Institute of Epidemiology & Health Care


BRHS Privacy Notice

Privacy Notice for participants in the British Regional Heart Study (BRHS)


About this privacy notice

The purpose of this local Privacy Notice is to explain to you, our participants, how we, the British Regional Heart Study (BRHS) Research Team collect, share and use the personal information about you.  This Privacy Notice sets out the types of data we have collected from you and how and by whom that data is used. It also sets out the lawful basis on which we process your data, your rights as a data subject and your rights to withdraw from the BRHS.  We are required to provide the information set out below in accordance with the UK GDPR and UK Data Protection Act 2018 ("DPA").  This privacy notice is intended to be brief and clear and does not cover every single way we handle your personal details in minute detail. However, we are happy to provide further information on request. 

Fundamentally, we should like to assure you that we will only process, store and use your data in a manner that is consistent with the basis on which you joined the BRHS. The BRHS Research team values your contribution to the study and understands the importance of protecting personal information.  In particular, your information will continue to be made available only to bona fide researchers undertaking health research that is in the public good.  We would also emphasise that wherever possible your data is de-identified such that direct and indirect identifiers are removed.

About the British Regional Heart Study (BRHS)

The BRHS is a national cohort cohort study, based in Research Department of Primary Care & Population Health in UCL Institute of Epidemiology and Health Care.  It is a long term research project that aims to identify the causes of why some people's health, development or wellbeing are good, while others may face challenges. The BRHS regularly contacts our surviving cohort (originally  7735 men) recruited from a General Practice in 24 British towns (1978-80) - about all aspects of their life.

For the purposes of data protection law, UCL is the entity that determines how and why your personal data is processed and so is the Data Controller.  The Director of the BRHS is responsible for overseeing the way in which the study team looks after your data on a day to day basis and acts as the Data Custodian.

As Data Controller, UCL decides how and why your personal data is processed. UCL aims to conduct research to the highest standards of research integrity. Our research is underpinned by policies and procedures that ensure we comply with regulations and legislation that govern the conduct of research; this includes data protection legislation such as the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA).

Further information on how UCL uses participant information can be found in our ‘general’ privacy notice and more specifically for participants in health and care research studies  

Our Commitment to the BRHS study participants
  • Taking part in the project is voluntary and you are free to withdraw at any time without giving a reason.
  • We will ensure that your personal data are processed lawfully, fairly, transparently, and for a specific purpose Confidentiality is very important to us.
  • You will not be identified from the research - researchers do not see your name with your information - they just see your ID number
  • We do not do research with the aim of commercial gain - all our research aims to benefit society and is not for profit.
  • Every research project is checked to make sure it meets the highest scientific and ethical standards.
  • There are independent experts whose job it is to look at what we do and how we do it to make sure your rights are protected.
Personal Information – what do we collect and where do we get it from?

The BRHS collects personal information about study participants from four sources of data (1) directly from participants (2) from their GP, (3) linkage to National Registries, NHS Health records. (4) 0ther publicly available data and (5) through data generation.  These are explained in more detail below.

1. Data collected directly from participants:   We will only use your personal data when the law allows us to. Most commonly, we will use your personal data to invite you to take part in data collections (clinic visit or for postal questionnaires).  Your personal data will be collected and processed primarily by our the BRHS team. Access to your personal information is limited to staff who have a legitimate need to see it for the purpose of carrying out their job within the BRHS study.  When participants attend the physical examination clinics (1978-80, 1998-2000, 2010-2012 2018 ), they provided a wide variety of data – weight, height and blood pressure and biological samples.  The BRHS has continued to collect more data directly from participants on a periodic basis, thorough Postal Surveys and Accelerometer surveys to measure movement, please see study webpages for more details.

2. Data collected directly from participants GP: The BRHS team contact Participants GP to obtain updates on specific health events and contact details,  please see study webpages for more details..

3. Data collected from linked healthcare data providers: A great deal of information is collected and stored about all of us in our official records, this information gives a detailed picture of many aspects of our life.  The information held and maintained by NHS Digital to provide further information about the health status of participants. Where we have permission the BRHS will identify and collect data from your health records; including those held by the NHS. To make sure we accurately identify your records we may have to share your personal data with third parties for the purpose of linking to health records (e.g. Name, address, NHS number, Date of Birth and postcode).  These organisations will then provide us with updates on the health of study participants.   NHS Central Registry for Mortality (identifiable data including date and cause of death), Cancer notifications (date of diagnosis and type of cancer), NHS Digital data for hospital admissions (HES, MMHDS, DIDS) (De identified data on hospital admissions, diagnosis, length of stay).  These data linkages are governed by Data Sharing Agreements with other data controllers to ensure that your information is kept secure.

