IDG Privacy Notice

Content last updated: 14 May 2024. Changes made to address change of legal body from CRNCC to RDNCC under new contract from 1 April 2024.  Minor change to "Destruction of Data" section - first bullet point. Change of presentation on site to show all content on one page but also leave distinct site links to separate pages.

The Department of Health and Social Care  ("DHSC”) is the Data Controller for the Identity Gateway "IDG" under the Data Protection Act and, after 25 May 2018, the General Data Protection Regulation (EU) 2016/679 ("Data Protection Laws"). 

The University of Leeds (“The Host Organisation”) is the Data Processor for the Identity Gateway Service"[IDG]". The University of Leeds provides the National Institute for Health and Care Research (“NIHR”) Research Delivery Network Coordinating Centre (“RDNCC”) on behalf of the Department of Health and Social Care and the RDNCC is responsible for the processing of your personal data. 

About the NIHR Clinical Research Network Coordinating Centre

The NIHR Research Delivery Network Coordinating Centre (RDNCC) is a service provided by the University of Leeds, with contracted maintenance by PA Consulting Services Limited.

The RDNCC manages the NIHR Research Delivery Network ("RDN") on behalf of the Department of Health and Social Care.  The RDN makes it possible for patients and health professionals across England to participate in clinical research studies within the NHS.  The RDN provides the infrastructure that allows high-quality clinical research funded by charities, research funders and life-sciences industry to be undertaken throughout the NHS.  The RDN works with patients and the public to make sure their needs are placed at the heart of all research, and provides opportunities for patients to gain earlier access to new and better treatments through research participation. The RDN provides practical help in identifying and recruiting patients for clinical research studies, so that researchers can be confident of completing the study on time and as planned.

The RDN supports around 5,000 clinical research studies each year.  

The information we collect

The  RDNCC collects your personal data on behalf of and as directed by the Department of Health and Social Care.

The RDNCC collects information directly and indirectly. When you use ”IDG” system, we use technology to collect information indirectly - such as your internet address. This is commonplace across all internet services to enable the investigation of issues such as malicious use. This information is then kept in our internet access logs. 

We collect information directly from you in a number of ways. One way is by using cookies. Cookies are small files of information that save and retrieve information about your visit to our site, such as how you entered our site, how you navigated through the site and what information was of interest to you. This information is collected for a number of reasons, for example, to help develop the website and associated services. 

The cookies we use identify you only as a number. If you are uncomfortable about the use of cookies, you can disable them by changing the settings in the preferences or options menu in your internet browser. However, disabling cookies may affect our ability to provide services to you: if certain cookies are disabled you may not be able to access the service.

The only data stored on ”IDG” will be:

• Navigation data – data on how you move around our site and the hyperlinks you click upon

• The IP address of your device and, if applicable, the website you originated from

• Personal information (only if you register on ”IDG”) –  such as your first name, last name, email address and other personal information you choose to provide

• Your Username and password for this system

Your data will be stored on the ”IDG” service.

The personal data we collect may vary depending on the nature of your interaction with RDN.  However, we always protect your personal data within the terms of this Privacy Notice. 

How and why we use your personal data

• Use of personal data

• Analytics – Your data may be used to provide usage and activity reports for the service

• Your user account may will be managed by service desk personnel for the expressed purpose of administering your account such as password resets.

• Data Security - We use usernames and passwords to ensure you only access appropriate data.

Your personal data is used to enable you to use IT Services provided by RDNCC. Their Privacy Notices are : 

• Open Data Platform (ODP) Privacy Notice

• NIHR Learn Privacy Notice

• Central Portfolio Management System (CPMS) Privacy Notice

• CRN Finance Tool (FT) Privacy Notice

• Integrated Workforce Framework

• Sponsor Engagement Tool Privacy Notice

The following services which are used within RDNCC are also accessed through IDG. 

• Hornbill Service Manager

How we protect your data

We are committed to ensuring that your information is secure.  We use leading technologies and encryption software to safeguard your data, and maintain strict security standards to prevent any unauthorised access to it.  However, given that transmitting information over the internet cannot be completely secure, we can’t guarantee the security of your data in transit. 

”IDG” is hosted on the Amazon Web Service platform, a cloud-based software platform which provides for disaster recovery processes across its servers, which are all located within the European Economic Area (EEA). None of the data contained within ”IDG”  will go outside the UK or the EEA. The ”IDG” platform is accredited to ISO 27001 security standards. 

We will not sell your personal data.  We will not disclose your personal data to third parties outside of the RDNCC, unless we have your explicit permission, or are required by law to do so. 

We will hold the data for as long as we are providing you services and for as long as you agree to this.  We will retain your data for varying amounts of time depending on the nature of your interactions with the ”IDG” service

• We only store data that is necessary for a specific purposes 

• We will not store your data for longer than is necessary

• Your data will be securely deleted when no longer needed for the purpose(s) 

Destruction of Data

• This services falls within the scope of NIHR RDNCC's  ISO27001:2022 and Cyber Essentials certifications

• When an electronic file containing personal identifiable information (i.e. a complaints file) is no longer required it is securely deleted by overwriting the space several times with selected patterns, thus rendering any information unreadable.

• No paper records are kept for personal confidential data

Who do we share your personal data with

• We will never share personal information with other third parties without your consent

• Navigation data and usage reporting is shared with trusted third parties providing analytics such as Google Analytics.

• All partner organisations are either contractually obliged or have signed up to a Data Processing Agreement, which prevents them from sharing your data with other non-authorised third parties and provides for the secure disposal of this data.

Your rights over your personal data

The Data Protection Officer for the RDNCC is:

• Name of Data Protection Officer: Lee Cramp

• Address: Department of Health and Social Care,  1st Floor North, 39 Victoria Street, Westminster, London, SW1H 0EU

• Email - data_protection@dhsc.gov.uk 

As a data subject, you have the following rights under the Data Protection Laws: 

• the right of access to personal data relating to you 

• the right to correct any mistakes in your information

• the right to ask us to stop contacting you with direct marketing

• rights in relation to automated decision making  

• the right to restrict or prevent your personal data being processed

• the right to have your personal data ported to another data controller (e.g. if you decide to contract with a different supplier).

• the right to erasure

• the right to withdraw consent

These rights are explained in more detail on the Individual Rights section of the Guide to the General Data Protection Regulations on the Information Commissioner's Office website.

If you wish to exercise any of your data subject rights, please contact the NIHR Service Desk in the first instance - either:  

• Write to The NIHR Service Desk, Back Lane, Melbourn, Royston, SG8 6DP

• or Email: gdpr_requests@nihr.ac.uk 

We will respond in a timely manner to any rights that you wish to exercise, and for Subject Access Requests (SARs) this has to be  within a month of receiving your request unless the request is particularly complex.

Contacting the Regulator

It is important that you ensure you have read this privacy notice - and if you do not think that we have processed your data in accordance with this privacy notice - you should let us know as soon as possible.  

Similarly, you may complain to the Information Commissioner's Office. Information about how to do this is available at www.ico.org.uk.