Orchid Data Subject Privacy Notice
ORCHID RESEARCH – DATA SUBJECT PRIVACY NOTICE
1. Data protection - We (the University of Oxford) make the ORCHID database available as a resource for conducting research. This notice pertains to the personal data of NHS patients of any age, including children, who are registered with General Practitioner (GP) practices, which are based in England and affiliated with the Royal College of General Practitioners. We receive several categories of personal data from the third party companies, which administer the computerised medical records for these GPs. They use software to extract and send information without us knowing the identity of the data subjects. These include a data subject’s age, sex, ethnicity, symptoms, procedures, prescriptions, coded information about test results, hospital referrals, etc. We hold only a de-identified form of a person’s NHS number and DOB and do not receive names or other information, such as phone number, e-mail address, etc. of data subjects. We process only data from GPs because the data subjects have not opted out of their GP records being used for research purposes.
We act as the “data controller” when we administer this database and conduct our own research using ORCHID data. Similarly, when we share ORCHID data with other entities, including researchers from other Universities, to conduct research, they act as the data controller. The data controller explains how it uses personal data in a separate privacy notice for each research project.
The legal basis on which we rely for processing data to administer the ORCHID database and share information from ORCHID with other entities is Article 6(1)(f) (legitimate interests) under the UK General Data Protection Regulation (GDPR). This processing satisfies the University of Oxford’s mission of advancing learning through research and contributes to the body of research by providing access to an integrated database, which helps facilitate the completion of research activities through the use of the ORCHID database resource.
When we process personal data from ORCHID for our specific research projects, we do so in accordance with Articles 6(1)(e) and 9(2)(j) of the UK GDPR, which allows for this processing as a means to perform a task in the public interest (research). We are also permitted to process special category data as it is necessary for research purposes under Article 9(2)(j) of the UK GDPR. These legal bases (public interest/research) also apply to researchers from other entities when they access the ORCHID database for their research projects. In those instances, they act as the data controller for their own projects.
2. How we use your data – We process data received from GP practices multiple times per week to capture additions and changes and on a quarterly basis to refresh the historic full set of these records. This data does not indicate a data subject’s identity (e.g. name) and we take steps to further de-identify patient NHS numbers and their GPs so researchers are unable to know the identity of the data subjects. We also organise the data received into disease themed datasets from which researchers select for their projects. We create a separate dataset for each approved project so that the researchers do not access data from other projects. We further review and monitor these to prevent any identification of data subjects.
If you wish to withdraw the consent to share your data for research purposes, you may do so at any time by contacting your GP or the contact listed on the privacy notice of the research project for which you provided consent to share your data, or by accessing the NHS national data opt out service (https://digital.nhs.uk/services/national-data-opt-out). In this event, we will stop the processing as soon as we can. However, for opt outs which NHS processes, we will continue processing de-identified data on these data subjects. This will not affect the lawfulness of any processing carried out before your withdrawal of consent. We will only use your data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another related reason and that reason is compatible with the original purposes. If we need to use your data for an unrelated purpose, we will seek your consent to use it for that new purpose.
3. Who has access to your data? We will only provide ORCHID access to those individuals approved to conduct research as described above. These include researchers both from within the University of Oxford and other entities, such as researchers from other Universities within the UK. They are required to take appropriate security measures to protect your data in line with our data protection policies. We permit them to process your data only for specified purposes and in accordance with our instructions. Where we share your data with a third party, we will seek to share the minimum amount necessary.
4. Retaining your data - We will only retain your information for as long as the GPs permit us to access this data to meet our purposes, including any relating to legal, accounting, or reporting requirements. We will review the necessity of the database for the purposes of supporting research annually. The University will hold information for research specific projects only for as long as required to do so.
5. Security – We hold your data securely in accordance with the University’s policies and procedures. Further information is available on the University’s Information Security website: www.infosec.ox.ac.uk.
6. Where we store and use your data - We store and use your data electronically on University systems in the UK.
7. Your rights - Information on your rights in relation to your personal data is explained here. If you wish to exercise your rights, you would need to supply your actual NHS number and DOB to us so that we can process your request.
8. Contact - If you have any questions about how we will use your data, please contact the ORCHID Team at firstname.lastname@example.org. If you would like to exercise your rights as mentioned above or if, for any reason, you are not happy with the way that we have handled your data, please contact the University’s Information Compliance Team or the University’s Data Protection Officer here: email@example.com.
Otherwise, please send any questions or concerns via post to the Information Governance Manager, Nuffield Department of Primary Care Health Sciences, University of Oxford, Radcliffe Observatory Quarter, Woodstock Road, Oxford, OX2 6GG. If you are still not happy, you have the right to make a complaint to the Information Commissioner’s Office (https://ico.org.uk/).
This notice is posted and available here: https://orchid.phc.ox.ac.uk/
Effective: 01 07 2021 Last revised: 05 June 2023 (v 2.0)