NIHR Learn Privacy Notice

Content last updated 6 March 2025. Changes made include update to name of  organisation from CRNCC to RDNCC under new contract from 1 April 2024.  All affected sections updated for contract change(s). Sections reordered to improve readability.

The Department of Health and Social Care  ("DHSC”) is the Data Controller for the NIHR Learn under the Data Protection Act 2018, the UK GDPR, and the General Data Protection Regulation (EU) 2016/679 ("Data Protection Laws"). 

The University of Leeds (“The Host Organisation”) is the Data Processor for the "[NIHR Learn]". The University of Leeds provides the National Institute for Health and Care Research (“NIHR”) Research Delivery Network Coordinating Centre (“RDNCC”) on behalf of the Department of Health and Social Care and the RDNCC is responsible for the processing of your personal data. 

About the NIHR Research Delivery Network Coordinating Centre 

The NIHR Research Delivery Network Coordinating Centre (RDNCC) is a service provided by the University of Leeds, with contracted maintenance by PA Consulting Services Limited.

The RDNCC manages the NIHR Research Delivery Network ("RDN") on behalf of the Department of Health and Social Care.  The RDN makes it possible for patients and health professionals across England to participate in clinical research studies within the NHS.  The RDN provides the infrastructure that allows high-quality clinical research funded by charities, research funders and life-sciences industry to be undertaken throughout the NHS.  The RDN works with patients and the public to make sure their needs are placed at the heart of all research, and provides opportunities for patients to gain earlier access to new and better treatments through research participation. The RDN provides practical help in identifying and recruiting patients for clinical research studies, so that researchers can be confident of completing the study on time and as planned.

The RDN supports around 5,000 clinical research studies each year.  

Introduction

This Privacy Notice is aimed at users, (including learners, administrators and other stakeholders) of the NIHR Learn platform and relates to personal data, as defined by the General Data Protection Regulations (GDPR)  and the UK Data Protection Act 2018. The document explains what user information is held by the Moodle Learning Management System, how it is gathered and how it used in connection with the operation of the learning platform. 

Who provides the NIHR Learn platform and what is it for?

The NIHR Learn platform was introduced in July 2015 and is built on the well established, open source Moodle  learning platform, NIHR Learn is the primary source of free, quality assured learning accessed by over 55,,000 learners across the NHS and partner organisations every year.

Content and administration of the the NIHR Learn platform is managed by the Workforce and Learning team within the NIHR Research Delivery Network Coordinating Centre (RDNCC). System Administration and hosting of the platform is managed by PA Consulting, the technical partner of the NIHR Research Delivery Network explained below. Additional course administration, content management and face to face learning is managed by local administrators across 12  Regional Research Delivery Networks (RRDNs).

The core platform for NIHR Learn is Moodle. Regular updates are made to ensure this operates as the most up-to-date stable version of the software. In March 2024 the live environment was updated to Moodle 4.3 to enable compliance with GDPR.

The information we collect

The RDNCC collects your personal data on behalf of and as directed by the Department of Health and Social Care.

The RDNCC collects information directly and indirectly. When you use NIHR Learn, we use technology to collect information indirectly - such as your internet address. This is commonplace across all internet services to enable the investigation of issues such as malicious use. This information is then kept in our internet access logs. 

We collect information directly from you in a number of ways. One way is by using cookies. Cookies are small files of information that save and retrieve information about your visit to our site, such as how you entered our site, how you navigated through the site and what information was of interest to you. This information is collected for a number of reasons, for example, to help develop the website and associated services. 

The cookies we use identify you only as a number. If you are uncomfortable about the use of cookies, you can disable them by changing the settings in the preferences or options menu in your internet browser. However, disabling cookies may affect our ability to provide services to you: if certain cookies are disabled you may not be able to access the service.

Data stored on NIHR Learn will  include cookie ID, IP address or device identifier information that the system collects when you access the system. Specifically:

• Navigation data – data on how you move around our site and the hyperlinks you click upon

• The IP address of your device and, if applicable, the website you originated from

• Personal information, specifically your email address is held within your NIHR Learn Profile.

Your data will be stored on the Amazon web services.

The personal data we collect may vary depending on the nature of your interaction with RDN. Routinely, we capture the following information about all learners accessing the system, specifically:

• First Name*

• Last Name*

• Email address*

• Primary Geographic Region*

• In what way do you work with the NIHR*

• In what way are you Involved in research 

• Professional Registration in Healthcare*

• What is your role in research?*

• Clinical Specialty*

• How long have you held a role in clinical research?*

• I meet the definition of an Early Career Researcher 

• Do you have any accessibility needs? 

• Accessibility Contact 

• Job Title 

• Mobile contact number 

* Fields are mandatory

However, we always protect your personal data within the terms of this Privacy Notice. 

How and why we use your personal data

NIHR Learn stores personal contact details for all registered users of the platform. In addition learning activity records are stored which includes, courses completed, course dates, module completion and where relevant quiz scores.

We use this personal data in the following ways:

• Analytics - to produce summarised  management information to the Department of Health in order to fulfil contract requirements

• Communication - to allow course information and follow up materials to be sent to learners

• Certification - to allow certificates to be generated and reprinted by learners successfully completing learning

• Enhancements - using system analytics to measure completion rates and module access to improve course design

• Personalisation - use navigation data and personal information to enable us to tailor the services we provide to you including keeping you informed

• Data Security - we use usernames and passwords to ensure you only access appropriate data

• Assurance and review - we and other bodies e.g. the HRA may use this data to provide assurance of learning undertaken by individuals,  to review numbers accessing training, provide training records and ascertain which courses users value and complete, or where engagement may be lost to assess if training is delivering what is required.

