Cookies on this website

We use cookies to ensure that we give you the best experience on our website. If you click 'Accept all cookies' we'll assume that you are happy to receive all cookies and you won't see this message again. If you click 'Reject all non-essential cookies' only necessary cookies providing core functionality such as security, network management, and accessibility will be enabled. Click 'Find out more' for information on how to change your cookie settings.

Accept all cookies Reject all non-essential cookies Find out more

Data Privacy Notice

Million Women Study and mws disease susceptibility in women data Privacy Notice V4.2

1. What is the purpose of this document?

The University of Oxford is committed to protecting the privacy and security of your personal information (‘personal data’).

This privacy policy describes how we collect and use your personal data during your participation in the Million Women Study, including the related Million Women Study: Disease Susceptibility in Women study for collection of blood and other biological samples from women enrolled in the Million Women Study, in accordance with the UK Data Protection Act [DPA] 2018, which implements the EU General Data Protection Regulation (GDPR) in the UK.

It is important that you read this policy, together with any other privacy policy we may provide on specific occasions when we are collecting or processing information about you, so that you are aware of how and why we are using your information. We may update this policy at any time.

2. Glossary

Where we refer in this policy to your ‘personal data’, we mean any recorded information that is about you and from which you can be identified. It does not include data where your identity has been removed (anonymous data).

Where we refer to the ‘processing’ of your personal data, we mean anything that we do with that information, including collection, use, storage, disclosure or retention.

In this policy, when we refer to the ‘Million Women Study’, we include where relevant the Million Women Study: Disease Susceptibility in Women study.

3. Who is using your personal data?

The University of Oxford (The University’s legal title is the Chancellor, Masters and Scholars of the University of Oxford) is the “data controller” for the information that we obtain from you or others as part of the Million Women Study. This means that we decide how to use it and are responsible for looking after it in accordance with the UK Data Protection Act (UKDPA) 2018 and the General Data Protection Regulation Act (GDPR).

Access to your data will be provided to designated members of our staff who need to view it as part of their work in carrying out the purposes set out in section 5. We also share data with the third parties described in section 6.

4. The types of data we hold about you and how we obtained it

We collect the majority of the information directly from you, when you complete our questionnaires. This information includes the personal details provided by you on study questionnaires at recruitment between 1996 and 2001, and on re-survey questionnaires since then. This information includes name, address and date of birth, and special categories of more sensitive personal data, including health-related data. These data include information on factors such as  height, weight, smoking, alcohol, diet, ethnic group, personal and family medical history, physical activity, childbearing, use of menopausal hormone therapy and other medication, falls and fractures, social participation and caring, and general wellbeing.

We may also have collected blood samples from you as part of the related Million Women Study: Disease Susceptibility in Women study, and with your consent, derived biochemical and genetic data from these samples.

When you joined the study you also gave us consent to use information from your NHS medical records as part of our follow-up. We receive information from health registries and NHS bodies in England and Scotland, which hold national health and social care records. We provide your details (name, date of birth, NHS number or CHI number in Scotland, and postcode) to health registries and some NHS Hospital Trusts in order to receive information about Million Women Study participants in return. This currently includes information on cancer diagnoses and treatment, hospital day cases and admissions, GP consultations and prescriptions, cancer screening and in some cases information about the pathology of tissue samples where a cancer has been diagnosed. In future, it will also include information on mental health. This information is requested from NHS England for participants in England, and from Public Health Scotland and the NHS Central Register (NHSCR) for participants in Scotland. We also contact some NHS Trusts for information about breast cancer screening and information about tissue samples taken when a cancer is diagnosed.  NHS England and the NHS Central Register (NHSCR) also provide us with information about study participants who have died, including date and cause of death. This is supplied on behalf of the Office for National Statistics (ONS) and is sourced from civil registration data (death registrations and death certificates). Having complete follow-up information from the registries is vital for accurate and unbiased analysis, so that we know what happens to the health of all women in the study, including those who cannot or do not wish to complete our follow-up questionnaires. 

We also receive data from contracted third parties, such as laboratories providing blood sample analysis. For this we do not provide identifying details to the third party. Instead, we provide them with “pseudonymised data” which means we remove your identity and replace it with a code number before sharing the information. Only we have access to the ‘key’ linking the code to your identity.

