This privacy policy provides information on how Health Data Research UK (“HDR UK”, “we”, “us” or “our”) collects and processes your personal data. It also describes your data protection rights, including a right to object to some of the processing which HDR UK carries out. More information about your rights, and how to exercise them, is set out in the “What rights do I have?” section.
SOURSD is a cloud-based web-tool which we provide to validate information provided by Users (either on behalf of themselves as a Researcher or on behalf of a Research Organisation) who wish to access sensitive data held on Trusted Research Environments (“TREs”) and NHS Research Secure Data Environments (“SDEs”), which are managed by Data Custodians.
For information on how SOURSD operates please see [video and tech spec].
HDR UK is a limited company registered in England and Wales under company number 10887014. Its registered office is at 215 Euston Road, London, England, NW1 2BE.
HDR UK is the controller of, and is responsible for, the personal data of SOURSD users including Researchers, Organisations, and Data Custodians, who populate information within the SOURSD tool (user personas are described under “Data we collect about you”).
HDR UK has a dedicated team responsible for overseeing questions in relation to this privacy policy. If you have any questions about this privacy policy, including any requests to exercise your legal rights as set out in this privacy policy, please contact: DataProtection@hdruk.ac.uk
Personal data means any information about an individual from which that person can be identified. We may collect, use, store and transfer different kinds of personal data. For users/researchers of SOURSD, we will collect, use, and store the following kinds of personal data:
For delegates from Data Custodians and Organisations, SOURSD will collect:
Provision of certain information is mandatory for you to be able to set up an account. SOURSD will indicate which information is mandatory or optional within the tool when a user completes their profile.
We use different methods to collect data from you and validate this information including through:
We will use your personal data for the following purposes:
SOURSD does not make any decisions related to User or Organisational data access.
Wherever we rely on your consent, you will always be able to withdraw that consent at any time, although we may have other legal grounds for processing your data for other purposes, such as those set out above. In some cases, we are able to send you direct marketing without your consent, where we rely on our legitimate interests. You have an absolute right to opt out of direct marketing, or profiling we carry out for direct marketing, at any time. You can do this by following the instructions in the communication where this is an electronic message, or by contacting us using the details set out above.
SOURSD is designed to share:
SOURSD does not make any decisions as to whether Researchers and/or Research Organisations are considered ‘safe people’ (as defined in the Five Safes Framework), nor does SOURSD make any decisions regarding the grant of access to sensitive data held on TREs and SDEs. SOURSD holds a User’s profile data in a centralised location for convenience purposes only and records the decisions made by Data Custodians.
We may share your personal data with external third-party system providers who provide services including IT, online training, system administration, and cloud-based software services.
We will not share your personal data with other third parties, unless you give your consent for us to do so, and we will not share your information with any other organisations for their own marketing, market research or commercial purposes.
We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.
We may share your personal information with regulators or other authorities if we have a legal obligation to do so.
If HDR UK is transferred or integrated with another business, your details will be disclosed to our advisers and the other party’s advisers.
Some of our external third-party system providers are based in the United States or other countries outside the UK and EEA so their processing of your personal data will involve a transfer of data. Whenever we transfer your personal data out of the UK and EEA, we ensure a similar degree of protection is afforded to that personal data by ensuring at least one of the following safeguards is implemented:
We will only retain your personal data for as long as reasonably necessary to fulfil the purposes we collected it for. Data will be retained for a period of five years from the date of user account creation for legitimate purposes.
Where we process your personal data based on your consent, we process the data until you ask us to stop and for a short period after this (to allow us to implement your requests).
Where we process personal data for marketing purposes or with your consent, we process the data until you ask us to stop and for a short period after this (to allow us to implement your requests). We also keep a record of the fact that you have asked us not to send you direct marketing or to process your data so that we can respect your request in future.
The lifespan of the cookies we use is explained in our [cookie policy].
Under certain circumstances, you have rights under data protection laws in relation to your personal data, including:
If you wish to exercise any of these rights, please contact DataProtection@hdruk.ac.uk.
These rights may be limited, for example, if fulfilling your request would reveal personal data about another person, or if you ask us to delete information which we are required by law or have compelling legitimate interests to keep. If you have unresolved concerns, you have the right to complain to the Information Commissioner, the UK’s data protection authority.