General privacy notice
Who are we?
Our Future Health collects, stores and links many data sources, with the aim of providing a resource for health researchers to make new discoveries about human health and disease.
Our Future Health Limited is the Data Controller responsible for your personal data. We are registered with the ICO (ZA769724). “We, us, our” is Our Future Health Ltd, and “You, your” is an individual who has chosen to interact with Our Future Health.
Our data protection officer (“DPO”) is responsible for handling questions that relate to this privacy notice. You can contact the DPO, at any time, by email on dpo@ourfuturehealth.org.uk or by post to DPO, Our Future Health, 2 New Bailey, 6 Stanley Street, Manchester M3 5GS.
This privacy notice explains how we process and protect your personal data if you are an individual who registers to open an Information-Only account with Our Future Health, a website user, a researcher, a healthcare professional in one of our clinics or any other third party who interacts with us.
Please note that if you are a participant in Our Future Health, please refer to our Participant Privacy Notice, as this has more specific information on how we collect, store, transfer and use data as part of the research programme.
Introduction
We are committed to the highest standards of data protection, and to making sure that our privacy notices are easy to understand. If there is anything in our privacy notices which you would like to discuss, please contact our support team.
As well as our commitment to complying with all relevant data protection legislative requirements, we also work collaboratively with members of the public across the UK to ensure that how we manage and protect your data is in line with public expectation. This work includes co-design panels, public advocacy groups and public testing of our information materials and focus groups. If you would like to learn more about our public participation activities, please contact our support team.
It is possible to register to receive more information and updates from Our Future Health without consenting to join the research programme. We call this an Information-Only account.
The personal data we collect about you
In this section, we explain the types of data that we process and why. We collect, use, store and transfer the following types of data when you interact with us:
- includes your name, title, date of birth and where applicable any unique user ID we may assign you.
- includes your address, email address, telephone number and any communication we have had with you (including emails, phone calls, voicemail and conversations you may have had with our support team).
- Technical Data includes your IP address, browser type and version, time-zone setting and location, language preference, operating system and platform, and other information related to the devices you use to access the website.
If you are a researcher or a healthcare professional engaged in one of our clinics, when you create an account, register or make an application to access the resource or an Our Future Health system, or if you have publications of interest to Our Future Health containing your details, we may also collect, use, store and transfer the following:
- Profile Data includes feedback, survey responses and testimonials.
- Event Registration Data includes information about your dietary requirements or accessibility requirements when you attend an event.
- Usage Data includes information about how you use our website.
- Researcher Data includes your name, CV, publications, any professional or scientific complaints made against you, your department and affiliated institution(s) / employer(s), allocated unique identifying number (if applicable) and Access Management System credentials (such as username and password).
Our website sometimes includes links to third-party websites and applications. Clicking on those links may allow third parties to collect or share data about you. We do not control third-party websites and are not responsible for their privacy statements. We recommend you read the privacy notice of third-party websites and applications.
How your personal data is collected
We use different methods to collect data from and about you, these include:
- Directly from you: You may give us your identity data and/or contact data when you contact us, give us feedback or register for more information. If you are a researcher this will include personal data you provide us when you make an application to access the resource or register with Our Future Health.
- Your employer: If you are a healthcare professional engaged in one of our clinics, your employer will give us your identity data and/or contact data to enable us to grant you access to an Our Future Health system.
- When you give permission to other organisations to share it or when it is publicly available: If you are a business stakeholder of Our Future Health, we may receive information about you from third party organisations we work closely with (including, for example, business partners). The personal information we get from these third parties may depend on the responses you give to them. We may also use information about you that is publicly available.
- Automated technologies or interactions. As you interact with our website, we will automatically collect Technical Data about your device, browsing actions and patterns. However, the type of information that we collect is dependent on your choices when using the Cookie Banner when you visit the Our Future Health website.
How we use your personal data
In accordance with the UK GDPR, the use of personal data must be justified. This justification is called a “legal basis” and Our Future Health apply the following legal bases when processing personal information:
- To fulfil the performance of a contract.
- Where we have a legal obligation.
- To achieve our legitimate interests, provided that this does not unduly affect your rights as a data subject.
- Where you have been asked to provide your consent.
The table below describes how we use your personal data, and the legal bases we rely on to process your data.
