Our Commitment to Data Privacy and Confidentiality  

Imperial College (the “College”, “we” or “our”) is committed to protect your personal information privacy and security. The College takes your confidentiality and privacy rights very seriously. This notice explains who we are and what we do. It also explains the type of information we hold about you as well as how we use, store and protect your personal information. This notice forms part of our accountability and transparency to you under the General Data Protection Regulation (GDPR) 2018 and the Data Protection Act 2018. This notice applies in addition to the College's relevant policies, including the College’s Data Protection and Information Security Codes of practice  and Information Security Policy.
 

Data Controller

For the purposes of any applicable data protection laws in England, Wales and Scotland, including the EU General Data Protection Regulation 2016/679 (GDPR), Imperial College London becomes the Data Controller of your personal information once your data has been made available to us. The College is registered with the Information Commissioner’s Office under Z5940050.

Who we are

The Small Area Health Statistics Unit (SAHSU) is a long-standing and internationally recognised centre of excellence in spatial and environmental epidemiology. SAHSU was established in 1987 following a recommendation from the Black Enquiry into clusters of leukaemia and lymphoma around the Sellafield nuclear power plant. For further information, please refer to the ‘About Us’ page.
 

What we do

SAHSU undertakes statistical analyses of health, environmental, and demographic and socioeconomic data. The focus of SAHSU’s research programme is to investigate key public health issues associated with environmental factors at a small area level. In addition, our work provides evidence about population health risks to inform public health policy. 
 

The kind of information we hold about you

The personal information we hold about you comes from a number of data providers, including records collected by NHS England, the Office for National Statistics (ONS), the Welsh Cancer Intelligence & Surveillance Unit (WCISU) and other national sources. We hold information about birth and death registrations, cancer and tumour diseases, visits to hospital - emergency care, hospital admissions, and data from other NHS services.

The data we receive do not include your name. However, they may include information such as NHS Number, Postcode, Address, Date of Birth, Date of Death, Ethnicity and Gender as well as coded information about your health condition, illnesses and treatments.

How is your personal information collected?

All the information we collect about you is controlled by legally binding data sharing contracts between the data providers and the College. Data extracts are transferred to us via the data providers’ secure electronic file transfer service to a named individual – the Data and Information Services Manager of SAHSU.
 

Legal basis for processing your personal information

Under data protection legislation, we have responsibilities as a ‘data controller’. This means that we need a legal basis when using personal information. Our legal basis for using different types of personal information, including health information is as follows: 

1.   Personal data
Where it is necessary for the performance of a task carried out in the public interest in the area of public health

2.   Special Categories of data
When necessary for processing in the public interest for aims that are proportionate and respect people’s rights, like scientific research or statistical purposes 

We will only use your personal information when the law allows us to in the following circumstances:

All our research applications are reviewed by an expert independent scientific committee - National Research Ethics Service (NRES) every five years with an annual report submission to the committee to report progress and any changes. SAHSU requests data for its research database from England, Wales and Scotland.

England and Wales

The Health Research Authority’s Confidentiality and Advisory Group (CAG) - an independent body who protect and promote the interests of patients and the public - has given us limited permission to use confidential patient information when it is necessary for our research work. This approval is given under Regulation 5 of the Health Service (Control of Patient Information) Regulations 2002 – also known as Section 251 of the NHS Act 2006 and is based on the advice of CAG.
 
The NHS England interim Data Advisory Group, and other Caldicott Committees e.g. UK Health Security Agency, the Wales Cancer Intelligence and Surveillance Unit assess advice from the CAG and NRES to approve our data applications before releasing your information to us.
 

Scotland

We seek approval from the Public Benefit and Privacy Panel for Health and Social Care (PBPP), the governance structure of NHS Scotland to access patient information from the NHS Board in Scotland. Our application undergoes proportionate governance review in terms of information governance, confidentiality and data protection by PBPP during the approval process.

How we use your information

Your information is invaluable to us. Without it, we would not be able to conduct research and surveillance to protect public health and support improvements in health and care outcomes. We are committed to protect your confidentiality rights. Having information on the entire population is essential to investigate national environmental health concerns, conduct disease surveillance and detect disease clusters.
 
SAHSU has a programme of work agreed with the UK Health Security Agency and is defined by the following terms of reference:
  • To develop and maintain databases of health data, environmental exposures and socio-demographic factors
  • To carry out substantive research studies on environment and health issues including studies of the relationship between socio-economic factors and health, in collaboration with other scientific groups as necessary
  • In collaboration with other scientific groups, to build up reliable background information on the distribution of environmental exposure, socio-economic data and disease among small areas
  • To develop methods for analysing and interpreting health outcomes related to small areas
  • To act as a centre of expertise, disseminating information on developments in spatial epidemiological methods to national and regional groups
  • To respond rapidly, with expert advice, to ad hoc queries from the Department of Health and Social Care and UK Health Security Agency about unusual clusters of disease, particularly in the neighbourhood of industrial installations

Our confidentiality pledge – Keeping your information secure and confidential

We hold national health data on a secure network, with restricted access, no internet links or connection to the College network. There are rigorous controls in place which enable us to access your information and use it responsibly. These include restricting access to trained researchers and ensuring data in research outputs do not identify you as an individual. In order to use your data, we have to meet strict conditions that we are legally required to follow, which include making a written commitment to our data providers.

