Privacy Notice – Primary Care Research Alliance

Last updated: 11/09/2025

We may revise this Privacy Notice from time to time. Any changes will be posted on this page with an updated date.

Who We Are

Primary Care Research Alliance (“we”, “us”, “our”) is a leading site management service working across the UK, delivering clinical research studies in both NHS and private patient settings. Our purpose is the advancement of health and the relief of patients suffering.

Company Details:

Registered in England and Wales
Registered address: Middleton House, Yapton Road, PO22 6DU
ICO Registration Number: ZB864081
Data Protection Authority: Information Commissioner’s Office (ICO)

We are the “Data Controller” for the personal data we collect and process, meaning we determine how and why your personal data is used.

Research Participants & Patients

What Information We Collect

We collect personal information necessary for conducting clinical research studies and providing healthcare services:

Basic Information:

Personal identity (name, date of birth, NHS number, National Insurance number)
Contact details (address, phone numbers, email)
Family/emergency contact details
Medical history and current health status
Treatment and medication records
Study-specific data and measurements

Special Category Data:

Health data (medical conditions, test results, treatment responses)
Genetic data (where relevant to the study)
Lifestyle information (smoking, alcohol consumption, exercise habits)

How We Use Your Information

Primary Purposes:

Conducting clinical research studies
Monitoring your safety during studies
Providing healthcare services
Meeting regulatory requirements
Following up on study outcomes

Legal Bases:

Categories of Data	Purpose of Processing	Legal Basis	Relevant UK GDPR Articles
Identity, contact details, medical history, treatment records, health data, study-specific data	Conducting clinical research studies	Consent	Art. 6(1)(a); Art. 9(2)(a)
Health data, study results	Monitoring participant safety during studies	Vital Interests	Art. 6(1)(d); Art. 9(2)(h)
Identity, medical & health data	Providing healthcare services	Public Interest in health; Healthcare provision	Art. 6(1)(e); Art. 9(2)(h)
Identity, contact, study data	Meeting regulatory requirements (e.g., MHRA, NHS)	Legal Obligation	Art. 6(1)(c); Art. 9(2)(i)
Contact & medical history	Following up on study outcomes	Consent / Public Interest	Art. 6(1)(a)/(e); Art. 9(2)(a)/(i)
Identity, study data	Sharing with study sponsors, CROs, regulators, GPs, labs, insurers	Consent / Legal Obligation	Art. 6(1)(a)/(c); Art. 9(2)(a)/(i)

Who We Share Your Information With

We may share your information with:

Study sponsors and clinical research organizations
Regulatory authorities (MHRA, Research Ethics Committees)
Your GP or referring clinician
Specialist consultants involved in your care
Pathology laboratories for test analysis
Data monitoring committees
Healthcare insurance providers (with consent)

Staff Members & Employment

What Information We Collect

Employment Data:

Personal identity and contact information
Employment history, qualifications, and CV
Right to work documentation
Salary, benefits, and payroll information
Tax and National Insurance details
Performance reviews and training records
Occupational health data
Security clearance information
Disciplinary and grievance records

Special Category Data:

Health data for occupational health purposes
Criminal conviction data for background checks
Trade union membership (where applicable)

How We Use Your Information

Employment Purposes:

Managing recruitment and selection processes
Administering employment contracts
Processing payroll and benefits
Ensuring workplace health and safety
Providing training and development
Managing performance and conduct
Fulfilling legal employment obligations

Our Legitimate Interests (Staff)

When we rely on legitimate interests, these include:

Business Operations: Efficient management of our workforce
Safety & Security: Protecting staff, patients, and business premises
Professional Standards: Ensuring competent delivery of healthcare services
Risk Management: Preventing fraud, misconduct, and regulatory breaches
Emergency Response: Contacting staff during incidents or emergencies

Legal Bases:

Categories of Data	Purpose of Processing	Legal Basis	Relevant UK GDPR Articles
Identity, CV, right to work docs	Managing recruitment & selection	Contract	Art. 6(1)(b)
Identity, payroll, NI/tax data	Administering employment contracts & payroll	Contract & Legal Obligation	Art. 6(1)(b); Art. 6(1)(c)
Identity, training, performance	Providing training & development	Legitimate Interests	Art. 6(1)(f)
Occupational health data	Ensuring workplace health & safety	Legal Obligation & Employment Law	Art. 6(1)(c); Art. 9(2)(b)/(h)
Disciplinary & grievance records	Managing performance & conduct	Legitimate Interests	Art. 6(1)(f)
Identity, payroll, tax	Fulfilling legal employment obligations	Legal Obligation	Art. 6(1)(c)
Emergency contact data	Duty of care, contacting staff in emergencies	Legitimate Interests / Vital Interests	Art. 6(1)(f)/(d)
Criminal conviction data	Background checks	Legal Obligation (employment law); Art. 10	Art. 10
Trade union membership	HR administration (where disclosed)	Consent / Employment law	Art. 9(2)(a)/(b)

Healthcare Professionals & Consultants

What Information We Collect

Professional identity and contact information
Qualifications, registrations, and credentials
Professional indemnity insurance details
Performance and quality metrics
Payment and invoicing information
Training and competency records

