The Dudley Group NHS Foundation Trust (The Trust) is the main provider of hospital and adult community services to the populations of Dudley, significant parts of the Sandwell borough and smaller, but growing, communities in South Staffordshire and Wyre Forest.

The Trust covers provides a full range of secondary care services and some specialist services for the wider populations of the Black Country and West Midlands region. The Trust also provides specialist adult community-based care in patients’ homes and in more than 40 centres in the Dudley Metropolitan Borough Council community.

The Trust has responsibility for ensuring that the information processed across these sites and services, which includes your personal and sensitive (special category) data is processed in accordance with the principles of Data Protection Legislation.

Supporting our highly motivated investigators from both internal and external organisations, our Research and Innovation (R&I) Directorate provides a comprehensive service ensuring that all research and innovation activity is undertaken safely, ethically, legally and efficiently. Our researchers are engaged in broad areas of research activity, often crossing between different specialities.

We are committed to protecting the privacy and security of your personal information at all times.

We are registered with the Information Commissioner’s Office (ICO) to process personal and special category information under the following registration number: Z8909702.

Definitions

• GDPR

General Data Protection Regulation (2016/679).

• Data Controller

Data controller means the organisation that determines or decides the purposes, conditions and means of the processing of personal data. The Trust is a Data Controller.

• Personal data

Personal data means information relating to a living person, which can be used to identify the person either directly or indirectly when put together with other information likely to be available. This provides for a wide range of information to constitute personal data, for example:

– Name
– Identification number
– Social media posts
– Location data
– Online identifiers

• Special category of personal data

Special category of personal data means information which is thought to be extra sensitive, such as ethnicity, data concerning health, biometric data, sexual orientation and religious or philosophical belief.

• Processing

Processing means anything that is done with the personal data we hold including storing it.

• Pseudonymisation

Pseudonymisation is the processing of personal data in such a way that the data can no longer be attributed to a specific person without the use of additional information (key).

• Information Commissioner’s Office

The Information Commissioner’s Office (ICO) is the body that regulates the Trust under data protection and freedom of information legislation.

Why do we process your data?

Clinical research is a core part of the NHS service and aims to improve the health and wealth of the nation by producing better methods of disease diagnosis, prevention and treatment that are both safe and effective. This can only be achieved by patients participating in research studies and trials to allow existing and new methods to be investigated.

We may use your personal information to carry out health and social care research in the public interest. This means that we have to demonstrate that our research serves the society as a whole, for example by improving existing services or introducing new treatments. We may also feed into wider national research.

Our lawful basis for processing

The way in which we use your information is governed by law. The principal legislation that applies is the EU General Data Protection Regulation (GDPR) 2016/679 which is supplemented by the UKs Data Protection Act 2018.

When we use are using your information for research, we rely on:

‘Article 6.1 (a): “the data subject has given consent to the processing of his or her personal data for one or more specific purposes”);’

‘Article 6.1 (e): “processing is necessary for the performance of a task carried out in the public interest”)’

Due to the sensitive nature healthcare information is further categorised, under data protection regulations, as special category data. Where we collect this type of data we do so using the following additional legal basis:

‘Article 9.2 (a): “Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited”);’

‘Article 9.2 (j): “processing is necessary for archiving purposes in the public interest, scientific or historical research purposes”) of the General Data Protection Regulation (GDPR) in combination with Schedule 1, Part 1, Article 4 Data Protection Act (DPA) 2018.’

Patient recruitment to research studies is carried out by an ‘informed consent’ process which means that we advise you about the benefits and risks associated with a particular research study so as to enable you to decide whether you wish to participate in (consent to) the research study or not. You have the right to withdraw your consent at any time.

Where you have formally consented to take part in research, this consent process will also satisfy the common law duty of confidentiality. In situations where it has been impracticable to obtain your consent, we will have sought approval from the Secretary of State by means of the Confidentiality Advisory Group (CAG) under section 251 of the National Health Service Act 2006.The Confidentiality Advisory Group (CAG) provides independent advice on specific research projects which will use confidential medical information.

You may also have a right to ‘opt-out’. The national data opt-out right emanates from the Caldicott principles and entitles you to object to be contacted about new research for which it was not possible to obtain your ‘informed consent’, unless this right been waived by the Secretary of State for Health and Social Care or the Health Research Authority. Further information about the national data opt-out can be found here: National data opt-out programme.

Certain research studies also have to be approved by the Research Ethics Committees (REC) which is another independent group which ensures that all our research is ethical.

