Participant privacy notice

< General Privacy Notice

Information about Our Future Health

We are grateful to every person who joins Our Future Health. Our Future Health will collect information from millions of volunteers right across the UK to create one of the most detailed pictures we’ve ever had of people’s health. Researchers will be able to use this information to make new discoveries about human health and disease.

Our Future Health Limited is the Data Controller responsible for your personal data. We are registered with the UK Information Commissioner’s Office (the ICO) number ZA769724. Our data protection officer (“DPO”) is responsible for handling questions that relate to this privacy notice. You can contact the DPO by email on [email protected] or by post to DPO, Our Future Health, 2 New Bailey, 6 Stanley Street, Manchester M3 5GS.

Our Future Health collects, stores and links many data sources, with the aim of providing a resource for health researchers to make new discoveries about human health and disease. “We, us, our” is Our Future Health Ltd, and “You, your” is an individual who has chosen to participate in Our Future Health.

This privacy notice explains how we process and protect the personal data of individuals who have chosen, and provided their Informed Consent, to participate in Our Future Health.

What personal data we collect

In this section, we explain the types of data that we process and why, along with any data that third parties process on our behalf. We collect, use, store and transfer the following types of data:

  • Profile Data includes your participant ID, feedback, survey responses, data from devices that are linked to your account, and all other data linkages you have consented Our Future Health to access.
  • Special Category Data includes personal data which reveals your racial or ethnic origin, genetic data, biometric data for the purpose of uniquely identifying you, data concerning health or data concerning your sex life or sexual orientation.
    • Biological Data is a type of special category data. It includes physical samples and data derived from analysis of biological samples you have provided to us, such as blood, saliva as well as imaging scans and other clinical data.

This data is required to enable researchers to make new discoveries about human health and disease. For more information, please refer to the Participant information in your Account page.

Sometimes we ask third parties, including suppliers and partners, to carry out business functions on our behalf. Where we are required to share personal data with these third parties, we conduct robust due diligence assessments to ensure that they have appropriate security standards in place that protects your personal data, and we enter into a written contract imposing appropriate security and usage standards on them. When directed by you, we may also share your personal data with other third parties.

You can view a current list of third-party processors, and details of the processing they do for Our Future Health here.

↑back to top

How we collect your personal data

We use a variety of ways to collect data from participants, and we try to make this as easy and convenient as possible. As a participant you may provide data in any of the following ways:

  • By filling in a questionnaire about yourself. We will ask you to complete an online questionnaire including questions about your lifestyle and health (for example, through our website or via the Our Future Health smartphone app)
  • By giving a sample of your blood or saliva
  • By giving your informed consent to participate, you allow Our Future Health to access, store and link to health-related records about you held by NHS Digital and other UK NHS bodies. We will keep collecting this information as the study goes on, for many years.
  • By connecting devices which collect health and fitness data, such as a Fitbit or Apple Watch, or smartphone and/or web applications.
  • By linking to other non-health data sources, for which you have given us consent.

↑back to top

In accordance with data protection legislation all collection and processing of personal data must be legally justified with what is called a “legal basis”.

When processing the personal data from participants involved in Our Future Health, the legal basis, under GDPR and the Data Protection Act 2018, is as follows:

Our legal basis and purpose for processing your data
Purpose / Activity Type of Data Lawful Basis and Summary
Purpose / Activity Processing personal data that identifies a participant Type of Data Name
Participant ID Number
Date of Birth
Email Address
Home Address
Lawful Basis and Summary

Article 6.1(f) of the GDPR:
We process this information to achieve our legitimate interests in order to:

  • Conduct scientific research
  • Communicate with you and provide you with information in accordance with your preferences
  • Respond to your queries
  • Capture feedback
  • Ensure the best operation of Our Future Health
Purpose / Activity Processing Special Categories Data* from a participant Type of Data Health, Biometric and Genetic Data Lawful Basis and Summary

Article 9.2(j) of the GDPR:
We process this information in the public interest in the area of public health relating to scientific or historical research purposes or statistical purposes.

