This sheet explains how personal data will be used within a research project at the University of York. For details specific to the project, please see the participant information sheet given to you by the project team.
For this project, the University of York is the Data Controller. We are registered with the Information Commissioner’s Office. Our registration number is Z4855807.
Please look at the participant information sheet given to you by the person telling you about this project. If you have any questions, you can ask them to explain.
Privacy law (the UK General Data Protection Regulation (GDPR) and Data Protection Act 2018) requires us to have a legal reason to process your personal data. Our reason is we need it to perform a public task[1].
This is because the University has a public function, which includes carrying out research projects[2]. We need to use personal data in order to carry out this research project.
Information about your health, ethnicity, sexual identity and other sensitive information is called “special category” data. We have to have an additional legal reason to use this data, because it is sensitive. Our reason is that it is needed for research purposes[3]. All research projects at the University follow our research ethics policies.
Please look at the participant information sheet given to you by the person telling you about this project. If you have any questions, you can ask them to explain.
The participant information sheet tells you any people and organisations your data will be shared with.
As well as this, we use computer software or systems to hold and manage data. Other companies only provide the software, system or storage. They are not allowed to use your data for their own reasons.
We have agreements in place when we share data. These agreements meet legal requirements to ensure your data is protected.
The University is serious about keeping your data secure and protecting your rights to privacy. We don’t ask you for data we don’t need, and only give access to people who need to know. We think about security when planning projects, to make sure they work well. Our IT security team checks regularly to make sure we’re taking the right steps. For more details see our security webpages.
If your data is stored or processed outside the UK, we follow legal requirements to make sure that the same level of privacy rules still apply.
The University has rules in place for how long research data can be kept when the research project is finished. Please see the participant information sheet given to you by the person telling you about this project for more information.
You have rights over your data. The participant information sheet explains how you can stop participating in the study, and what will happen to your data if you do.
If you want to get a copy of your data, or talk to us about any other rights, please contact us using the details below.
If you have any questions or concerns about how your data is being processed, please use the contact details provided to you by the person telling you about this project.
If you have further questions, the University’s Data Protection Officer can be contacted at dataprotection@york.ac.uk or by writing to: Data Protection Officer, University of York, Heslington, York, YO10 5DD.
If you are unhappy with how the University has handled your personal data, please contact our Data Protection Officer using the details above, so that we can try to put things right.
If you are unhappy with our response, you have a right to complain to the Information Commissioner’s Office. You can also contact the Information Commissioner’s Office by post to Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF or by phone on 0303 123 1113.
________________________________________________________________________________________________________________________________________
[1]This refers to UK GDPR Article 6 (1) (e): processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
[2] Our charter and statutes states: 4.f. To provide instruction in such branches of learning as the University may think fit and to make provision for research and for the advancement and dissemination of knowledge in such manner as the University may determine.
[3] This refers to UK GDPR Article 9 (2) (j): processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.