Data Privacy Notice
Million Women Study and MWS Disease Susceptibility in Women Data Privacy Notice V4.3 September 2024
1. What is the purpose of this document?
The University of Oxford is committed to protecting the privacy and security of your personal information (‘personal data’).
This privacy policy describes how we collect and use your personal data during your participation in the Million Women Study, including the related Million Women Study: Disease Susceptibility in Women study for collection of blood and other biological samples from women enrolled in the Million Women Study, in accordance with the UK Data Protection Act (DPA) 2018, which implements the EU General Data Protection Regulation (GDPR) in the UK.
It is important that you read this policy, together with any other privacy policy we may provide on specific occasions when we are collecting or processing information about you, so that you are aware of how and why we are using your information. We may update this policy at any time.
2. Glossary
Where we refer in this policy to your ‘personal data’, we mean any recorded information that is about you and from which you can be identified. It does not include data where your identity has been removed (anonymous data).
Where we refer to the ‘processing’ of your personal data, we mean anything that we do with that information, including collection, use, storage, disclosure or retention.
In this policy, when we refer to the ‘Million Women Study’, we include where relevant the Million Women Study: Disease Susceptibility in Women study.
3. Who is using your personal data?
The University of Oxford (The University’s legal title is the Chancellor, Masters and Scholars of the University of Oxford) is the “data controller” for the information that we obtain from you or others as part of the Million Women Study. This means that we decide how to use it and are responsible for looking after it in accordance with the UK Data Protection Act (UK DPA) 2018 and the General Data Protection Regulation Act (GDPR).
Access to your data will be provided to designated members of our staff who need to view it as part of their work in carrying out the purposes set out in section 5. We also share data with the third parties described in section 6.
4. The types of data we hold about you and how we obtained it
We collect the majority of the information directly from you, when you complete our questionnaires. This information includes the personal details provided by you on study questionnaires at recruitment between 1996 and 2001, and on re-survey questionnaires since then. This information includes name, address and date of birth, and special categories of more sensitive personal data, including health-related data. These personal data include information on factors such as height, weight, smoking, alcohol, diet, ethnic group, personal and family medical history, physical activity, childbearing, use of menopausal hormone therapy and other medication, falls and fractures, social participation and caring, and general wellbeing.
We may also have collected blood and saliva samples from you as part of the related Million Women Study: Disease Susceptibility in Women study, and with your consent, derived biochemical and genetic data from these samples.
When you joined the study you also gave us consent to use information from your NHS medical records as part of our follow-up. We receive information from health registries and NHS bodies in England and Scotland, which hold national health and social care records. We provide your details (name, date of birth, NHS number or CHI number in Scotland, and postcode) to health registries and some NHS Hospital Trusts in order to receive information about Million Women Study participants in return. This currently includes information on cancer diagnoses and treatment, hospital day cases and admissions, GP consultations and prescriptions, cancer screening data and mammographic images and, in some cases, we obtain tissue samples where a cancer has been diagnosed and information about the pathology of these tissue samples. In future, it will also include information on mental health. The majority of this information is provided by NHS England and by Public Health Scotland. We also receive information about study participants who have died, including date and cause of death, which is supplied on behalf of the Office for National Statistics (ONS) and is sourced from civil registration data (death registrations and death certificates). The Clinical Practice Research Datalink (CPRD) provides information on GP consultations and prescriptions for a subset of participants.
Having complete follow-up information from the registries is vital for accurate and unbiased analysis, so that we know what happens to the health of all women in the study, including those who cannot or do not wish to complete our follow-up questionnaires.
We also receive data from contracted third parties, such as laboratories providing blood sample analysis. For this we do not provide identifying details to the third party. Instead, we provide them with “pseudonymised data” which means we remove your identity and replace it with a code number before sharing the information. Only we have access to the ‘key’ linking the code to your identity.
5. How the University uses your data
When you agree to take part in a research study, we use your data (including your health data) in the ways needed to conduct and analyse the research study. Health and care research should serve the public interest, which means that we have to demonstrate that our research serves the interests of society as a whole. To ensure we carry out the research to the highest standards we comply with the UK Policy Framework for Health and Social Care Research.
