Privacy notice

Information about EXCEED

The Extended Cohort for E-health, Environment and DNA Study (“EXCEED”) is a longitudinal, population-based health study being conducted by the University of Leicester (“the University”) into the genetic causes of long-term health conditions.

EXCEED is being conducted with the benefit of funding from the Medical Research Council, National Institute for Health and Care Research and Wellcome Trust and under the governance of the University of Leicester a nd University Hospitals of Leicester NHS Trust Joint Research and Development Support Office (see: le.ac.uk/research/regi/joint-research-office).

The NHS Health Research Authority Research Ethics Committee issued a favourable opinion in relation to EXCEED on 2nd July 2013 under reference 13/EM/0226 and EXCEED is following the UK Policy Framework for Health and Social Care Research (See: www.hra.nhs.uk/planning-and-improving-research/policies-standards-legislation/uk-policy-framework-health-social-care-research/uk-policy-framework-health-and-social-care-research/). In terms of its constitution and governance, EXCEED has: a Patient and Public Involvement Group; Management, Scientific and Data Access Committees; and an Independent Scientific Advisory Board. For more information, see its website: exceed.org.uk

The University is the Data Controller in connection with EXCEED and it has a number of Privacy Notices in place in connection with various other aspects of its operation (see: le.ac.uk/policies/privacy). However, this Privacy Notice relates specifically to EXCEED.

The Data Protection Officer (“DPO”) for is: Parmjit Singh Gill, University of Leicester, University Road, Leicester, LE1 7RH, dop@le.ac.uk.

This Privacy Notice: uses “we, us, our” to refer to EXCEED and “you, your” to refer to its voluntary and unpaid participants; explains how we use your personal information in accordance with, and your related rights under, the UK General Data Protection Regulation (“UK GDPR”); and applies alongside our Participant Information Sheet (“PIS”) (see: exceed.org.uk/pis/).

What is personal data?

Personal data is any information about a living individual that can be used to identify them, for instance, name, address, date of birth, email address, qualifications. It may also include what are known as special categories of personal data. This is information concerning an individual’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic or biometric data, health data or data concerning their sex life or sexual orientation.

For the avoidance of doubt, biological samples are not themselves information or, therefore, personal data and our handling of such samples is not dealt with in the Privacy Notice.

The personal data we collect about you

We collect, record, store, transfer and use information about your identity, contact details, NHS number, participation in and communications with EXCEED, physical condition, health and lifestyle, including special category data about your health and DNA.

We also collect, use, store and transfer information about the identity, contact details, work histories, qualifications and roles of our study team, support staff and third parties we interact with and our communications and interactions with all such persons.

How and why we collect your personal data

We use different methods to collect data from and about you (with your consent) including:

  1. Directly from you when you communicate with us, agree to participate in the study, respond to lifestyle questionnaires or provide us with information about your physical condition, health and lifestyle.
  2. From accessing your past and future electronic patient healthcare records, including records created by any NHS COVID-19 related websites or web applications and information about blood results, diagnoses, prescriptions, referrals and vaccinations.
  3. By deriving genetic and other health data from analysis of biological samples of your blood or saliva which you make available or provide to us.

We only collect data that is deemed necessary for the research study and that you would reasonably expect us to collect.

How we use your personal data

We use your personal data in order conduct our research and to check it is being conducted properly.

Unless a member of the study team or support staff needs to communicate with you or have access to information which identifies or could be used to identify you for some other reason, your information will only be made accessible or available to them on a “pseudonymised” basis, that is to say, any identifying information such as your name, contact details and NHS number will be removed and replaced with a unique identifier.

Information which identifies or could be used to identify you, or link you to a unique identifier, is stored separately and securely on University of Leicester and Leicester University Hospitals sites and is not disclosed to third parties.

We will prepare and publish any reports or results of our research and any related statistics in a form which means that your identity or participation in the study will not be disclosed or discoverable to any other person.

If you agree to take part in the study, we may invite you to take part in future studies, depending on your health status or your DNA. Details of these studies will be sent out when a study is ready to recruit participants. You will not have to take part – this will be your choice if and when contacted.

In accordance with the UK GDPR, the use of personal data must be justified and have a “legal basis” and we rely on the following legal bases when processing your personal information:

  1. Our processing of personal data is necessary for the performance of a task carried out in the public interest, namely, the achievement of our research and study objectives, including the advancement, preservation and improvement of public health and an increase of knowledge (UK GDPR, article 6(1)(e)). In this regard, section 13(b) of the University’s Charter gives it an express power to make provision for research (see: le.ac.uk/about/who-we-are/governance/documents/charter).
  2. (if and insofar as not falling within (1) above) our processing is also necessary for the purpose of meeting our legitimate interests in the achievement of those objectives, provided that this does not unduly affect your rights as a data subject (UK GDPR, article 6(1)(f)).