4. Other publicly available data: including environment and weather data may be added to your record for example, grouped data about the area you live in such as level of deprivation or air pollution.

5. Data Generation:  With the data and samples that you provide us we are able to generate further data to enhance our database, particularly from undertaking assays of the samples. Biomarkers - which include common biomarkers, such as cholesterol, infectious disease markers, proteomic and metabolomic markers - and if you gave us permission, genetic data (ranging from genotype to exome sequence to whole genome sequence). Biological samples are shared securely with accredited biobanks and laboratories that store and process the samples on our behalf or for research purposes.

We de-identify (anonymise), pseudonymise (remove identifiers such as your name and replace this with a unique code or key) or delete personal information collected as part of their research at the earliest opportunity. All personal information is treated in the strictest confidence in accordance with the UK Data Protection Act 2018 and all samples in accordance with the Human Tissue Act (2004).

We will only share your personal details with third parties under strict conditions set out in a legally binding data processing contract. This offers assurances about the use, access and security of any personal data provided to the third party and prevents them passing on or selling your personal data. We also use Royal Mail for posting questionnaires, sending invitations to take part in other face-to-face data collections (e.g. home visits, clinics) and other correspondence associated with keeping in touch with you.

How we use your research data

Access to your data is strictly limited.   We will only ever collect your data with permission, for example by asking you to attend a clinic or complete a questionnaire. Once we have collected it, it will be processed for research use.  Participant information is split into two parts are held on separate secure research databases.

(1) Personal identifiable data is carefully controlled stores in a secure and restricted contact management database, to which only a small number of authorised staff have access.

The personal data are used to update and maintain contact with participants and their GP, so that we send invitations to assessments, survey data collections, clinical results or any other correspondence such as newsletters. In addition, we supply some of these identifiable fields to NHS Digital to perform the linkage with external health records needed for research purposes.

(2) Research data- They do not contain any personal details and are held together with the survey responses from thousands of other participants.  The research data does not contain any personal details that would enable you to be identified at individual level. 

Research from the BRHS has provided scientific-based evidence and knowledge to clinical guidelines and policy in the management and prevention of CVD. Our research goes beyond heart disease prevention and tries to look at strategies to improve the health of older people generally.  Our current research is investigating how to reduce co-morbidity related to heart disease, such as frailty and dementia- further information is available.

The research data is a scientific resource for the legitimate research community. Researchers working at other universities may apply to access research data. Principles and procedures set out in our Data sharing Framework.  If we share information with other organisations, safeguards are in place to ensure that your information is secure.  Research Data is robustly pseudonymised before it is shared securely with researchers. UCL has ISO-27001 certification which demonstrates that all efforts are taken to keep your data secure.  Data will only be shared with bona fide researchers to undertake health research that is in the public good.

Your contact details are never shared with researchers who process de-identified survey or research data.   We never make your personal details available to researchers or to any third parties who might use them for marketing purposes.  The personal information you provide us will not be used to make any decisions which could affect you in any way.

BRHS lawful basis for processing your data

A legal requirement of the UK GDPR is that we tell you about the legal basis on which the British Regional Heart Study research team will process your personal data.

The BRHS has always met to the statutory requirements.  Written consent was sought from all participants for their participation in 2003. Through the information materials and consent form the BRHS research team set out to explain the basis of such participation and a summary of the scope to which participant data would be used by the BRHS research team and wider research community.

The lawful basis for processing personal data (Article 6.1) e:  Public task: the processing is necessary for the data controller to perform a task in the public interest or for their official functions, and the task or function has a clear basis in law. and GDPR article 10 and Part 1 of the DPA 2018 for sensitive/special category personal data.

The legal basis within GDPR and the Data Protection Act 2018 is separate, and in addition to, the permission you gave to take part in the study. Legal basis for processing special category data: (Article 9.2) j: Processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.

UCL published a statement of tasks in the public interest  in August 2018 which summarises the lawful basis or reason for processing data for research purposes.

