NIHR RSS PIER Privacy Notice for the public

Public Involvement Engagement Resource (PIER) Privacy Notice for public contributors

What is the purpose of this document? 

Imperial College London, University College London, Queen Mary University of London and Kings College London (‘the Group’) are “joint data controllers".  This means that we are responsible for deciding how we hold and use personal information about you. Under data protection law we have to tell you about the information contained in this privacy notice. 

These universities have joined together as a group set up by the National Institute for Health and Care Research (NIHR), the research part of the NHS. This group is called the Imperial College London and Partners hub. The hub provides a free advisory service to researchers applying for funding https://www.nihr.ac.uk/suppt-and-services/research-support-service 

This notice applies to clients (researchers) who are applying for the Public Involvement and Engagement Resource fund with the hub. This notice is not part of any contract of employment or other contract to provide services. We may update this notice at any time. 

It is important that you read this notice, together with any other privacy notice we may provide you with at specific times when we are collecting or processing personal information about you, so that you are aware of how and why we are using such information. 

Examples of linked Privacy Notices are: 

• https://www.imperial.ac.uk/about/university-secretary/institutional-compliance-and-risk-management/information-governance/privacy-notices/ which explains how the university processes the personal data of people attending events (including public lectures, demonstrations, tours and online events such as webinars). 

• https://www.imperial.ac.uk/nihr-research-support-service/nihr-research-support-privacy-notice/ which explains how the Imperial College London and Partners hub processes data from researchers who use their services. 

The kind of information we hold about you 

Personal data, or personal information, means any information about a person from which that person can be identified (find out who they are). 

We may collect, store, and use the following types of personal information about you: 

• Personal contact details such as name, job role, title, addresses, telephone numbers, and email addresses. 

• Financial information so that we can reimburse you for expenses from your involvement and engagement activities e.g. bank account details 

• Details about your research project and your involvement or engagement activities 

How is your personal information collected? 

We collect most of the personal information about you when you apply for the Public Involvement and Engagement Resource fund. We may also collect additional information from if you are awarded the fund to arrange payment to reimburse you and also to evaluate the activities you carried out with the fund. 

How we will use information about you  

The full name for the current data protection law is the General Data Protection Regulation or GDPR.  

We can only use your personal information where the law allows us to. This is called the ‘legal basis’. Usually this will be in one of the following ways: 

1. Where it is necessary for the performance of a task carried out in the public interest (of importance to the public) or in the exercise of official authority vested in us (that we have been given special responsibility for).

This might be to process your Public Involvement and Engagement Resource fund application and the evaluation of your activity, to provide you with news, to invite you to events or training sessions or to give you information and services that you ask us for. It might be if we ask you to take part in a survey or to give us your views on out how well an activity has gone. 

2. Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.

Such as to check how you are using our computer systems to make sure this is within our rules. 

1. Where you have consented to the processing. 

Such as to reimburse you for costs associated with your involvement or engagement activities. 

1. Where it forms part of a legal obligation(s) 

Such as to ensure we meet legal obligations with regards to the service we provide to you for the duration of your involvement with us. 

Where we need to perform a contract we have entered into with you or in order to take steps at your request prior to the entry into a contract 

Change of purpose 

We will only use your personal information for the uses which we collected it for, unless we reasonably feel that we need to use it for another reason and that reason matches well with the original purpose. If we need to use your personal information for a different purpose, we will tell you and we will explain the reason which allows us to do so. 

Please note that we may also process your personal information without your knowledge or consent, following the above rules, where this is needed or allowed by a separate law or a legal obligation placed upon the universities. 

Data sharing 

We may have to share your information with organisations outside our universities who provide a service, other organisations involved in the NIHR Research Support Service and/or other entities in our group of universities. 

We require third parties to respect the security of your data and to treat it in accordance with the law. 

We may transfer your personal information outside the UK/EU. 

If we do, you can expect a similar degree of protection in respect of your personal information. 

Why might you share my personal information with third parties? 

We may share your personal information with other institutions where required by law, where it is necessary to keep the relationship with you or where we have another valid interest in doing so. 

How secure is my information with third-party service providers and other entities in our group? 

All our third-party service providers and other entities in our group of universities are required to take appropriate security measures to protect your personal information in line with our policies. We do not allow our third-party service providers to use your personal data for their own purposes. We only allow them to process your personal data for specified purposes and in accordance with our instructions. 

Data security 

We have put in place measures to protect the security of your information. 

Organisations who will have access to your information will only process it on our instructions, if they are providing a service, or where they have agreed to utilise the information in line with their own legal obligations. 

Data retention 

How long will you use my information for? 

We will only keep your personal information for as long as necessary to complete the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. In this instance, the personal data collected as part of your involvement with the NIHR RSS will be retained for one year after the end of successive RSS agreements / projects. 

In some circumstances we may anonymise your personal information so that it can no longer be associated with you, in which case we may use such information without further notice to you. 

The rights of access, correction, removal, and restriction 

Under certain circumstances, by law you have the right to: 

• Request access to your personal information (commonly known as a "data subject access request").  

• Request correction of the personal information that we hold about you.  

• Request erasure of your personal information. Under certain circumstances this enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. 

• Object to processing of your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground.  

• Request the restriction of processing of your personal information.  

• Request the transfer of your personal information to another party.  

If you want to review, verify, correct or request erasure of your personal information, object to the processing of your personal data, or request that we transfer a copy of your personal information to another party, please contact the Data Protection Officer in writing. 

No fee usually required 

You will not have to pay a fee to access your personal information (or to exercise any of the other rights). However, we may charge a reasonable fee for your request for if it is clearly unfounded or excessive.  

What we may need from you 

We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights).  

The right to withdraw consent 

 If you have given your consent to the collection, processing and transfer of your personal information for a specific purpose and then decide you would like to withdraw your consent for that specific processing please contact the NIHR RSS or the Data Protection Officer via the details listed below. Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose or purposes you agreed to, unless we have another reason for doing so in law. 

How to contact us 

If you wish to contact the group delivered by the Imperial College London and Partners to ensure that your contact details are correct and up-to-date or to ask for your contact information to be removed from our records, please contact us at: 

email: nihrrss@imperial.ac.uk 

If you have any complaints or are worried about the way that this group processes your personal information you can make a complaint to: 

Data Protection Officer 

We have a Data Protection Officer who helps us comply with data protection legislation. If you have any questions about this privacy notice or how we look after your personal information, please contact the Data Protection Officer at: 

Imperial College London 
Data Protection Officer 
Exhibition Road 
Faculty Building Level 4 
London SW7 2AZ 

email: dpo@imperial.ac.uk 

You have the right to make a complaint at any time to the Information Commissioner's Office (ICO), the UK regulator for data protection. 

Changes to this privacy notice 

We have the right to update this privacy notice at any time, and we will provide you with a new privacy notice if we make any significant updates. We may also contact you in other ways from time to time about the processing of your personal information.