Data Management Policy

1. Purpose

This policy outlines the procedures and guidelines for the collection, storage, and use of personal data belonging to staff associated with Clinical Research Facilities (CRFs) across the UK and Ireland within the UK Clinical Research Facility (UKCRF) Network.

The UKCRF Network is hosted by Manchester University NHS Foundation Trust (MFT).

The UKCRF Network is committed to ensuring the security, confidentiality, and responsible handling of CRF staff data in compliance with applicable data protection laws.

2. Data Collection

The UKCRF Network will collect and store the following information from CRF staff members across the UK and Ireland who join the UKCRF Network mailing list, join a work group, register for online training, register for an annual conference, or request access to the Portal.

Name
Email Address
Job Title and/or Workforce Category
CRF Name
Group Membership (where applicable)
Meeting attendance statistics (where applicable)

3. Data Storage

Staff data will be stored in Google Groups and Google Sheets, which is hosted on the National Institute for Health and Care Research (NIHR) Google Suite. Except for meeting attendance which will be stored within the MS Teams account of the meeting organiser, and training and event attendance which will be stored within the Operation Team’s private shared drive (hosted on MFT servers).

Email addresses will also be added to the MS Team(s) for any work group the CRF staff member has joined.

4. Data Sharing

For work group members, contact information will be shared with other members of the same group via Google Sheets. This sharing is limited to the relevant group members for effective collaboration. This will be made clear when a staff member joins a work group.

When attending the conference, a staff members information may also be shared with other delegates using a conference app or printed programme. This will be made clear to each delegate via the registration process.

No other individual data will be shared outside of the UKCRF Network’s operation and leadership teams (see section 5.).

5. Data Access

Access to CRF staff data will be restricted to the following authorised individuals or groups within the UKCRF Network:

UKCRF Network Operations Team
Operational Delivery Lead and Deputy (Work Package 1)
Involvement and Inclusion Deputy Lead for EDI (Work Package 4)
Work Group Chairs and Deputies (across all work packages)
Group Members of the corresponding group (where applicable – see section 4)
Conference delegates (if application – see section 4)

Access to data will be granted based on the principle of least privilege, ensuring that individuals only have access to the data necessary for their roles.

6. Data Usage

The collected data will be used for the following purposes:

Distributing newsletters and announcements
Sending requests for information
Sharing best practice and facilitating collaboration
Managing Work Groups
Facilitating access to the UKCRF Network Portal, the Network’s private Google Site for sharing information and documents
Monitoring engagement, membership and impact for annual reporting (to the NIHR, the UKCRF Network’s funder) and making improvements to services (data will be collated and anonymised for reporting purposes)
Circulating information about, and resources from, an annual conference
Issuing training certificates and sending training updates

7. Data Retention

The UKCRF Network will retain staff data only for the duration necessary to fulfil the purposes outlined in this policy. Regular reviews will be conducted to ensure that data is accurate, up-to-date, and still required for the specified purposes.

Membership data will be circulated to CRFs annually to check accuracy and update records.

8. Consent, Updates and Withdrawal

CRF staff members providing their data will consent to the outlined data processing activities, when submitting a request form or when joining a group/mailing list by email. The following statement will be used to gain consent:

“By [submitting this form/joining this group], you give your explicit consent for the UK Clinical Research Facility (UKCRF) Network to store and use the information you provide (staff name, email address, job title, and CRF name). This data will be used to share important news and updates with you and to assess UKCRF Network membership and engagement. Please note that data collected for these purposes will be combined and made anonymous for reporting. Your contact details will be shared with other members of the group you’ve joined to facilitate effective communication and collaboration. You have the right to withdraw your consent at any time by emailing [email protected]. For more details on how your data is handled, please refer to our Data Management Policy”.

To update or withdraw staff data stored by the UKCRF Network, the individual needs to write to [email protected] and should provide their name, job role, email address and organisation. If the staff member is part of a Work Group, withdrawing consent will be mean being removed as a member of that group.

When an individual withdraws, their data is removed from the Google Group and Google sheet(s) where it has been stored. Confirmation will be sent to this individual once complete. It’s important to note that the following data will remain, if applicable:

Records of meeting attendance stored on MS Teams, which may contain the individuals name and work email address.
Acknowledgement in any published documents or resources, which may contain the individual’s name, job role and organisation.
Archived certificates, which may contain the individuals name, job role and organisation.

9. Security Measures

The UKCRF Network will implement appropriate technical and organisational measures to safeguard staff data against unauthorised access, disclosure, alteration, and destruction. This includes encryption, access controls, and regular security assessments.

10. Review and Updates

This policy will be reviewed annually to ensure its continued relevance and compliance with data protection laws. Updates will be made as necessary, and CRF staff members will be informed of any significant changes.

11. Your Rights

Individual Usage Rights:

Accessing your information (Right of Access): You have the right of access to the personal data we hold on you. This is sometimes referred to as a Subject Access Request. To help us process your request we will require you to provide proof of your identity and some clarity about the information you require. A form is available to help with the request on our external website (www.mft.nhs.uk)

Other Rights:

In addition to the Right to be Informed (i.e. this privacy notice) and the Right of Access, which is documented above, you also have the:

Right to Rectification
Right to Erasure (Right to be forgotten)*
Right to Object Review Date: March 2024 v0.7 16 Produced by: Group Informatics
Right to Restrict Processing
Right to Data Portability
Right not to be subject to automated decision-making including profiling

*The right to erasure and right to data portability are not applicable when processing on the lawful basis of a public task.

If you would like to exercise any of these other rights, please contact:

The Data Protection Officer
Manchester University NHS Foundation Trust (MFT)
Group Informatics,
3rd Floor, Cobbett House,
Cobbett House, Oxford Road,
Manchester,
M13 9WL
Telephone: 0161 701 0375
Email: [email protected]

They will consider your request and respond to you within a calendar month.

If you would like independent advice about data protection or if you are not satisfied with the handling of your rights under data protection, you can contact:

The Information Commissioner’s Office
Wycliffe House, Water Lane,
Wilmslow, Cheshire,
SK9 5AF,
Tel: 0303 123 1113
Email: [email protected]
Website: www.ico.org.uk