Purpose / Activity Recording a participants Informed Consent Type of Data Name
Participant ID Number
Date of Birth
Email Address
Home Address
Lawful Basis and Summary

Article 6.1(c) of the GDPR:
We process this information to comply with a legal obligation.

The overall purpose of Our Future Health is to preserve and advance human health.

*The GDPR defines “special categories data” as information that reveals a person’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership; and the processing of genetic data or biometric data for the purpose of uniquely identifying a person; data concerning health or data concerning sex life or sexual orientation. This sensitive data is subject to enhanced protections.

To use the legal basis of legitimate interest to process your data we must demonstrate that:

  1. Our Future Health has a legitimate interest to process this data
    We provide a resource for health-related research, which will benefit the wider public from the discovery and testing of more effective approaches to prevention, earlier detection and treatment of diseases. Our legitimate interest is to preserve and advance human health.
  2. That the data processing is necessary to meet that legitimate interest
    Without the data that participants provide for analysis, we would be unable to establish the resource and researchers would not have the data they need to do the research. We remove identifying information from the data that researchers can use, and we store only that which we need for as little time as necessary (this is known as data minimisation).
  3. That the interests of participants to process the data is balanced
    We are required to conduct an assessment to ensure that our legitimate interests, or need to process your data to conduct the research study, is balanced and proportionate and does not present any risks to you. This means that we only collect data that is deemed necessary for the research study and that you would reasonably expect us to collect. We must also ensure that it is robustly protected and secure.

When you provide your Informed Consent to join Our Future Health, you allow us to collect, store and make available information about you for health-related research for public good. You can review the Informed Consent you gave within your account, on the Our Future Health website.

Our Future Health may from time-to-time choose to link to other datasets which will enable additional health research, for example your fitness-tracking device or data related to diet and exercise. These linkages will be presented with the scientific rationale for extending data collection beyond conventional health data, however, it is entirely your choice as to whether you decide to these additional data linkages.

↑back to top

How we share your personal data

Data provided to Our Future Health is transferred and stored in a highly secure data environment. During data transfer and at rest all data is encrypted to secure your identity and preserve your privacy. Identifying data is then removed, and your information is transferred to a trusted research environment where it is accessed by researchers in a form which does not allow you to be identified.

Our Future Health enables external researchers from around the world to access the de-identified data. Researchers may be working for universities, commercial companies (including diagnostic and pharmaceutical companies) and charities focussed on specific diseases. All of the work undertaken in the trusted research environment is required to be health-related and for public good.

Researchers access the data within a Trusted Research Environment (TRE) hosted by Our Future Health in a secure cloud storage environment. Subsets of de-identified data are also transferred and hosted in other TREs, hosted by partners of Our Future Health, to allow researchers to work with other datasets not available in the Our Future Health environment.

A full list of all TRE environments where your data is stored is available here. All environments where data is transferred and stored meet the same strict accreditation criteria.

All activity in the Trusted Research Environments is verifiably logged so that we (and external auditors) have visibility of the ways the data is accessed, recalled, stored and transferred. We undertake annual audits across all environments. Researchers sign a contract which includes an agreement not to attempt to reidentify participants at any time. Our Future Health only share your data with researchers who have been approved by our Access Review Committee, and who are conducting health research for public good. You can read more about our Access Review Committee here.

Access to the data resource by the police or other law enforcement agencies will be agreed to only under court order.

Our Future Health do not share personal data with insurance companies, or any other third parties without your explicit prior consent.

↑back to top

How we keep your data secure

Your data is transferred and stored in a highly secure data environment. During data transfer and at rest all participant data is encrypted to secure identity and preserve privacy. Once stored in our main database the identifying information is removed, and your information is transferred to a trusted research environment in a form which does not allow anyone to identify you.

