Published: 25 May 2018
Version: 2.0 - May 2018Print this document
The NIHR may change this policy from time to time by updating this document. The latest version of this policy will be presented by reference or link from all relevant NIHR websites, systems and services.
Relevant contact details
DHSC is the Data Controller for NIHR held personally identifiable information under the General Data Protection Regulation 2016 (GDPR).
Data controller: Department of Health and Social Care
39 Victoria Street
Data Protection Officer: John Ryder (firstname.lastname@example.org)
For GDPR related requests please contact:
NIHR Service Desk
Who we are
The NIHR is funded through the DHSC to improve the health and wealth of the nation through research. It is a large, multi-faceted and nationally distributed virtual organisation. Together, NIHR people, facilities and systems represent the most integrated clinical research system in the world, driving research from bench to bedside for the benefit of patients and the economy.
The NIHR is not a legal entity; it consists of a number of managing agents that are contracted to the DHSC to provide NIHR by advising on, recommending, organising and administering the commissioning of research programmes, infrastructure, training and patient and public involvement.
For context, as of 01/05/2018, the following specific third party contracted units and services form the NIHR:
- NIHR managing agents, also known as Coordinating Centres:
- NIHR Central Commissioning Facility (CCF) – supports the commissioning of research programmes and infrastructure and their responsible units / services
- NIHR Clinical Research Network Coordinating Centre (CRNCC) – establishes infrastructure, training and support and their responsible units / services
- NIHR Evaluation, Studies and Trials Coordinating Centre (NETSCC) – supports the commissioning of research programmes
- NIHR Academy – supports training awards to researchers and institutions
- NIHR Office for Clinical Research Infrastructure (NOCRI) – provides potential partners, including the life sciences industry and charities, with a direct and simplified route to a wide range of experimental medicine facilities and expert NIHR investigators.
- INVOLVE – supports public involvement in NHS, public health and social care research.
- NIHR-wide Information and Communication Technology Services
- The NIHR Hub (Corporate IT services) – including email, document storage and sharing and other collaboration and productivity tools including a corporate directory.
- CloudLock – a security layer for Hub services
- The NIHR website and associated services
- Be Part of Research (previously called the UK Clinical Trials Gateway) – provides easy to understand information about trials running in the UK
- Amazon Web Services – hosting a number of applications
- Google Cloud Platform – hosting G Suite and the NIHR Hub Homepage
- ServiceNow – a helpdesk service providing support for NIHR facilities e.g. Hub and Website
How we use your information
What information we collect
- For formal interactions with NIHR – such as applications for funding - we will increasingly ask researchers for an ORCiD identifier as a consistent and universal identifier of a researcher across NIHR, and beyond. This will help us (and other research bodies) to recognise you as the same individual and will provide opportunities to remove duplication of your effort in recording information more than once.
- Name, email address and organisational unit – these are collected to allow you to login and access NIHR services.
- Some services may optionally ask for additional data such as date of birth in order to fully participate (e.g. the Google+ service in NIHR Hub). You have full choice over your participation - and control over the disclosure of this information through the application.
- You may also provide additional information including contact details and job title; associations with organisations and institutions and your association with various NIHR activities e.g. applications, grants, awards, studies, training activities projects and programmes. Whilst this is not mandatory it will help you achieve more from the corporate systems and services.
- For applicants for funding we may collect additional sensitive data relating to equality and diversity (such as ethnicity). Where we do this it will be through a dedicated Equality and Diversity Reporting System and we will store the information separately and encrypted to maintain anonymity.
The information we collect may vary depending on the nature of your interaction with NIHR. However, the way we protect your information is always within the terms of this policy.
Why we collect the information
Information is collected for the administration and commissioning of NIHR research programmes, faculty and infrastructure and any appropriate legislation. The lawful basis for processing this Information is Article 6(1)e of the GDPR- “processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller”, with the exception of Join Dementia Research and direct marketing purposes where we would seek your explicit consent to participate and will rely on the GDPR Article 6(1)a lawful basis- Consent.
How long will we keep your data
We will keep your data for varying amounts of time depending on the nature of the interaction with our services:
- We only store data that is necessary for a specific purpose.
- We will not store your data for longer than is necessary for the purpose for which it was collected, unless we are legally obligated to do so by contract or other legal requirement as a public body.
- Your data will be securely deleted when no longer needed for the purpose(s) for which it was collected and/or the DHSC are no longer obligated to keep it.
What we do with the information we gather
We require this information for the following reasons:
- NIHR internal administration of NIHR websites, systems and services and users’ access rights and privileges in order to effectively manage those systems and services and to provide appropriate privacy and confidentiality protection.
