Cookies on this website

We use cookies to ensure that we give you the best experience on our website. If you click 'Accept all cookies' we'll assume that you are happy to receive all cookies and you won't see this message again. If you click 'Reject all non-essential cookies' only necessary cookies providing core functionality such as security, network management, and accessibility will be enabled. Click 'Find out more' for information on how to change your cookie settings.

Data protection

In the course of getting involved with PPI at the Pandemic Sciences Institute, University of Oxford, you have provided information about yourself (‘personal data’). We (the University of Oxford) are the ‘data controller’ for this information, which means we decide how to use it and are responsible for looking after it in accordance with the General Data Protection Regulation and associated data protection legislation. 

This privacy notice describes how we collect and use personal information about you during and after your relationship with us, in accordance with the applicable data protection legislation (the Data Protection Act 2018 and the UK General Data Protection Regulations (UK GDPR”)) and the University’s Data Protection Policy.

This notice applies to members of the public who take part in PPI activities. We may also supply you with a project specific privacy notice. It is important that you read this notice, together with any other privacy notice we may provide on specific occasions when we are collecting or processing personal information about you, so that you are aware of how and why we are using such information.

We may update this notice at any time.

The kind of information we hold about you

Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).

There are "special categories" of more sensitive personal data which require a higher level of protection.

We may collect, store, and use the following categories of personal information about you:

 

Type of data

Why we may collect this data

Personal contact details such as name, title, addresses, telephone numbers, and personal email addresses

To provide you with the information and/or services that you request from us.

To contact you in relation to you taking part in public involvement and engagement activities including for the purposes of feedback.

To provide you with relevant news by email, phone or post where you have consented to receive this information.

To administer and fulfil requirements as agreed in any governance documents relating to your involvement in our public involvement and engagement activities and any related terms of reference  

To ensure the information we hold about you is up to date and accurate.

To reimburse you for expenses related to a PPI activity you have been involved in or to pay you for your time.

Gender, age, highest level of education, whether you have caring responsibilities

Equal opportunities monitoring. We may collect this information to ensure that we involve people from as many different backgrounds as possible in shaping and advising on our research.

Bank account details, payroll records, postal address, national insurance number, nationality and tax status information. PPI compensation history

 

We may collect this information to reimburse you for expenses related to a PPI activity you have been involved in or to pay you for your time.

To ensure we meet any and all legal obligations with regards to the service we provide to you for the duration of your involvement with us.

Paying you for your time and reimbursing your expenses, and if you are an employee, deducting tax and National Insurance contributions.

To prevent fraud.

The dates you took part in a PPI activity

We may collect this information to reimburse you for expenses related to a PPI activity you have been involved in or to pay you for your time.

Projects you have been involved in

We may collect this information to reimburse you for expenses related to a PPI activity you have been involved in or to pay you for your time.

Photographs and video

We will only collect this type of information with your explicit consent. We will ask your permission before recording meetings or taking photographs. 

We may also collect, store and use the following "special categories" of more sensitive personal information:

Information about your race or ethnicity, religious beliefs and sexual orientation 

 

Equal opportunities monitoring. We may collect this information to ensure that we involve people from as many different backgrounds as possible in shaping and advising on our research.

Information about your health, including any medical condition

We may collect this information to ensure that we involve people from as many different backgrounds as possible in shaping and advising on our research. 

We may have PPI activities that are focused on a particular medical condition and therefore we will try to ‘match’ individuals to the particular project. 

 

How is your personal information collected?

We collect most of the personal information about you, through you directly.

How we will use information about you and the legal basis for processing your data under the GDPR

We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:

  • Where you have consented to the processing
  • Where the processing is necessary for you to perform a task in the public interest or for official functions, and the task or function has a clear basis in law.
  • Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests

Some of the above grounds for processing will overlap and there may be several grounds which justify our use of your personal information

Situations in which we will use your personal information

We need all the categories of information in the list above primarily to contact you with regard to the public involvement and engagement activities, to remunerate you for your time and reimburse you for your expenses and to enable us to comply with legal obligations. In some cases we may use your personal information to pursue legitimate interests of our own or those of third parties, provided your interests and fundamental rights do not override those interests. We have indicated below the purpose or purposes for which we are processing or will process your personal information, as well as indicating which categories of data are involved.

Change of purpose

We will only use your personal information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal information for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so. 

Please note that we may process your personal information without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.

Data sharing

We may have to share your data with third parties, including third-party service providers. These third parties are required to take appropriate security measures to protect your data in line with our policies. We do not allow them to use your data for their own purposes. We permit them to process your data only for specified purposes and in accordance with our instructions.

Where we share your data with a third party, we will seek to share the minimum amount necessary.

We may transfer your personal information outside the EU.

If we do, you can expect a similar degree of protection in respect of your personal information.

Data security

We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal information to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal information on our instructions and they are subject to a duty of confidentiality.

We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.

Data retention: How long will you use my information for?

We will only retain your personal information for as long as you are happy to be contacted about PPI activities, including for the purposes of satisfying any legal, accounting, or reporting requirements. Details of retention periods for different records the University holds are available in our retention policy which is available on this website: https://compliance.admin.ox.ac.uk/retention-schedules#collapse1098991 

To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements. 

We will only store your data for as long as you are involved in a PPI activity or, for as long as you wish to be informed about future related PPI opportunities. Choosing to give your consent to be contacted in future will be entirely optional and you may ask for your contact details to be deleted at any time.  Specific PPI activities will have different retention periods but this information will be provided to you when you register your interest for the project. 

In some circumstances we may anonymise your personal information so that it can no longer be associated with you, in which case we may use such information without further notice to you. 

Rights of access, correction, erasure, and restriction 

Your duty to inform us of changes

It is important that the personal information we hold about you is accurate and current. Please keep us informed if your personal information changes during your relationship with us. 

Your rights in connection with personal information

Under UK GDPR, you have individual rights in relation to the data that we hold about you. You can learn more about this here: https://compliance.admin.ox.ac.uk/individual-rights

Right to withdraw consent

In the limited circumstances where you may have provided your consent to the collection, processing and transfer of your personal information for a specific purpose, you have the right to withdraw your consent for that specific processing at any time. To withdraw your consent, please contact the PPI lead for your activity. Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose or purposes you originally agreed to, unless we have another legitimate basis for doing so in law.

Data Protection Officer

We have appointed a Data Protection Office to oversee compliance with this privacy notice. If you have any questions about this privacy notice or how we handle your personal information, please contact the Data Protection Officer at: data.protection@admin.ox.ac.uk

You have the right to make a complaint at any time to the Information Commissioner's Office (ICO), the UK supervisory authority for data protection issues.

Changes to this privacy notice

We reserve the right to update this privacy notice at any time, and we will provide you with a new privacy notice when we make any substantial updates. We may also notify you in other ways from time to time about the processing of your personal information.

This document was last updated on Thursday 20th June 2024.