We ask that you read this privacy notice carefully as it contains important information on who we are, how and why we collect, store, use and share personal data, your rights in relation to your personal data and on how to contact us and supervisory authorities in the event that you have a query or complaint.
Swansea University is committed to undertaking research to the highest standards of integrity, and this includes compliance with the relevant data protection legislation: the UK General Data Protection Regulation (UK GDPR).
The UK GDPR governs the way in which organisations use personal data, defined as: any information about an individual from which that person can be identified. This commonly includes name and address. It does not include anonymous data where the identifying information has been removed.
Under the UK GDPR there are “special categories” of more sensitive personal data which require a higher level of protection. This includes health data and information about ethnic origin.
This privacy notice explains how Swansea University will process and use personal and special category data collected from you as part of a research project and your rights under data protection.
Collecting and using your personal data for research
As a University we use personally-identifiable information to conduct research as part of the core activities set out in our Charter and Statutes.
The lawful basis under which we will process your personal data for research is called ‘task in the public interest’ (Article 6 of the GDPR). In the cases of ‘special category data’, in addition to Article 6, the lawful basis is for ‘archiving purposes, scientific or historical research purposes or statistical purposes in the public interest’ (Article 9 of the GDPR).
The University will use your information only for the purposes of research and we will not use your information or contact you for any purpose other than research unless you have agreed to this. Should you choose to take part in a research project, you should receive project specific information, in the form of a Participant Information Leaflet. You should also be provided with a Consent Form, and it is important that you read this information carefully so that you understand how and why the University wishes to collect and use your personal data.
Your rights under Data Protection when participating in research projects
As a publicly-funded organisation, we have to ensure that it is in the public interest when we use personally-identifiable information from people who have agreed to take part in research. This means that when you agree to take part, we will use your data in the ways needed to address the aims of the research study. Your rights to access, change or move your information are limited, as we need to manage your information in specific ways in order for the research to be reliable and accurate. If you withdraw your participation from the study, you can request that we delete the study data held about you. We will make every effort to comply with this request, but in some cases it will be impractical, such as if the data have been de-identified. To safeguard your rights, we will use the minimum personally-identifiable information possible.
If it is considered necessary to refuse to comply with any of your data protection rights in order to protect the integrity and validity of the research, you will be informed of the decision within one month and you also have the right to complain about our decision to the Information Commissioner.
Processing your personal data
With regards to the processing of your data, in most cases Swansea University will be classified as the ‘Data Controller’. This means that we will be responsible for deciding how your personal information is processed, that is: collected, used, shared, archived and deleted.
The type of personal information collected and used will depend on the research objectives of the particular project you are taking part in, and this should be clearly outlined in the Participant Information Leaflet that you should receive before you participate in the project.
The Participant Information Leaflet will also detail if your data may be used for future research, including impact activities following review and approval by an independent Research Ethics Committee, subject to your consent at the outset of this research project.
Research data will often be anonymised as quickly as possible after data collection. It will not normally be possible to withdraw your data after this point.
Sharing of your personal data
The privacy of your personal data is extremely important to the University. As such, we expect our researchers to operate to the highest standards of data protection and to keep your personal information safe and secure. We will not disclose the information unless there is a justified reason for the purposes of achieving the research outcomes.
The Participant Information Leaflet should outline whom your personal data may be shared with. This could include the research project team and collaborators from external organisations who are also working on the research project.
Most personal information used in research will be de-identified before sharing more widely or publishing the research outcomes. If it is not possible to de-identify your information, we may ask for your consent to share or otherwise make your personal information available to others. If this is the case, it will be specified in the study specific Participant Information Leaflet.
We may be required by law to share your data with authorised bodies if an issue arises which constitutes an over-riding legal obligation or a vital interest.
Keeping your personal data secure
The University keeps your personal data secure at all times using physical, technical and procedural measures.
The security of your data is of great importance to the University and we therefore have robust controls in place to protect your data.
Together with security standards and technical measures that ensure your information is stored safely and securely, we also have in place policies and procedures that tell our staff and students how to collect and use your information safely and provide training which ensures our staff and students understand the importance of data protection and how to protect your data.
All research projects involving personal data are scrutinised and approved by a research ethics committee. In addition, the University will carry out data protection impact assessments on high risk projects, and when working with external collaborators, we will put in place appropriate contracts to protect your information. Should the proposed research project include collaborators outside Europe, we will ensure that all overseas transfers are risk assessed, taking into consideration the laws of the recipient country, and that an appropriate safeguard is adopted.
Where the University engages a third party to process personal data it will do so on the basis of a written contract which conforms to the security requirement of the GDPR and DPA 2018.
The University takes measures to enable data to be restored and accessed in a timely manner in the event of a physical or technical incident.
The University also ensures that we have appropriate processes in place to test the effectiveness of our security measures.
Retention of your personal data
The UK GDPR requires that personal data should be kept for no longer than is necessary for the purposes for which the personal data are processed (except in certain specific and limited instances).
The University expects that its researchers will not keep your personal information for longer than is necessary for the purposes of the research and that data will be anonymised or pseudonymised, by removing identifying information and replacing this with an artificial identifier or code, where possible. The duration of time we will store your data is dependent on a number of factors, such as the requirements of the research funder or the nature of the research.
You will usually be provided with information about how long your personal information will be kept within the aforementioned Participant Information Leaflet.
Data subject rights
Various rights under data protection legislation, including the right to access personal information that is held about you, are qualified or do not apply when personal information is processed solely in a research or archival context. This is because fulfilling them might adversely affect the integrity of, and the public benefits arising from, the research study or project.
The full list of (qualified or inapplicable) rights is: the right to access the personal information that is held about you by the University, the right to ask us to correct any inaccurate personal information we hold about you, to delete personal information, or otherwise restrict our processing, or to object to processing (including the receipt of direct marketing) or to receive an electronic copy of the personal information you provided to us.
Should you wish to exercise your rights, please contact:
Mrs Bev Buckley
Directorate Support Manager and Data Protection Officer
No fee usually required
You will not have to pay a fee to access your personal information (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.
What we may need from you
We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal information is not disclosed to any person who has no right to receive it.
Who to contact and complaints
We hope that our Data Protection Officer (DPO) can resolve any query, concern or complaint you raise about our use of your personal data on the contact details below:
Mrs Bev Buckley (DPO) can be contacted via e-mail at email@example.com
Or write to:
Data Protection Officer
The UK GDPR also gives you the right to lodge a complaint with the Information Commissioner who may be contacted at https://ico.org.uk/concerns/ or telephone: 0303 123 1113.
We review the ways we use your information regularly. In doing so, we may change what kind of information we collect, how we store it, who we share it with and how we act on it.
We will keep this policy under regular review to ensure it is accurate and kept up to date. This policy was last updated on 28th November 2022.