1. What is the purpose of this policy?
The University of Oxford is committed to protecting the privacy and security of your personal information (‘personal data’).
Where we refer in this policy to your ‘personal data’, we mean any recorded information that is about you and from which you can be identified. It does not include data where your identity has been removed (anonymous data).
Where we refer to the ‘processing’ of your personal data, we mean anything that we do with that information, including collection, use, storage, disclosure or retention.
3. Who is using your personal data?
The University of Oxford (the University’s legal title is the Chancellor, Masters and Scholars of the University of Oxford) is the “data controller” for the information that we obtain from you or others as part of the Million Women Study. This means that we decide how to use it and are responsible for looking after it in accordance with the GDPR.
Access to your data will be provided to designated members of our staff who need to view it as part of their work in carrying out the purposes set out in section 5. We also share it with the third parties described in section 6.
4. The types of data we hold about you and how we obtained it
We collect the majority of the information directly from you, when you complete our questionnaires. This information includes the personal details provided by you on study questionnaires at recruitment between 1996 and 2001, and on re-survey questionnaires since then. This information includes name, address and date of birth, and special categories of more sensitive personal data including health-related data on factors such as height, weight, smoking, alcohol, diet, personal and family medical history, physical activity, childbearing, use of HRT and other medication, falls and fractures, social participation and caring, and general wellbeing.
We may also have collected blood samples from you, and derived biochemical and genetic data from these samples.
We also collect additional information from third parties including from the National Health Service (NHS Digital in England and the Information Services Division in Scotland), your General Practitioner and other databases. This information includes special category sensitive data concerning your health, such as information on cancer registrations and screening, primary care and hospital admissions.
5. How the University uses your data
We combine the information you have given us on our questionnaires with the information we have collected from third parties. For example, to study risk of breast cancer in women using HRT, we used linked cancer registration data to compare the number of women who went on to develop breast cancer between those who told us they had never used HRT and those who told us that they had. We found that women who were using HRT, especially the combined oestrogen-progestogen form, were more likely to develop breast cancer. The combination, on a very large scale, of detailed information on how women live and complete health follow-up through routine records is very powerful.
We collect and process your data (including your special category sensitive data) in this way for the purpose of performing scientific (medical) research being carried out in the public interest. This is known under data protection law as our “legal basis” for processing personal data.
We will only process your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another related reason and that reason is compatible with the original purpose. If we need to use your data for an unrelated purpose, we will seek your consent to use it for that new purpose.
Please note that we may process your data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
The University of Oxford Policy on Data Protection can be accessed via the following link: https://www.admin.ox.ac.uk/councilsec/compliance/gdpr/universitypolicyondataprotection/
6. Who has access to your data?
Access to your data within the University will be provided to those who need to view it as part of their work in carrying out the purposes described above.
In addition, in order to perform our research and other legal responsibilities or purposes, we will, from time to time, need to share your information with the following:
• with collaborating research organisations working with us;
• with external organisations providing services to us, including those who provide us with data; and
• with external regulatory bodies.
Where information is shared with third parties, we will seek to share the minimum amount necessary, including pseudonymising your data where possible. This means we remove your identity and replace it with a code number before sharing the information. Only we have access to the ‘key’ linking the code to your identity.
All our third-party service providers that process data on our behalf are required to take appropriate security measures to protect your data in line with our policies. We do not allow them to use your data for their own purposes. We permit them to process your data only for specified purposes and in accordance with our instructions.
7. Transfer of your data outside of the European Economic Area (EEA)
Your data is stored on our secure servers and/or in our premises within the UK.
There may be occasions when we transfer your data outside the EEA, for example, to a researcher who is collaborating with us for the purpose of our research. Such transfers will only take place if one of the following applies:
• the country receiving the data is considered by the EU to provide an adequate level of data protection;
• the transfer has your consent;
• the transfer is necessary for the performance of a contract with you or to take steps requested by you prior to entering into that contract; or
• the transfer is governed by approved contractual clauses.
8. Retention Period
The Million Women Study is a long-term study, still under active follow-up. We hope to continue follow-up for as long as possible, and we will retain your data for as long as we need it to meet our purposes, including our medical research and any purposes relating to legal, accounting, or reporting requirements.
Your data will be held securely in accordance with the University’s policies and procedures. Further information is available on the University’s Information Security website: https://www.infosec.ox.ac.uk.
10. Your rights
Under certain circumstances, by law you have certain rights with respect to your data. A summary of these rights is available here: https://compliance.admin.ox.ac.uk/individual-rights
If you want to exercise any of the rights described or are dissatisfied with the way we have used your information, please contact the University’s Information Compliance Team at email@example.com. The same address can be used to contact the University’s Data Protection Officer. If you remain dissatisfied, you have the right to lodge a complaint with the Information Commissioner’s Office at https://ico.org.uk/concerns
11. Changes to this privacy notice
We reserve the right to update this privacy notice at any time, and will seek to inform you of substantial updates. We may also notify you in other ways from time to time about the processing of your personal data.
If you wish to raise any queries or concerns about this privacy notice please contact us at firstname.lastname@example.org, or write to Professor Valerie Beral, Million Women Study, Cancer Epidemiology Unit, Nuffield Department of Population Health, University of Oxford, Richard Doll Building, Roosevelt Drive, Oxford OX3 7LF, UK.