This document explains why information is collected about you and how your information may be used. This is called a Fair Processing Notice or Privacy Notice. It applies to the information of patients consented to the National Registry of Rare Kidney Diseases (RaDaR) and describes how RaDaR collects, uses and processes your personal data and associated information and how, in doing so, it complies with its legal obligations to patients. Your privacy is important and RaDaR is committed to safeguarding your data privacy rights.
This document should be read in conjunction with the ethically approved study documents found at https://rarerenal.org/radar-registry/criteria-and-consent/.
This notice will address the following areas:
- Key definitions
- What is RaDaR?
- Why RaDaR collects your information
- What personal information does RaDaR collect?
- Where does RaDaR collect your information from?
- How does RaDaR use your information?
- Who your information is shared with
- RaDaR’s lawful basis for collecting your information
- How RaDaR maintains the confidentiality of your information
- RaDaR and partner organisations
- How long your information will be stored
- Your individual rights
- Objections and complaints
- How to contact RaDaR
- Changes to this notice
Data controller – the organisation, person or persons who determine the purposes and means of processing personal data, For the purpose of this notice and how it affects your data the data controllers are the Renal Association (the owner and operator of RaDaR).
Data processor – in relation to your personal data, means any person (other than an employee of the data controller) who processes the data on behalf of the data controller.
Data protection officer – an existing employee or externally appointed person in place to assist in monitoring internal compliance, informing and advising on data protection obligations, providing advice regarding Data Protection Impact Assessments (DPIAs) and acting as a contact point for data subjects and the supervisory authority. The contact details for RaDaR’s data protection officer can be found at the end of this notice.
What is RaDaR?
The National Registry of Rare Kidney Diseases (RaDaR) is an initiative designed to pull together information from patients with certain rare kidney diseases. In doing so, it is hoped to develop a better understanding of how these illnesses affect people and support research into these diseases.
RaDaR is operated and governed by The Renal Association (one of the two joint data controllers), a not for profit organisation registered with the Charity Commission as a membership organisation for healthcare professionals caring for people with kidney disease. Full details of their work can be found here: https://renal.org/.
Why RaDaR collects your information
As your condition is rare, it is important that as much data as possible is gathered for analysis. Researchers may want to investigate if certain aspects of your condition (e.g. laboratory results or treatments) are associated with specific benefits or complications. By allowing the research team to link your data with that gathered from other routine health and social care databases and clinical studies, researchers will be able to study the long-term outcome of your condition and any treatments that you receive.
What personal information does RaDaR collect?
If you agree (consent) to take part, personal data including your name, date of birth and NHS number will be collected. In addition, the research team will enter details of your treatment and medications you have been prescribed.
Where does RaDaR collect your information from?
Data can be collected from a number of sources including:
- Your GP and hospital records
- The UK Renal Registry – which collects data on patients with end-stage kidney disease
- PatientView – which, if you have signed up, collects information from your hospital records and makes it available to you via its website or app.
- NHS Digital – which collects, stores and analyses information from a variety of databases including:
- Hospital Episode Statistics (HES) – this includes information about all hospital admissions, including when, why and for how long
- Civil Registration – this provides information on patients who have died, including the date and cause of death
- Public Health England – which collects data on long-term health conditions, infections and vaccination records. (Similar public health databases are linked to in the other countries of the UK.)
- Any other UK-based ethically approved national research studies, registries or bio-banking schemes that you have previously consented to and participated in, or will do so in the future
Like RaDaR, both the UK Renal Registry and PatientView are managed and operated by the Renal Association.
Further information about where your data are collected from can be found in the RaDaR study documents at https://rarerenal.org/radar-registry/criteria-and-consent/.
How does RaDaR use your information?
Your data will only be shared under strictly controlled circumstances. Prior to sharing your data, RaDaR assigns your data a unique number, which will be shared in place of your personal identifiable data (such as your name, date of birth and NHS number) so that you cannot be identified by researchers or other third parties. This process is called “pseudonymisation”.
Any and all data sharing between RaDaR and approved third parties are conducted under strict contractual terms, limiting the types and quantities of information shared and restricting the ways it can be used.
The sharing or linking of your information will only take place between organisations whose information security procedures and data protection measures have been approved by our data protection officer.
Your information is only transferred to approved organisations via secure means making full use of available technology and practices to ensure your information remains safe.
Who your information is shared with
Doctors and other researchers who are interested in your specific condition are working together as part of a Rare Disease Group (RDG). They have access to RaDaR to view your pseudonymised data and that of others with the same condition.
By joining RaDaR you give permission for UK-based researchers to use your pseudonymised past, present and future clinical data for ongoing and future ethically approved research into kidney disease and related conditions.
Your pseudonymised data may be shared with other researchers, including those from Universities and commercial organisations, who are investigating your condition. You will not be able to be identified or contacted by any of these researchers.