We may use other legal bases to identify patients for a study or for anonymised research such as legitimate interests or where we are required to by law.

We will often get the necessary information directly from you.

In other cases, we might already hold the required information due to the healthcare we provide to you. For information we are likely to already hold about you due to the care we provide, please refer to our  privacy notice for patients.

For research purposes, we may use your information anonymously in reports or presentations or share such information with other NHS bodies.

All information made public will be presented in aggregated format which means that you will not be identifiable from this information.

Some information about you may be linked to other information shared by primary care providers (e.g. GP Practices) and secondary care providers (e.g. Acute Trusts) with the view to creating a more complete information set which will enable medical research for the benefit of public health.

We may use information collected as part of one research project for further research. However, where this information identifies you, we can only use the information for new purposes which are compatible with the original purpose to which you have consented or ethical approval was granted. Where the new purpose is considered to be substantially different, we will obtain separate consent from you or seek new ethical approval.

We will not:

• share your identifiable data with third parties for marketing purposes
• sell your identifiable data

Where we are required to transfer identifiable information about you internationally outside the UK/EU, we will make sure that an adequate level of protection is to be satisfied before the transfer.

When you agree to take part in a research study, the information about your health and care may be provided to researchers running research studies here at the Trust and other third-party organisations.

These external organisations may be non-commercial partners such as other hospitals or commercial companies involved in health and care research or new treatments in this country or abroad.

Your information will only be used by organisations and researchers to conduct research in accordance with the UK Policy Framework for Health and Social Care Research and all will be bound by appropriate security arrangements.

There will be someone responsible for the overall research study. Usually, this is someone who works directly with you, such as a doctor or nurse. They are the person responsible for the conduct and day to day running of a research study. As part of this responsibility, they will also ensure that only appropriate staff and third parties will be able to access your personal information, in line with the approved research protocol.

Your personal information is held in both paper and electronic will be kept for as long as it is required, to meet the objectives and requirements of the particular research project you have taken part in, and / or to meet the legal and/or ethical requirements under vigorous regulations governing clinical research. The retention schedule for each study may be different and this will be outlined to you at the outset.

It is important for us to retain research data so that we are able to refer back to it to ensure the integrity of the project and the safety of the participants is maintained.

Under data protection law, you have certain rights to manage your data as you see fit and can exercise your rights according to the lawful basis used for processing.

These rights are that individuals have the right to:

• be informed about how your information is being processed (this notice)
• access a copy of your personal information (known as Subject Access)
• rectification if your personal information is inaccurate or changes
• erasure in certain circumstances
• restrict processing in certain circumstances
• object to processing in certain circumstances
• portability: to obtain and reuse your personal data for your own purposes
  not be subject to a decision based on automated processing, including profiling

However, for the purpose of research your rights to access, object, change, transfer and or delete/erase your information are limited. We may keep the information about you that we have already used for a particular research project to ensure research integrity is maintained in the public’s interest and that publicly funded research meets is goals. To safeguard your rights, we will strive to use the minimum personally-identifiable information possible following your withdrawal of consent.

You can stop being part of a research study at any time, without giving a reason, but the research team may keep the research data about you that they already have (this will be included in the consent form).

In some studies, once you have finished treatment the research team will continue to collect some information from your doctor or from central NHS records over a few months or years so the research team can track your health.  If you do not want this to happen, you can say you want to stop any more information being collected.

If you have any questions or concerns regarding how your data is being processed, or require this privacy notice in a alternative format or languages, please contact Trusts Data Protection Officer at the below.

The Data Protection Officer
Information Governance Team
South Block, 2nd  Floor,
Russells Hall Hospital,
Pensnett Road,
Dudley, West Midlands
DY1 2HQ
Telephone: 01384 456 111 Ext: 1208
Email: dgft.dpo@nhs.net

For a more detailed privacy notice for patients, please click here.

If you are still dissatisfied the way the Trust handles your personal information you can complaint to the Information Commissioner’s office using the details below:

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire, SK9 5AF

Telephone: 0303 123 1113
Telephone: 01625 545 745
Fax: 01625 524 510
Email: casework@ico.org.uk

Your duty to inform us of any changes

It is important that the personal information we hold about you is accurate and current. Please keep us informed if your personal information changes during your working relationship with us. This includes changes to your contact numbers and circumstances.

We may update this privacy notice from time to time. The latest version will always be available on Trusts website. This published version is the most up to date version.

It was last updated in February 2025.