Information about you: how we use your personally identifiable information for patients and their relatives
The information published here applies to the processing (holding or use) of personally identifiable information of patients and their relatives by the National CJD Research & Surveillance Unit (NCJDRSU) of the University of Edinburgh. The information in this notice is general and supplements information you may have already been given by researchers at the University of Edinburgh. In case of discrepancy, please refer to project-specific information.
Document last updated 3 August 2020.
Personally identifiable information is information about an individual that, alone or linked with other data, can reveal the identity of a person. Where information relates to the living, the EU General Data Protection Regulation (GDPR, 2016) and the Data Protection Act (DPA, 2018) require us to be clear about the lawful basis of our data processing.
In general terms, we use information from you and/or your relatives and/or your medical records to undertake core functions under the lawful basis of public interest. This information will include your or your relative’s name, date of birth and contact details as well as health-related information. This information is used for reasons of public interest in public health, including for public health monitoring activities, and for the purposes of scientific research and archiving. We also use personal identifiable information to provide a medical diagnosis, and to give advice, education and support in relation to individual patient health and social care.
In addition, personally identifiable information about you or your relative may also be used on the lawful basis of our legitimate interest to keep you up to date with study progress and news, or to disseminate other relevant information, for example, to administer family-orientated events.
We may also hold and process your personal details to fulfil a contractual requirement, for example with your doctor, or to provide you with advice and information with your consent.
The University of Edinburgh acting through the NCJDRSU has overall responsibility for looking after your information and using it properly with technical and organisational measures in place to ensure personally identifiable information is protected. Information is held securely at all times and our staff, who include healthcare professionals and non-healthcare staff, all have the same duty to maintain confidentiality and are trained in data protection and security, and to treat personally identifiable information in the strictest confidence. Any deliberate or negligent breaches of this duty are disciplinary offences. This is in compliance with the DPA 2018, the GDPR 2016, the Common Law on Confidentiality and national Caldicott principles, as well as the requirements of the University of Edinburgh and its relevant Codes of Practice.
We will use your data in the ways needed to conduct this work and manage your information in specific ways so that the work is reliable and accurate. This means that we will only collect what personally identifiable information we need and use it as the law allows, and we will make sure nobody has access to it who shouldn’t. No automatic decision-making or profiling is done with your data.
Confidential patient information is held in a cloud based healthcare trusted research environment, provided by AIMES Management Services in Liverpool (UK), access to which is controlled by the NCJDRSU.
We hold information for as long as it is needed for processing, and in accordance with the Records Management Code of Practice for Health and Social Care 2016 and its retention schedule. We maintain a retention schedule detailing the minimum retention period for the information and procedures for the safe disposal of personal data.
We often retain health information indefinitely in accordance with our purposes of public interest in the area of public health such as epidemiology (monitoring trends in patterns of disease),
You have rights regarding the use of your personally identifiable information by the National CJD Research & Surveillance Unit.
To find out what information we hold about you please contact the University Records Management Section, providing your contact details and describing the information you want. Requests must be in writing and we will let you have a response within 20 working days. You will need to tell us what project or research study you believe we hold this information for.
University of Edinburgh
Edinburgh EH8 9YL
Tel: 0131 651 4099
You have the right to ask for information about you that you think is inaccurate to be changed or for its use to be restricted. You can also ask for information about you to be deleted, or not to be used, and for information to be transferred to another organisation or given to you. These are not absolute rights and we may need to continue to use your information. We will tell you why if this is the case and to safeguard your rights we will use the minimum personally-identifiable information possible.
When we share information
In the course of doing our work, information about you or your relative may be shared with one or more third parties within the University of Edinburgh or with other organisations, depending on the study involved and where we are required or permitted to do so by law.
In these situations, the only people who will have access to information that identifies you will be those who need access to conduct their work. This will include staff and students of Edinburgh University and our collaborators, or individuals from the University of Edinburgh, NHS Lothian and regulatory organisations who may need to monitor or check the accuracy of a study. We also work with third parties who provide services to support our work, such as document scanning, destruction or information technology support. All organisations go through strict data protection, security and privacy checks and are held to the same standards as ourselves under data protection and common law. You can request to know which organisation your data has been shared with by contacting the University Records Management Section, as above.
For much of the work we will only share de-personalised or anonymous grouped information. This is information about you or your relative, but which does not include information such as names or dates of birth or other details that could identify anyone, either directly or in conjunction with other information. If we need to share personally identifiable information, then the minimum information necessary will be shared and will be subject to data protection safeguards.
We never publish any information that could be used to identify you or your relative.
There may be limited circumstances when we may need to use personally identifiable information without consent, for example, to stop disease from spreading. In these circumstances we will obtain advice and permission from appropriate authorities, for example, from the Public Benefit and Privacy Panel (PBPP) for Health and Social Care in Scotland, or the Confidentiality Advisory Group (CAG) in England and Wales, on whether the use of this information is in the interests of patients and the public. CAG provides advice to the Health Research Authority and also to the Secretary of State for Health and Social Care in England and Wales for non-research uses (known as “Section 251 approval”)
Sharing information for public health, medicine and social care purposes
We may share your and your relative’s personally identifiable information for non-research purposes with NHS doctors, local infection control and/or public health teams, the UK national blood services, NHS Digital; Public Health England and Health Protection Scotland. In some instances, this may also involve sharing information with public health authorities outside the UK, such as doctors within other national surveillance organisations or the European Centre for Disease Prevention and Control. We will only do this if we have special permission to do so, and even then only the minimum information necessary will be shared and will be subject to data protection safeguards.
Sharing information for research purposes
We may share your or your relative’s personally identifiable information for research purposes within and also outside the University of Edinburgh if there is research approval from an ethics committee or other special permission to do so. The third parties may, for example, include the National Prion Clinic (part of the University College London Hospitals NHS Foundation Trust); the National Institute for Biological Standards and Control; other academic collaborators in the UK and overseas. In this situation then the minimum information necessary will be shared and will be subject to data protection safeguards. However, for most research we do we only use de-personalised or anonymous grouped information.
How to report a concern
If you have any questions about the data we hold about you or wish to raise a complaint on how we have handled your information, you can contact the University of Edinburgh’s Data Protection Officer who will investigate the matter. Either e-mail firstname.lastname@example.org or write to:
Data Protection Officer
Governance and Strategic Planning
University of Edinburgh
Edinburgh EH8 9YL
Tel: 0131 651 4114
You also have the right to report any concerns about the way we process your personal information to the Information Commissioner’s Office (ICO) at https://ico.org.uk.
This privacy statement is continued on the University of Edinburgh website at: edin.ac/privacy
Here is specific privacy information given to patients and families in our projects: