Cookies on this website

We use cookies to ensure that we give you the best experience on our website. If you click 'Accept all cookies' we'll assume that you are happy to receive all cookies and you won't see this message again. If you click 'Reject all non-essential cookies' only necessary cookies providing core functionality such as security, network management, and accessibility will be enabled. Click 'Find out more' for information on how to change your cookie settings.

What is the purpose of this notice?

The University of Oxford is committed to protecting the privacy and security of your personal information (‘personal data’).

This privacy policy describes how we collect and use your personal data during your participation in the EPIC-Oxford Study. The legal basis for the processing and storage of your personal data for EPIC-Oxford Study is that it is ‘a task in the public interest’ (Article 6(1)(e) UK General Data Protection Regulation (UK GDPR). In addition, a required condition under the UK GDPR to process your special category (sensitive) personal data is met as it is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes (Article 9(2)(j) UK GDPR).

This means that when you agree to take part in a research study, we will use your data (including your health data) in the ways needed to conduct and analyse the research study. Health and care research should serve the public interest, which means that we have to demonstrate that our research serves the interests of society as a whole. To ensure we carry out the research to the highest standards we comply with the UK Policy Framework for Health and Social Care Research.

It is important that you read this policy, together with any other privacy policy we may provide on specific occasions when we are collecting or processing information about you, so that you are aware of how and why we are using your information. We may update this policy at any time.


Where we refer in this policy to your ‘personal data’, we mean any recorded information that is about you and from which you can be identified.

Where we refer to the ‘processing’ of your personal data, we mean anything that we do with that information, including collection, use, storage, disclosure or retention.

Who is using your personal data?

The University of Oxford* as Sponsor is the “data controller" for the information that we obtain from you or others as part of the EPIC-Oxford Study. This means that we decide how to use it and are responsible for looking after it in accordance with UKGDPR legislation.

* The University’s legal title is the Chancellor, Masters and Scholars of the University of Oxford

Access to your data will be provided to designated members of our staff who need to view it as part of their work in carrying out the purposes set out in section 5. We also share it with the third parties described in section 6.

The types of data we hold about you and how we obtained it

We collect the majority of the information directly from you, when you complete our questionnaires. This information includes the personal details provided by you on study questionnaires at recruitment between 1993 and 1999, and on re-survey questionnaires since then.

This information includes name, address and date of birth, and special categories of more sensitive personal data including health-related data on factors such as height, weight, smoking, alcohol, diet, personal and family medical history, physical activity, childbearing, use of HRT and other medication, working patterns and general wellbeing.

We may also have collected blood samples from you, and derived biochemical and genetic data from these samples.

We also receive additional information about from third parties about your health and hospital records including from the National Health Service (NHS England, Public Health Scotland and NHS Central Register (NHSCR) about Scottish patients and Patient Episode Database Wales (PEDW) for Welsh participants), your General Practitioner and other databases. This information includes special category sensitive data concerning your health, such as information on cancer registrations and hospital admissions. NHS England, or similar bodies in Scotland and Wales, also provide us with information about people who may have passed away, which includes date and cause of death. This is supplied on behalf of the Office for National Statistics (ONS) and is sourced from civil registration data.

How the University uses your data

We combine the information you have given us on our questionnaires with the information we have collected from third parties. For example, to study the relationship of diet and obesity with the risk of gallstones we used linked hospital admission data to compare the number of participants who went on to develop gallstones among participants in EPIC-Oxford grouped according to their diet and their body mass index (an indication of obesity), and allowing for other important factors such as age and smoking. We found that the risk for developing gallstones did not differ between vegetarians and non-vegetarians, whereas obesity was associated with a large increase in the risk for this condition.

We collect and process your data (including your special category sensitive data) in this way for the purpose of performing scientific (medical) research being carried out in the public interest. This is known under data protection law as our “legal basis” for processing personal data.

We will only process your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another related reason and that reason is compatible with the original purpose. If we need to use your data for an unrelated purpose, we will seek your consent to use it for that new purpose. We do not use your personal data for any form automated decision making or public profiling and we will not use your data for any unrelated purposes.

Please note that we may process your data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.

General information about how long different types of information are retained by the University can be found in the University’s Policy on the Management of Research Data and Records.

Who has access to your data?

Access to your data within the University will be provided to those who need to view it as part of their work in carrying out the purposes described above.

We protect your personal data against unauthorised access, unlawful use, accidental loss, corruption, and destruction.

In addition, in order to perform our research and other legal responsibilities or purposes, we will, from time to time, need to share your information with the following:

  • with collaborating research organisations working with us;
  • with external organisations providing services to us, including those who provide us with data; and
  • with external regulatory bodies.

Where information is shared with third parties, we will seek to share the minimum amount necessary, including pseudonymising your data where possible. This means we remove your identity and replace it with a code number before sharing the information. Only we have access to the ‘key’ linking the code to your identity.

All our third-party service providers that process data on our behalf are required to take appropriate security measures to protect your data in line with our policies. We do not allow them to use your data for their own purposes. We permit them to process your data only for specified purposes and in accordance with our instructions.

Transfer of your data outside of the European Economic Area (EEA)

Your data is stored on our secure servers and/or in our premises within the UK.

There may be occasions when we transfer your data outside the EEA, for example, to a researcher who is collaborating with us for the purpose of our research. Such transfers will only take place if one of the following applies:

•  the country receiving the data is considered by the EU to provide an adequate level of data protection;

•  the transfer has your consent;

•  the transfer is necessary for the performance of a contract with you or to take steps requested by    you prior to entering into that contract; or

•  the transfer is governed by approved contractual clauses.

Retention Period

University of Oxford is required to keep the information collected about you for at least 25 years after "end of the study" and perhaps longer if required by the law or other research needs, including any relating to legal, accounting, or reporting requirements. We may also retain personal data for further research for which a legal basis exists, but this will always be done in accordance with data protection laws.


We protect your personal data against unauthorised access, unlawful use, accidental loss, corruption, and destruction.

We use technical measures such as encryption and password protection to protect your data and the systems in which they are held, and the information that we receive is stored securely in a study database. Access to the study database is by unique combinations of usernames and passwords and only authorised study personnel can access information about participants. The University building is also secure with authorised swipe card access only.

We also use operational measures to protect the data, for example by limiting the number of people who have access to the databases in which your data is held. And whenever possible, your personal identifiers (name, date of birth, NHS number and address) will be removed and replaced by a unique trial ID number. Your data is treated in the strictest confidence and is used solely for academic research purposes. Importantly, no individuals will be identified in any publications arising from this work.

We keep these security measures under review and refer to University Security Policies to keep up to date with current best practice.

Your rights

Under the UK General Data Protection Regulation (UK GDPR), you have the following rights in relation to the information that we hold about you (your ‘personal data’):

The right to request access to your data (commonly known as a "subject access request"). This enables you to receive a copy of your data and to check that we are lawfully processing it.

The right to request correction of your data. This enables you to ask us to correct any incomplete or inaccurate information we hold about you.

The right to request erasure of your data. This enables you to ask us to delete or remove your data in certain circumstances for example, if you consider that there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your data where you have exercised your right to object to processing (see below).

The right to object to the processing of your data, where we are processing it to meet our public tasks or legitimate interests (or the legitimate interests of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your data for direct marketing purposes.

The right to request that the processing of your data is restricted. This enables you to ask us to suspend the processing of your data, for example, if you want us to establish its accuracy or the reason for processing it.

The right to access, change or move your data. Depending on the circumstances, we may have grounds for not complying with your request, for example, where we consider that deleting your information would seriously harm the research or where we need to process your data for the performance of a task in the public interest.

If you wish to exercise any of these rights, please contact the trial at

If you withdraw from the study, we will keep the information about you that we have already obtained. To safeguard your rights, we will use the minimum personally-identifiable information possible. For further information, visit the University's Compliance pages.

Changes to this privacy notice

We reserve the right to update this privacy notice at any time, and will seek to inform you of substantial updates. We may also notify you in other ways from time to time about the processing of your personal data.


If you wish to raise any queries or concerns about this privacy notice please contact us at, or write to Professor Tim Key, EPIC-Oxford Study, Cancer Epidemiology Unit, Nuffield Department of Population Health, University of Oxford, Richard Doll Building, Roosevelt Drive, Oxford OX3 7LF, UK.