CPMS Privacy Notice
Content last updated: Mid April 2023. Various sections of the Privacy Notice updated and lawful basis for processing included. Presentation format also updated to include content all on one page and links to separate sections on separate pages.
The Department of Health and Social Care ("DHSC") is the Data Controller for the Central Portfolio Management System "[CPMS]" under the Data Protection Act 2018, the UK GDPR, and the General Data Protection Regulation (EU) 2016/679 ("Data Protection Laws").
The Consortium of the University of Leeds and Guy’s and St Thomas’ NHS Foundation Trust (“The Consortium”) is the Data Processor for the "[CPMS]". The Consortium provides the National Institute for Health Research (“NIHR”) Clinical Research Network Coordinating Centre (“CRNCC”) on behalf of the Department of Health and Social Care and the CRNCC is responsible for the processing of your personal data.
The NIHR Clinical Research Network Coordinating Centre (CRNCC) is a service provided by the Consortium, supported by a wider partnership which includes King’s College London, Imperial College London, Newcastle University, University of Liverpool and PA Consulting Services Limited.
The CRNCC manages the NIHR Clinical Research Network ("CRN") on behalf of the Department of Health and Social Care. The CRN makes it possible for patients and health professionals across England to participate in clinical research studies within the NHS. The CRN provides the infrastructure that allows high-quality clinical research funded by charities, research funders and life-sciences industry to be undertaken throughout the NHS. The CRN works with patients and the public to make sure their needs are placed at the heart of all research, and provides opportunities for patients to gain earlier access to new and better treatments through research participation. The CRN provides practical help in identifying and recruiting patients for clinical research studies, so that researchers can be confident of completing the study on time and as planned.
The CRN supports around 5,000 clinical research studies each year.
The CRNCC collects your personal data on behalf of and as directed by the Department of Health and Social Care.
The CRNCC collects information directly and indirectly. When you use CPMS, we use technology to collect information indirectly - such as your internet address. This is commonplace across all internet services to enable the investigation of issues such as malicious use. This information is then kept in our internet access logs.
We collect information directly from you in a number of ways. One way is by using cookies. Cookies are small files of information that save and retrieve information about your visit to our site, such as how you entered our site, how you navigated through the site and what information was of interest to you. This information is collected for a number of reasons, for example, to help develop the website and associated services.
The cookies we use identify you only as a number. If you are uncomfortable about the use of cookies, you can disable them by changing the settings in the preferences or options menu in your internet browser. However, disabling cookies may affect our ability to provide services to you: if certain cookies are disabled you may not be able to access the service.
See our separate Cookies statement for more information on the cookies we use.
Data stored on CPMS will include cookie ID, IP address or device identifier information that the system collects when you access the system. Specifically:
- Navigation data – data on how you move around our site and the hyperlinks you click upon
- The IP address of your device and, if applicable, the website you originated from

Personal information, specifically your email address, is held within your CPMS Profile.
Your data will be stored on Amazon Web Services.
The personal data we collect may vary depending on the nature of your interaction with CRN. Specifically, we may capture the following information about study contacts (including Research Activity Coordinators, Study Coordinators and Chief Investigators):
- Title
- First Name *
- Last Name *
- Business Email Address *
- Organisational affiliation
- ORCiD (Open Researcher and Contributor ID)
- Business Address, including postcode
- Business Telephone number
- Business Mobile number
- Affiliations with studies on the portfolio, including the role that the person plays in that study
* Fields are mandatory
However, we always protect your personal data within the terms of this Privacy Notice.
Uses made of personal data:
Analytics – CPMS uses Google Analytics for navigation and usage reporting.
Personalisation – Uses navigation data and personal information to enable us to tailor the services provided to you, including keeping you informed.
Data Security - We use usernames and passwords to ensure you only access appropriate data.
Information is only shared with third parties to enable system support and is only used by them for this purpose.
Information such as contact details is collected and retained for the purpose of contacting the person or people who is/are responsible for the studies on our portfolio and for the information in the study record in CPMS, as per the Terms and Conditions.
Data protection laws mean that each use we make of your personal information must have a “lawful basis” for the processing of that information. The relevant lawful bases are set out in the General Data Protection Regulation (EU Regulation 2016/679) and in the current UK Data Protection Act 2018.
The lawful basis for processing your personal data under the data protection legislation for CPMS is as follows:
Article 6.1 (e) performance of a task in the public interest or in the exercise of official authority vested in the controller.