We ensure anyone who has access to your personal information has had compulsory training on data security awareness and confidentiality. All staff have contractual confidentiality obligations, enforceable through disciplinary procedures. In addition, they are required to comply with the appropriate Data Protection legislation to ensure your personal information is handled and stored securely.

Information provided to us will only be used for the purposes stated in our data applications. We undertake strict organisational and technical measures to ensure your personal information is held securely at all times. We have a robust information governance framework which sets a high standard in the way we handle and process your information.

We protect your information using the following security measures:

  • We do not share your information with third parties.
  • We will remove your information at the end of our research or when our data sharing agreements with our data providers have ended or at your request.
  • We recognise that you share personal information with us and we will treat it as confidential.
  • We use your information for statistical purposes and are committed to protecting your privacy.
  • We adhere to and conform to national guidelines to suppress small numbers in all our publications and we will not publish anything that may identify you personally.
  • We maintain the security of our systems and our premises so that your data remain secure at all times.
  • We keep our Information Technology (IT) systems up-to-date to protect us from viruses and other threats.
  • We restrict access to your information by using passwords or swipe cards to control access to data. We also use encryption so your personal data can only be read with a code.
  • All of our staff receive training to ensure they remain aware of their responsibilities.
  • Only a limited number of authorised staff have access to personal data where it is appropriate to their role. They are obliged to uphold confidentiality, and may face disciplinary procedures if they do not do so.

​Data Sharing

Your personal data is only used for the purposes agreed in legally binding data sharing contracts issued by our data providers. We do not share your personal information with third parties. We do not transfer your personal information outside the College’s secure information systems. 
 

Data Retention – How long your information is kept

We will only keep personal information for as long as necessary to fulfil the purposes described in the section above ‘How we use your information’. When the retention period as stated in legally binding Data Access Agreements issued by our data providers has expired and the personal information is no longer necessary for the stated purpose, the information will be destroyed.
 
Processed data that do not contain any identifying information and is used for research studies for reporting, accounting, or legal purposes may be stored in accordance with the College's retention schedule - (refer to page 6 for research studies).
 

Your rights regarding personal information

As part of the aforementioned framework, and due to the information held by the Small Area Health Statistics Unit being provided directly by organisations holding health and social care data on a national basis, you can read about the choices you have, including the national data opt out, via the following which gives you more control and confidence over how your data is used.
 

If you decide to opt out of your confidential patient information being used for research, your decision will only apply within the health and care system in England. Following your decision to opt-out, NHS England and other organisations will respect and uphold your decision.

If you decide to opt out of the SAHSU research database, you will need to write to the Data and Information Services Manager, Hima Daby as per the details further below.

Request access to SAHSU health data holdings

If you require access to the health records that the Small Area Health Statistics Unit holds about you, you will need to send a written request to the Director of SAHSU.

Professor Paul Elliott
Director, Small Area Health Statistics Unit (SAHSU),
Department of Epidemiology and Biostatistics, School of Public Health, School of Public Health Building, White City campus, 90 Wood Lane, London, W12 0BZ

 

What we may need from you

We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal information is not disclosed to any person who has no right to receive it. 
 

Raising a concern

If you have a concern regarding the way your records are managed or to learn more about how we use, manage and maintain the confidentiality of your information, please contact:
 

Hima Daby
Data and Information Services Manager, Small Area Health Statistics Unit (SAHSU)
Department of Epidemiology and Biostatistics, School of Public Health, Faculty of Medicine,
Imperial College London, St Mary's Campus, Norfolk Place, London W2 1PG

 

Contact us

If you wish to raise a complaint about how we have handled your personal data or if you want to find out more about how we use and process your information, please contact Imperial College London’s Data Protection Officer as per details below. 

 

Data Protection Officer details

The College has appointed a Data Protection Officer, whose duties include monitoring internal compliance and advising the college on its data protection policies, can be contacted via the following methods:

Email: dpo@imperial.ac.uk
Telephone: 020 7594 3502
Postal Address: Data Protection Officer, Imperial College London, Faculty Building Level 4, London SW7 2AZ

If you are not satisfied with our response or believe we are processing your personal data in a way that is not lawful you can complain to the Information Commissioner’s Office (ICO). The ICO does recommend that you seek to resolve matters with the data controller (Imperial College) first before involving the regulator. 

Changes to this privacy notice

We reserve the right to update this privacy notice at any time, and we will provide you with a new privacy notice when we make any substantial updates. We may also notify you in other ways from time to time about the processing of your personal information. 
MRC Centre for Environment and Health