Research privacy notice
Your privacy and protection of your personal information is very important to us, and we are committed to robust compliance with the retained EU law version of the General Data Protection Regulation (“UK GDPR”) and the Data Protection Act 2018.
This Privacy Notice explains what Nottingham Trent University (“NTU”, “we”, “us” or “our”) does with your personal information, your rights and how we protect it.
This Privacy Notice applies to all individuals (“you” or “your”) whose personal information is collected as part of research studies and projects that we run. The information published in this Privacy Notice is intended to supplement the specific information that you will be given (for example, as set out in a participant information sheet or a consent form) in connection with your participation in a research study or project run by researchers at NTU. In the unlikely event that there is any contradiction between this general information and the specific information that you have already been given about a particular research study or project, the specific information takes precedence.
On this page
Who we are
For the purposes of the UK GDPR, NTU is a “controller” which means we are responsible for deciding how we hold and use personal information about you.
You can find us in the Information Commissioner’s register of organisations who have paid the controller fee.
If you have any questions about the use of your personal information within research undertaken by NTU, or wish to exercise your rights, please contact:
Data Protection Officer
Nottingham Trent University
Address: 50 Shakespeare Street, Nottingham, NG1 4FQ
If you have any questions about the particular research study you are participating in, please use any contact details you have already been supplied with by the research team.
We may need to update this Privacy Notice from time to time. If changes made to this Privacy Notice are considered to be material and during the course of the research, we will notify you of the changes.
NTU is committed to the responsible handling and protection of personal information.
Personal data, or personal information, means any information about an individual from which that person (a “Data Subject”) can be identified. It does not include data where the identity has been removed (anonymous data). The information will be personal data if a person can be identified either directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person. For example, personal data may include names, addresses, email addresses and telephone numbers; it may also include images in photographs or films and audio recordings of interviews.
Why we process your personal information
We process your personal information to enable us to undertake research, to assess your suitability to be a participant in such research, and for any other reasons set out in the participant information sheet.
You are not legally or contractually obliged to supply us with your personal information for research purposes and it is entirely voluntary whether you decide to do so.
The research team will inform you, for example in a participant information sheet, as to whether NTU is running the study jointly with other organisations.
Research at NTU is governed by relevant policies and procedures, including those focussed on the ethical dimensions of research studies and projects. An intention of these is to ensure your fair treatment and the protection of your rights. Further information is available on our Research and Impact pages.
We want to be clear about our privacy practices so that you are fully informed and can make choices about the use of your information, and you can contact us at any time with questions or concerns – Data Protection Officer at DPO@ntu.ac.uk.
The personal information we hold on participants
The researcher will always inform you prior to the research commencing about the types of personal information NTU will use in connection with the specific research study you are participating in.
Where applicable, the researcher will inform you of the sources we will collect your data from, any data sharing or international transfer arrangements, and any automated decision-making that may affect you.
Researchers will only collect information that is necessary and proportionate for the purpose of the research. Research data is often anonymised as quickly as possible after data collection so that individuals cannot be recognised, and to ensure your privacy is protected. Once your data has been anonymised, NTU will no longer be able to distinguish your data and as such your rights conferred under data protection legislation may not apply.
How we use your personal information
Every instance of processing personal data under the UK GDPR requires a ‘lawful basis’.
The lawful basis of processing personal data described in this Privacy Notice is:
Article 6(1)(e) Task carried out in public interest
NTU undertakes research as part of its function for the community under its legal status, and the UK GDPR allow us to use personal data for research with appropriate safeguards in place under the legal basis of public tasks that are in the public interest.
Where NTU processes special categories of personal data – which include data concerning your health, your racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, or data concerning your sex life or sexual orientation -we will need to have a condition for processing under Article 9 of the UK GDPR in addition to the basis given above. For special category data processed as described in this Privacy Notice, the condition for processing is:
Article 9(2)(j) Processing is necessary for archiving purposes in the public interest, scientific or historical research purposes
When relying on Article 9(2)(j), we will also comply with the relevant requirements of data protection law, which allows NTU to process special category data for research related purposes if the processing is:
- necessary for that purpose – it must be a reasonable and proportionate way of achieving the research study’s purpose, and we will not collect more data than needed for that purpose;
- subject to appropriate safeguards for individuals’ rights and freedoms;
- not likely to cause substantial damage or substantial distress to an individual;
- not used for measures or decisions about particular individuals, except for in the case of approved medical research; and
- in the public interest.
Will NTU rely on consent as a lawful basis for processing?
Please note that your informed ethical consent to participate in a particular research study (which we usually request for relevant types of research) is distinct from consent as a lawful basis to process your personal information.
At NTU we do not rely on your consent as the lawful basis to process your personal data for research purposes. Instead, we rely on the lawful basis set out above.
The researcher will inform you as to any specific arrangements relating to any third-party access to your personal data. Unless stated otherwise in the specific information provided to you from the team leading the research study (for example, in the participant information sheet), your personal data may be shared with:
- the immediate NTU research team who are authorised to work on the study and access the information;
- collaborators at other organisations to NTU authorised to work on the study, as will be clearly set out in your participant information sheet;
- supervisors of any student undertaking the research;
- auditors of NTU to the extent the data is required for the purpose of such audits; and
- in the case of complaints about a research study, members of NTU Research Ethics Committees and other relevant University staff may require access to the data as part of the investigation into such complaint.