- Administration and management of the corporate NIHR including collecting, collating, analysing and interpreting information and insights for the effective and efficient management of NIHR, which may include:
- Sharing information - including personal identifiers - with the DHSC, other NIHR managing agents and contracted third party suppliers and agents. For example, for:
- the registration of funding applications
- the operation of awards/grants processing and management information systems
- the acquisition of UK and/or international peer reviewer comments on proposals and reports
- the preparation of material for use by reviewers, experts, referees and review panels
- response to reviewer comments
- payments made to host institutions
- research and statistical analysis using anonymised data (in accordance with the Information Commissioner’s Office code Anonymisation: managing data protection risk code of practice”)
- analysis of the collective activities and outcomes of NIHR
- Sharing information – including personal identifiers – with authorised external services that collect and collate further information on research outputs, or provide researcher identification in order to provide a more integrated service to users and funders, e.g. researchfish, Europe PubMed Central (Europe PMC) & ORCiD
- Collating information about the different interactions that you have with NIHR across its constituent parts and over time
- Targeted communications with selected groups of individualsforauthorisedNIHR business purposes e.g. researchers (applicants), reviewers, panel members and others involved in the research management process.
- The nature of communications will vary according to the role or roles that you adopt, for example:
- For reviewers: your review of proposals
- For applicants: the registration of your application; your response to reviewer comment
- The nature of communications will vary according to the role or roles that you adopt, for example:
- Marketing communications to highlight the activities of the NIHR and opportunities for engagement. We will seek your explicit consent to contact you for marketing purposes.
- We will use equality and diversity data in an anonymised form to monitor our compliance with equality and diversity objectives.
- We will publish personal information about lead investigators and personal award holders in receipt of NIHR Funding.
Any specific terms and conditions relating to specific websites, services or systems will be communicated to you in the specific context, for example through a user agreement, but will remain consistent with this policy. User agreements are an important part of protecting privacy by placing behavioural expectations and obligations on all users of a service. Adherence to a user agreement will normally be established as part of registering to use a website, system or service, but casual use of websites may not require a formal agreement.
- NIHR Website - Terms and Conditions for www.nihr.ac.uk
- Management Information System (MiS) - Terms and Conditions for Management Information System
- CCF Research Management System (RMS) - Terms and Conditions for CCF Research Management System
- Academy Research Awards Management System (ARAMIS) - Terms and Conditions for ARAMIS
- Join Dementia Research - Privacy Notice for Join Dementia Research
The security and integrity of NIHR systems are of paramount importance to the NIHR. Where systems have the potential to transfer data outside of the European Economic Area, NIHR ensures that any such transfers are covered by relevant supplementary controls in line with advice from the Information Commissioner’s Office.
Cookies and Log
When you use the Internet, you are assigned a unique address, known as an IP address. We use IP addresses to analyse trends, to administer the websites, track users' movements through the websites, and gather statistical information. IP addresses are not linked to other personally identifiable information.
NIHR is committed to maintaining accurate records. Your information may be held in a number of locations across NIHR due to the dispersed nature of the NIHR. The most efficient way of verifying or amending your personal information may be to contact the managing agent operating the service or the service administrator. Each website, system or service will provide a mechanism for doing this. Alternatively, you may contact the Data Controller directly. See the Protecting your personal information section in this policy.
Security and confidentiality
We are committed to ensuring that your information is secure. We use leading technologies and encryption software to safeguard your data, and maintain strict security standards to prevent any unauthorised access to it. We make every effort to reduce the risks associated with data in transit over the internet by using appropriate technology, including (but not limited to) SSL for any of our websites or applications which collect data from you. However, we cannot guarantee the security of your data in the parts of its journey which are not under our direct control.
Links to other websites
Protecting your personal information
- The DSHC and the NIHR are committed to protecting privacy, and we are legally required to process all personal information in accordance with the GDPR
- Applicants for funding should be aware that information collected in applications will be shared with DHSC / NIHR bodies for the purposes described above. See the What we do with the information we gather section in this policy.
- NIHR use of personal information operates under, and is compliant with, the DHSC Personal Information Charter.
- The NIHR is subject to the Freedom of Information (FOI) arrangements of the DHSC. You can find further information about making an FOI request on the DHSC website.
- You have the “right of access by the data subject” under the GDPR and may request details of personal data which we hold about you.
- NIHR Service Desk, Back Lane, Melbourn, Royston, SG8 6DP
- Or contact us by email at: email@example.com
- If you believe that any information we are holding on you is incorrect or incomplete, please write to or email us as soon as possible, at the above address. We will promptly correct any information found to be incorrect.
- You have the right to request erasure and restriction of processing of your personal data held by the NIHR. If you would like to request either of these, please contact us through the details provided above.
- You have the right to object to processing and processing for direct marketing. You also have the right to object to profiling taking place to support those activities.
- You have a right to data portability.
- Your rights are not absolute. If we are not able to meet your request, we will explain the reason.
- You have the right to lodge a complaint with the Information Commissioner’s Office, if you think there is a problem with the way we are handling your personal identifiable information.