We are committed to ensuring that your information is secure. We use leading technologies and encryption software to safeguard your data, and maintain strict security standards to prevent any unauthorised access to it. However, given that transmitting information over the internet cannot be completely secure, we can’t guarantee the security of your data in transit.
CPMS may contain links to other websites of interest outside the CRNCC. This privacy policy only applies to our websites, systems and services, and doesn’t cover other websites and services that we may link to. You should exercise caution and look at the privacy notice applicable to the website/service in question.
The security of the CPMS is managed by the NIHR Information Systems Function, on behalf of the Department of Health and Social Care. This Function has the appropriate technical expertise to protect against unlawful processing and/or accidental loss of information.
CPMS is hosted on the Amazon Web Services platform, a cloud-based software platform which provides for disaster recovery processes across its servers, which are all located within the European Economic Area (EEA). None of the data contained within CPMS will go outside of the UK or the EEA. The CPMS platform is accredited to ISO 27001 security standards.
We will not sell your personal data. With the exception of operational support of the system, where an IT hosting provider may access your details as part of maintenance and support, we will not disclose your personal data to third parties outside of the CRNCC, unless we have your explicit permission, or are required by law to do so.
We will hold the data for as long as we are providing you services and for as long as you agree to this. We will retain your data for varying amounts of time depending on the nature of your interactions with CPMS:
- We only store data that is necessary for specific purposes, e.g. audit reporting indicating who is responsible for a study and which users made edits to records in CPMS
- We will not store your data for longer than is necessary
- Your data will be securely deleted when no longer needed for the purpose(s)

A single sign-on product, the Identity Gateway, is used to manage your login credentials for CRNCC services, and your registration information and associated cookies are held there for authentication purposes. Further information is available on the IDG Privacy Notice pages.
Destruction of Data
When a disc drive fails or is no longer required for use, it is securely destroyed in accordance with the NHS Code of Practice.
When an electronic file containing personal identifiable information (i.e. a complaints file) is no longer required it is securely deleted by overwriting the space several times with selected patterns, thus rendering any information unreadable.
No paper records are kept of personal confidential data.
We will never share personal information with other third parties without your consent.
Navigation data and usage reporting is shared with trusted third parties providing analytics such as Google Analytics.
All partner organisations are either contractually obliged or have signed up to a Data Processing Agreement, which prevents them from sharing your data with other non-authorised third parties and provides for the secure disposal of this data.
If you are responsible for a study (such as the Chief Investigator, Study Coordinator or Research Activity Coordinator), we will share your contact details with our partners through our APIs. The APIs are not public; only our specified partners will be able to access them. Our partners currently include Local Portfolio Management Systems procured by the NIHR Local Clinical Research Networks (specifically, EDGE, ReDA, R-Peak, DOCUMAS and StudyLine), the Sponsor Engagement Tool, the ISRCTN registry and the Be Part of Research website.
Contact details of the Study Coordinator are also made available through the public dashboard on the Open Data Platform.
The First and Last Name of the Chief Investigator of non-commercial studies recorded in CPMS is shared with and displayed in the Sponsor Engagement Tool.
The Data Protection Officer for the CRNCC is:
Name of Data Protection Officer: Lee Cramp
Address: Department of Health and Social Care, 1st Floor North, 39 Victoria Street, Westminster, London, SW1H 0EU
Email - data_protection@dhsc.gov.uk
As a data subject, you have the following rights under the Data Protection Laws:
- the right of access to personal data relating to you
- the right to correct any mistakes in your information
- the right to ask us to stop contacting you with direct marketing
- rights in relation to automated decision making
- the right to restrict or prevent your personal data being processed
- the right to have your personal data ported to another data controller (e.g. if you decide to contract with a different supplier)
- the right to erasure
- the right to withdraw consent
These rights are explained in more detail on the Individual Rights section of the Guide to the General Data Protection Regulations on the Information Commissioner's Office website.
If you wish to exercise any of your data subject rights, please contact the NIHR Service Desk in the first instance - either:
Write to The NIHR Service Desk, Back Lane, Melbourn, Royston, SG8 6DP
or Email: gdpr_requests@nihr.ac.uk
We will respond in a timely manner to any rights that you wish to exercise, and for Subject Access Requests (SARs) this has to be within a month of receiving your request unless the request is particularly complex.
It is important that you ensure you have read this privacy notice - and if you do not think that we have processed your data in accordance with this privacy notice - you should let us know as soon as possible.
Similarly, you may complain to the Information Commissioner's Office. Information about how to do this is available at www.ico.org.uk.
Here are the Terms and Conditions of Use for CPMS