Skip to main content

How We Use Personal Data

How the CTRU Uses Personal DataGeneral Website Privacy (University of Leeds)

CTRU Personal Data Notice

The Clinical Trials Research Unit (CTRU) is part of the Leeds institute of Clinical Trials Research (LICTR) at University of Leeds. CTRU carries out research projects including clinical trials, other health research, and academic teaching.

In order to conduct our research projects we collect and use data in electronic databases and paper filing systems. Some of this data is considered ‘personal data’ according to the European Union General Data Protection Regulation (GDPR) and the UK 2018 Data Protection Act. This means this data is about people and it is sometimes possible to identify those people from the data (either directly through their name, or indirectly through other data such as NHS number).

Why do we collect and use personal data?

Broadly speaking, we collect data for two different purposes:

  • Data collected and analysed in our research projects. This is usually data about patients participating in our clinical trials.
  • Data needed to support our research projects and the overall aims and functions the CTRU. This is usually about collaborators, including patients who are involved in helping us run our trials.

How do we follow data protection principles?

  • Data are used lawfully: as mentioned below, all our use of personal data has a clear ‘lawful basis’.
  • Data are used fairly and transparently: before we use people’s data, we make clear to them what the data will be used for, how it will be handled, what their rights are and how they can act on those rights.
  • We only collect and use data for clear and specific purposes: for our research or for further, similar research in the public interest (see below), or to support the work of our organisation.
  • We only collect as much data as we need for these purposes, and no more.
  • We spend a lot of time and effort making sure the data are accurate, as this is vital to the reliability of our research.
  • We only keep data as long as we need it. Once a research project is over, we need to store data for a certain length of time in order to comply with laws and policies around research data (the exact length of time will depend on the research project). We sometimes ask other organisations to store this data for us, away from the CTRU or the University of Leeds. When we do this, the data is held very securely and the organisation storing the data is not able to access the contents of the data or identify any individuals from the data.
  • We ensure data are stored and used in ways that keep it secure and confidential, and only accessible to people who need to access it for specific, valid reasons.

Sharing data when the research has finished

Collecting data for research takes a lot of time and money to do. One way we can get the most benefit from this work is to make data available, when the research has finished, to other researchers who would like to use it for other research projects. These other researchers may be at the CTRU or University of Leeds, or in other organisations such as universities, NHS organisations or companies involved in health and care research. They may be in the UK or abroad.

If we get requests to use our research data, we will only agree to share it for valid and worthwhile research projects in healthcare or medicine. The data we share does not identify individuals and is not combined with other data in a way that means individuals could be identified. We only share data with qualified researchers who agree to store data securely.

Any data we share cannot be used to contact individuals and does not affect anyone’s care. It is not used to make decisions about future services available to individuals, such as insurance.

Information governance and individuals’ rights

By law, we are required to identify a ‘lawful basis’ for dealing with people’s personal data.

For our research data, this is usually ‘task in the public interest’, or in other words, we are collecting data that we need in order to complete our research, which aims to improve healthcare for the general public. All our projects are ethically approved, and receive funding from charities or public bodies. All our projects involve patients or patient groups in how they are designed and run.

For all of our projects we need to collect data about people’s health, which is by law a ‘special category’ of personal data. We need an additional lawful basis to justify collecting and using this. In our case, this lawful basis is that the use of the data is necessary for scientific research purposes.

Because we use personal data to support scientific research in the public interest, individuals participating in our research do not have the same rights regarding their personal data as they would in other situations. The laws mentioned above say that data being used for research needs to be protected to make sure the research results are reliable and useful to the public. This means that the following rights are limited for individuals who participate or have participated in our research:

  • The right for an individual to access data held about them
  • The right for an individual to have data about them corrected
  • The right for an individual to restrict how data about them are used
  • The right for an individual to object to their data being used (as long as they previously said it could be)
  • The right for an individual to ask for data held about them to be deleted

We provide detailed information to people about our purposes for processing personal data at the time they choose to take part in our research.

Who is responsible for how data is used?

For most of our research projects, University of Leeds is the ‘data controller’, which means the University has overall responsibility for what data are collected and how they are handled. If some other organisation is the data controller, either alone or jointly with University of Leeds, this will be made clear to the people concerned.

Any queries or concerns about the way personal data has been processed should be sent to the University of Leeds Data Protection Officer using any of the following details:

  • Email:
  • General Postal Address: University of Leeds, Leeds LS2 9JT, UK
  • Postal address for data protection issues: University of Leeds, Room 11.72 EC Stoner Building, Leeds, LS2 9JT
  • Telephone number: +44 (0) 113 343 7641

The University of Leeds data controller registration number provided by the Information Commissioner’s Office is Z553814X.

Individuals whose data are held at the University of Leeds or CTRU, who are not satisfied with the response to any queries or complaints, or believe their data is being used unlawfully, have the right to complain to the Information Commissioner’s Office.

Date last updated: 9th September 2022

University of Leeds Personal Data Notice

Legal Statement

The information made available by the University of Leeds over the World Wide Web does not form part of any contract. Changing circumstances may cause the University to have to change its provisions at any time. Whilst every effort has been made to ensure the accuracy of the information presented, the University cannot accept responsibility for errors.

Privacy Notice

1. Purpose of this notice

This statement tells you how the University of Leeds will collect and process your personal data when you access this website.

2. Automated collection of personal information

As with most other web servers, when you access these web pages certain information you provide will automatically be recorded by the University of Leeds. This may include your IP address, browser type, and information relating to the page you last visited. This information is processed to estimate how much usage of the server is made by different categories of users and in the event of a breach of security may be used to aid detection.

3. Non-automated collection

Where you are required under this website to provide personal data this data will be used for the following purposes: to contact you regarding the query that you have made; to send you details of courses, if you have expressed an interest in receiving information about these courses.

4. Third-party access

Your personal data that you have provided will not routinely be sent to other third-parties (unless notified – see 3. above).

5. Cookies

Cookies are small text files that are placed on your device by websites that you visit. They are widely used in order to make websites work, or work more efficiently, as well as to provide information to the owners of the site.

Our website uses first party cookies which are set by our web server as opposed to a different web server. They are categorised as strictly necessary, which are essential to the operation of the website, and performance cookies which collect anonymous information about the usage of our website. By using our website you agree that we can place these types of cookies on your device.

We do not use cookies to collect personal information about you. Should you wish to restrict or block cookies which are set by our website you can do this through your browser settings. The ‘help’ function within your browser or the manual that comes with your device should tell you how. You may also wish to visit which contains comprehensive information on how you can do this on a wide variety of browsers. Please be aware that restricting cookies may impact on the functionality of our website.

The table below explains the cookies we use and why:

__utmzThis cookie stores the type of referral used by you to reach your site, whether via a direct method, a referring link, a website search, or a campaign such as an ad or an email link. It is used to calculate search engine traffic, ad campaigns and page navigation within the site. The cookie is updated with each page view, and expires 6 months from being set or updated._gatThis cookie is associated with Google Universal Analytics, and is used to throttle the request rate – limiting the collection of data on high traffic sites. It expires after 10 minutes.

Cookie Name Purpose
Google Analytics

Further information:

__utma This cookie is used to determine unique visitors to the site, and is written upon your first visit to this site from your web browser. The cookie is updated with each page view, and expires 2 years from being set or updated.
__utmb This cookie is used to establish the length of your visit to the site. The cookie is updated with each page view, and expires 30 minutes from being set or updated.
__utmc This cookie is set to enable interoperability with the older version of Google Analytics code known as Urchin. This is a Session cookie which is destroyed when the user closes their browser.
__utmv This cookie may be set from some pages which are used to track file downloads, or which are used in advertising campaigns. The cookie is updated with each page view, and expires 2 years from being set or updated.
_ga This cookie is asssociated with Google Universal Analytics and is used to distinguish unique users by assigning a randomly generated number as a client identifier. By default it is set to expire after 2 years, although this is customisable by website owners.

6. University Code of Practice

The University’s Data Protection Code of Practice also applies to the use of personal data under this website. The Code can be accessed at

7. Changes to this notice

This notice and therefore the ways in which your data may be processed can be changed from time to time. Any changes will only be notified via this web page.

8. Further information and Contact

If you have any queries relating to this privacy notice or the way your data is being processed through this website then please contact The University Communications Team If you are dissatisfied with their response please contact the University Webmaster,