When processing special category personal data about your health and DNA, we also rely on the processing being necessary for scientific research purposes within the meaning of article 9(2)(j) of the UK GDPR and in accordance with article 89(1) of the UK GDPR and sections 10 and 19 of, and paragraph 4 of Schedule 1 to, the Data Protection Act 2018. In this regard, the processing is (a) in the public interest (for the reasons already mentioned), (b) unlikely to cause you substantial damage or distress and (c) subject to safeguards which ensure that technical and organisational measures are in place in order to ensure respect for the right to data protection and, in particular, the “principle of data minimisation” through the use of pseudonymisation and anonymisation / de-identification to the fullest extent possible.

Some of our collection, recording, storage, transfer and use of your personal data is ancillary or incidental to the achievement of our primary research and study objectives. To this end, we may need to retain a basic record of your identity, contact details, consent, communications, participation and, where relevant, withdrawal for compliance, governance, regulatory and validation purposes and so that we can comply with our legal obligations, respond to any complaints or legal claims, resolve disputes, enforce our agreements or protect our legal rights.

While participation in the study is voluntary and informed consent and the right to withdraw are important from the perspective of legal and ethical obligations of confidentiality and medical and research ethics, we are not replying upon consent as a legal basis for processing for the purposes of the UK GDPR.

How we share your personal data

With the approval of our Data Access Committee - overseen and advised by our Independent Scientific Advisory Board and Scientific Committee as necessary - we may make your information available to third party researchers working in academic institutions, charities or commercial companies in the UK or overseas. Although such information will be labelled with a unique identifier, no information which identifies or could be used to identify you, or link you to a unique identifier, will be disclosed with the result that the information will be anonymised / de-identified in the hands of the recipient. From their perspective it will therefore not be personal data at all.

Our Data Access Committee will only approve a request or proposal for the transfer of EXCEED data to a third party if it falls within or furthers our purposes and mission. For example, if it allows academic researchers to answer research questions relating to the genetic determinants of health and disease or pharmaceutical and biotech companies to answer research questions relating to the genetic determinants of health and disease with the goal of improving diagnosis or treatments.

If approved, all such transfers are facilitated under a Data and Material Transfer Agreement governing and prescribing the purposes, means, safety and security of the processing and the publication and use of research results.

In the future, we may be able to share your data with third parties by way of a specialist platform known as a “Trusted Research Environment” or “Data Safe Haven.”

International transfers

Where processing activities require your personal data to be transferred outside the UK and European Economic Area, we will only make that transfer if:

  1. the country to which the personal data is to be transferred ensures an adequate level of protection for personal data;
  2. we have put in place appropriate safeguards to protect your personal data, such as an appropriate contract with the recipient;
  3. the transfer is necessary for one of the purposes referred to above.

Partnership with UK Longitudinal Linkage Collaboration (UK LLC)

EXCEED is part of the UK Longitudinal Linkage Collaboration (UKLLC). UK LLC is a collaboration of UK longitudinal studies, universities, the NHS and UK statistical authorities, funded by UK Research and Innovation through the Medical Research Council and Economic and Social Research Council. Although UKLLC was established to support COVID-19 research, it now enables researchers to undertake any legitimate research for the public good.

UK LLC provides a national Trusted Research Environment in which data from EXCEED is stored and securely linked to health and environmental information about you. The Trusted Research Environment meets the highest Information Security Standards ISO27001 and Digital Economy Act Accreditation. Participants’ personal identifying information is securely shared with the NHS in order to link to health records. Address and postcode data is securely shared with researchers at the University of Leicester to enable linkage to environmental data, such as air pollution and noise data. More detail about this is available from UKLLC’s privacy notice: ukllc.ac.uk/privacy-policy.

Accredited, UK-based researchers may apply for access to the de-identified linked data held in UK LLC in order to undertake research in the public interest. Data in the Trusted Research Environment are deidentified, meaning it does not include details that can identify you, such as name or address. All research projects must be reviewed and approved by EXCEED’s data access committee before they can use your data. Deidentified data never leaves the Trusted Research Environment.

Some studies in UKLLC will also link to additional datasets, such as education and employment data, if their participants already agreed to this. EXCEED will not link to this additional data, and will continue to link only to health data. Only research projects about health will be able to use EXCEED.

UK LLC’s activities are reviewed by a panel of data owners and data experts and a panel of public contributors. UK LLC make a set of key commitments which they promise to abide by (ukllc.ac.uk/our-promises).

