Privacy policy (Version 1, 31 March 2021 – 30 September 2021)

The UK Longitudinal Linkage Collaboration (UK LLC) is designed to support longitudinal research studies and research analysts working within the UK. It has been set up in response to the coronavirus pandemic to allow for the investigation into high priority COVID-19 research questions and help inform public health and social policy.

The UK LLC research database contains information, or data, on millions of people from many UK Longitudinal Population Studies. These types of studies follow aspects of people’s health and wellbeing over time. They can involve collecting data about many aspects of their lives including health status, social status (e.g. occupation, family structure), biological samples (such as blood and saliva) which provides genetic information and environmental information (such as air pollution, the amount of green space around homes), which can then be used for COVID-19 research purposes.

If you have enrolled into a longitudinal study then your data may be in the UK LLC database.

Who is involved?

The database has been designed and built by longitudinal study managers and privacy experts on behalf of all the studies involved. The studies who contribute data are involved in its design and operation. Every collaborating study can see and control how its data are being used, and make sure the rules they set with people participating in their study are being applied.

How does it work?

The UK LLC provides a secure ‘trusted research environment’. This is a safe place in which the data from these studies can be stored, curated and analysed by approved researchers. All data in the UK LLC is anonymised, preventing anyone from discovering the identity of study participants. At no point in any process do UK LLC staff or researchers see names, addresses or other possible identifiers (e.g. NHS ID). All staff and researchers are subject to strict user agreements designed to protect the confidentiality of every single participant.

The UK LLC puts processes in place to make sure the data is as accurate and well organised as possible. The UK LLC then share these processed data, within the trusted research environment, with researchers in order to conduct COVID-19 research.

The UK LLC works with the collaborating studies and data owners, such as the NHS, to protect the privacy of all individuals whose data are held in our database and also the privacy of users of the UK LLC.The UK LLC needs to collect and process the personal data of individuals who have volunteered to take part in the longitudinal population studies that have agreed to be a part of the UK LLC in order to fulfil its statutory functions and operate effectively. Personal data is processed for a variety of reasons relating to research; all personal data will be collected and processed in accordance with the requirements of the UK General Data Protection Regulations (GDPR) and the UK Data Protection Act 2018. The UK LLC is committed to handling, storing and using your data properly, lawfully and in an ethical way.

In this notice we will explain how participants/your data will be used by UK LLC:

• Personal data means any data which can identify you directly or indirectly (whether itself or when combined with other data), regardless of the format or media on which the data are stored. This includes data that can identify you when combined with other data that is held separately (de-identified data).
• De-identified data means data which have had all identifiers removed and which is controlled to the point where re-identification is no longer reasonably likely. This de-identified data will have a unique ID number for each individual in the data set, but the users will not have access to the key that converts the ID number to identifiers such as name.
• Processing means any activity relating to your personal data including collection, use, alteration, storage, disclosure and destruction.

We will explain:

1. who controls the use of your data;
2. the legal basis we have for holding your personal data;
3. how the design of the UK LLC ensures the confidentiality of your data;
4. what to expect if you are a participant in a collaborating study;5. collaborating studies and their contact details;
5. how long the UK LLC will retain your data;
6. the organisations with which your personal identifiers are shared;
7. where your data is stored;
8. how your data are being used:- for users of the UK LLC; for users of the UK LLC website, mailings lists and other communication channels; for users of the UK LLC and mailing lists only; and how you can withdraw your consent.
9. how you can withdraw consent for us (UK LLC) to hold your data;
10. your rights;
11. changes to our privacy policy.

This privacy notice is intended to be clear and does not cover every single way we handle your personal details in detail. We are happy to provide further information on request. You can do this by emailing us at project-infoukllc@bristol.ac.uk

1. Who controls the use of your data

The UK LLC is part of the University of Bristol, which is the Data Controller for the information placed in the UK LLC research database.

The University can be contacted at:Data Protection Officer
University of Bristol
Beacon House
Queens Road
Bristol
BS8 1QU
UK
Email: data-protection@bristol.ac.uk

2. The legal basis we have for studies providing your personal data into the UK LLC

high priority COVID-19 scientific research by linking together longitudinal study data with participant health and social records and making these data research ready within a centralised secure location. This is part of the wider purpose of the University of Bristol to conduct research aiming to improve scientific understanding.