Our Future Health stores all your data securely and to the highest industry and professional standards. Some of the steps we take to maintain secure and robust platforms:

  • Undertake routine security testing of all platforms
  • Commission external experts to regularly test the security of our systems
  • Undertake an annual DPIA (Data Protection Impact Assessment)

Researchers must register with Our Future Health and be approved by a Data Access Committee before they are given access to data. To preserve the privacy of participants all personal identifiers are removed before we transfer data to a trusted research environment, so that individual participants cannot be identified.

Only a small number of approved (and security-checked) staff members at Our Future Health have access to identifiable data. This allows us to add more information to your record as it becomes available, and to manage your account.

↑back to top

How long we keep your data

The Data Protection Act 2018 and GDPR legislation sets out additional rights for data controllers for scientific research, for example data can be stored for research for long periods of time. We aim to balance your rights with the needs of researchers, to allow for maximum value to be extracted from the datasets, for health research in the public interest.

Our Future Health will run for a very long time. We hope to collect as much information as we can about people’s health as they get older, so researchers can look back to find the earliest signs of diseases. On this basis, Our Future Health will retain all data collected unless you fully withdraw from the research study.

↑back to top

International transfers

Where processing activities require data to be transferred outside the UK and EEA, we will only make that transfer if:

  • the country to which the personal data is to be transferred ensures a level of protection for personal data.
  • we have put in place appropriate safeguards to protect your personal data, such as an appropriate contract with the recipient.
  • the transfer is necessary for one of the reasons specified in data protection legislation, such as the performance of a contract between us and you; or
  • you explicitly consent to the transfer.

↑back to top

How to withdraw from Our Future Health

There are two ways to withdraw from Our Future Health; partial or full withdrawal. You can withdraw at any time without giving us a reason.

  1. Partial withdrawal. This means we will not contact you again, or obtain any further information from your records, but we can continue to store and researchers can continue to analyse the samples and data you provided before you withdrew.
  2. Full withdrawal. This means we will not contact you again and we will destroy all the personal data and samples we collected from you. However, it won’t be possible to remove your data from any research that took place before your exit.

You can read more about withdrawal from Our Future Health here.

You can read more about what happens to your data and samples if you decide to withdraw here.

↑back to top

Your data protection rights

You have rights under data protection laws that relate to the personal data which we hold about you. In this section, we explain what your rights are, as they relate to Our Future Health.

Where we rely on our legitimate interest for health research, some of your standard rights, under GDPR, are affected:

Data subject data protection rights
Your right Definition
Right to access By law, research programmes like Our Future Health are not required to provide participants with their data if it is not in their interests, the interests of the health research, or both. This means that, in certain circumstances, it may not be possible to fulfil a data subjects request to obtain a copy of the personal data processed about them during the study. If this is the case, we will respond to you to let you know.
Rights to object

Right to withdraw
These rights are covered by your ability to withdraw from Our Future Health, at any time for any reason.
Right to erasure

On request, data that identifies you personally can be deleted, but there are instances where de-identified data will be retained. This is because erasing data when a dataset has been locked for analysis would seriously impair the purposes of the research activity. In those circumstances, Our Future Health will retain de-identified data where erasing it would render impossible or seriously impair researcher’s ability to complete their research.

To ensure data governance and security, all data is retained in archival back-ups on a rolling 3-month basis. Therefore, deletion requests will not be fully completed until the archived back-up is replaced.

Please be advised, however, that Our Future Health is legally required to retain details of all participants informed consent, along with the active time period and withdrawal, therefore, this data set cannot be deleted.

Rights to rectification You have the right to update, correct or complete your personal data. This right does not apply to health data which you have provided to us.
Right to data portability This right relates to moving or copying your personal data from one Data Controller to another, which would not be applicable in relation to Our Future Health.

↑back to top

Contact details

Our DPO will be happy to answer any questions and satisfy any concerns about Our Future Health’s use of your personal data and can be contacted, at any time, by email on [email protected].

If you are not satisfied with our response, you can contact the Information Commissioner’s Office (“ICO”), the UK supervisory authority for data protection issues (

↑back to top