Critical Care Research Group Data Privacy Policy
The University of Oxford Critical Care Research Group is committed to protecting the privacy and security of personal information. This notice describes how we collect and use personal data submitted to us online, by email, on paper or face-to-face, in accordance with the General Data Protection Regulation (GDPR) and associated data protection legislation.
Data Privacy Policy
DATA CONTROLLER
The University of Oxford is the “data controller" for the information that you provide to us. This means that we decide how to use it and are responsible for looking after it in accordance with the General Data Protection Regulation (GDPR).
DATA PROTECTION OFFICER
The University’s Data Protection Officer can be contacted at data.protection@admin.ox.ac.uk
The University's full Privacy Policy is on the University website.
ACCESS TO YOUR DATA
Access to your personal data within the University will be provided to those staff who need to view it as part of their work.
WHERE WE STORE OR USE YOUR DATA
We may store the data we collect in hard copy or electronically. The data is stored on secure servers and/or in our premises within the UK. We may share your data with third parties or transfer your data outside the EAA under certain circumstances.
RETAINING YOUR DATA
We will only retain your data for as long as we need it to fulfil our purposes, including any relating to legal, accounting, or reporting requirements.
Website
Some data is automatically collected about your visit to this website.
This includes:
- Type of device and unique device identifier
- IP address
- Browser type and version
- Time zone
- Browser plug-in types
- Operating system
- Mobile Network information and platform
- URLs (web addresses) of pages visited
- Clicks around the website
- Page response times
- Download errors
- Length of visit
- Page interaction
This information is provided to us by your browser when you visit a webpage and passed to a third-party provider, Google Analytics. We take all possible steps to ensure that no personally identifiable information is processed.
THE PURPOSE AND LAWFUL BASIS FOR PROCESSING
Data collected for purposes arising from your use of this website is to ensure that we understand how our site is used, to improve our site, and ensure it is secure. This processing occurs because it is necessary to meet our legitimate interests in operating this website.
We will only use your data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another related reason and that reason is compatible with the original purpose. If we need to use your data for an unrelated purpose, we will seek your consent to use it for that new purpose.
Please note that we may process your data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
Research Participants
The Critical Care Research Group (CCRG) is part of the Nuffield Department of Clinical Neurosciences which is part of the Medical Sciences Division of the University of Oxford. As such, we are fully compliant with their privacy policies:
University of Oxford Compliance
Medical Sciences Division Data Privacy Notice
The CCRG may use your personal information (including, where appropriate, sensitive personal information) to carry out academic and/or translational research in the public interest. In general, the legal basis for processing is “a task in the public interest”. We may have asked for your consent to process your personal information for research purposes. You will have been informed of this when you gave consent. This is explained on the Medical Sciences privacy notice, link above.
Some studies within the CCRG have issued more specific guidance on how they use personal data; please consult the relevant page for the particular research study you are participating in.
WHO CAN I CONTACT?
If you have any questions or concerns about the particular research study you are participating in, or wish to withdraw from the study, please use any contact details you have already been supplied with, or use your preferred internet search tool to look for the study name together with “Oxford”. If you are unable to find the relevant contact details, please contact the University’s Information Compliance Team (data.protection@admin.ox.ac.uk).
If you have any general questions about how your personal information is used by the Department, or wish to exercise any of your rights, please consult the University’s data protection webpages. If you need further assistance, please contact the University’s Information Compliance Team (data.protection@admin.ox.ac.uk).
Sharing personal data with third parties
We may share your data with third parties who provide services on our behalf.
All our third-party service providers are required to take appropriate security measures to protect your data in line with our policies. We do not allow them to use your data for their own purposes. We permit them to process your data only for specified purposes and in accordance with our instructions.
We may also share your personal data with third parties if we are under a duty to disclose or share your personal data in order to comply with any legal obligation, or to protect the rights, property or safety of our site, our users, and others.
Where your data is shared with third parties, we will seek to share the minimum amount necessary.
TRANSFERS OUTSIDE THE EEA
There may be occasions when we transfer your data outside the European Economic Area (EEA). Such transfers will only take place if one of the following applies:
- the country receiving the data is considered by the EU to provide an adequate level of data protection;
- the organisation receiving the data is covered by an arrangement recognised by the EU as providing an adequate standard of data protection e.g. transfers to companies that are certified under the EU US Privacy Shield;
- the transfer is governed by approved contractual clauses;
- the transfer has your consent;
- the transfer is necessary for the performance of a contract with you or to take steps requested by you prior to entering into that contract; or
- the transfer is necessary for the performance of a contract with another person, which is in your interests.
Individual Rights
Your rights under the General Data Protection Regulation
Under the General Data Protection Regulation (GDPR), which comes into effect on 25 May 2018, you have the following rights in relation to the information that we hold about you (your ‘personal data’).
- The right to request access to your data (commonly known as a "subject access request"). This enables you to receive a copy of your data and to check that we are lawfully processing it.
- The right to request correction of your data. This enables you to ask us to correct any incomplete or inaccurate information we hold about you.
- The right to request erasure of your data. This enables you to ask us to delete or remove your data in certain circumstances for example, if you consider that there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your data where you have exercised your right to object to processing (see below).
- The right to object to the processing of your data, where we are processing it to meet our public tasks or legitimate interests (or the legitimate interests of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your data for direct marketing purposes.
- The right to request that the processing of your data is restricted. This enables you to ask us to suspend the processing of your data, for example, if you want us to establish its accuracy or the reason for processing it.
- Request the transfer of your data to another party
Further information on these rights is available from the Information Commissioner’s Office.
Depending on the circumstances and the nature of your request it may not be possible for us to do what you have asked, for example, where there is a statutory or contractual requirement for us to process your data and it would not be possible to fulfil our legal obligations if we were to stop. However, where you have consented to the processing (for example, where you have asked us to contact you for marketing purposes) you can withdraw your consent at any time by emailing the department that is processing your data.
If you want to exercise any of the rights described above or are dissatisfied with the way we have used your information, you should contact the University’s Information Compliance Team. We will seek to deal with your request without undue delay, and in any event in accordance with the requirements of the GDPR. Please note that we may keep a record of your communications to help us resolve any issues which you raise.