You may occasionally be contacted by a member of the central RaDaR team or the RDG lead for your condition. This may include invitations to patient information days, details of further research studies that you may be eligible to join or requests to re-consent to RaDaR if any changes are made in the future. To do this, these individuals will need access to your identifiable information. From time to time RaDaR may engage a third party mailing house to produce and send out the above information to you.
We will also share information as required by law, for example, to comply with a court order.
The lawful basis for processing your information
RaDaR processes information under a number of lawful bases:
- We have a ‘legitimate interest’ in processing your data in order to provide you with a service which benefits you and others using NHS services (Article 6(1)(f) of the General Data Protection Regulation (GDPR))
- We process your ‘special category’ information for reasons of public interest in the area of public health (Article 9(2)(j) of the GDPR)
- The consent form that you completed when you agreed to participate in RaDaR, is a legal basis under the common law duty of confidentiality
The RaDaR consent documents can found at https://rarerenal.org/radar-registry/criteria-and-consent/.
How RaDaR maintains the confidentiality of your information
RaDaR is committed to protecting your privacy and will only use information collected lawfully in accordance with the:
- Data Protection Act (2018)
- General Data Protection Regulation (2018)
- Human Rights Act (1998)
- Access to Health Records Act (1990)
- NHS Act (2006)
- Health and Social Care Acts (2001) & (2012)
- Common Law in England & Wales, Scots Law in Scotland, and Northern Ireland Law in Northern Ireland
- NHS Codes of Confidentiality, Information Security and Records Management.
RaDaR will keep your information secure in accordance with its legal responsibilities; including taking reasonable steps to safeguard against your information being accessed unlawfully or maliciously by a third party, accidently lost, destroyed or damaged.
With the exception of the approved third parties, RaDaR will not disclose your information to anyone without your consent unless there are exceptional circumstances such as situations when the health and safety of others is at risk, or where the law permits information to be passed on. Anyone who receives information from RaDaR is also under a legal duty to keep it confidential.
All employees working on RaDaR are asked to sign a confidentiality agreement as part of their employment contract. If a sub-contractor acts as a data processor for RaDaR an appropriate contract will be established for the processing of your information.
RaDaR and partner organisations
RaDaR has no partner organisations.
How long your information will be stored
Your data will be stored by RaDaR indefinitely for research purposes. However, you are able to exercise your rights (as listed below) under data protection legislation at any time by contacting us using the details at the end of this notice.
Your individual rights
This section describes how you can access, amend, erase, and move your personal data, withdraw your consent and object to or complain about the data that RaDaR holds on you.
Right to access your data (data subject access requests)
You have the right to receive a copy of your personal information held by RaDaR by making a written request to the address at the end of this document. We will normally provide your information within one month of receiving all the information needed from you to respond to your request.
Right to rectification (right to amend your data)
You have the right to have your information amended. Please contact your GP/renal unit/hospital if you want information on RaDaR corrected.
Right to withdraw consent and have your information erased
You can withdraw from RaDaR at any time. You can either contact RaDaR in writing via the address at the end of this document. Your information will no longer be updated and you would receive no further contact from RaDaR or the RDG. We will keep the information (including identifiable data) about you that we have already gathered, to ensure the reliability of any research that has already taken place.
Right of data portability (right to move your data)
You have the right to request a secure transfer of your data from RaDaR to another data controller. RaDaR will transfer your data to your renal unit/hospital for them to transfer on to the new data controller. You should make the request in writing to RaDaR (see the section ‘How to contact RaDaR’ for our contact details). No fee will be payable and the information will be transferred within one calendar month.
Right to object
RaDaR uses your information for the purposes outlined in the RaDaR information sheet, the consent form you signed to join RaDaR, the additional participant information on the rarerenal.org website, and in this privacy notice. If you do not agree with any of these purposes you have the right to object. See the section below on ‘Objections and complaints’ that explains who to contact if you have an objection. RaDaR will respond to your objection within a month (although we may be allowed to extend this period in certain cases).
Objections and complaints
Should you have any concerns about how your information is managed, please contact the data protection officer for the Renal Association in writing (see section below ‘How to contact RaDaR). If you are still unhappy following a review by the data protection officer, you have a right to lodge a complaint with the Information Commissioner.
Tel: 01625 545745
How to contact RaDaR
If you have any questions regarding this privacy notice, how your data are used, or wish to exercise your rights, you can contact RaDaR on the details below.
The data protection officer is Mr Tom Gray
He can be contacted by:
c/o The Renal Association
Learning and Research Building
Tel: 0117 4148 157
Alternatively, you can contact:
The senior information risk owner – Dr Retha Steenkamp
The Caldicott Guardian – Dr James Medcalf
Changes to this notice
RaDaR may amend this privacy notice from time to time. If you are dissatisfied with any aspect of this privacy notice, please contact the data protection officer.