Information for HPS participants about how your information is stored and processed
Introduction to participant data privacy
The University of Oxford is a world-leader in developing systems to ensure that information is stored safely for studies like the Heart Protection Study. Information held about participants is only used for medical research purposes and for routine regulatory and audit purposes. The University of Oxford uses GDPR Articles 6(1)(e ) and 9(2)(j) as the legal basis for processing personal and sensitive data. Where the University of Oxford is using information for research purposes, it will only process personal data as necessary for the performance of such research being carried out in the public interest. The University of Oxford will safely keep the study data for archiving purposes at least 25 years after the end of the study, and perhaps longer if required by the law or other research needs. When there is no longer any requirement to keep the data it will be deleted.
The data controller for this study is the University of Oxford (University Offices, Wellington Square, Oxford OX1 2JD). The data controller decides how to use your data and is responsible for looking after it in accordance with the GDPR.
The data protection officer for the University of Oxford can be contacted by email at: firstname.lastname@example.org. For more information you can read the University Policy on Data Protection .
How is information about me collected by HPS currently?
You may recall that HPS study clinics stopped in 2000-2001, and the last postal questionnaires were mailed out in 2007. Information about people taking part in HPS now comes from NHS Digital which holds information nationally from the records that health and social care providers keep about the care and treatment they give; this information received by HPS includes information about hospital attendances or admissions (called Hospital Episode Statistics or HES).
We will use this information to learn more about the long-term benefits and safety of statins (and also anti-oxidant vitamins). Statins are one of the most widely prescribed drugs worldwide, and prolonged follow-up of a large randomised trial like HPS provides uniquely reliable evidence about the protection such drugs provide against heart attacks and strokes, and also allows detection of any delayed hazards associated with lowering cholesterol which may take many years to emerge.
Who will you share my data with?
We send your identifiable data (name, date of birth, NHS number and postcode) to NHS Digital who have a record of all hospital admissions and outcomes data from the Hospital Episode Statistics (HES) dataset and will link this information to individual participants in the study. NHS Digital also provide us with information relating to cancer registrations on behalf of Public Health England (PHE). In addition NHS Digital provide us with information about participants who may have passed away, which includes date and cause of death and is sourced from civil registration data.
The University of Oxford will safely keep the study data for at least 25 years after the end of the study, and perhaps longer if required by the law or other research needs. When there is no longer any requirement to keep the data it will be deleted.
Is the information about me collected by HPS secure?
For the purpose of the Data Protection Act, the University of Oxford is the Data Controller. All information is stored securely by University of Oxford and is kept confidential. Access to the computer database is by unique combinations of usernames and passwords and only authorised study personnel can access information about participants. The building is secure with authorised swipe card access only. No individuals will be identified in any study reports.
The personal identifiers, including your NHS number, name, gender and date of birth, are removed from the data on receipt from NHS Digital and stored securely in an encrypted container within the Clinical Trials Service Unit (CTSU). Researchers at the CTSU will work with the “de-identified” data.. De-identified means that health information are labelled with unique numbers linked inside a computer and not by name. It would be very difficult for anyone to re-identify participants after de-identification as we use special measures to protect data, but it remains theoretically possible.
De-identified information about study participants, which would not identify you, may be shared in the future with other approved medical researchers. Sharing of information with other researchers helps ensure that research is open to scrutiny and that best use is made of the information collected. Researchers at University of Oxford will remain responsible for the security and validity of the information held.
How does a participant find out what data is held about them?
You have the right to know what personal data the University of Oxford hold about you and to have a copy of that data. You also have the right to correct wrong or outdated personal data and request the deletion of your data. However, the study may be obliged by law to keep data to ensure consistency and reproducibility of the results and we cannot delete data that has already been used in analyses (note that analyses are run regularly throughout the study).
You also have the right to restrict or object to what we do with your data, or to request that your data be transferred elsewhere. However, sometimes the data controller may not to be able to (or have grounds not to) follow a request, for example, if we consider that deleting data would seriously harm the research.
What if I no longer wish for my information to be accessed or used in HPS?
For the long-term results of HPS to be as reliable as possible, the study team need to try to find out what has happened to everyone who initially agreed to enter the trial. If you do not wish to have information about you collected or recorded then you should inform the study team using the contact details below. You do not need to give a reason and this will not affect your usual medical care in any way.
Who to contact for further information about data privacy
Any participant wishing to exercise any of their rights can contact us. The data protection officer for the University of Oxford can be contacted by email at: email@example.com. If you are not happy with the way we have handled your data, you have the right to lodge a complaint with the Information Commissioner’s Office (telephone 0303 123 1113 or ico.org.uk).
Clinical Trial Service Unit (CTSU)
Richard Doll Building
University of Oxford
Old Road Campus
Telephone: 0800 585323