JDR Privacy Notice

Introduction

Join Dementia Research is a service provided to the UK public so that researchers can contact people about potential dementia research opportunities. This privacy notice tells you what to expect when Join Dementia Research collects personal information. It applies to information we collect about:

  • Those who register with the Join Dementia Research service
  • Visitors to our website 
  • Those who contact us via our contact us form
  • Those who request a call back via our Callback form

The Department of Health and Social Care ("DHSC") is the Data Controller for Join Dementia Research under the Data Protection Act 2018, the UK GDPR, and the General Data Protection Regulation (EU) 2016/679 ("Data Protection Laws").

The Consortium of the University of Leeds and Guy’s and St Thomas’ NHS Foundation Trust is the Data Processor for Join Dementia Research. The Consortium provides the National Institute for Health and Care Research (NIHR) Clinical Research Network Coordinating Centre (CRNCC) on behalf of the Department of Health and Social Care, and the CRNCC is responsible for the processing of your personal data when you visit the Join Dementia Research website.

In addition, our partners Alzheimer’s Society, Alzheimer’s Research UK and Alzheimer Scotland may collect and store personal information when you contact them for support via the Join Dementia Research helpdesk numbers. Alzheimer’s Research UK also processes our paper application forms on behalf of the data controller, DHSC.

The information we collect

At Join Dementia Research, we may use technology to collect information both directly and indirectly. 

We collect personal information directly from users via:

  • The Join Dementia Research online registration form (including when you register over the phone with our helplines)
  • Join Dementia Research paper applications, details of which are both transferred to the online service and stored as a paper copy
  • The Join Dementia Research Contact us form
  • The Join Dementia Research Callback form

When you sign up to Join Dementia Research, we request the following personal details from you directly via our registration forms:

  • Name
  • Home address
  • Telephone number
  • Email address
  • Date of birth
  • Sex at birth and gender identity
  • Ethnicity
  • Health, healthcare and any disabilities you may have
  • Any caring responsibilities you may have
  • Any other personal information you choose to share
  • Your contact preferences for Join Dementia Research

In addition, once you are registered to the Join Dementia Research service, we use the information you provide to match you to potential research studies. We therefore retain information about which studies you match to and whether you have taken part in these studies.

When you use the Join Dementia Research Contact us form we request the following personal details from you directly:

  • Your name
  • Email address
  • Telephone number
  • Any personal information you provide as part of your query

When you use the Join Dementia Research Callback form we request the following personal details from you directly:

  • Your name
  • Telephone number(s)
  • The reason you would like us to call you back
  • Where you have been referred from if a healthcare professional is referring you to the service

The website also uses cookies that save and retrieve information about your visit to our site, such as how you navigated through the site and what information was of interest to you, all of which help us to develop the service going forward. This is done via Google Analytics. The cookies used identify you only as a number, but you can disable them by changing the settings in the preferences or options menu of your internet browser. However, disabling cookies may affect our ability to provide services to you: if certain cookies are disabled you may not be able to access the service.

Finally, when you use the Join Dementia Research website we collect information indirectly such as your internet address, which is commonplace across all internet services. This information is then kept in internet access logs.

The personal data we collect may vary depending on the nature of your interaction with Join Dementia Research. However, we always protect your personal data within the terms of this Privacy Notice.

How and why we use your personal data

We collect and use your personal data so that:

  • We can provide you with the Join Dementia Research service and match you appropriately to potential research opportunities
  • Researchers across the UK can contact you about taking part in their research studies
  • We can provide you with responses to queries via our Contact Us form
  • We can call you back to discuss the service via our Callback form
  • We can report on the numbers and types of volunteers who are registered to the service
  • We can contact you with updates on the service by email or post, as requested by you (you can unsubscribe from such contact at any time)
  • We can tailor services provided to you, including keeping you informed
  • We can continue to improve the Join Dementia Research service for users

What is the lawful basis for processing data?

Data protection laws mean that each use we make of your personal information must have a “lawful basis” for the processing of that information. The relevant lawful bases are set out in the General Data Protection Regulation (EU Regulation 2016/679) and in the current UK Data Protection Act 2018.

Whilst we are asking you to give your consent to the creation of an account on Join Dementia Research, consent will not be used as the lawful basis for processing your data under the data protection legislation. Rather, the legal basis for processing your personal data under the data protection legislation will be as follows:

  • Article 6.1 (e) - performance of a task in the public interest or in the exercise of official authority vested in the controller;
  • Article 9.2 (j) - research purposes. The NIHR funds, enables and delivers world-leading health and social care research that improves people's health and wellbeing and promotes economic growth. The NIHR CRNCC acts as an agent of the DHSC in this endeavour. The Secretary of State for Health and Social Care has a duty to promote health and care research and a public sector equality duty; thus this service falls right within the public interest task of the DHSC.

For further information please refer to the ICO’s website page on lawful basis for processing.

If you register an account on Join Dementia Research and you then decide you wish to withdraw from the service, you can do this at any time.

Your contact preferences

When you register, we invite you to tell us how you would like to be contacted. We ask:

  • Whether you would like to receive automated study alerts
  • The best way for a researcher to contact you to discuss their study: by email, phone or not at all
  • Whether you would like to receive the quarterly newsletter and annual survey, and whether by email, post or not at all
  • Whether you would like to hear about ethically-approved non-dementia studies
  • Whether you would like to opt out of any contact from the service

You can log into your account or contact the helpdesks to change your preferences at any time.

How we protect your data

The information you provide to register with Join Dementia Research is stored and processed on a secure MySQL database hosted by Google SQL in the UK and Ireland for the purposes outlined above. We have strict training and terms of use policies for staff and researchers accessing the system for the purposes of matching you to and contacting you about research. We regularly review our terms of use and access policies, as well as access roles for all staff and researchers.