There are two distinct channels that studies may use to contribute your information to enable this:

A. In England and Wales

They will use for the duration of the COVID-19 ‘emergency’ Regulation 3 of the Health Service (Control of Patient Information) Regulations 2002 to process confidential patient information without consent. This allows data sharing to support urgent COVID-19 research only.

This legal basis is a short-term measure brought in specifically to address the ability to answer important research questions quickly during the COVID-19 pandemic. Collaborating studies will revert to using their own legal basis once this legislation has expired (Sept 2021). This will either be based on

1. your opt-in consent, or
2. based on providing you with clear information, a means to object and using Regulation 5 of the Health Service (Control of Patient Information) Regulations 2002

This does not impact on your rights in any way. You are able to object and we will not seek to override any existing objections set with your study.

B. The legal basis for the UK LLC under UK GDPR and the Data Protection Act 2018:

1. performance of a task carried out in the public interest (Article 6(1)(e) in the GDPR); and, where sensitive personal information is involved:
2. scientific or historical research purposes or statistical purposes (Article 9(2)(j) in accordance with Article 89(1)).The GDPR defines ‘sensitive personal information’ as information that reveals a person’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership; and the processing of genetic data or biometric data for the purpose of uniquely identifying a person; data concerning health or data concerning sex life or sexual orientation.

This legal basis within GDPR and the Data Protection Act 2018 is separate to, and in addition to, the actions and legal basis of the contributing studies which establishes the basis for your data to be collected, processed and shared for research purposes.

3. How the design of the UK LLC ensures the confidentiality of your data

The UK LLC only contains data that has had all identifiable information, such as name and address, removed. This type of data is referred to as ‘de-identified’. The way in which the UK LLC has been designed means the risk of any person being identified by users is minimised to the point where it is not likely to happen. The following step by step process explains how the data moves between all parties to ensure confidentiality.

This diagram helps to visualise the flow of data:

Through this separation principle, the full identifiable datasets remain with the data owners (e.g, contributing studies, the NHS). The DHCW only see identifiers and the UK LLC only access de-identified data. This principle has been used for over a decade in the SAIL Databank and is now used in research and statistical settings across the UK (for example, the Office for National Statistics use this approach for their research datasets).

Only the UK LLC staff (at the University of Bristol) and the IT staff keeping the system safe (at the University of Swansea) have access to all the UK LLC datasets. This is necessary for data management and preparation. Where it may be considered that the provisions of the UK GDPR apply to the UK LLC as a whole because of the breadth of data held, we rely on the provisions for research in the public interest (GDPR Article 6(1)(e) and 9(2)(j) as our lawful basis for processing.

Legitimate UK based researchers are able to apply to access the data in the UK LLC. They will need to demonstrate that they will be competent and safe users, that their project is in the public interest, is not run for profit making purposes, and will meet the requirements of the collaborating studies and data owners. If approved, the researchers will define the minimum data needed to conduct their research.

4. What to expect if you are a participant in a collaborating study

The UK LLC does not change your relationship with the study or studies you are part of.

Your study remains the owner and Data Controller of the study data and has ultimate control of how your data is used in the UK LLC. The UK LLC (University of Bristol) also control your data in terms of day to day processing and curation, establishing the linkages to routine records and integrating the data and the management of research users.

The UK LLC is not able to identify any individual in the data it holds. This means we cannot confirm if your or anyone else’s data is held in the UK LLC. This also means we do not have the ability to apply opt-out/objection requests from members of the collaborating studies. Only your study/studies can tell if your data is included.

Collaborating studies only provide data on some of their participants. Those who have opted out to the study using NHS and other records in research will be excluded from these linkages, and those who have withdrawn from the study will not be included at all.

Where participants change their mind (e.g. tell a study they do not want their NHS records used, or they want to withdraw from the study) then this information is regularly fed to the UK LLC and records will be deleted from the core UK LLC dataset. Where the data is already being used in research projects it is not possible to delete it, but we will make sure the data is not used in any new projects.

5. Collaborating studies and their contact details

This list will be completed as studies migrate copies of their data into the UK LLC database. Currently there is no data in the UK LLC secure research database.

