Privacy Policy

This privacy notice describes what we do with your personal information for the purposes of health and care research within the West Midlands Secure Data Environment (WMSDE). It tells you what information we collect about you, how we store it, how long we retain it and with whom we might share it.

It is important that you read this notice, together with any other privacy notice or specific information you may already have been given (for example, in participant information booklet/leaflets or any consent forms), so that you are aware of how and why we are using information about you.


Data controller means the organisation that determines or decides the purposes, conditions and means of the processing of personal data.

De-identified means the removal of personal identifying information from data.

Information Commissioner’s Office means the body that regulates public bodies under data protection and freedom of information legislation.

UK GDPR means the General Data Protection Regulation (2016/679).

Personal data/information means information relating to a natural (living) person or “data subject”, which can be used to identify the person. This provides for a wide range of information to constitute personal data, for example:

  • name
  • identification number
  • social media posts
  • location data
  • online identifier

Processing means anything that is done to the personal data we hold.

Sensitive Information/Special category of personal data means information that is thought to be ‘extra sensitive’, such as:

  • ethnicity
  • data concerning health
  • biometric data
  • sexual orientation
  • religious or philosophical beliefs

Who we are

The West Midlands Secure Data Environment (WMSDE) is an NHS England-funded programme that supports the creation of a secure platform for data analysis. This platform is made available to researchers across the region.

Through the West Midlands Secure Data Environment, partner organisations will make the information they hold on you available to researchers. This will only be made available under the correct ethical framework. The partner organisations to whom this applies are listed on this website’s ‘Your Local Area’ pages. The areas covered are:

  • Birmingham and Solihull
  • Black Country
  • Coventry and Warwickshire
  • Herefordshire and Worcestershire
  • Shropshire, Telford and Wrekin
  • Staffordshire and Stoke-on-Trent

Each partner organisation is bound by a duty of confidentiality and must abide by the Data Protection Act 2018 and UK GDPR.

Each organisation is required to hold and maintain a registration with the Information Commissioner’s Office (ICO) as Data Controller of the personal data it collects on you as part of providing direct care.

University Hospitals Birmingham (UHB) will act as the host organisation for the WMSDE programme and is registered with the Information Commissioner’s Office (ICO) to process personal and special category information under registration number Z5568104.

How will your personal information be used?

High-quality data is essential to ensure health and social care research is accurate and successful. We will use your personal information to carry out research in the interests of the public. This means that each research project will be required to demonstrate that the research will have a meaningful impact on the population, for example by improving existing services or introducing new treatments. The personal data held by a partner organisation will be anonymised before access is granted to the individuals conducting the research.

We might also use your personal information to carry out your request to opt out of allowing your health information to be used for research projects supported through the WMSDE, or to opt back in, should you make one of these requests to us. Please see the section called ‘Your rights’ below.

What personal information will we collect about you and how will we collect it?

Each research project conducted within the WMSDE is required to specify the information that is necessary to fulfil the project’s aim.  

In most cases, one or more partner organisations may already hold the personal information required for a specific research project due to the healthcare we provide to you.

The information that we already hold about you, or that may be collected from you, may include sensitive information such as:

  • ethnicity
  • information concerning your health
  • biometric data
  • sexual orientation
  • religious or philosophical beliefs

If you make a request to opt out of allowing your health information to be used for research projects supported through the WMSDE, or to opt back in, we will need you to give us some information to enable us to carry out your request. We will ask you to provide the following:

  1. Full name
  2. Date of birth
  3. NHS number
  4. Address
  5. Email address
  6. Signature as part of a signed declaration

We will collect this through a form you can download from our Local Data Opt-Out page and, when completed, send to us at either the email or postal address on that page. We are also setting up a way you can give us your details by phone if you would prefer us to complete the form for you. We will publish details of how you can do so on our Local Data Opt-Out page as soon as this service is available.

