We take your confidentiality and privacy rights very seriously. This notice explains how we collect, process, transfer and store your health data. It forms part of our duty of accountability and transparency under the General Data Protection Regulation (GDPR) and Data Protection Act (2018) (DPA).
The primary outcome of the Sunflower study requires the linkage of personal (health) data collected during the study (study data) to routinely collected NHS health data (routine data). This will enable the study team at University Hospitals Bristol and Weston NHS Foundation Trust to determine which of the study participants have had a hospital admission for treatment of a complication of their gallstones within 18 months of their randomisation into the study. Linkage of study data to routine data is also required for completion of a health economics analysis as part of the study, which will show how cost effective each treatment strategy is to the NHS. The process of linking study data to routine data is managed by Data Controllers. The University of Bristol and Leeds Teaching Hospitals NHS Trust are the Data Controllers for this study. The University of Bristol and University Hospitals Bristol and Weston NHS Foundation Trust are the Data Processors for this study. Nottingham University Hospitals NHS Trust, Sunderland Royal Hospital, NHS Coventry and Rugby Clinical Commissioning Group and University Hospitals Birmingham NHS Foundation Trust are study collaborators on the collaboration agreement who will not have a role as either data controller or data processor – their role in the study is as co-applicant and these organisations are represented on the study management group.
Patients undergoing gallbladder surgery will be asked for consent to take part in the Sunflower study. This will include consent for their identifiable data to be sent to NHS Digital. Patients who have consented to participate in the study will have their study data (Personal Data) collected by University Hospitals Bristol and Weston NHS Foundation Trust.
In order to link the study data to the routine health data held by NHS Digital, University Hospitals Bristol and Weston NHS Foundation Trust will send study participant’s identifiable data (a pseudonymised Study ID, NHS Number, Date of Birth, Surname, Forename, Gender, Post Code) to NHS Digital. NHS Digital will then link these identifiers to Hospital Episode Statistics (HES) data, Mortality and Diagnostic Imaging Data Sets (DIDS). NHS Digital will then return the required data to University Hospitals Bristol and Weston NHS Foundation Trust for analysis. Data will be pseudonymised to remove all identifiers.
The Sunflower study team will undertake some data cleaning before undertaking data analysis. The analysis will allow the study team to determine the frequency with which study participants are admitted to hospital for treatment of a complication of their gallstones, and to understand what these treatments are. The study can then determine whether the incidence is similar or not between the two groups of participants.
The pseudonymised data will also be securely shared with the health economists at the University of Bristol using encrypted email following the latest NHS Digital guidelines. At no point will the health economists have access to patient identifiable data on the study database. All data will be password encrypted. The health economists will analyse the data to determine the cost effectiveness of the treatments provided to the two groups of participants.
The linked data is held securely on University Hospitals Bristol and Weston NHS Foundation Trust servers and from the end of the study in June 2024 will be securely stored for a further 5 years (as is required in clinical trials) to June 2029.
General Data Protection Regulation (GDPR) Legal Basis for Processing
Your data is being processed under General Data Protection Regulation (GDPR) Article 6(1)(e), processing for a task in the public interest, and Article 9(2)(j), processing for scientific research purposes.
Rights of the Individual
The GDPR provides rights for individuals which we need to make you aware of; the right to be informed, the right of access, the right to rectification, the right to erasure, the right to restrict processing, the right to data portability, the right to object to processing and rights in relation to automated decision making and profiling. There is no automated decision making (making a decision solely by automated means without any human involvement) or profiling (automated processing of personal data to evaluate certain things about an individual) involved in this study. The rights available to you depend on the reasons why we are processing your data. In certain circumstances, you have the right to request the restriction of the processing of your personal data. This means that you can limit the way that an organisation involved in this study uses your data. You may contest the accuracy of your personal data, you may feel that your data has been unlawfully processed, you may wish for an organisation to keep your data for a longer period in relation to a legal claim, or you may object to the articles under which an organisation has processed your data.
These requests can be made in writing or verbally. You can contact the Project Manager via email at firstname.lastname@example.org or via telephone 0117 342 2526 / 07929 771395.
We will ask for your consent before using your data for the study. We’ll always explain to you what’s going to happen and give you the choice to go ahead.
You consent has to be:
Voluntary – it’s your decision.
Informed – we have to give you all the information on this study.
You give consent by signing a consent form.
If you wish to withdraw your consent for data to be processed in this study you can do so at any time, without giving a reason, by contacting the Study Manager via email at email@example.com or via telephone 0117 342 2526 / 07929 771395.
Concerns and Complaints
If you have concerns about how an organisation has handled your information, you have the right to lodge a complaint to the Information Commissioner’s Office. Their helpline number is 0303 123 1113 or website: https://ico.org.uk/make-a-complaint/
You can also contact the Project Manager or the relevant Data Protection Officer in the first instance.
If you wish, you can contact the Data Protection Officer at Leeds Teaching Hospitals NHS Trust : Leedsthfirstname.lastname@example.org
If you wish, you can contact the Data Protection Officer at the University of Bristol: email@example.com