| Purpose / Activity | Type of data | Lawful basis for processing |
|---|---|---|
| Purpose / Activity When you register to open an Information Only account with Our Future Health to receive information and learn more about what we are doing. |
Type of data
Name |
Lawful basis for processing
Article 6.1(a) of the UK GDPR With your consent, we process this information to:
|
| Purpose / Activity To manage our relationship with you and/or your employer, or to grant you access to an Our Future Health system |
Type of data
Name Phone Number Unique User ID |
Lawful basis for processing
Article 6.1(f) of UK GDPR: We process this information to achieve our legitimate interests in order to:
|
| Purpose / Activity For analytical purposes to understand how users interact with Our Future Health |
Type of data
Technical Data Aggregated/ De-identified Data (i.e. does not identify you personally) |
Lawful basis for processing
Article 6.19(f) of UK GDPR: We process this information to achieve our legitimate interests in order to:
|
| Purpose / Activity To manage the Our Future Health website (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data) |
Type of data
Technical Data Aggregated/ De-identified Data (i.e. does not identify you personally) |
Lawful basis for processing
Article 6.1(f) of the UK GDPR We process this information to achieve our legitimate interests in order to manage the website, IT services, network security and also to prevent fraud. |
| Purpose / Activity To allow researchers to access the Our Future Health resource |
Type of data
Identity Data Contact Data Technical Data Researcher Data |
Lawful basis for processing
Article 6.1(f) of the UK GDPR Necessary for our legitimate interest (e.g., to verify the bona fides of researcher as part of the application process, for access to the resource and / or Access Management Services (including for authentication purposes if accessing the resource through our third-party provider) and to enable dialogue with researchers regarding research outcomes) |
| Purpose / Activity To carry out user research |
Type of data
Profile Data Technical Data Usage Data |
Lawful basis for processing
Article 6.1(f) of the UK GDPR We process this information to achieve our legitimate interests in order to:
|
Where we have indicated that the processing of your personal data is necessary for our legitimate interests, we conduct a full balancing assessment to ensure that our needs do not unduly affect your data subject rights.
If you no longer wish to receive news and updates about Our Future Health, you can opt-out of communications at any time by using the unsubscribe link in each communication.
The aggregated data we collect about you
We collect, store and share aggregated data, which does not reveal your identity, for example demographic data or statistical data, which helps us to understand how people are using the website. We may aggregate data about how many people use the Our Future Health website to calculate the percentage of people using a specific feature of the website. However, if we combine or connect aggregated data with your personal data, we treat the combined data as personal data which will be processed in accordance with this privacy notice.
How we share your personal data
Sometimes we ask third parties, including suppliers and partners, to carry out business functions for us, for example maintaining and backing up our IT systems’ software, or providing a data analytics platform. Where we are required to share your data with these third parties, we conduct a robust due diligence assessment to ensure that they have appropriate security standards in place that protect your personal data, and we enter into a written contract imposing appropriate security and usage standards on them.
If you are a researcher we may share your personal data with the following parties:
- Our Access Board and Sub-Committees for the purpose of considering your application to access the resource; and
- Our third-party platform provider (DNAnexus) for the purpose of validating your access to the Our Future Health Trusted Research Environment.
If you are a healthcare professional in one of our clinics we may share your identity and profile data with your employer to enable the conduct of investigations into complaints or other feedback from research programme participants.
Your data protection rights
As a data subject, depending upon the lawful basis we are relying on, you have a number of rights, in accordance with the UK GDPR, as follows:
| Your right | What does it mean? |
|---|---|
| Right to access | You have the right to access your personal data. This is sometimes referred to as submitting a “data subject access request”. |
| Right to data portability | This right relates to moving or copying your personal data from one data controller to another. This right would not be applicable in relation to Our Future Health since our lawful basis for processing your personal data is legitimate interests. |
| Rights to rectify | You have the right to update, correct or complete your personal data. |
| Right to object | You have the right to object to or ask us to restrict the processing of your personal data, including direct marketing. |
| Right to be forgotten | You are entitled to have your personal data erased, at any time. From time to time, we may be required to retain data for example to comply with a legal obligation, or exercise or defend legal claims. |
| Right to withdrawal of consent | You have the right to withdraw your consent at any time. |
While exercisable by you, some rights are subject to certain restrictions in legally prescribed circumstances. If we intend to apply a restriction we will tell you why. Should you wish to discuss this or exercise any of your rights please contact our DPO by email on dpo@ourfuturehealth.org.uk or by post by writing to the address above.
International transfers
Where processing activities require data to be transferred outside the UK and European Economic Area (EEA), we will only make that transfer if:
- The country to which the personal data is to be transferred ensures an adequate level of protection for personal data;
- We have put in place appropriate safeguards to protect your personal data, such as an appropriate contract with the recipient;
- The transfer is necessary for one of the reasons specified in data protection legislation, such as the performance of a contract between us and you; or
- You explicitly consent to the transfer.
How we keep your data secure
We have put in place appropriate and robust security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way. In addition, we limit access to your personal data to approved employees and suppliers, who are required to access it in accordance with their roles and responsibilities. We have put in place procedures to respond to any suspected personal data breach and will notify you and any applicable regulator of a breach should that be legally necessary.
How long we keep your data
We retain your data for as long as is necessary to provide you with the services described in this notice, or for as long as you have a registered account with Our Future Health. We may also retain and use your data to comply with our legal obligations, resolve disputes, enforce our agreements and protect Our Future Health’s legal rights
Contact details
Our DPO is available to answer any questions and address any concerns about Our Future Health’s use of your personal data. If you are not satisfied with our response, you can contact the Information Commissioner’s Office (“ICO”), the UK supervisory authority for data protection issues (www.ico.org.uk). This privacy notice was last updated in October 2022. If we may make changes to this privacy notice, at any time, the most current version will be published here.