Legitimate interest

Legitimate interests are defined in the UK GDPR as “processing which is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.  UCL is the “data controller” and in the UK GDPR ; there is a 3-step test to demonstrate “legitimate interests”. This is set out as a series of questions and answers:

Legitimate interest purpose test: what are BRHS legitimate interests? 

What is BRHS trying to achieve? Our objective is to set up and manage a research resource for health-related research that is in the public interest.

Who benefits from BRHS processing? Patients and the wider public benefit in efforts to improve risk assessment and prediction of CVD in older adults, to developing novel CVD preventive strategies, to improving the health of older adults and to studying the genetic determinants of CVD and related comorbidity including frailty.

How significant/important are these benefits? The BRHS is a rich data resource, including a wide range of morbidity outcomes, phenotypes and a DNA data bank will enable a diverse research program to be undertaken by large consortia and by the wider research community to investigate the aetiology, causes and prevention of CVD and related morbidity in older age. The BRHS study aims to contribute to refinement of clinical guidelines for improved management of CVD in later life.

Legitimate interest necessity test: is the processing necessary for the legitimate interests? 

Is processing personal data a reasonable way to achieve the objective? Without the personal data provided voluntarily by BRHS study participants over the last 40+ years this resource would not exist.

Is there another less obtrusive way to meet our purposes? The data are stored in a way that makes it is extremely difficult even for the BRHS Research team to re-identify you.  Data provided to researchers have personal identifiers removed so that an individual participant cannot be identified. Taking part in the BRHS should not have any adverse effect on you.

Legitimate interest balancing test:  BRHS research team has to weigh up the participant’s interests.

Would participants expect the research team to use their data this way? Yes; this is what we set out in the information materials provided to participants and in the study consent form each of them signed.

How likely would a participant be to object? This is unlikely. Participants are free to withdraw from the study at any time.


The BRHS is a voluntary research study. You are under no statutory or contractual obligation to provide us with your personal data. 

Consent has been sought to underpin the follow-up of all participants for all-cause mortality and morbidity and has been regularly updated when the participants have re-attended for follow-up clinical assessments.  

Each person who joined the BRHS provided their consent for us to collect, store and make available information about them (including data from genetic and other assays of the samples that were collected) for health-related research, and for their health to be followed over many years through medical and other health-related records, as well as by being re-contacted by BRHS research team.

Consent has been obtained for ethical reasons, collection and use of human tissue and compliance with the Common Law Duty of Confidence for disclosure of confidential information.  With regards to the Common Law Duty of Confidence, we will ensure that this data is handled in line with participants' 'reasonable expectations'.  It gives UCL permission to hold and use information that identifies you. It also allows us to follow up on any changes to your health.    Study participants can withdraw from the study at any time.

Where it has not been possible or practical to contact study participants, we have approval from the NHS Health Research Authority’s Confidentiality Advisory Group (CAG) to obtain personal information directly from the NHS under a ‘Section 251 Exemption’.  Section 251 enables the common law duty of confidentiality to be lifted to enable disclosure of confidential patient information for medical purposes, where it was not possible to use anonymised information and where seeking consent is not practical. For information about the CAG and Section 251, please visit the Health Research Authority website.


Your rights under the GDPR

Under data protection legislation you have individual rights in relation to the personal information we hold about you. For the purposes of research where such individual rights would seriously impair research outcomes, such rights are limited. However under certain circumstances, these include:

Rights of access: 

Under data protection legislation you can get a copy of the information you gave to the surveys. Everyone has the right to access any personal data that is being kept about them. To make a request under Freedom of Information or Data Protection legislation, (e.g. the right of access of your personal data) please contact foi@ucl.ac.uk or data-protection@ucl.ac.uk respectively.   However, unless you are a professional researcher the data may be difficult to understand as they are in a complex format. 

Rights to restrict processing, to be forgotten, erasure and withdrawal: 

These rights are covered by your ability to withdraw from the BRHS at any time for any reason (although we very much hope that you choose not to exercise that right so that your data can continue to be used to help researchers study the causes, prevention and treatment of diseases).

Protecting your data

All data collected from questionnaires, clinical samples and electronic health related records are held securely and confidentially in accordance with the provisions of the GDPR 2018, the Data Protection Act (DPA) 2018 and also the NHS Information Governance requirements.  Your personal details and health data are stored securely in restricted-access computer network and lockable cabinets.