Your personal information will not be shared for marketing purposes.
Where necessary we will share information required by law or in the public interest, with, for example, the police or HM Revenue and Customs, any relevant regulator or to exercise or defend our legal rights.
Unless stated otherwise in a participant information sheet, we will not transfer personal data outside of the United Kingdom. Where information is shared outside the UK and European Economic Area, we take appropriate steps to ensure that personal information is processed, secured, and transferred according to applicable law. When we transfer personal information from the UK to other countries in which applicable laws do not offer the same level of data privacy protection as in the UK, we take measures to provide an appropriate level of data privacy protection.
This means, your rights and protection remain with your data, i.e.: where appropriate we use approved contractual clauses, multiparty data transfer agreements, and other measures designed to ensure that the recipients of your personal information protect it. If you would like to know more about our data transfer practices, please contact DPO@ntu.ac.uk.
Anonymised data will often form part of a research publication or presentation to effectively communicate the research to the public and to back up any findings. Where the researcher wishes to identify you in a research publication (e.g. an attributable quote or a photograph), they will seek your explicit consent before doing so.
How long we keep your data for
We will not store your personal information for longer than is necessary to fulfil the purposes for which it has been collected. This may mean holding on to your personal information for a certain period of time after you have ceased to have a relationship with NTU, such as for the purposes of satisfying any legal, accounting, or reporting requirements for the research study.
When determining the appropriate period of time to retain your personal information, we consider several factors, including the amount, nature, and sensitivity of the information, the potential risk of harm from unauthorised use or disclosure of your information, the purposes for which we handle and use your information and whether we can achieve those purposes through other means, and the applicable legal requirements.
Details of the retention of your personal information in connection with the specific research study will be given in the information sheet for each study, as well as on any re-use of that data for future research. General information about how long different types of information are retained by NTU is published in our records retention schedule. We securely erase your information once it is no longer needed.
NTU will retain research data that would allow others to check and verify our findings. These will be deposited in a data repository, which will preserve data for at least ten years. The information sheet for each study will provide further information about where the data will be archived and how data can be accessed.
Where appropriate, any anonymous data, which could not lead to your identification, may be made publicly available. This will allow anyone else (including researchers, businesses, governments, charities, and the general public) to use the anonymised data for any purpose that they wish, providing they credit the University and research team as the original creators.
Your duty to inform us of changes
It is important that the personal information we hold about you is accurate and current. Please keep us informed if your personal information changes and communicate any such changes to the research study team.
Security of your personal information
We have in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal information to those researchers, employees and other third parties who have a legitimate need to know. Specific information about any third-party access will be presented to you in the participant information sheet.
NTU takes data security seriously and we use appropriate technologies and procedures to protect personal information. For example:
- Policies and procedures – measures are in place to protect against accidental loss and unauthorised access, use, destruction, or disclosure of data.
- Business Continuity and Disaster Recovery strategies that are designed to safeguard the continuity of our service to our clients and to protect our people and assets.
- Appropriate restrictions on access to personal information.
- Monitoring and physical measures, to store and transfer data securely.
- Periodic training on privacy, information security, and other related subjects for employees and contractors.
- Contracts and security reviews/assurance on third-party vendors and providers of services.
Various rights under data protection legislation, including the right to access personal information that is held about you, are qualified or do not apply when personal information is processed solely in a research or archival context. This is because fulfilling them might adversely affect the integrity of, and the public benefits arising from, the research study.
The full list of (qualified or inapplicable) rights is:
- Right to access any personal data held about you (commonly known as a “data subject access request”): this enables you to receive a copy of the personal information we hold about you.
- Right to ask us to correct any inaccurate personal information we hold about you: where this right applies, you can ask us to correct or amend any inaccurate or incomplete information. We will either make the requested amendments or provide an explanation as to why we are not making the changes.
- Right to have your data erased (except if there is a valid lawful reason to retain it): where this right applies, you can request the deletion of your information in advance of our standard retention period.
- Right to have your information restricted or blocked from processing: where this right applies, this enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it.
- Right to object to any direct marketing (for example, email marketing or phone calls) by us, and to require us to stop such marketing.
- Right to request the transfer of your personal data: you may be entitled to require us to provide that data to you electronically or to transmit it to another organisation.
If you wish to exercise your personal data rights or have any questions about how we use your data, please get in touch using the contact details at the top of this Privacy Notice.
Please note, there are exemptions included in the UK GDPR and in the Data Protection Act 2018 relating to personal data processed solely in a research or archival context. We will inform you of relevant exemptions we rely on when responding to any request you make.
You should contact us at DPO@ntu.ac.uk if:
- You have a question/query about how your data is being used by NTU;
- You would like to report a data breach (if you believe that your data has been lost or disclosed inappropriately);
- You would like to raise a complaint about how your data is being used.
If you have any questions about how the specific research study you have participated in, you should contact the research team in the first instance. Any enquiries of a confidential nature should be address to the Head of Research Policy and Governance and sent to firstname.lastname@example.org.
You have the right to raise concerns with the Information Commissioner; their website is here: https://ico.org.uk/global/contact-us/
This Privacy Notice was last updated on 13 April 2023.