Privacy Notice- UK Small Area Health Statistics Unit Research Database (SAHSU)

Our Commitment to Data Privacy and Confidentiality  

Imperial College (the “College”, "we" or "our“) is committed to protecting the privacy and security of your personal information. The College takes your confidentiality and privacy rights very seriously. The purpose of this notice is to explain who we are and what we do, the type of information we collect/hold about you and also how we use, store and protect your personal information.  This notice forms part of our accountability and transparency to you under the General Data Protection Regulation (GDPR) 2018 and the Data Protection Act 2018.  This Notice also applies in addition to the College's relevant policies, including the College’s Data Protection Policy and Information Security Policy.
 

Data Controller

For the purposes of any applicable data protection laws in England, Wales and Scotland, including the EU General Data Protection Regulation 2016/679 (GDPR), Imperial College London is the Data Controller of your personal information once your data has been made available to us. The College is registered with the Information Commissioner’s Office under registration number Z5940050.
 

Who we are

The Small Area Health Statistics Unit (SAHSU) is a long-standing and internationally-recognised centre of excellence in spatial and environmental epidemiology. SAHSU was established in 1987 following a recommendation from the Black Enquiry into clusters of leukaemia and lymphoma around the Sellafield nuclear power plant. For further information, please refer to the ‘About Us’ page on our website: https://www.sahsu.org/content/about-us.
 

What we do

SAHSU undertakes statistical analyses on health, environmental, and demographic and socioeconomic data. Our work assists Public Health England in fulfilling their duties to protect and improve the health of the population. Our research programme is supported by on-going infrastructure funding from Public Health England and the Medical Research Council. The focus of SAHSU’s work is to investigate key public health issues associated with environmental factors at a small area level and provide evidence about population health risks to inform public health policy.
 

The kind of information we hold about you

The personal information we hold about you comes from a number of data providers, including records collected by the Office for National Statistics (ONS), the Welsh Cancer Intelligence & Surveillance Unit (WCISU), Public Health England, NHS Digital, NHSScotland and other national sources. We hold information about birth and deaths registrations, cancer and tumour diseases, visits to hospital - accident and emergency attendances, hospital admissions, and data from other NHS services.
 
The data we receive does not include your names but they may include information such as NHS Number, Postcode, Date of Birth, Date of Death, Ethnicity and Gender as well as coded information about your health condition, illnesses and treatments.
 

How is your personal information collected?

All the information we collect about you are controlled by legally binding data sharing contracts between the data providers and the College. Data extracts are transferred to us via the data providers’ secure electronic file transfer service to a named individual – the Data and Information Services Manager.
 

Legal basis for processing your personal information

Under data protection legislation, we have responsibilities as a ‘data controller’. This means that we need to have a legal basis when using personal information. Our legal basis when we are using different types of personal information, including health information are for the following reasons:

1.   Personal data

Where it is necessary for the performance of a task carried out in the public interest in the area of public health

2.   Special Categories of data

When necessary for processing in the public interest for aims that are proportionate and respect people’s rights, like scientific research or statistical purposes

 
We will only use your personal information when the law allows us to in the following circumstances:
 
All our research applications are reviewed by an expert independent scientific committee - National Research Ethics Service (NRES) every five years with an annual report submission to the committee to report progress and any changes. SAHSU request data for its research database from England, Wales and Scotland.
 

England and Wales

The Secretary of State for Health has given us limited permission to use confidential patient information when it is necessary for our research work. This approval is given under Regulation 5 of the Health Service (Control of Patient Information) Regulations 2002 – also known as Section 251 of the NHS Act 2006 and is based on the advice of the Health Research Authority’s Confidentiality and Advisory Group (CAG).
 
The NHS Digital’s Independent Group Advising on the Release of Data (IGARD), and other data providers' Caldicott Committees e.g. Public Health England, the Wales Cancer Intelligence and Surveillance Unit assess advice from the CAG and NRES to approve our data applications before releasing your information to us.
 

Scotland

We seek approval from the Public Benefit and Privacy Panel for Health and Social Care (PBPP), the governance structure of NHSScotland for the scrutiny of request for access to NHSScotland originated data for a variety of purposes other than direct care. Our application undergoes proportionate governance review in terms of information governance, confidentiality and data protection by PBPP during the approval process.

 

How we use your information

Your information is an invaluable asset to us without which we would not be able to conduct research and surveillance to protect public health and to support improvements in health and care outcomes. We are committed to protecting your rights to confidentiality. Having information on the entire population is essential to allow us to investigate national environmental health concerns, conduct disease surveillance and detect disease clusters.
 
SAHSU has a programme of work agreed with Public Health England and are defined by the following terms of reference:
  • To develop and maintain databases of health data, environmental exposures and socio-demographic factors
  • To carry out substantive research studies on environment and health issues including studies of the relationship between socio-economic factors and health, in collaboration with other scientific groups as necessary
  • In collaboration with other scientific groups, to build up reliable background information on the distribution of environmental exposure, socio-economic data and disease amongst small areas
  • To develop methods for analysing and interpreting health outcomes related to small areas
  • To act as a centre of expertise, disseminating information on developments in spatial epidemiological methods to national and regional groups
  • To respond rapidly, with expert advice, to ad hoc queries from the Department of Health and Public Health England about unusual clusters of disease, particularly in the neighbourhood of industrial installations
 

Our confidentiality pledge – Keeping your information secure and confidential

We hold national health data on a secure network, with restricted access, no internet links or connection to the College network. There are rigorous controls in place which enable us to access your information and to use it responsibly. These include restricting access to trained SAHSU researchers and ensuring data in research outputs will not identify you as an individual. In order to use your data, we have to meet strict conditions that we are legally required to follow, which include making a written commitment to our data providers.
 
