Accessibility statement

Privacy notice - Research Participants

This notice explains how personal data is used by research projects at the University of York. For details specific to the project, please see the participant information sheet given to you by the project team.

For projects where this notice applies, the University of York is the Data Controller. We are registered with the Information Commissioner’s Office. Our registration number is Z4855807.

What information do we have, and where do we get your data from?

Please look at the participant information sheet given to you by the person telling you about this project.  If you have any questions, you can ask them to explain.

What is our legal basis for processing your data?

Privacy law (the UK General Data Protection Regulation (GDPR) and Data Protection Act 2018) requires us to have a legal reason to process your personal data. Our reason is that we need it to perform a public task

This is because the University has a public function, which includes carrying out research projects. We need to use personal data in order to carry out this research project.  

Information about your health, ethnicity, sexual identity and other sensitive information is called “special category” data.  We have to have an additional legal reason to use this data, because it is sensitive.

Our additional reason is that it is needed for research purposes. All research projects at the University follow our research ethics policies.

The legal reasons are given in full detail below:

  • Our legal reason "public function" refers to UK GDPR Article 6 (1) (e): processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. 
  • Our public function is defined in Our charter and statutes, which state: 4.f. To provide instruction in such branches of learning as the University may think fit and to make provision for research and for the advancement and dissemination of knowledge in such manner as the University may determine.
  • Our legal reason "because it is needed for research purposes" refers to UK GDPR Article 9 (2) (j): processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.

How do we use your data?

Please look at the participant information sheet given to you by the person telling you about this project.  If you have any questions, you can ask them to explain.

Who do we share your data with?

The participant information sheet tells you any people and organisations your data will be shared with. 

As well as this, we use computer software or systems to hold and manage data.  Other companies only provide the software, system or storage. They are not allowed to use your data for their own reasons.

We have agreements in place when we share data. These agreements meet legal requirements to ensure your data is protected.

How do we keep your data secure?

The University is serious about keeping your data secure and protecting your rights to privacy. We don’t ask you for data we don’t need, and only give access to people who need to know. We think about security when planning projects, to make sure they work well. Our IT security team checks regularly to make sure we’re taking the right steps. For more details see our security webpages.

How do we transfer your data safely internationally?

If your data is stored or processed outside the UK, we follow legal requirements to make sure that the same level of privacy rules still apply.

How long will we keep your data?

The University has rules in place for how long research data can be kept when the research project is finished. Please see the participant information sheet given to you by the person telling you about this project for more information.

What rights do you have in relation to your data?

You have rights over your data. The participant information sheet explains how you can stop participating in the study, and what will happen to your data if you do. 

If you want to get a copy of your data, or talk to us about any other rights, please contact us using the details below.

Questions or concerns

If you have any questions or concerns about how your data is being processed, please use the contact details provided to you by the person telling you about this project.

If you have further questions, please contact the University’s Data Protection Officer: 

Right to complain

If you are unhappy with how the University has handled your personal data, please contact our Data Protection Officer using the details above, so that we can try to put things right. 

If you are unhappy with our response, you have a right to complain to the Information Commissioner’s Office:

Changes to our privacy notice

We keep our privacy notices under regular review. This notice was last updated on 4th November, 2021.