Our Commitment to Data Privacy and Confidentiality
Data Controller
For the purposes of any applicable data protection laws in England, Wales and Scotland, including the EU General Data Protection Regulation 2016/679 (GDPR), Imperial College London becomes the Data Controller of your personal information once your data has been made available to us. The College is registered with the Information Commissioner’s Office under Z5940050.
Who we are
What we do
The kind of information we hold about you
The personal information we hold about you comes from a number of data providers, including records collected by NHS England, the Office for National Statistics (ONS), the Welsh Cancer Intelligence & Surveillance Unit (WCISU) and other national sources. We hold information about birth and death registrations, cancer and tumour diseases, visits to hospital - emergency care, hospital admissions, and data from other NHS services.
The data we receive do not include your name. However, they may include information such as NHS Number, Postcode, Address, Date of Birth, Date of Death, Ethnicity and Gender as well as coded information about your health condition, illnesses and treatments.
How is your personal information collected?
Legal basis for processing your personal information
Under data protection legislation, we have responsibilities as a ‘data controller’. This means that we need a legal basis when using personal information. Our legal basis for using different types of personal information, including health information, is as follows:
1. Personal data
Where it is necessary for the performance of a task carried out in the public interest in the area of public health
2. Special Categories of data
When necessary for processing in the public interest for aims that are proportionate and respect people’s rights, like scientific research or statistical purposes
We will only use your personal information when the law allows us to in the following circumstances:
All our research applications are reviewed every five years by an expert independent scientific committee, the National Research Ethics Service (NRES), with an annual report submitted to the committee to report progress and any changes. SAHSU requests data for its research database from England, Wales and Scotland.
England and Wales
Scotland
We seek approval from the Public Benefit and Privacy Panel for Health and Social Care (PBPP), the governance structure of NHS Scotland to access patient information from the NHS Board in Scotland. Our application undergoes proportionate governance review in terms of information governance, confidentiality and data protection by PBPP during the approval process.
How we use your information
- To develop and maintain databases of health data, environmental exposures and socio-demographic factors
- To carry out substantive research studies on environment and health issues including studies of the relationship between socio-economic factors and health, in collaboration with other scientific groups as necessary
- In collaboration with other scientific groups, to build up reliable background information on the distribution of environmental exposure, socio-economic data and disease among small areas
- To develop methods for analysing and interpreting health outcomes related to small areas
- To act as a centre of expertise, disseminating information on developments in spatial epidemiological methods to national and regional groups
- To respond rapidly, with expert advice, to ad hoc queries from the Department of Health and Social Care and UK Health Security Agency about unusual clusters of disease, particularly in the neighbourhood of industrial installations
Our confidentiality pledge – Keeping your information secure and confidential
We hold national health data on a secure network, with restricted access, no internet links or connection to the College network. There are rigorous controls in place which enable us to access your information and use it responsibly. These include restricting access to trained researchers and ensuring data in research outputs do not identify you as an individual. In order to use your data, we have to meet strict conditions that we are legally required to follow, which include making a written commitment to our data providers.
We ensure anyone who has access to your personal information has had compulsory training on data security awareness and confidentiality. All staff have contractual confidentiality obligations, enforceable through disciplinary procedures. In addition, they are required to comply with the appropriate Data Protection legislation to ensure your personal information is handled and stored securely.
Information provided to us will only be used for the purposes stated in our data applications. We undertake strict organisational and technical measures to ensure your personal information is held securely at all times. We have a robust information governance framework which sets a high standard in the way we handle and process your information.
We protect your information using the following security measures:
- We do not share your information with third parties.
- We will remove your information at the end of our research or when our data sharing agreements with our data providers have ended or at your request.
- We recognise that you share personal information with us and we will treat it as confidential.
- We use your information for statistical purposes and are committed to protecting your privacy.
- We adhere to and conform to national guidelines to suppress small numbers in all our publications and we will not publish anything that may identify you personally.
- We maintain the security of our systems and our premises so that your data remain secure at all times.
- We keep our Information Technology (IT) systems up-to-date to protect us from viruses and other threats.
- We restrict access to your information by using passwords or swipe cards to control access to data. We also use encryption so your personal data can only be read with a code.
- All of our staff receive training to ensure they remain aware of their responsibilities.
- Only a limited number of authorised staff have access to personal data where it is appropriate to their role. They are obliged to uphold confidentiality, and may face disciplinary procedures if they do not do so.
Data Sharing
Data Retention – How long your information is kept
Your rights regarding personal information
As part of the aforementioned framework, and due to the information held by the Small Area Health Statistics Unit being provided directly by organisations holding health and social care data on a national basis, you can read about the choices you have, including the national data opt out, via the following which gives you more control and confidence over how your data is used.
- Refer to Opting out of sharing your confidential patient information for the choices regarding your information
- Further information on opt-out can be found at https://www.nhs.uk/your-nhs-data-matters
If you decide to opt out of your confidential patient information being used for research, your decision will only apply within the health and care system in England. Following your decision to opt-out, NHS England and other organisations will respect and uphold your decision.
If you decide to opt out of the SAHSU research database, you will need to write to the Data and Information Services Manager, Hima Daby, as per the details further below.
Request access to SAHSU health data holdings
If you require access to the health records that the Small Area Health Statistics Unit holds about you, you will need to send a written request to the Director of SAHSU.
Professor Paul Elliott
Director, Small Area Health Statistics Unit (SAHSU),
Department of Epidemiology and Biostatistics, School of Public Health, School of Public Health Building, White City campus, 90 Wood Lane, London, W12 0BZ
What we may need from you
Raising a concern
Hima Daby
Data and Information Services Manager, Small Area Health Statistics Unit (SAHSU)
Department of Epidemiology and Biostatistics, School of Public Health, Faculty of Medicine,
Imperial College London, St Mary's Campus, Norfolk Place, London W2 1PG
Contact us
Data Protection Officer details
Email: dpo@imperial.ac.uk
Telephone: 020 7594 3502
Postal Address: Data Protection Officer, Imperial College London, Faculty Building Level 4, London SW7 2AZ
If you are not satisfied with our response or believe we are processing your personal data in a way that is not lawful you can complain to the Information Commissioner’s Office (ICO). The ICO does recommend that you seek to resolve matters with the data controller (Imperial College) first before involving the regulator.