Our study account verification, welcome pack, study matching and forgotten password emails are processed and stored electronically by us via SendGrid in the USA. Please see the SendGrid Security Policy and SendGrid Privacy Policy for information on how your data is used and protected. Data we process via SendGrid is stored for 30 days only and is never passed on to third parties.

Personal information entered into our Callback form is stored in a protected Google Sheet and is accessible only to authorised Join Dementia Research staff. We will store your personal data for a maximum of six months. We process your data from our website to Google Sheets using Zapier software. The data is processed using servers based in the USA. Zapier is a GDPR-compliant company. Data we process via Zapier is stored for 30 days only and is never passed on to third parties.

Our email newsletters are processed and stored electronically via Mailchimp in the USA. Please see the Mailchimp Privacy Policy for further information on how your data is processed and protected. We will store your data in Mailchimp for a maximum of six months. Data processed and stored in Mailchimp is never sold to third parties.

Our postal Welcome Pack and Newsletters are processed via our third party contracted printers. Once your data has been used by our printers for the purposes of sending you this information it is immediately electronically deleted.

When you use the Contact us form on our contact page, or if you contact us using the following email addresses:

  • research.jdr@nihr.ac.uk
  • joindementiaresearch@nihr.ac.uk 
  • comms.jdr@nihr.ac.uk
  • manager.jdr@nihr.ac.uk
  • comms.jdr.servicenow@nihr.ac.uk
  • jdr.professionals@nihr.ac.uk

we will respond to your queries through the ServiceNow email management platform. ServiceNow securely processes and stores the information you provide and all data is processed within the UK.

We use anonymous cookie data to track your visit to our website via Google Analytics. The data collected measures numbers and volumes of visitors to Join Dementia Research in order to make sure users’ needs are met, and to understand how the services we provide could be improved. We do not allow Google to use or share our analytics data. Google Analytics cookies expire 38 months after your last visit to this site. Full details on the cookies set by Google Analytics are published on the Google website. Google also publishes a browser add-on, which lets you prevent information about your website visit from being sent to Google Analytics.
 
Who do we share your personal data with?

Your personal data is used for the purposes described above and shared with third parties as specified in the “How we protect your data” section. 

Once you register with Join Dementia Research, your data is viewable by Join Dementia Research staff who administer the service. It is also viewable by researchers involved in dementia research, for the purpose of contacting you about dementia research opportunities. The researchers include NHS staff and approved researchers working in commercial research organisations, or academic institutions.

The information on Join Dementia Research is held separately from your medical records kept by your GP and/or your hospital. In some cases, your medical records may help researchers to see if you are a suitable volunteer to take part in their study. Therefore, when signing up to Join Dementia Research, we ask for your permission for your medical records to be accessed. Only approved researchers and NHS staff who have been assessed in accordance with “Research in the NHS Human Resource (HR) Good Practice” will be allowed to access your medical records, and those accessing your medical records must follow the NHS Confidentiality Code of Practice and the Data Protection Act 2018.

Non-NHS organisations (commercial research organisations, or academic institutions) who wish to use the service must sign a Data Sharing Agreement, which prevents them from sharing your data with other non-authorised third parties and provides for the secure disposal of your data once processed by their researchers.

We contact NHS Digital approximately twice a year, Public Health Scotland yearly and the Northern Ireland General Registry Office every two to three years, to identify volunteers who are deceased across England and Wales, Scotland and Northern Ireland respectively. We share basic personal information about volunteers in a secure way with these organisations in order to carry out a search. Once the search is carried out, the information shared and the accounts and all personal information of deceased volunteers are deleted.

Deleting your Join Dementia Research account

You can delete your Join Dementia Research account at any time, either by logging into your account and deleting it under “My account” or by contacting us via our Contact us page.

Once your account is deleted we retain an anonymised audit log of your history. This is to ensure that we can trace all changes made to any account, and use anonymised information to report over time and improve the website. Access to the audit log is restricted to those managing Join Dementia Research and a record of all investigations is maintained. Information in the audit log cannot be used to create another account.

Your rights over your personal data

The Data Protection Officer for the CRNCC is:

  • Name of Data Protection Officer: Lee Cramp
  • Address: Department of Health and Social Care, 1st Floor North, 39 Victoria Street, Westminster, London, SW1H 0EU
  • Email: data_protection@dhsc.gov.uk

As a data subject, you have the following rights under the Data Protection Laws:

  • the right of access to personal data relating to you 
  • the right to correct any mistakes in your information
  • the right to ask us to stop contacting you with direct marketing
  • rights in relation to automated decision making  
  • the right to restrict or prevent your personal data being processed
  • the right to have your personal data ported to another data controller (e.g. if you decide to contract with a different supplier).
  • the right to erasure
  • the right to withdraw consent

These rights are explained in more detail on the Individual Rights section of the Guide to the General Data Protection Regulations on the Information Commissioner's Office website.

If you wish to exercise any of your data subject rights, please contact the NIHR Service Desk in the first instance:

  • Write to: The NIHR Service Desk, Back Lane, Melbourn, Royston, SG8 6DP
  • OR email: gdpr_requests@nihr.ac.uk

We will respond in a timely manner to any rights that you wish to exercise, and for Subject Access Requests (SARs) within a month of receiving your request, unless the request is particularly complex.

Contacting the Regulator

It is important that you read this privacy notice. If you do not think that we have processed your data in accordance with it, you should let us know as soon as possible.

Similarly, you may complain to the Information Commissioner's Office. Information about how to do this is available at www.ico.org.uk.