We combine the information you have given us on our questionnaires with the information we have collected from NHS records or other third parties, and with the results of analysis of blood samples. The combination, on a very large scale, of detailed information on how women live, and health follow-up through routine records for every woman in the study is very powerful. For example, to study risk of breast cancer in women using menopausal hormone therapy, we used linked cancer registration data to compare the proportions of women who went on to develop breast cancer in women who told us they had never used menopausal hormone therapy, and those who told us that they had. We found that women who were using menopausal hormone therapy, especially the combined oestrogen-progestogen form, were more likely to develop breast cancer.
We collect and process your data (including your special category sensitive data) in this way for the purpose of performing scientific (medical) research being carried out in the public interest. This is known under data protection law as our “legal basis” for processing personal data. We will only process your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another related reason and that reason is compatible with the original purpose. We do not use your personal data for any form of automated decision-making or public profiling.
The data is stored at The University of Oxford Old Road Campus Nuffield Department of Population Health (NDPH) and the Biomedical Research Cluster (BMRC). The University of Oxford is a world-leader in developing systems to ensure that information is stored safely for studies such as The Million Women Study. Only staff with appropriate training and permission can access these computer systems.
Please note that we may process your data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
The University of Oxford Policy on Data Protection can be accessed via the University website.
6. Who has access to your data?
Access to your data within the University will be provided to those who need to view it as part of their work in carrying out the purposes described above.
In addition, in order to perform our research and other legal responsibilities or purposes, we will, from time to time, need to share your information with the following:
1. external organisations providing services to us, including
- those who provide us with data such as NHS England, Public Health Scotland
- printing and mailing companies
2. external regulatory bodies.
All third-party service providers that process data on our behalf are required to take appropriate security measures to protect your data in line with our policies. We do not allow them to use your data for their own purposes. We permit them to process your data only for specified purposes and in accordance with our instructions. Where information is shared with any of the third parties listed above, we will seek to share the minimum amount necessary and to provide this information in the form of pseudonymised data (as described in Section 4) wherever possible.
In order to maximise the value of the information that you have given us for health-related research, we will also share data with researchers employed by reputable organisations, for the purposes of health-related research. This may include researchers who are working in other countries, and in commercial companies who are developing new treatments and can provide relevant expertise which is not available in our own institution.
In order to keep the identity and the privacy of our participants safe and secure, we will only share pseudonymised data with external researchers under strict legal agreement between the University of Oxford and the receiving organisation. Before they can access any data, all researchers will need to demonstrate that they have the necessary approvals and information security credentials to use your de-identified information for their research. Our Data Access Policy provides more information on assessing the suitability of an organisation and the process for data sharing.
7. Transfer of your data outside of the UK and the European Economic Area (EEA).
Your data is stored on our secure servers and/or in our premises within the UK. Under GDPR the UK shares common data protections with members of the EEA.
There may be occasions when we transfer your data outside the UK and the EEA, for example, to a researcher who is collaborating with us for the purpose of our research. Such transfers will only take place when one or more of the following applies:
- the country receiving the data is considered by the EU to provide an adequate level of data protection;
- the transfer has your consent;
- the transfer is necessary for the performance of a contract with you or to take steps requested by you prior to entering into that contract; or
- the transfer is governed by approved contractual clauses.
8. Retention Period
The study is expected to continue until around 2045, after which the data will be de-identified and retained in accordance with the funder's requirements for at least 25 years.
9. Security
Your data will be held securely in accordance with the University’s policies and procedures. Further information is available on the University’s Information Security website.
10. Your rights
Under certain circumstances, by law you have certain rights with respect to your data. A summary of these rights is available on the University website.
If you want to exercise any of the rights described or are dissatisfied with the way we have used your information, please contact the University’s Information Compliance Team. The same address can be used to contact the University’s Data Protection Officer. If you remain dissatisfied, you have the right to lodge a complaint with the Information Commissioner’s Office.
11. Changes to this privacy notice
We reserve the right to update this privacy notice at any time, and will seek to inform you of substantial updates. We may also notify you in other ways from time to time about the processing of your personal data.
12. Contact
If you wish to raise any queries or concerns about this privacy notice please contact us by email, or write to:
Professor Gillian Reeves,
Million Women Study, Cancer Epidemiology Unit,
Nuffield Department of Population Health,
University of Oxford, Richard Doll Building,
Roosevelt Drive, Oxford OX3 7LF, UK.