We ensure anyone who has access to your personal information has had compulsory training on data security awareness and confidentiality. All staff have contractual obligations of confidentiality, enforceable through disciplinary procedures and they are required to comply with required by Data Protection legislations to ensure your personal information is handled and stored securely.
 
Information provided to us will only be used for the purposes stated in our data applications. We undertake strict organisational and technical measures to ensure your personal information is held securely at all times. We have a robust information governance framework which sets a high standard with the way we handle and process your information.
 
We protect your information using the following security measures:
  • We do not share your information with any third parties.
  • We will remove your information at the end of our research or our data sharing agreements with our data providers have ended or at your request.
  • We recognise that you are sharing personal information with us and we will treat it as confidential.
  • We use your information for statistical purposes and we are committed to protecting your privacy.
  • We adhere and conform to national guidelines to supress small numbers in all our publications and we will not publish anything that may identify you as an individual.
  • We maintain the security of our systems and our premises so that your data remain secure at all times.
  • We keep our Information Technology (IT) systems up-to-date to protect us against viruses and any other threats.
  • We restrict access to your information by using passwords or swipe cards to control access to data, and using encryption so your personal data can only be read with a code.
  • All of our staff receive training to ensure they remain aware of their responsibilities.
  • Only a limited number of authorised staff have access to personal data where it is appropriate to their role and they are obliged to uphold confidentiality, and may face disciplinary procedures if they do not do so.
 

Data Sharing

Your personal data is only used for the purposes agreed with legally binding data sharing contracts issued by our data providers. We do not share your personal information with any third parties. We do not transfer your personal information outside the College’s secure information systems.
 

Data Retention – How long your information is kept

We will only keep personal information for as long as is necessary to fulfil the purposes described in the section above ‘How we use your information’. When the retention period as stated in legally binding Data Access Agreements issued by our data providers has expired and the personal information is no longer necessary for the stated purpose, the information will be destroyed.
  
The processed data which do not contain any identifying information used for particular research/studies for the purposes of satisfying any legal, accounting, or reporting requirements may be stored in accordance with the College's retention policy which is available at https://www.imperial.ac.uk/media/imperial-college/administration-and-support-services/records-and-archives/public/RetentionSchedule.pdf (refer to page 12 for research studies).
 

Your rights in connection with personal information

As part of the aforementioned framework, and due to the information held by the Small Area Health Statistics Unit being provided directly by organisations holding health and social care data on a national basis, you can read about the choices you have, including the national data opt out, via the following which gives you more control and confidence over how your data is used.
 
If you decide to opt out of your confidential patient information being used for research, your decision will only apply within the health and care system in England. Following your decision to opt-out, this will be respected and upheld by NHS Digital and other organisations providing health and care information to us.

 

Request access to SAHSU health data holdings

If you require access to the health records that Small Area Health Statistics Unit hold about you, you will need to send a written request to the Director of SAHSU.
 
Professor Paul Elliott
Director, Small Area Health Statistics Unit (SAHSU),
MRC-PHE Centre for Environment and Health,
Department of Epidemiology and Biostatistics, School of Public Health, Faculty of Medicine,
Imperial College London, St Mary's Campus, Norfolk Place, London W2 1PG
 
 

What we may need from you

We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal information is not disclosed to any person who has no right to receive it.
 

Raising a concern

If you have a concern regarding the way your records are managed or to learn more about how we use, manage and maintain confidentiality of your information, please contact:
 
Hima Daby
Data and Information Services Manager
Small Area Health Statistics Unit (SAHSU), MRC-PHE Centre for Environment and Health,
Department of Epidemiology and Biostatistics, School of Public Health, Faculty of Medicine,
Imperial College London, St Mary's Campus, Norfolk Place, London W2 1PG
 
 

Contact us

If you wish to raise a complaint on how we have handled your personal data or if you want to find out more about how we use and process your information, please contact Imperial College London’s Data Protection Officer as per details below.
 

Data Protection Officer details

The College has appointed a Data Protection Officer, whose duties include monitoring internal compliance and advising the college on its data protection obligations, can be contacted via the following methods:
Telephone: 020 7594 3502
Postal Address: Data Protection Officer, Imperial College London, Faculty Building Level 4, London SW7 2AZ
 
If you are not satisfied with our response or believe we are processing your personal data in a way that is not lawful you can complain to the Information Commissioner’s Office (ICO). The ICO does recommend that you seek to resolve matters with the data controller (Imperial College) first before involving the regulator.
 

Changes to this privacy notice

We reserve the right to update this privacy notice at any time, and we will provide you with a new privacy notice when we make any substantial updates. We may also notify you in other ways from time to time about the processing of your personal information.