Cookies on this website

We use cookies to ensure that we give you the best experience on our website. If you click 'Accept all cookies' we'll assume that you are happy to receive all cookies and you won't see this message again. If you click 'Reject all non-essential cookies' only necessary cookies providing core functionality such as security, network management, and accessibility will be enabled. Click 'Find out more' for information on how to change your cookie settings.

Accept all cookies Reject all non-essential cookies

ORCHID Research Participant Privacy Notice

1. About ORCHID and Your Data 

The University of Oxford runs the ORCHID Trusted Research Environment, which collects and organises health information from GP practices in England that are part of the Oxford-Royal College of General Practitioners network. 

We receive health information from two companies (called Magentus and Optum) that manage GP computer systems. These data companies send us data that does not include your name, phone number, or email.  

The data we receive includes things like: 

  • Month and year of birth, sex, and ethnicity 
  • Symptoms and diagnoses 
  • Prescriptions and treatments 
  • Test results 
  • Hospital referrals 

We receive a very limited amount of confidential patient information, which we process to de-identify then destroy without ever saving.  These are:  

  • Date of death, stored as month and year of death 
  • Partial address, which is converted into codes called: 
  • Lower-layer Super Output Areas (LSOA), which is a group of between 400 and 1,200 households that has about 1,000 and 3,000 people included. 
  • Household key, which allows us to understand how many people live in a household. 

We only store de-identified data, meaning we cannot identify you. This is stored in a secure research database called ORCHID Epidemiology (ORCHID-E).

 

2. Why and How We Use Your Data in ORCHID-E 

This information helps researchers study health and care issues, improve NHS services, and support better treatments and prevention. 

Researchers only get access to the specific data they need for their approved studies. We also make sure that data used in one study cannot be accessed by other researchers or projects. 

We process your data under the UK GDPR for the following reasons: 

  • To support the University’s research goals (Article 6(1)(f): legitimate interests) 
  • To carry out research in the public interest (Articles 6(1)(e) and 9(2)(j)) 

We use your data responsibly for scientific and public benefit, not for marketing or profit. 

The University’s legal basis for processing patient data for:   

  • research purpose is the Health Service (Control of Patient Information - COPI) 2002's Regulation 5.  
  • surveillance is the Health Service COPI 2002’s Regulation 3.   

To meet our common law duty of confidentiality, we have been granted Section 251 approval by the Health Research Authority (HRA) following advice from the Confidentiality Advisory Group (CAG)CAG will recommend approval by the HRA when they believe there is sufficient public interest to temporarily lift the common law duty of confidentiality and enable access to the requested confidential patient information, without individual consent, when it is not practical to obtain it. Learn more herehttps://www.hra.nhs.uk/about-us/committees-and-services/confidentiality-advisory-group/. Find out more about our research herehttps://orchid.phc.ox.ac.uk/ .

 

3. Data Sharing Opt-Outs 

If you choose not to share your data for research and planning through either Type 1 Opt-Out or National Data Opt-Out, we will stop receiving and processing your data for research as soon as possible. However, we may continue to process existing de-identified data, as we have no way of identifying individual patient data in order to remove it. 

 

4. Who Can See Your Data 

Only approved researchers can access ORCHIDE data. These may include researchers from the University of Oxford and other universities or organisations who undertake health research. 

All researchers: 

  • Follow strict data protection and security rules 
  • Use the data only for their approved research project 
  • Have access to only the minimum amount of data needed 

 

5. How Long We Keep Your Data 

We keep the data for as long as GP practices allow us to use it for research. We review this every year. Each research project only keeps data for as long as needed for that study. 

 

6. How We Keep Your Data Safe 

Your data is stored securely on the University of Oxford systems in the UK. We follow strict University information security policies. Learn more here: https://www.infosec.ox.ac.uk. 

 

7. Your Rights 

Under data protection law, you have rights over your personal data. If you wish to check that your data is correct, you can speak with your GP practice. If you choose to opt out of sharing your data for research and planning, we will no longer receive it. 

 

8. Contact Us 

If you have questions about how we use your data or want to exercise your rights, please contact: 

Or write to: 

Information Governance Manager 
Nuffield Department of Primary Care Health Sciences 
University of Oxford 
Radcliffe Observatory Quarter 
Woodstock Road, Oxford, OX2 6GG 

If you are unhappy with how we have handled your data, you can also complain to the Information Commissioner’s Office (ICO): https://ico.org.uk/. 

PRIVACY POLICY