PRIVACY NOTICE FOR RESEARCH PARTICIPANTS
Queen’s University Belfast (“we”, “us” and “our”) is committed to protecting your personal data. The notice is addressed to research participants (“you” and “your”). This Privacy Notice tells you why we need to collect personal information about you, what we will do with it, and how we will look after it. It also tells you about your legal rights in relation to your Personal Data. If you have any questions about this privacy notice, please contact us. Contact details are provided below.
WHO WE ARE
1. We are Queen’s University Belfast, a university with a reputation for excellence in education and research and a member of the Russell Group. Founded in 1845 as Queen's College Belfast, we became an independent university in 1908. We conduct research to the highest standards of research integrity within a research culture that values knowledge-creation for its own sake; for the potential benefits it promises humankind; and for the ways it enriches higher learning.
2. As a consequence, and as stated in our University Charter our research outcomes are in the public interest. All our research is underpinned by policies and procedures that ensure we comply with regulations and legislation that govern the conduct of research. This includes data protection legislation: the General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018 (DPA). In the case of health and social care research, which should serve the public interest, where we have to demonstrate that our research serves the interests of society as a whole.
HOW YOUR PERSONAL DATA IS COLLECTED
3. The type of personal information collected and used will depend on the particular research objectives of the project you are taking part in. Information collected will be proportionate to achieving those objectives and details that are not necessary will not be asked for or collected. The Participant Information Sheet will inform you of what information will be collected about you.
4. The University may process some information about you that is considered to be “sensitive”, this is called “special category” personal data and includes information concerning ethnicity, sexual orientation, gender identity, religious beliefs, or details about your health. These types of information have additional protections.
5. Some specific research projects may collect information about past criminal convictions.
6. Access to, and sharing of, special category and sensitive personal data is controlled very carefully and you will be specifically informed about this in your Participant Information Sheet.
HOW WE USE YOUR PERSONAL DATA
7. We use your Personal Data and Sensitive Personal Data collected for the research purposes as set out in the Participant Information Sheet.
8. In order to protect your rights and freedoms when using your personal information for research and to process special category information the University special safeguards in place to protect your information, and all information is kept in line with our policies and regulatory requirements.
9. In addition to the above University safeguards the GDPR and the DPA also require us to meet the following standards when we conduct research with your personal information:
- the research will not cause damage or distress to someone (e.g., physical harm, financial loss or psychological pain).
- the research is not carried out in order to do or decide something in relation to an individual person, unless the processing is for medical research approved by a research ethics committee.
- the Data Controller has technical and organisational safeguards in place (e.g. appropriate staff training and security measures).
- if processing a special category of data, this must be subject to a further public interest test to make sure this particularly sensitive information is required to meet the research objectives.
LEGAL BASIS FOR COLLECTING AND USING YOUR PERSONAL DATA
10. We will only use your Personal Data if we have valid reasons for doing so. These reasons are known as our “legal basis for processing”.
11. In the context of research, the lawful basis upon which we will process your personal information is usually where “Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller” (Article 6 of GDPR).
12. Where we also collect and use more sensitive personal information (Special Category data) we only do so where “the processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes… which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject”. (Article 9 of GDPR).
13. Personal information relating to criminal convictions must also be treated with extra care just like special category information and Schedule 1 of the Data Protection Act 2018 provides a specific condition to allow it to be collected for research purposes if the special safeguards are in place.
14. Where we need to rely on a different legal condition, such as consent, we will inform you of this in the Participant Information Sheet provided to you. In clinical trials or medical studies, for example, we may use the following condition: • “Processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards”.
WHO WE SHARE YOUR DATA WITH
15. Your information will usually be shared within the research team conducting the project you are participating in. This may include collaborators who are not employed by the University. Where this is the case you will be informed about this in your Participant Information Sheet.
16. It may sometimes be necessary to share your personal information with other researchers for the purpose of achieving the research outcomes. If this is relevant to the research you are involved with, you will be provided with information about this in your Participant Information Sheet. Information shared will be on a need to know basis, not excessive and with all appropriate safeguards in place to ensure the security of your information.
17. We also sometimes use products or services provided by third parties who carry out a task on our behalf, such as a transcribing service. These third parties are known as data processors and when we use them we have contractual terms, policies and procedures to ensure confidentiality is respected. This does not always mean that they access your information. The University remains responsible for your personal information as the Data controller and should researchers use another third party service to process your personal information they will provide you with details about the relationship they have with the service provider/supplier/collaborator on the Participant Information Sheet.
DATA PROCESSING OUTSIDE EUROPE
18. We will not transfer your Personal Data and Sensitive Personal Data outside of the European Economic Area without first advising you within the Participant Information Sheet and we will ensure that they have adequate data protection provision or are part of privacy and security schemes such as the privacy shield in the US.
HOW LONG YOUR INFORMATION WILL BE KEPT
19. Information where you can be identified will be kept for a minimum amount of time and in accordance with research objectives. Researchers will de-identify information, i.e. anonymise or pseudonymise, as soon as possible.
20. Some information, such as signed records of consent, will be kept for the minimum amount of time as required by funders or our policies and procedures. The Participant Information Sheet will details how long your personal information will be kept for.
21. We place great importance on the security of the Personal Data that we hold, including the use of physical, technological and organisational measures to ensure your information is protected from unauthorised access and against unlawful processing, accidental loss, alteration, disclosure, destruction and damage.
22. The DPA provides you with a number of legal rights in relation to your Personal Data, including the right:
- to request access to your Personal Data;
- to request correction of your Personal Data that is wrong or incomplete;
- to request erasure or the restriction of processing of your Personal Data;
- to request the transfer of your Personal Data in a structured; commonly used machine-readable format;
- not to be subject to automated decision making; and
- to withdraw your consent.
23. If you wish to exercise any of the rights set out above, or require further information about any of the rights, please contact us.
24. There may also be times where we cannot stop using your Personal Data when you ask us to, but we will tell you about this if you make a request.
25. If you have any questions or comments about this privacy notice, the University’s Data Protection Officer can be contacted at:
Data Protection Officer
Information Compliance Unit
Queen’s University Belfast
26. You have the right to complain about how we treat your Personal Data and Sensitive Personal Data to the Information Commissioner’s Office (ICO). The ICO can be contacted at:
Information Commissioner's Office
CHANGES TO THIS NOTICE
27. We may update this Privacy Notice from time to time. We will notify you of the changes where we are required by law to do so.