Privacy notice

Privacy Information (v1.4, dated 12th August 2019) 

In order to undertake the National Survey into Health Outcomes in the Electricity Supply Industry research project, we have been provided information about you from various sources. Some of this information is your personal data. Under data protection law, where we have processed your personal data which we have obtained from someone other than you, we have to provide you with very specific information about the source of that information, what we do with it and what your rights are.

The sole purpose of this study is to seek for any evidence of occupational exposures in the electricity supply industry being involved in health risks.

The University of Birmingham’s web page ‘Data Protection - How the University Uses Your Data’ sets out much of this information, including how to ask any questions you may have about how your personal data is used, exercise any of your rights or complain about the way your data is being handled. The rest of the key information you need to know about how we used your personal data is set out below.

Who is the Data Controller?

The University of Birmingham, Edgbaston, Birmingham B15 2TT is the data controller for the personal data that we process in relation to you.

What data are we processing and for what purpose will we use it?

We collected and processed your personal data in order to conduct the National Survey into Health Outcomes in the Electricity Supply Industry research project which involves statistical analyses of causes of death and cancer diagnoses among some 84,000 employees of the former Central Electricity Generating Board (CEGB). All employees had worked in the industry for at least six months with some employment in the period 1973-82. The sole purpose of this study is to seek for any evidence of occupational exposures in the electricity supply industry being involved in health risks.

The data collected comprises information on month and year of birth (not full date of birth), work histories (CEGB locations, job grades and full dates), causes and dates of deaths and cancer incidence particulars (site of cancer and dates of diagnosis). The University no longer has any information on names, addresses, postcodes, National Insurance (NI) numbers or NHS numbers. 

We collected data relating to you from the successor companies of the CEGB. These data were your month and year of birth and your work histories in the electricity supply industry. We also collected data relating to you from NHS Digital and its forerunners. These data were details of deaths and diagnoses of cancer.

What is our legal basis for processing your data?

The legal justification we have under data protection law for processing your personal data is that it is necessary for our research, which is a task we carry out in the public interest. These data will not be used to make decisions about you.

Who will my personal data be shared with?

We will not share your data with any third party.

Sometimes, external organisations assist us with processing your information, for example, in providing IT support. These organisations act on our behalf in accordance with our instructions and do not process your data for any purpose over and above what we have asked them to do. We make sure we have appropriate contracts in place with them to protect and safeguard your data.  If your personal data are transferred outside the European Union (for example, if one of our partners is based outside the EU or we use a cloud-based app with servers based outside the EU), we make sure that appropriate safeguards are in place to ensure the confidentiality and security of your personal data.

How will my personal data be kept secure?

The University takes great care to ensure that personal data is handled, stored and disposed of confidentially and securely. Our staff receive regular data protection training, and the University has put in place organisational and technical measures so that personal data is processed in accordance with the data protection principles set out in data protection law.

The University has an Information Security Management System based on ISO27001 with a range of controls covering the protection of personal information. Annual security awareness training is mandatory for staff and the University is accredited under the NHS Information Governance Toolkit, the Payment Card Industry Data Security Standard and is in the process of gaining Cyber Essentials Plus for defined services.

In relation to this project, data are stored in a restricted area of the University computer server, that is only available to specified members of the survey team. Staff computers are timed out after ten minutes of non-use and require a password to be re-activated. Staff buildings are locked throughout the day and require swipe card access and staff rooms are locked when unoccupied.   

How long will my personal data be kept?

Your data will be retained for 10 years after the last publication from the project.

Are changes made to this webpage?

This privacy notice is effective from 12th August, 2019, and is reviewed when necessary. Any changes will be published here.

Privacy Information  (v1.4, dated 12th August, 2019)