CPMS Privacy Notice

What is the ‘data’ journey

We are committed to ensuring that your information is secure.  We use leading technologies and encryption software to safeguard your data, and maintain strict security standards to prevent any unauthorised access to it.  However, given that transmitting information over the internet cannot be completely secure, we can’t guarantee the security of your data in transit. 

CPMS  may contain links to other websites of interest outside the CRNCC.  This privacy policy only applies to our websites, systems and services, and doesn’t cover other websites and services that we may link to.  You should exercise caution and look at the privacy notice applicable to the website/service in question. 

The security of the CPMS is managed by the NIHR Information Systems Function, on behalf of the Department of Health and Social Care. This Function has the appropriate technical expertise to protect against unlawful processing and/or accidental loss of information.

CPMS  is hosted on the Amazon Web Services platform, a cloud-based software platform which provides for disaster recovery processes across its servers, which are all located within the European Economic Area (EEA). None of the data contained within CPMS  will go outside of the UK or the EEA. The CPMS platform is accredited to ISO 27001 security standards. 

We will not sell your personal data.  With the exception of operational support of the system where an IT hosting provider may access your details as part of maintenance and support we will not disclose your personal data to third parties outside of the CRNCC, unless we have your explicit permission, or are required by law to do so. 

We will hold the data for as long as we are providing you services and for as long as you agree to this.  We will retain your data for varying amounts of time depending on the nature of your interactions with CPMS:

• We only store data that is necessary for a specific purposes e.g. audit reporting indicating who is responsible for a study and which users made edits to records in CPMS 

• We will not store your data for longer than is necessary

• Your data will be securely deleted when no longer needed for the purpose(s) 

A single sign on product, the Identity Gateway is used to manage your login credentials for CRNCC services and your registration information and associated cookies held there for authentication purposes. Further information is available on the IDG Privacy Notice pages.

Destruction of Data

• When a disc drive fails or is no longer required for use, this is securely destroyed in accordance with the NHS Code of Practice.

• When an electronic file containing personal identifiable information (i.e. a complaints file) is no longer required it is securely deleted by overwriting the space several times with selected patterns, thus rendering any information unreadable.

• No paper records are kept of personal confidential data