In May 2018 a new General Data Protection Regulation (GDPR) came into force. It is designed to give you more control over how we will use your data, i.e. the data you provide when you submit a data access request form. Ensuring that personal data are collected, stored, used and shared securely is an essential part of good research practice. GDPR also defines specific roles with duties and responsibilities to protect the rights of subjects whose data are collected. The two most important roles are the Data Controller and the Data Custodian.
The MRC National Survey of Health and Development is part of University College London (UCL). For the purposes of data protection law, UCL is the entity that determines how and why your personal data is processed and so is the Data Controller.
The MRC National Survey of Health and Development is housed within the MRC Unit for Lifelong Health and Ageing at UCL (LHA). The Director of the LHA is responsible for overseeing the way in which the study team looks after your data on a day-to-day basis (the Director of the LHA is the Data Custodian).
Personal Data that we collect about you
Personal data, or personal information, means any information about an individual from which that person can be identified, such as your name, institution, location and contact details (email address). We only keep your personal data for as long as is necessary.
We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:
- To manage our relationship with you
- To help you with enquiries
- To provide you with access to LHA data
- To collect metrics regarding the service
Your personal data will be collected and processed by our staff. Access to your personal information is limited to staff who have a legitimate need to see it. When we ask for personal data we will outline how we will use and manage it.
Lawful basis for processing
Data protection legislation requires us to have a valid legal reason to process and use personal data about you. This is often called a ‘legal basis’. GDPR requires us to be explicit with you about the legal basis upon which we rely in order to process information about you.
In the context of research and data sharing, the lawful basis upon which we will process your personal information is usually where “processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.” (Article 6 (1)(e) of GDPR).
Under data protection legislation you have individual rights in relation to the personal information we hold about you.
You have the following rights:
- To be informed of how and why we process your personal data. We have made it clear on the Data/Biological Samples Access Request Form how your information will be used;
- To have access to your personal data. We can send you a copy of the information we hold on you by emailing email@example.com;
- To amend or rectify your personal data. Email firstname.lastname@example.org and we can amend your information;
- To request deletion of your personal data. Please note that there may be circumstances where we are legally required or entitled to retain it, for example in order for us to maintain an audit trail. If you wish to request deletion of your personal data, please contact email@example.com;
- To restrict and/or object to the processing of your personal data, in certain circumstances. If you wish to request restriction or objection to the use of your personal data, please contact firstname.lastname@example.org;
- To not have a decision based solely on automated processing. We do not use automated decision making (including profiling) when making a decision.
Complaints or queries
The LHA aims to meet the highest standards when collecting and using personally identifiable information. We encourage people to tell us if they think that our collection or use of information is unfair, misleading or inappropriate. We would also welcome any suggestions for improving the way we handle your personal details.
If you have any questions about how your personal information is used, or wish to exercise any of your rights, please get in contact with us. You can also contact the University’s Data Protection Officer by telephoning: 020 7679 2000 or by writing to: University College London, Gower Street, London WC1E 6BT or by email: email@example.com.
We keep this Privacy Notice under regular review. It was last updated on 15th October 2019.