Your privacy and the protection of your personal information is vital to us. We will comply with the UK General Data Protection Regulation and Data Protection Act 2018.
This Privacy Notice relates to the personal data of participants of research projects performed at, or on behalf of, Canterbury Christ Church University, where the University controls that personal data. This Notice applies to the personal data we collect from you and data passed to us by third parties for research.
We may amend this Privacy Notice. We will include any changes on this page. We last updated this privacy notice in [December 2023].
As each research project or activity is different, those taking part in the research will receive a Participant Information Sheet provided by the researcher before agreeing to participate. Where the terms differ from this Privacy Notice, the researcher will explain them in the Participant Information Sheet.
Research and the University
Like other universities, our staff and postgraduate research students undertake research. The purpose of this research is to make an original contribution to knowledge. Often, our researchers publish their findings to share that knowledge and benefit society and academic study.
Undergraduate and taught postgraduate students may also undertake research projects as part of their course. Usually, these projects do not contribute to knowledge, although they typically have an element of originality. There is no expectation that the student will publish the findings. However, this research is integral to the student’s education, and we include these projects in the definition of research for this Privacy Notice.
We may conduct some research in collaboration with commercial organisations and funders.
Our Data Protection Obligations
When our researchers design and manage research projects, Canterbury Christ Church University will be the controller, which means we will decide how to process your data, which includes collection, usage, sharing, storage, and deletion.
Our researchers will do this to meet the objectives of their research. It ensures they collect what is appropriate and necessary.
For some research projects, the funders may also make decisions regarding the processing of your data. If so, our researchers will explain this in the Participant Information Sheet or dedicated privacy notice.
For some research projects, we may work with one or more universities or research bodies on the same piece of research. We will have an agreement on how we will share our responsibilities. Where there is a shared project, our researchers will explain this in the Participant Information Sheet or a dedicated privacy notice.
Information about you: what we collect, how we use it and how we keep it safe
We collect personal data (including special category data) about our participants to allow researchers to pursue the research aims.
‘Personal data’ is any information which relates to or identifies you as an individual. It includes information that may not explicitly identify you (e.g., where your name does not appear) but makes it possible to recognise you if combined with other available information. For example, from information about age, gender, and specific health conditions, it might be possible to identify you using additional information elsewhere. We would treat these details as personal information.
We aim to conduct research following the highest standards of research integrity. We have policies and procedures in place to ensure we comply with regulations that govern the conduct of research, including data protection and research ethics.
We respect the confidentiality of personal data relating to research participants, whether provided to us directly or obtained from other organisations. We will not use your data in a way that you would not reasonably expect. In the Participation Information Sheet, our researchers will explain how they collect and intend to use your data. The researchers will use your data only for the research you are participating in and will not usually use your
data or contact you for any purpose other than research unless you agree. The Participation Information Sheet and/or Consent Form will make this clear.
Where possible, our researchers will anonymise, pseudonymise (by removing identifiers such as your name and using a unique code) or delete collected personal data as soon as possible. They may provide further information in the Participation Information Sheet.
We commit to keeping your personal information secure.
Personal data we collect about you
The type of personal information collected and used depends on the research project.
The personal data our researchers collect will be proportionate to achieving their research objectives.
The Participant Information Sheet’ will set out the data the researchers intend to collect.
As unnecessary or unrelated personal data is not processed for research purposes, we require all research projects to pass a Public Interest test embedded in our research ethics process.
The public interest test for research aims to justify:
- why the same aims pursued by the research cannot be achieved using non-personal data (i.e. anonymised personal data);
- why collection and processing of the identified personal data is needed to ensure advancement in the particular field the research relates to; and
- that the purposes of the research can be fulfilled whilst complying with technical and organisational safeguards, including pseudonymisation, and to ensure, in particular, the principle of data minimisation.
Our researchers will include the above information clearly within the Participant Information Sheet concerning the specific research project.
For some kinds of research, our researchers may process some data about you that is ‘sensitive’ and requires further protection.
Sensitive Data includes ‘special category’ data,’ e.g. information concerning
your religious beliefs, sexual orientation, ethnicity, gender identity, or health. It may also include criminal conviction data.
The processing of such data is carefully controlled, and an appropriate internal or external ethics committee will approve the arrangements. You will receive explicit information about this in your Participant Information Sheet.
The legal basis for data processing
Data protection legislation requires a legal basis for data processing. Where we process special category or criminal conviction data, we need to establish an additional legal basis for processing that data.
For most research projects, this legal basis will be where “processing is necessary for the performance of a task carried out in the public interest…” (Article 6 of the GDPR). Where the legal basis differs this will be highlighted within the Participant Information Sheet.
When it comes to the collection and processing of special category personal data, we will only do this where “processing is necessary for…scientific or historical research purposes…which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject” (Article 9 of the GDPR).
Third parties with whom we may share your data
Researchers in the project team will share your data to identify you as a participant.
Researchers usually anonymise or pseudonymise research data before sharing it more widely or publishing their findings. If this is not the case, the researchers will explain this in the Participation Information Sheet.
When our researchers work with researchers at other universities or organisations and share your data with them, we will tell you in the Participant Information Sheet’ or dedicated privacy notice. The sharing of data is on a need-to-know basis and will not be excessive. Appropriate safeguards will ensure the security of your information.
We also sometimes use products or services from third parties who carry out a task on our behalf. These third parties are known as data processors. When we use these third parties, we have contractual terms, policies and procedures with them to protect your data. It does not always mean these third parties access your information. Canterbury Christ Church University, as the controller, remains responsible for your personal data.
Should our researchers use another third-party service to process your data, they will explain the relationship in the Participant Information Sheet.
Transfers outside the European Economic Area
Wherever possible, we store your data in the European Economic Area (EEA).
We may transfer your personal data outside the EEA. For instance, we may use a third-party cloud services provider to store your data, which is based outside the EEA.
Should we transfer your data outside the EEA, the third party must agree to put in place safeguards in line with those in the EEA. We do this by using standard contractual clauses supplied by the Information Commissioners Office or equivalent measures. The purpose is to ensure the protection of your personal data is consistent with UK data protection legislation.
Retention Period
The principle underpinning retention of personal data is that this data will be stored for no longer than the minimum period of time the data is needed after all activities related to the research are concluded. Wherever possible, after completion of the research project, all personal data will be made anonymous (i.e. all personal information associated with the data will be removed).
The Participant Information Sheet provided to you before you agree to take part in any CCCU research project will state how long your data will be held after the completion of the project. After this time, we will destroy your data securely.
Safeguards to protect your personal data
To protect your rights when using your data for research, we have specific safeguards, including:
- Policies, procedures and guidance to help our staff and students collect and use your data safely;
- Training to ensure our staff and students understand the importance of data protection and how to protect your data;
- IT security standards and technical measures to ensure the safe and secure storage of your data;
- Scrutinisation and approval of research using personal data by a research ethics committee;
- Contracts with third parties setting out each party’s responsibilities for protecting your data;
- Data protection impact assessments on high-risk projects to protect your privacy, and rights as an individual or freedoms
- Where we use collaborators outside of Europe, we transfer personal data in compliance with data protection legislation.
Who to contact if you have a query
If you have any questions in the first instance please contact the named researcher(s) in the Participant Information Sheet.
The Data Controller and further information
Canterbury Christ Church University is the Data Controller for this personal data.
Please click the link below to access further information regarding:
- The Data Controller
- The name and contact details of the University Data Protection Officer
- Where to make a complaint
- Your rights as a Data Subject
- How to contact the Regulator