The use of your personal information in the above ways is necessary for the business interests of the NIHR RDN in operating and improving the learning we offer, analysing its use, and ensuring security.  Where you enter your personal information into an online form on any of our websites for any specified purpose, you will be told about the use we will make of that information (e.g. to send you newsletters or to enable your attendance at an event). However the way we protect your personal data is always within the terms of this privacy notice. 

The lawful basis for processing data

Data protection laws mean that each use we make of your personal information must have a “lawful basis” for the processing of that information. The relevant lawful bases are set out in the General Data Protection Regulation (EU Regulation 2016/679) and in current UK Data Protection Act 2018.

The lawful basis for processing your personal data under the data protection legislation for NIHR Learn  is as follows:

• Article 6.1 (e) performance of a task in the public interest or in the exercise of official authority vested in the controller.

How we protect your data

We are committed to ensuring that your data is secure.  We use leading technologies and encryption software to safeguard your data, and maintain strict security standards to prevent any unauthorised access to it.  However, given that transmitting information over the internet cannot be completely secure, we can’t guarantee the security of your data in transit. 

NIHR Learn may contain links to other websites of interest outside the RDNCC.  This privacy policy only applies to our websites, systems and services, and doesn’t cover other websites and services that we may link to.  You should exercise caution and look at the privacy notice applicable to the website/service in question. 

 NIHR Learn  is hosted on the Amazon Web Services (AWS) platform, a cloud-based software platform which provides for disaster recovery processes across its servers, which are all located within the European Economic Area (EEA). None of the data contained within NIHR Learn  will go outside the UK or the EEA. The Amazon Web Services (AWS) platform is accredited to ISO 27001 security standards. 

We will not sell your personal data.  We will not disclose your personal data to third parties outside of the RDN, unless we have your explicit permission, or are required by law to do so. 

We will hold the data for as long as we are providing you services and for as long as you agree to this.  We will retain your data for 7 years after the end of the RDNCC’s current contract with the Department of Health and Social Care in order to provide ongoing access to learning certificates previously awarded. Archived training  records from before 2015 are also retained and certificates attained between 2012 and 2015 are available through a request process.

• We only store data that is necessary for a specific purposes 

• We will not store your data for longer than is necessary

• Your data will be securely deleted when no longer needed for the purpose(s) 

A single sign on product, the Identity Gateway is used to manage your login credentials for RDNCC services and your registration information and associated cookies held there for authentication purposes. Further information is available on the IDG Privacy Notice pages.

Destruction of Data

• This services falls within the scope of NIHR RDNCC's  ISO27001:2022 and Cyber Essentials certifications

• When an electronic file containing personal identifiable information (i.e. a complaints file) is no longer required it is securely deleted by overwriting the space several times with selected patterns, thus rendering any information unreadable

• No paper records are kept of personal confidential data

Who do we share your personal data with

• We will never share personal information with other third parties without your consent

• Summarised information is shared with Department of Health and Social Care  and NIHR Management Teams for the purpose of business planning and reporting. 

• Nominated NIHR Learn Administrators in Regional Research Delivery  Networks manage and report learner information and learning activity records relevant to their local regions and courses. This information is shared with RRDN Management teams for the purpose of business planning and reporting. 

• Navigation data, such as standard internet log information and details of visitor behaviour patterns is shared with Google Analytics. For information about how Google Analytics uses your personal information, please see Google Privacy and Terms and Safeguarding your Data. This can also help system administration and bug tracking. 

• Personal information will be used by the Workforce and Organisational Development and PA Consulting help desk support teams to contact you during investigation of a fault or following a request for support. 

• Personal information will also be used by other bodies e.g. the HRA to provide assurance of required learning,  but this and any other sharing is governed by an appropriate data sharing agreement.

• All partner organisations are either contractually obliged or have signed up to a Data Sharing Agreement/Data Processing Agreement, which prevents them from sharing your data with other non-authorised third parties and provides for the secure disposal of this data.

• Existing learner information may be used to actively direct you to further learning related to your role or completed courses.  However you will not be contacted for any unrelated learning outside of this provision.

Your rights over your personal data

The Data Protection Officer for the RDNCC is:

• Name of Data Protection Officer: Lee Cramp

• Address: Department of Health and Social Care,  1st Floor North, 39 Victoria Street, Westminster, London, SW1H 0EU

• Email - data_protection@dhsc.gov.uk 

As a data subject, you have the following rights under the Data Protection Laws: 

• the right of access to personal data relating to you 

• the right to correct any mistakes in your information

• the right to ask us to stop contacting you with direct marketing

• rights in relation to automated decision making  

• the right to restrict or prevent your personal data being processed

• the right to have your personal data ported to another data controller (e.g. if you decide to contract with a different supplier).

• the right to erasure

• the right to withdraw consent

These rights are explained in more detail on the Individual Rights section of the Guide to the General Data Protection Regulations on the Information Commissioner's Office website.

If you wish to exercise any of your data subject rights, please contact the NIHR Service Desk in the first instance - either:  

• Write to The NIHR Service Desk, Back Lane, Melbourn, Royston, SG8 6DP

• or Email: gdpr_requests@nihr.ac.uk 

We will respond in a timely manner to any rights that you wish to exercise, and for Subject Access Requests (SARs) this has to be  within a month of receiving your request unless the request is particularly complex.

Contacting the Regulator

It is important that you ensure you have read this privacy notice - and if you do not think that we have processed your data in accordance with this privacy notice - you should let us know as soon as possible.  

Similarly, you may complain to the Information Commissioner's Office. Information about how to do this is available at www.ico.org.uk.