Information security and privacy notice

The data we have collected on you for the CHS study is to enable us to look at whether growth and development during childhood and adolescence may be associated with risk factors for chronic diseases such as heart disease and diabetes. We have a wide range of different types of data; (a) questionnaire –self-report (b) clinic measurements - things like weight or blood pressure taken by the practice nurse, (c) biomarkers – measures derived from a blood sample such as cholesterol (d) outcome data such as whether a participant has reported a heart attack or has been diagnosed with cancer and sadly if they have died what was the cause of death. We obtained causes of death or diagnosis of cancer by linking our research data with the records held by NHS-Digital (NHS-D) who support medical research. To do this we provided NHS-D with the forename, surname, date of birth and NHS number of our study participants. In return NHS-D provided us with details from the death certificate for those subjects who had sadly died or the cancer registration information for subjects who were diagnosed with cancer.

We take data security very seriously and adhere fully to the University of Bristol’s data protection and information security policies and procedures. University of Bristol is the Data Controller, and is responsible for ensuring that all data are securely stored, handled and used in accordance with the Data Protection Act 2018 and General Data Protection Regulation (GDPR). University of Bristol data policies and procedures comply with legislative and regulatory requirements, including NHS standards. The principal investigator remains the Data Custodian and oversees the way in which the study members’ data are looked after.

All contact information, such as names, addresses and telephone numbers of study members, is stored on an IT network that is protected by digital access controls, firewalls, security testing, full auditing, and other security provisions, to protect against the risk of unauthorised access. This system is also physically locked down and is only accessible by authorised personnel.

The same security measures are applied to all data that has been collected on study participants, be it questionnaire, clinical data or from any blood samples. All participants are coded with an arbitrary reference number, which means that researchers analysing results cannot directly identify participants and never see any contact information. Similarly, any data that is shared with research collaborators is fully anonymised to protect confidentiality and only used for approved ethical research purposes. All paper records are kept locked away in a secure storage area with restricted access. We will keep your data until we feel it no longer can add to our scientific knowledge and help society. At this moment this will review the value of the study again in 2025 at which point we will decide if we should continue to look after the data for longer or destroy it.

The legal basis for personal data to be obtained and processed for this purpose is Article 9 (2) (j) that covers processing that is necessary for reasons of public interest in the area of research.

Participants whose data is being processed have certain rights over their data. Further details can be found in the University of Bristol’s Data Protection Policy. Anyone who believes their data is being processed in a way that isn’t fully compliant with requirements has the right to submit a complaint to the Information Commissioner’s Office.

Any queries about the University of Bristol’s compliance with data protection requirements should be directed to data-protection@bristol.ac.uk or (0117) 3941824.