General Data Protection Regulation (GDPR) - Participant Information

The University of Aberdeen is the sponsor for this study based in the United Kingdom. We will be using information from you and/or your medical records in order to undertake this study and will act as the data controller for this study. This means that we are responsible for looking after your information and using it properly. The University of Aberdeen will keep identifiable information about you for 10 years after the study has finished.

Your rights to access, change or move your information are limited, as we need to manage your information in specific ways in order for the research to be reliable and accurate. If you withdraw from the study, we will keep the information about you that we have already obtained. To safeguard your rights, we will use the minimum personally-identifiable information possible.

You can find out more about how we use your information http://www.abdn.ac.uk/privacy and/or by contacting the University Data Protection Officer: dpa@abdn.ac.uk  

Your NHS rheumatology department collected information from you and/or your medical records for this research study in accordance with our instructions. Your NHS rheumatology department used your name, NHS number and contact details to contact you about the research study, and make sure that relevant information about the study was recorded for your care, and to oversee the quality of the study. Individuals from the University of Aberdeen and regulatory organisations may look at your medical and research records to check the accuracy of the research study. Your NHS rheumatology department has passed these details to the University of Aberdeen along with the information collected from you and/or your medical records. The only people in the University of Aberdeen who had access to information that identifies you were the people who needed to contact you to send you Study Questionnaires or audit the data collection process. The people who analysed the information are not able to identify you and are not able to find out your name, NHS number or contact details.

Your rheumatology department will keep identifiable information about you from this study for 10 years after the study has finished.

For more information about our compliance with the General Data Protection Regulation (GDPR) and sharing please follow this link to the BSRBR-AS Participant Transparency Information Sheet.

What do we do with your data?

The University of Aberdeen, as data controller for BSRBR-AS study, is responsible for processing your data fairly and lawfully according to the General Data Protection Regulation (2018). Processing data means collecting, using and sharing the data you provided in your study questionnaires and diary cards, plus the data your rheumatology team collected for the study from your usual clinical care. Data processing will only ever be for the purposes of this study. When you signed the consent form to participate in the BSRBR-AS study you gave us permission to process these data. It is our responsibility that the data we received from study participants, and their rheumatology teams, have been treated with the utmost confidence.

How have we kept your data secure?

• All study materials identified you using a unique ID number. Your name and contact details have been stored separately from all other study materials.  All data storage (both paper and electronic) has been kept secure at all times.
• We blanked out your name on every diary card we ever received from you before we filed it.
• Only study personnel have had routine access to your data.  There is no public access to the BSRBR-AS offices. A “clear desk and clear screen” policy is in operation.
• Every person working on the study was trained and certified in Good Clinical Practice training which is repeated every 2-3 years to maintain high standards in data protection and handling.

The team at BSRBR-AS maintained high standards in data governance to ensure compliance with the General Data Protection Regulation. We worked closely with the Research Governance Office at the University. Further information can be found in the BSRBR-AS Participant Transparency Information Sheet. The study is open to internal audits by the University of Aberdeen Research Governance Office and external audits can be carried out at any time by study stakeholders including NHS Digital, or NHS Research Scotland. Our secure study database is held at the Robertson Centre for Biostatistics (RCB) at the University of Glasgow. The University of Glasgow has their own Information Security policy which is accessible through their website (https://www.gla.ac.uk/myglasgow/it/informationsecurity/). The RCB have a registered safe haven and are ISO 27001 accredited. Their ISO accreditation is audited and reviewed annually.

Who might we share your data with?

Researchers outside the BSRBR-AS can apply to the British Society for Rheumatology to get access to an anonymised study data set to answer important research questions. Each application undergoes a review process by an expert panel and if the application is successful contracts will be put in place before any data will be passed on. If your information is provided as part of a larger dataset to researchers outside of the BSRBR-AS team, we will not include any information that could identify participants. We will also replace the unique study ID with another random ID number.

Can I withdraw my data?

Your right to withdraw your data is limited. If you notified us that you wish to withdraw from the study before 30th June 2018, we will have stopped collecting data about you.  However, we will use the data collected prior to your withdrawal.