If you wish to opt-out of sharing your data with the UKLLC please get in touch with the Study Team on exceed@leicester.ac.uk.

How we keep your data secure

We have put in place appropriate and robust security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way. In addition, we limit access to your personal data to approved members of our study team and support staff who need to have it in accordance with their roles and responsibilities. We have put in place procedures to respond to any suspected personal data breach and will notify you and any applicable regulator of a breach should that be legally necessary.

How long we keep your data

EXCEED will run for a long time and we hope that the information we collect will be of use for many years to come. Subject to the exercise of your data protection rights - see below - we will therefore retain your data for as long as the study is ongoing. We may also retain your data thereafter for compliance, governance, regulatory and validation purposes and so that we can comply with our legal obligations, respond to any complaints or legal claims, resolve disputes, enforce our agreements or protect our legal rights.

Your right to withdraw

You can stop being part of the study at any time, without giving a reason and without this having any impact on your medical care or legal rights.

If you wish to withdraw from the study, please contact a member of the study team who will ask you to sign a withdrawal form to confirm your wishes regarding further contact and use of any samples and data collected from you up to that point. You will be able to opt for (a) no further contact, (b) no further access to your health records or (c) no further use of your samples or personal data. However, it will not be possible to remove your samples or data from any analysis or research already conducted using your samples and data before your withdrawal.

Your data protection rights

As a data subject, depending upon the lawful basis we are relying on, you have a number of rights, in accordance with the UK GDPR, as follows:

  1. Right of access: You have the right to ask for access to your personal data and for other supplementary information. This is sometimes referred to as submitting a “data subject access request.” Health research studies like EXCEED are not required by law to provide participants with their data if it is not in their interests, the interests of the research, or both. Although this is unlikely to arise in connection with EXCEED, this means that, in certain circumstances, it may not be possible to fulfil a participant’s request to obtain a copy of the personal data processed about them during the study. If this is the case, we will respond and let you know.
  2. Right to rectification: You have the right to update, correct or complete your personal data, albeit that this right is unlikely apply to health data which you have made available or provided to us.
  3. Right to erasure and right to be forgotten: On request, data that identifies you personally can be deleted, but there are instances where data will still need to be retained. This is because erasing data when a dataset has been locked for analysis could seriously impair the purposes of the research activity. We will therefore retain data (pseudonymised or anonymised / de-identified if possible) where erasing it would render impossible or seriously impair a researcher’s ability to complete their research. Furthermore, a basic record of your identity, contact details, consent, communications, participation and, where relevant, withdrawal may need to be retained for compliance, governance, regulatory and validation purposes and so that we can comply with our legal obligations, respond to any complaints or legal claims, resolve disputes, enforce our agreements or protect our legal rights.
  4. Right to object: These rights are covered by your ability to withdraw from EXCEED at any time and without having to give a reason.
  5. Right to data portability: This right relates to moving or copying your personal data from one data controller to another in certain circumstances and it is not applicable in relation to EXCEED.

You are not required to pay any charge for exercising your rights. If you make a request, we have one month to respond to you.

While exercisable by you, some rights are subject to certain restrictions in legally prescribed circumstances. If we intend to apply a restriction, we will tell you why.

Should you wish to discuss this or exercise any of your rights please contact our DPO.

Cookies

Cookies are small text pieces transferred to your browser when you visit a website or web application. We only use cookies when strictly necessary.

We will not use any cookie if you are only viewing this website for information.

We will use cookies once you have signed up or logged in, to ensure that you have correct access to secure pages and to provide you with validation information when filling forms. The cookies used are listed below.

Cookie Name What this is for?
sessionid Keeps you logged in.
csrftoken Prevents the server from being attacked by untrusted domains.
messages Provides you validation information when filling forms.

Find out more

If you are interested in taking part in the study, you can read more about it in our Participant Information Sheet (see: exceed.org.uk/pis/).

You can also contact us with any questions by sending an email to exceed@leicester.ac.uk or by ringing us on 0116 252 5997.

More information is also available from the NHS Health Research Authority at: www.hra.nhs.uk/.

Contact details

Our DPO is available to answer any questions and address any concerns or complaints you may have about our use of your personal information.

This Privacy Notice was last updated in January 2025. If we make changes to this Privacy Notice, at any time, the most current version will be published here.

How to complain

If you are not satisfied with our response to a complaint about our processing of your personal information or any related matter, you can contact the Information Commissioner’s Office (“ICO”), the UK supervisory authority for data protection issues.

The ICO's address: Information Commissioners Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

Helpline number: 0303 123 1113

Website: www.ico.org.uk

Supported by
Copyright © 2020-2025 EXCEED @ University of Leicester
v1.40.0