5. How the University uses your data

When you agree to take part in a research study, we use your data (including your health data) in the ways needed to conduct and analyse the research study. Health and care research should serve the public interest, which means that we have to demonstrate that our research serves the interests of society as a whole. To ensure we carry out the research to the highest standards we comply with the UK Policy Framework for Health and Social Care Research.

We combine the information you have given us on our questionnaires with the information we have collected from NHS records or other third parties, and with the results of analysis of blood samples. The combination, on a very large scale, of detailed information on how women live, and health follow-up through routine records for every woman in the study is very powerful. For example, to study risk of breast cancer in women using menopausal hormone therapy, we used linked cancer registration data to compare the number of women who went on to develop breast cancer between women who told us they had never used menopausal hormone therapy, and those who told us that they had. We found that women who were using menopausal hormone therapy, especially the combined oestrogen-progestogen form, were more likely to develop breast cancer.

We collect and process your data (including your special category sensitive data) in this way for the purpose of performing scientific (medical) research being carried out in the public interest. This is known under data protection law as our “legal basis” for processing personal data. We will only process your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another related reason and that reason is compatible with the original purpose. We do not use your personal data for any form of automated decision-making or public profiling.

Please note that we may process your data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.

The University of Oxford Policy on Data Protection can be accessed via the University website

6. Who has access to your data?

Access to your data within the University will be provided to those who need to view it as part of their work in carrying out the purposes described above.

In addition, in order to perform our research and other legal responsibilities or purposes, we will, from time to time, need to share your information with the following:

  • external organisations providing services to us, including those who provide us with data; and
  • external regulatory bodies.

All third-party service providers that process data on our behalf are required to take appropriate security measures to protect your data in line with our policies. We do not allow them to use your data for their own purposes. We permit them to process your data only for specified purposes and in accordance with our instructions. Where information is shared with any of the third parties listed above, we will seek to share the minimum amount necessary and to provide this information in the form of pseudonymised data (as described in Section 4) wherever possible.

In order to maximise the value of the information that you have given us for health-related research, we will also share data with researchers from collaborating research organisations, and with other researchers employed by bona fide institutions, for the purposes of health-related research.  This may include researchers who are working in other countries, and in commercial companies who are developing new treatments and can provide relevant expertise which is not available in our own institution.

In order to keep the identity and the privacy of our participants safe and secure, we will only share pseudonymised data with external researchers under strict legal agreement between the University of Oxford and the receiving University. Before they can access any data, all researchers will need to demonstrate that they have the necessary approvals and information security credentials to use your de-identified information for their research. Our Data Access Policy provides more information on assessing the suitability of an organisation and the process for data sharing.

7. Transfer of your data outside of the uk and the European Economic Area (EEA).

Your data is stored on our secure servers and/or in our premises within the UK.  Under GDPR the UK shares common data protections with members of the EEA.

There may be occasions when we transfer your data outside the UK and the EEA, for example, to a researcher who is collaborating with us for the purpose of our research. Such transfers will only take place when one or more of the following applies:

  • the country receiving the data is considered by the EU to provide an adequate level of data protection;
  • the transfer has your consent;
  • the transfer is necessary for the performance of a contract with you or to take steps requested by you prior to entering into that contract; or
  • the transfer is governed by approved contractual clauses.

8. Retention Period

The Million Women Study is a long term study, still under active follow-up. We hope to continue follow-up for as long as possible, and we will retain your data for as long as we need it to meet our purposes, including our medical research and any purpose relating to legal, accounting, or reporting requirements.

9. Security

Your data will be held securely in accordance with the University’s policies and procedures. Further information is available on the University’s Information Security website.

10. Your rights

Under certain circumstances, by law you have certain rights with respect to your data. A summary of these rights is available on the University website

If you want to exercise any of the rights described or are dissatisfied with the way we have used your information, please contact the University’s Information Compliance Team. The same address can be used to contact the University’s Data Protection Officer. If you remain dissatisfied, you have the right to lodge a complaint with the Information Commissioner’s Office.

11. Changes to this privacy notice

We reserve the right to update this privacy notice at any time, and will seek to inform you of substantial updates. We may also notify you in other ways from time to time about the processing of your personal data.

12. Contact

If you wish to raise any queries or concerns about this privacy notice please contact us by email, or write to:

Professor Gillian Reeves,
Million Women Study, Cancer Epidemiology Unit,
Nuffield Department of Population Health,
University of Oxford, Richard Doll Building,
Roosevelt Drive, Oxford OX3 7LF, UK.

Navigation