6. How long the UK LLC will retain your data

The UK LLC will hold your data for the indefinite future. This is appropriate and proportionate as it is for scientific public good purposes and it is specifically designed to support longitudinal research which takes place across very long time frames. We (UK LLC) respect the right of all participants to change their mind about how they participate in their study or if they want to withdraw. We will implement changes in a timely manner.

7. Your personal identifiers are shared by your study with the following organisations:

The Digital Health & Care Wales (DHCW) who will act as Data Processors tasked with securely distributing identifiers to relevant UK data owners; and to encrypt the identifiers into a de-identified list of individuals and to manage the encryption keys. This process is critical in allowing the UK LLC to function in a de-identified way.

In turn the Digital Health & Care Wales (DHCW) will share identifiers with:

• The UK NHS authorities who share records with researchers (including NHS Digital in England, Public Health Scotland/eDRIS/National Records of Scotland in Scotland, SAIL databank in Wales, NHS Northern Ireland Business Development Organisation in NI). They will use these identifiers to find study participant records within their databases and to extract relevant information from these, de-identify these extracts and make them available to the UK LLC for research purposes. This process will not alter the health record (it will only take a copy) and will not impact on service provision;
• The UK statistical agencies (including the Office for National Statistics in England and Wales, eDRIS/National Records of Scotland in Scotland, Northern Ireland Statistics & Research Agency in NI). They will use these identifiers to find study participant records within their databases and to extract relevant information from these, de-identify these extracts and make them available to the UK LLC for research purposes. This process will not alter the underlying record (it will only take a copy) and will not impact on service provision. This process will not be a way in which government departments will find out new information about members of the public;
• The University of Leicester will receive address data only in order to link this to precise location of the property and then map information to the property; such as air pollution, noise data, services and the amount of greenspace around the property. The University of Leicester will not know which address relates to any person or their involvement in any study. Randomly selected real UK addresses will be added to the list to make sure nothing can be inferred from this process.

8. Where your data is stored

The data will be stored on secure servers controlled by the University of Bristol and located at the University of Swansea (data processors to University of Bristol for the UK LLC.) The University of Swansea are UK leaders in providing this type of secure research server in the UK and internationally. The servers are managed to Information Security best practice standards (ISO27001) and are regularly audited by IT and security professionals, the NHS and the UK statistics authorities.

9. How your data are being used

We will provide a full list of who is using UK LLC data, who they are employed by, what purpose they have, which data they are using and what the outcomes of their research investigations are. For this information you can email project-infoukllc@bristol.ac.uk

It applies to information we collect when you:

• Visit our website (launching April 2021)
• Post information on social media (launching April 2021)
• Complete an online proposal form (researchers)
• Complete a data access agreement, data transfer agreement, material transfer agreement, confidentiality agreement or data user responsibilities agreement (researchers)
• Submit a manuscript for review (researchers)

It also applies to the way we handle, process and store your information in:

• Sending mail and email
• Providing research data for use in scientific research

10. How you can withdraw consent for us (UK LLC) to hold your data

You need to contact your study to let them know you wish to withdraw consent for the UK LLC to hold your data. Your study will then notify the UK LLC with this information and your data will be withdrawn. Your study is responsible for your consent preferences.

11. Your rights

The UK LLC aims to meet the highest standards when collecting and using personal information. We encourage people to tell us if they think that our collection or use of information is unfair, misleading or inappropriate. We would also welcome any suggestions for improving the way we handle your personal details.

The General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018 provides individuals with rights over how their data are used. The UK LLC supports these rights.

Those who use the UK LLC or those accessing our website have a right to access their personal information, to object to the processing of their personal information, to rectify, to erase, to restrict and to port their personal information. Please visit the University of Bristol website pages on fair processing for further information in relation to your rights.

If you would like to complain about our handling of your data, contact the University’s Information Rights Officer via email at data-protection@bristol.ac.uk.

Or by post to:Data Protection Officer
University of Bristol
Beacon House
Queens Road
Bristol BS8 1QU
UK

If you remain dissatisfied, it is your right to complain directly to the Information Commissioner for a decision. The Information Commissioner can be contacted at:Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
ico.org.uk

12. Changes to our privacy policy

Please note that UK LLC (University of Bristol) may change this notice by updating this page. This notice is Version 1 and was updated on the 31st March 2021.