This privacy notice explains your rights to your personal information, what you can expect us (the Cancer Screening and Prevention Research Group) to do with your personal data and our lawful basis for doing so. This notice also explains who you should contact if you have any queries or complaints about how we are processing your personal data.

Under the 2018 UK General Data Protection Regulation (GDPR) and accompanying Data Protection Act (2018) ‘personal data’ is any data that can be linked to an identifiable individual (for a full definition see: Information Commissioner’s Office [ICO] website: What is Personal Data?). Some types of personal data, such as health data, are additionally classified as ‘special category personal data’. The law considers special category personal data to be more sensitive and gives it more legal protection (for more information see: ICO website: Special Category Data). As the Cancer Screening and Prevention Research Group processes (‘processing’ is the term used to refer to collecting, analysing and storing data) health data, much of the personal data we hold is considered to be special category personal data.

Who is responsible for the lawful processing of your personal data?

The GDPR and Data Protection Act define roles and responsibilities for those involved in processing personal data.

The Cancer Screening and Prevention Research Group (hereafter; CSPRG) are a research group at Imperial College London. The CSPRG can be contacted via the Contact us page on this website. The data controller determines the purpose for which and the manner in which personal data is to be processed (see ICO website: Controllers and Processors). For the personal data held by the CSPRG, the data controller is Imperial College London. The data controller’s representative for our data is the Director of Information Governance for Academic Health Sciences. All queries relating to the handling of personal data should be directed to the Imperial College London Data Protection Officer via email at dpo@imperial.ac.uk. Contact details can also be found at the end of this privacy notice.

Why are we processing personal data?

The research focus of the CSPRG is gastrointestinal cancers which includes bowel cancer, also known as colorectal cancer. In the UK, every year around 42,900 people are diagnosed with bowel cancer alone and over 16,000 people die from this disease. Through our research we hope to reduce the number of people being diagnosed with gastrointestinal cancer and dying from this disease. Much of our work focuses on how to help make bowel cancer screening and surveillance programmes more effective and acceptable for patients, and more efficient for the NHS, and other health services internationally. To understand the effectiveness of bowel cancer screening and surveillance programmes, we conduct large scale studies on procedures conducted and the benefits to patients. Identifiable patient data are usually necessary to track long-term health outcomes from participants enrolled in our studies. The CSPRG therefore needs to collect and hold personal data - often special category personal data. Our more specific purposes for processing data for each of our studies are detailed on the Studies pages of our website.

What personal data do we have?

The personal data we hold is special category personal data relating to individual health. For example, for several of our studies we analyse procedure and treatment information, information about cancers occurring, whether they progress and the patients’ long-term health outcomes. In addition, we also often require some basic information about patients such as age and gender to inform our analysis. The full details of the personal data processed for each of our studies can be found on the Studies pages of our website.

To fulfil our research aims, we obtain personal data from a variety of sources. Much of our data is either obtained directly from NHS Trusts, or via national health data providers such as NHS England, national cancer registries such as Welsh Cancer Intelligence and Surveillance Unit and NHS Scotland Public Benefit and Privacy Panel for Health and Social Care (HSC-PBPP). More detailed explanations of our sources of data can be found on our About patient data in our cancer research page and Studies pages of our website.

Where data has been obtained from third-party data providers under section 251 of the National Health act 2006 approval, national data opt-outs have been applied by the provider since 2016.

How do we process personal data?

All personal data we hold are processed in secure systems. For each active study we have completed a Data Protection Impact Assessment that has been approved by the Head of the CSPRG (as the Information Asset Owner) and the Imperial College London Data Protection Officer. No processing performed by the CSPRG involves automated decision-making or profiling. Unless stated otherwise on the Studies pages of our website, all personal data are processed by the CSPRG and certain third parties (see ‘Third-party processing’ below).

