access to your data (commonly known as a "subject access request"). This enables you to receive a copy of your data and to check that we are lawfully processing it.
- The right to request correction of your data. This enables you to ask us to correct any incomplete or inaccurate information we hold about you.
- The right to request erasure of your data. This enables you to ask us to delete or remove your data in certain circumstances, for example, if you consider that there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your data where you have exercised your right to object to processing (see below).
- The right to object to the processing of your data. This enables you to oppose our using your data where we are processing it to meet our public tasks or legitimate interests (or the legitimate interests of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your data for direct marketing purposes.
- The right to request that the processing of your data is restricted. This enables you to ask us to suspend the processing of your data, for example, if you want us to establish its accuracy or the reason for processing it.
- The right to request transfer of your data to another party. This enables you to request that we transfer data you provided to us to a third party in a safe and secure way.
Depending on the circumstances, we may have grounds for not complying with your request, for example, where we consider that deleting your information would seriously harm the research or where we need to process your data for the performance of a task in the public interest.
If you wish to exercise any of these rights, please contact isis.ehr.comms@ndph.ox.ac.uk.
If you withdraw from the study, we will keep the information about you that we have already obtained. To safeguard your rights, we will use the minimum personally identifiable information possible. For further information, see: https://compliance.admin.ox.ac.uk/individual-rights.
Changes to this privacy notice
We reserve the right to update this privacy notice at any time.
Complaints
If you wish to raise a complaint about how we have handled your personal data, you can contact our Data Protection Officer (data.protection@admin.ox.ac.uk), who will investigate the matter. If you are not satisfied with our response or believe we are processing your personal data in a way that is not lawful, you can complain to the Information Commissioner’s Office (ICO) by visiting their website at https://ico.org.uk/make-a-complaint/ or by calling their helpline on 0303 123 1113.
Contact
If you wish to raise any queries or concerns about this privacy notice, please contact us at isis.ehr.comms@ndph.ox.ac.uk, telephone: 0800 585323, or write to: ISIS Legacy Studies, Clinical Trial Service Unit, Nuffield Department of Population Health, University of Oxford, Richard Doll Building, Roosevelt Drive, Oxford OX3 7LF, UK.
1 The University’s legal title is the Chancellor, Masters and Scholars of the University of Oxford
ISIS-2 Privacy Notice v2.2 06-Jun-22 [PDF]