Only a limited number of people working for the BRHS have access to participants’ data with the personal identifiers (which is necessary in order to allow us to interact with you and add more information about each participant as it becomes available).  These individuals are subject to strict confidentiality provisions and are required to undertake regular Information governance and data security training. 

Retention of data- For how long is my information kept?

We keep your data for as long as is required for the purposes of the BRHS and our statutory and legal obligations.  The BRHS project is a long-term study and participants’ data will be kept for the duration of the project, the cohort will continue to be followed up to death, or until funding for follow up ceases.  Follow up is currently funded to September 2024 and an extension will be sought. UCL Records Retention guidance on retention states "the data of clinical or public health studies are kept for 10 years after the study has ended". The current date of retention will be 30th September 2034. Further details about how long personal information obtained for research is kept can be found in UCL records retention schedule.

Contacting us

Phoning or emailing us:

When you phone, email or text us we will verify your identity and ensure that you are a study participant before proceeding. We will also record relevant details (such as date or time) of the phone call, email or text message and any information that you give us will be recorded unless you request otherwise.  The University's third party email provider is Microsoft (Outlook). Please be aware that you have a responsibility to ensure that any email you send to us is within the bounds of the law.

Updating your contact details via email: 

When you update your contact details via email, the BRHS team will then update your contact details on our contact management system.  The University's third party email provider is Microsoft (Outlook).

Returning completed questionnaires, consent forms, reply slips or other written information:

When you return an item to us in writing (for example a questionnaire, consent form, reply slip or written letter) we will treat this information as confidential. Your personal details will be kept separately from your research data.

Via Social media:

The BRHS will not use this data for research purposes without asking for your permission. We will not attempt to use social media to collect your personal details.  Social media will only be used as a communication tool between us and you.  We may store your Facebook URL, Facebook email address or Twitter username so that we may continue to communicate with you. This piece of administrative data will be stored securely in our contact management database, along with your other contact details that you have provided to us in the past.

Posting information on social media:

The BRHS maintains a number of social media presences, most notably on Twitter. Users of these social media presences should be aware that any information posted is covered by the terms and conditions of the respective site and is in the public domain.  Please be aware that you have a responsibility to ensure that information you post on our social media sites is within the bounds of the law.

Visitors to our website

We are currently not collecting information from site users.  However, in the future, we may collect standard internet log information and details of visitor behaviour patterns. This may help us to find out things such as the number of visitors to the various parts of the site to help us monitor and improve our site. We will collect this information in a way which does not identify anyone. We will not make any attempt to find out the identities of those visiting our website. We will not associate any data gathered from this site with any personally identifying information from any source. If we do want to collect personally identifiable information through our website, we will be up front about this. We will make it clear when we collect personal information and will explain what we intend to do with it. We do not provide any personal information about users of our website to third parties or other users.


When you visit our website, it sends cookies to your computer. You can find information about managing cookies in different browsers here:

Internet Explorer

Concerns or complaints

The BRHS aims to meet the highest standards when collecting and using personal information. We encourage people to tell us if they think that our collection or use of information is unfair, misleading or inappropriate. We would also welcome any suggestions for improving the way we handle your personal details.

If you have any questions about the way in which the BRHS is using your personal information, please do not hesitate to contact us. 

Phone us: 020 8016 8021 

Write to us: Lucy Lennon, Senior Research Study Manager, British Regional Heart Study, Department of Primary Care & Population Health, Institute of Epidemiology and Health Care, UCL Faculty of Population Health Sciences, UCL Medical School, Royal Free Campus, Rowland Hill Street London NW3 2PF

Email us:  l.lennon@ucl.ac.uk

If you have any questions about how your personal information is used, or wish to exercise any of your rights, please consult the University’s data protection webpages. If you need further assistance, please contact the University’s Data Protection Officer (data-protection@ucl.ac.uk)

You can contact UCL by telephoning +44 (0)20 7679 2000 or by writing to: University College London, Gower Street, London WC1E 6BT.

If you are not happy with the way your information is being handled, or with the response received from us, you have the right to lodge a complaint with the Information Commissioner’s Office at Wycliffe House, Water Lane, Wilmslow, SK9 5AF (https://ico.org.uk/).