The Imperial College London Data Retention Schedule mandates that data is retained for ten years after the end of a study (see Imperial’s Retention Schedule). The expected end of these ten-year retention periods for each of our studies are listed under the under the Studies pages of our website under ‘How long will we retain the data?’ sections.

Third-party processing

For the purposes referred to in this privacy notice and relying on the bases for processing as set out above, we will share your personal data with certain third parties:

  • Other Imperial College London employees, agents, contractors and service providers (for example, suppliers of printing and mailing services, email communication services or web services, or suppliers who help us carry out any of the activities described above). Our third-party service providers are required to enter into data processing agreements with us. We only permit them to process your personal data for specified purposes and in accordance with our policies.

What is our lawful basis for processing personal data?

Processing personal data requires justification under two legal frameworks: the UK GDPR/Data Protection Act 2018 and under the common law duty of confidentiality.

Article 6 of the UK GDPR lays out six valid bases under which personal data can be processed lawfully. We process personal data under lawful basis 6(1)(e) ‘Public task’ as: processing is necessary for you to perform a task in the public interest. We are also required to meet a separate condition for processing the more sensitive special category personal data. Our condition for processing special category personal data is Article 9(2)(j) ‘Archiving, research and statistics (with a basis in law)’.

In addition, health data (such as that the CSPRG hold) require a separate lawful basis under the common law duty of confidentiality. In some of our studies, patients consented to be part of the study and for the CSPRG to process their data. In other studies, consent could not be sought due to practical considerations or the nature of the study. In these studies, we have obtained lawful permission to obtain and process personal data under section 251 of the National Health Act 2006. The common law legal bases for data processing in each study are explained in the Studies pages of our website under the ‘What approvals has the study received?’ sections.

What are your rights concerning your personal data?

The GDPR grants you several individual rights concerning your personal data:

  • Right to be informed (about collection/use of your personal data)
  • Right of access (to have a copy of your personal data we hold about you)
  • Right to rectification (of inaccurate or incomplete data about you)
  • Right to erasure (to have your personal data erased)
  • Right to restrict processing (to request the restriction/suppression of your personal data)
  • Right to data portability (to obtain/reuse your personal data for your own purposes)
  • Right to object (to the processing of your data in certain circumstances)
  • Rights related to automated decision making including profiling

If you think that we might be processing your data and you wish to exercise any of the rights listed above, please get in touch using the details on the Contact us page or by contacting the Imperial College London Data Protection Officer via email at dpo@imperial.ac.uk. Though it may not always be possible for us to fulfil your request, we will respond to your query within one month. For more information on your GDPR rights, please see guidance provided by the Information Commissioner’s Office.

Please note that your usual statutory rights to access, change or move your information are limited, because of exceptions applicable to some types of research, and also because we need to manage your information in specific, lawful ways in order for the research to be reliable and accurate. If you withdraw from a study, we will keep the information about you that we have already obtained. To safeguard your rights, we will use the minimum personally-identifiable information possible.

Where can you direct queries or complaints?

Please be aware that individuals also have a right to complain to a supervisory authority – in this case the Information Commissioner’s Office (ICO) – if they feel their data is being used unlawfully. The ICO does recommend that you seek to resolve matters with the data controller – for our data that is Imperial College London – before contacting the Commissioner’s Office. If you wish to raise a complaint on how we have handled your personal data or if you want to find out more about how we use your data, please contact Imperial College London’s Data Protection Officer via email at dpo@imperial.ac.uk, via telephone on 020 7594 3502 or via post at:

Data Protection Officer
Imperial College London
Professional Services Hub
1st Floor The MediaWorks
White City Campus
191 Wood Lane
London W12 7FP

If you are not satisfied with our response or believe we are processing your personal data in a way that is not lawful you can raise your complaint with the Information Commissioner’s Office. The ICO’s postal address is:

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF

Helpline number: 0303 123 1113.

Other ways for members of the public to seek ICO advice can be found through Advice services for members of the public.