Our lawful basis for processing your personal information

The first principle of UK GDPR requires personal data to be processed lawfully, fairly and transparently. As a result, a lawful basis is required when processing personal information and in this instance the following lawful basis will be relied upon:

When we use your information for research, we rely on Article 6(1)e (“processing is necessary for the performance of a task carried out in the public interest”) and Article 9(2)j (“processing is necessary for archiving purposes in the public interest, scientific or historical research purposes”) of the General Data Protection Regulation (GDPR) in combination with Schedule 1, Part 1, Art 4 Data Protection Act (DPA) 2018.

In addition, confidential information that you have shared with our staff to enable them to provide your care is governed by the common law duty of confidentiality, as described by NHS England.

Codes of practice for handling information in health and social care

Who will have access to your personal information?

Each partner organisation is responsible for the data they make available for access within the West Midlands Secure Data Environment. Personal data within the WMSDE can only be viewed by the organisation providing the data and the support functions within the West Midlands Secure Data Environment. All individuals who can view your personal data must comply with the law and ensure that your personal data is handled in a lawful way.

Your information will only be used by organisations and researchers to conduct research in accordance with the UK Policy Framework for Health and Social Care Research.

UK Policy Framework for Health and Social Care Research

Researchers and organisations that wish to use your information to conduct research within the WMSDE will only have access to de-identified information.

Some information about you may also be linked to other information shared by primary care providers (eg your GP) and secondary care providers (eg an acute hospital trust) with the view to creating a more complete information set that will enable medical research for the benefit of public health. The West Midlands SDE has Confidentiality Advisory Group (CAG) approval (22/CAG/0025), which provides the correct permissions for the team to link data where appropriate.

If you submit a request to opt out of allowing your health information to be used for research projects supported through the WMSDE, or to opt back in, your personal information supplied as part of this request will only be seen by our staff responsible for processing your request.

How we retain and re-use your information

Your personal information is held in both paper and electronic format, as required, for specified retention periods, as set out in the applicable research protocol. The applicable retention period for research studies may vary and will be outlined within each application.

Following the expiry of the relevant retention period, your personal information will be fully anonymised and archived, or destroyed. Where information is to be destroyed, this will be done in a confidential manner and in accordance with the NHS Records Management Code of Practice. Anonymised archived data may be re-used for scientific or historical research purposes.

If you register an opt out, the details you provide for this will be retained on record to ensure your opt out remains active.

Your Rights

You have the right to determine how your personal information is used and to exercise your rights described within UK GDPR. There are some instances in which your individual rights under UK GDPR are limited when your information will be used for research.

You are not legally or contractually obliged to supply us with your personal information or to agree that information already held about you for care purposes may be used for research purposes.

Should you not wish information about you to be used for any health research, please see the National Data Opt-Out page on this website, or visit the National data opt-out service.

If you do not want your health information to be used for research projects supported through the WMSDE, please see details of how to opt out of these on the Local Data Opt-Out page of this website.

We are unable to apply the Local Data Opt-Out retrospectively to data that was provided to researchers before we receive and apply your opt-out.

Once we receive your request to opt out through the Local Data Opt-Out service, it may take up to one month from your request being registered to it being fully applied.

If you withdraw your consent to participate in a research project, we may not remove all of your data. We may keep the information about you that we have already used for a particular research project to ensure research integrity is maintained in the public’s interest and that publicly funded research meets its goals. To safeguard your rights, we will strive to use the minimum personally identifiable information possible following your withdrawal of consent.

Where research has been conducted, based on section 251 of the National Health Service Act 2006, via CAG, you have a right to opt out. The national data opt-out right emanates from the Caldicott principles and entitles you to opt out of your data being used for research.  

The Information Commissioner’s Office (ICO) is the body that regulates hospital trusts under data protection and freedom of information legislation.

ICO website

If you are not satisfied with our response or believe we are not processing your personal data in accordance with the law you can complain to the ICO.

How to make a complaint to the ICO

You can use the live chat facility or make a complaint directly through the ICO website.

You can also call the ICO on 0303 123 1113.

Changes to this privacy notice

This page is reviewed when necessary and at least annually. The information on this page will be updated regularly as the programme progresses. Any changes will be published here. Information on the rest of this website will also change at times. We will update relevant pages as the programme progresses.