General Data Protection Regulation
How we use your information (GDPR)
Data Privacy and Transparency Notice MYHT Research
What is patient data?
When you go to your GP or hospital, the doctors and others looking after you will record information about your health. This will include your health problems, and the tests and treatment you have had. They might want to know about family history, if you smoke or what work you do. All this information that is recorded about you is called patient data or patient information.
When information about your health care joins together with information that can show who you are (like your name or NHS number) it is called identifiable patient information. It’s important to all of us that this identifiable patient information is kept confidential to the patient and the people who need to know relevant bits of that information to look after the patient. There are special rules to keep confidential patient information safe and secure.
What sort of patient data does health and care research use?
There are lots of different types of health and care research.
If you take part in a clinical trial, researchers will be testing a medicine or other treatment. Or you may take part in a research study where you have some health tests or answer some questions. When you have agreed to take part in the study, the research team may look at your medical history and ask you questions to see if you are suitable for the study. During the study you may have blood tests or other health checks, and you may complete questionnaires. The research team will record this data in special forms and combine it with the information from everyone else in the study. This recorded information is research data.
In other types of research, you won’t need to do anything different, but the research team will be looking at some of your health records. This sort of research may use some data from your GP, hospital or central NHS records. Some research will combine these records with information from other places, like schools or social care. The information that the researcher collects from the health records is research data.
Why does health and care research use information from patients?
In clinical trials, the researchers are collecting data that will tell them whether one treatment is better or worse than other. The information they collect will show how safe a treatment is, or whether it is making a difference to your health. Different people can respond differently to a treatment. By collecting information from lots of people, researchers can use statistics to work out what effect a treatment is having.
Other types of research will collect data from lots of health records to look for patterns. It might be looking to see if any problems happen more in patients taking a medicine. Or to see if people who have screening tests are more likely to stay healthier.
Some research will use blood tests or samples along with information about the patient’s health. Researchers may be looking at changes in cells or chemicals due to a disease.
All research should only use the patient data that it really needs to do the research. You can ask what parts of your health records will be looked at.
How does research use patient data?
If you take part in some types of research, like clinical trials, some of the research team will need to know your name and contact details so they can contact you about your research appointments, or to send you questionnaires. Researchers must always make sure that as few people as possible can see this sort of information that can show who you are.
In lots of research, most of the research team will not need to know your name. In these cases, someone will remove your name from the research data and replace it with a code number. This is called coded data, or the technical term is pseudonymised data. For example, your blood test might be labelled with your code number instead of your name. It can be matched up with the rest of the data relating to you by the code number.
In other research, only the doctor copying the data from your health records will know your name. They will replace your name with a code number. They will also make sure that any other information that could show who you are is removed. For example, instead of using your date of birth they will give the research team your age. When there is no information that could show who you are, this is called anonymous data.
Where will my data go?
Sometimes your own doctor or care team will be involved in doing a research study. Often, they will be part of a bigger research team. This may involve other hospitals, or universities or companies developing new treatments. Sometimes parts of the research team will be in other countries. You can ask about where your data will go. You can also check whether the data they get will include information that could show who you are. Research teams in other countries must stick to the rules that the UK uses.
All the computers storing patient data must meet special security arrangements.
If you want to find out more about how companies develop and sell new medicines, the Association of the British Pharmaceutical Industry has information on its website.
What are my choices about my patient data?
- You can stop being part of a research study at any time, without giving a reason, but the research team will keep the research data about you that they already have. You can find out what would happen with your data before you agree to take part in a study.
- In some studies, once you have finished treatment the research team will continue to collect some information from your doctor or from central NHS records over a few months or years so the research team can track your health. If you do not want this to happen, you can say you want to stop any more information being collected.
- Researchers need to manage your records in specific ways for the research to be reliable. This means that they won’t be able to let you see or change the data they hold about you. Research could go wrong if data is removed or changed.
What happens to my research data after the study?
Researchers must make sure they write the reports about the study in a way that no-one can work out that you took part in the study.
Once they have finished the study, the research team will keep the research data for several years, in case they need to check it. You can ask about who will keep it, whether it includes your name, and how long they will keep it.
Usually your hospital or GP where you are taking part in the study will keep a copy of the research data along with your name. The organisation running the research will usually only keep a coded copy of your research data, without your name included. This is kept so the results can be checked.
If you agree to take part in a research study, you may get the choice to give your research data from this study for future research. Sometimes this future research may use research data that has had your name and NHS number removed. Or it may use research data that could show who you are. You will be told what options there are. You will get details if your research data will be joined up with other information about you or your health, such as from your GP or social services.
Once your details like your name or NHS number have been removed, other researchers won’t be able to contact you to ask you about future research.
Any information that could show who you are will be held safely with strict limits on who can access it.
You may also have the choice for the hospital or researchers to keep your contact details and some of your health information, so they can invite you to take part in future clinical trials or other studies. Your data will not be used to sell you anything. It will not be given to other organisations or companies except for research.
Will the use of my data meet GDPR rules?
GDPR stands for the General Data Protection Regulation. In the UK we follow the GDPR rules and have a law called the Data Protection Act. All research using patient data must follow UK laws and rules.
Universities, NHS organisations and companies may use patient data to do research to make health and care better.
When companies do research to develop new treatments, they need to be able to prove that they need to use patient data for the research, and that they need to do the research to develop new treatments. In legal terms this means that they have a ‘legitimate interest’ in using patient data.
Universities and the NHS are funded from taxes and they are expected to do research as part of their job. They still need to be able to prove that they need to use patient data for the research. In legal terms this means that they use patient data as part of ‘a task in the public interest’.
If they could do the research without using patient data they would not be allowed to get your data.
Researchers must show that their research takes account of the views of patients and ordinary members of the public. They must also show how they protect the privacy of the people who take part. An NHS research ethics committee checks this before the research starts.
What if I don't want my patient data used for research?
You will have a choice about taking part in a clinical trial testing a treatment. If you choose not to take part, that is fine.
In most cases you will also have a choice about your patient data being used for other types of research. There are two cases where this might not happen:
- When the research is using anonymous information. Because it’s anonymous, the research team don’t know whose data it is and can’t ask you.
- When it would not be possible for the research team to ask everyone. This would usually be because of the number of people who would have to be contacted. Sometimes it will be because the research could be biased if some people chose not to agree. In this case a special NHS group will check that the reasons are valid. You can opt-out of your data being used for this sort of research. You can ask your GP about opting-out, or you can find out more.
Who can I contact if I have a complaint?
If you want to complain about how researchers have handled your information, you should contact the research team. If you are not happy after that, you can contact the trust’s Data Protection Officer by sending an email to email@example.com
If you are not happy with their response or believe they are processing your data in a way that is not right or lawful, you can complain to the Information Commissioner’s Office (ICO) (www.ico.org.uk or 0303 123 1113).
You can find out more about how we use your information: