General Data Protection Regulation (GDPR)

Here, we explain how we comply with the UK General Data Protection Regulation (GDPR). Please also read our Privacy Notice, which explains what we do with the information we hold about you, how you can request access to this personal data, and other data rights.

Cambridge University Hospitals NHS Foundation Trust is the organisation responsible for the management of the NIHR BioResource Research Tissue Bank.

The University of Cambridge and Cambridge University Hospitals NHS Foundation Trust (CUH) are the sponsors for the NIHR BioResource Rare Diseases study.

They are responsible for looking after your information.


By the term ‘study’ we mean the NIHR BioResource Research Tissue Bank and/or the NIHR BioResource – Rare Diseases.

How will we use information about you?

We will need to use information from you and your medical, healthcare, social care and education records (if applicable) for this research project.

This information will include your

  • Full name;
  • NHS/CHI number;
  • Date of birth;
  • Contact details, including address, phone number and email address;
  • Name and contact details of your GP;
  • Health-related information, e.g., on your lifestyle, medical history, medication etc;
  • Social care and education information, e.g., level of education; for the following cohorts only:
    • General Population
    • DNA, Children + Young People’s Health Resource (D-CYPHR)
    • COVID-19
    • Mental Health, including Genetic Links to Anxiety and Depression (GLAD) and Eating Disorders Genetics Initiative (EDGI)
    • Inflammatory Bowel Disease (IBD) BioResource
    • Immune-Mediated Inflammatory Diseases (IMID) BioResource
    • Non-Alcoholic Fatty Liver Disease (NAFLD) BioResource
    • Severe Mental Illness Longitudinal Evaluation (SMILE) BioResource
    • Rare Diseases study
  • Genetic information that will be generated from your blood or saliva samples or provided by, for example, NHS health-related central records, disease registries etc.
  • Electronic copies of all your past and future records from the NHS, your GP and other organisations (such as NHS England and other Public Health bodies);
  • Information about any illnesses or stays in an NHS hospital;
  • Copies of hospital or clinic records, medical notes, social care, and local or national disease registries, and data from other research studies;
  • Relevant images from your NHS or other records, such as MRI scans, X-rays, or medical photographs;
  • Data from other research registries and studies that may be relevant (but only where you have given them your permission to share that information).

People will use this information to do the research or to check your records to make sure that the research is being done properly.

People who do not need to know who you are will not be able to see your name or contact details. Your data will have a code number instead.

Cambridge University Hospitals NHS Foundation Trust (CUH) [and University of Cambridge] are/is the sponsor(s) of this research, and are responsible for looking after your information. We will share your information related to this research project with the following types of organisations:

  • Researcher organisations (such as Universities, Commercial or Pharmaceutical companies) who analyse the data for scientific and research purposes
  • Data centres who will store or back-up your data
  • Commercial/partner organisations who will store, analyse, curate, enrich your data, e.g. using speciality software tools

We will keep all information about you safe and secure by:

  • Keeping identifiers (such as your name, address) separate from your health and genetic information
  • Using accredited data centres to store your information
  • Limiting the number of staff who can access the data
  • Training all our staff on Data Protection and Security
  • Adhering to best practices in Data protection and Security
  • Using secure login methods, such as multi-factor authentication, and password complexity policy
  • Monitoring for unauthorised access on a regular basis

To safeguard your rights, we will use the minimum personally-identifiable information possible.

Any identifiable information held about you is stored in a secure area in locked filing cabinets [at the University or in the NHS, if on paper.]

International transfers

We may share or provide access to data about you outside the UK for research-related purposes to:

  • Support academic and non-academic (commercial/pharmaceutical) researchers who apply to access your data to answer a research question
  • Have the data analysed, enriched or curated by the latest, advanced, cutting-edge tools provided by organisations outside the UK
  • Support international initiatives or archives

If this happens, we will only share the data that is needed. We will also make sure you can’t be identified from the data that is shared where possible. This may not be possible under certain circumstances – for instance, if you have a rare illness, it may still be possible to identify you. If your data is shared outside the UK, it will be with the following sorts of organisations:

  • Researcher organisations (such as Universities, Commercial or Pharmaceutical companies) who analyse the data for scientific and research purposes
  • Data centres who will store or back-up your data
  • Commercial/partner organisations who will store, analyse, curate, enrich your data, e.g. using speciality software tools

We will make sure your data is protected. Anyone who accesses your data outside the UK must do what we tell them so that your data has a similar level of protection as it does under UK law. We will make sure your data is safe outside the UK by doing the following:

  • some of the countries your data will be shared with have an adequacy decision in place. This means that we know their laws offer a similar level of protection to data protection laws in the UK
  • we use specific contracts approved for use in the UK which give personal data the same level of protection it has in the UK. For further details visit the Information Commissioner’s Office (ICO) website: https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/international-transfers/
  • we do not allow those who access your data outside the UK to use it for anything other than what our written contract with them says
  • we need other organisations to have appropriate security measures to protect your data which are consistent with the data security and confidentiality obligations we have. This includes having appropriate measures to protect your data against accidental loss and unauthorised access, use, changes or sharing
  • we have procedures in place to deal with any suspected personal data breach. We will tell you and applicable regulators when there has been a breach of your personal data when this is legally required. For further details about UK breach reporting rules visit the Information Commissioner's Office (ICO) website: https://ico.org.uk/for-organisations/report-a-breach
  • We may undertake auditing and monitoring of organisations who we share data with, to ensure they are only using your data in accordance with the purpose intended
  • We will only share data that is necessary

How will we use information about you after the study ends?

Once we have finished the study, we will keep some of the data so we can check the results. We will write our reports in a way that no-one can work out that you took part in the study.

We will keep your study data for the minimum period of time required by the sponsor organisation. The study data will then be fully anonymised and securely archived or destroyed.

What are your choices about how your information is used?

  • you can stop being part of the study at any time, without giving a reason, but we will keep information about you that we already have
  • if you choose to stop taking part in the study, we would like to continue collecting information about your health from medical, healthcare, social care and education records. If you do not want this to happen, tell us and we will stop
  • you have the right to ask us to access, remove, change or delete data we hold about you for the purposes of the study. You can also object to our processing of your data. We might not always be able to do this if it means we cannot use your data to do the research. If so, we will tell you why we cannot do this

Where can you find out more about how your information is used?

You can find out more about how we use your information, including the specific mechanism used by us when transferring your personal data out of the UK:

  • by asking one of the research team
  • by sending an email to nbr@bioresource.nihr.ac.uk, or
  • by ringing us on Freephone 0800 090 2233.

Additional Information about handling and use of personal data in the NIHR BioResource

The NIHR BioResource [and Genomics England for The NIHR BioResource Rare Diseases study] will need to use information from you and your healthcare, social care and education records (if applicable) to support research studies.

We will keep identifiable information about you for 10 years after the NIHR BioResource has finished, and we may approach you to extend this.

All personal data collected for this study will be processed in accordance with the UK GDPR and relevant institutional policies. You have the right to ask us to remove, change (for example, your contact details and contact preferences) or delete your personal data that we hold about you. However, in some cases, we may not be able to do so if it would affect the quality or reliability of the data. If this applies, we will explain why, for example, because we need to manage your information in specific ways for the research to be reliable and accurate.

If you choose to stop taking part in the study, you have two options as outlined in the ‘Withdrawal process’ section. Further information on leaving the BioResource can be found here: https://bioresource.nihr.ac.uk/participants/members/leave-us/

Further information is also available at:

Our Confidentiality Notice: How we keep your information safe;

Our Participant Privacy Notice;

Our Governance and ethics page.

Genomics England’s (GEL) privacy notice available from https://www.genomicsengland.co.uk/privacy-policy

By watching this video from the MRC Clinical Trials Unit at UCL, Penta and the Health Research Authority: What is GDPR?