Privacy
Privacy Notice for NIHR Research Support Service delivered by the University of York and Partners
The NIHR Research Support Service (RSS) delivered by the University of York and Partners is one of eight NIHR RSS Hubs. Our partners are the University of Leeds and the University of Sheffield. The NIHR RSS provides free and confidential advice to develop funding applications. Access to support, advice, and expertise is available for all researchers across England applying to NIHR research programmes or research training awards as well as to non-NIHR funders such as charities. We also provide some post-award advice to award holders.
This privacy notice is for individuals who submit a request for support to the RSS Hub delivered by the University of York and Partners. It sets out the ways in which the University of York, University of Leeds and University of Sheffield gather, use, store, and share your data. It also sets out how long we keep your data and what rights you have in relation to your data under the UK General Data Protection Regulation (GDPR).
For the purposes of this privacy notice, University of York, University of Leeds, and University of Sheffield are Joint Data Controllers as defined in the UK General Data Protection Regulation. Each University is registered with the Information Commissioner's Office (ICO). Our Registration numbers can be obtained from the ICO’s Register of Fee Payers.
Where do we get your data from?
We collect information about you in a variety of ways. These include:
information collected through forms requesting support from our service and documents provided as part of an application;
information collected through any correspondence with you during the request for support process;
What data do we have?
We collect personal data to triage your support request and to assess the type and level of support you require. We may allocate you an Advisor from within our Hub, or provide information to answer your question or link you with collaborators you need, such as in a Clinical Trials Unit.
We may also use the information you provide for annual reporting purposes to our funder, NIHR. This information includes measuring progress and performance outputs of the RSS Hub. The information gathered from these reports is used by the Department for Health and Social Care to support decisions on future funding requirements; and various Teams in the NIHR Coordinating Centre (NIHR CC), NIHR Business Development and Collaborations Teams to inform activities.
Data we share with NIHR may include; name, organisation, organisation type, job title, email address, professional background, the funding body that you are considering applying to, your ORCiD & NIHR ID, and details pertaining to your project/study/proposal.
How do we use your data and what is our legal basis for processing?
The data you provide to us is used to assess and provide support to you in your research funding application.
Privacy law (the UK GDPR and Data Protection Act 2018) requires us to have a legal reason to process your personal data. Our reason is we need it to perform a public task*.
This is because the University has a public function, which includes supporting the development and delivery of research projects. We need to use personal data in order to carry out this project**.
Evaluations
From time to time, we will ask you anonymously, to evaluate the service that you have received, whether it is project support or, for example, event attendance. The feedback we receive is used to improve our service and quotes may be used as feedback to our funders.
Who do we share your data with?
Your data may be shared with our partners at the University of Sheffield and the University of Leeds. If you have informed us that your study requires collaboration with a Clinical Trials Unit (CTU), we may share the information you have provided with a CTU based at the University of York, the University of Sheffield and/or the University of Leeds.
We will also share your details with our funder, the National Institute of Health and Care Research (NIHR) to evaluate and manage the delivery of the NIHR Research Support Service.
How do we keep your data secure?
The University takes information security extremely seriously and has implemented appropriate technical and organisational measures to protect personal data, see our information on IT security. Access to information is restricted on a need-to-know basis and security arrangements are regularly reviewed to ensure their continued suitability.
How do we transfer your data safely internationally? - Is this relevant? Or is is required?
In certain circumstances, it is necessary to transfer your Personal Data (including Special Category Data) outside the European Economic Area. In respect of such transfers, the University will comply with our obligations under Data Protection Law and ensure an adequate level of protection for all transferred data.
How long will we keep your data?
The University will retain your data in line with legal requirements or where there is a business need. The retention period is five years after the end of the current Work Programme, which ceases on 30 September 2028. Retention timeframes will be determined in line with the University’s Records Retention Schedule.
What rights do you have in relation to your data?
Under the UK GDPR, you have a right of access to your data, a right to rectification, erasure (in certain circumstances), restriction, objection or portability (in certain circumstances). You also have a right to withdraw consent; see your individual rights.
Questions or concerns
If you have any questions about this privacy notice or concerns about how your data is being processed, please contact the NIHR RSS Hub delivered by the University of York at nihr-rss@york.ac.uk. Questions or concerns can also be reported to the University of York’s Data Protection Officer at dataprotection@york.ac.uk.
Right to complain
If you are unhappy with the way in which the University has handled your personal data, you have a right to complain to the Information Commissioner’s Office. For information on reporting a concern to the ICO, see information on reporting a concern to the ICO.
Changes to our privacy notice
We keep our privacy notice under regular review. This notice was last updated on 19 March 2024.
*This refers to UK GDPR Article 6 (1) (e): processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
** Our charter and statutes states: 4.f. To provide instruction in such branches of learning as the University may think fit and to make provision for research and for the advancement and dissemination of knowledge in such manner as the University may determine.