How We Use Your Information

Professional Purposes:

Managing service contracts and agreements
Ensuring professional standards and competency
Processing payments and invoicing
Regulatory reporting and compliance
Quality assurance and improvement

Legal Bases:

*Categories of Data*	*Purpose of Processing*	*Legal Basis*	*Relevant UK GDPR Articles*
Identity, contact, qualifications	Managing professional service contracts	Contract	Art. 6(1)(b)
Credentials, training records	Ensuring professional standards & competency	Legal Obligation / Legitimate Interests	Art. 6(1)(c)/(f)
Payment & invoicing data	Processing payments	Contract	Art. 6(1)(b)
Registration, quality metrics	Regulatory reporting & compliance	Legal Obligation	Art. 6(1)(c)
Performance, service delivery	Quality assurance & improvement	Legitimate Interests	Art. 6(1)(f)

Suppliers & Contractors

What Information We Collect

Business contact information
Financial and payment details
Service performance data
Due diligence and risk assessment information
Insurance and certification details

How We Use Your Information

Business Purposes:

Managing supplier relationships and contracts
Processing payments and invoicing
Conducting due diligence and risk assessments
Ensuring service quality and compliance

Legal Bases:

Categories of Data	Purpose of Processing	Legal Basis	Relevant UK GDPR Articles
Contact info, payment details	Managing supplier contracts	Contract	Art. 6(1)(b)
Financial, invoicing data	Processing payments	Legal Obligation	Art. 6(1)(c)
Due diligence data	Conducting risk assessments	Legitimate Interests	Art. 6(1)(f)
Service performance data	Ensuring service quality & compliance	Legitimate Interests	Art. 6(1)(f)

Website Visitors

What Information We Collect

Technical information (IP address, browser type, device information)
Usage data (pages visited, time spent, navigation patterns)
Contact information (if you contact us or subscribe to updates)

How We Use Your Information

Website Purposes:

Providing website functionality and services
Improving website performance and user experience
Responding to inquiries and providing information
Security monitoring and fraud prevention

Legal Bases:

Categories of Data	Purpose of Processing	Legal Basis	Relevant UK GDPR Articles
Technical data (IP, browser, device)	Providing website functionality	Legitimate Interests	Art. 6(1)(f)
Usage data (pages visited, navigation)	Improving site performance & user experience	Legitimate Interests	Art. 6(1)(f)
Contact details (via forms)	Responding to enquiries	Legitimate Interests / Consent (if marketing)	Art. 6(1)(f)/(a)
Technical data, IP, logs	Security monitoring & fraud prevention	Legitimate Interests	Art. 6(1)(f)

Data Security

We implement comprehensive technical and organizational measures to protect your data:

Technical Measures:

Secure servers with encryption
Password protection and unique user access controls
Two-factor authentication where available
Regular security updates and monitoring
Secure data transmission protocols

Organizational Measures:

Staff training on data protection
Access controls based on job requirements
Regular security risk assessments
Incident response procedures
Secure data disposal processes

Data Breach Response: If you suspect any misuse, loss, or unauthorized access to your data, please contact us immediately through our website contact page.

International Data Transfers

When we transfer your data outside the UK, we ensure appropriate safeguards are in place:

International Data Transfer Agreements
Standard Contractual Clauses
Adequacy decisions where applicable
Additional security measures as required

Data Retention

We retain your personal data only as long as necessary for the purposes collected:

Research Data: In accordance with clinical trial regulations and sponsor requirements (typically 15-25 years) Employee Data: 6 years after employment ends (or longer for pension/legal requirements) Healthcare Records: Following NHS Records Management Code of Practice Financial Data: 7 years from end of financial year Marketing Data: Until you withdraw consent or 3 years of inactivity

Full details are available in our Data Retention Schedule upon request.

Your Rights

Under UK-GDPR, you have the following rights:

Access: Request copies of your personal data Rectification: Correct inaccurate or incomplete data Erasure: Request deletion of your data (where legally permissible) Restriction: Limit how we use your data Portability: Receive your data in a portable format Objection: Object to processing based on legitimate interests Withdrawal: Withdraw consent at any time (where consent is the legal basis)

Exercising Your Rights:

Contact us through our website contact page
We will respond within one month
No charge for most requests
We may need to verify your identity

Limitations: Some rights may be limited where we have overriding legal obligations or legitimate interests, particularly in clinical research contexts.

Marketing Communications

We may contact you about our services, research opportunities, or events where:

Categories of Data	Purpose of Processing	Legal Basis	Relevant UK GDPR Articles
Contact info, communication preferences	Sending service/research updates or event info	Consent / Legitimate Interests	Art. 6(1)(a); Art. 6(1)(f); (also PECR)

Your Choices:

Unsubscribe using links in emails
Contact us directly to opt out
Update your communication preferences

Complaints

If you’re dissatisfied with how we handle your personal data:

Contact us first: Use our website contact page to raise concerns
Independent Review: Contact the Information Commissioner’s Office (ICO)
- Website: www.ico.org.uk
- Helpline: 0303 123 1113

The ICO is the UK’s independent data protection regulator.

Links to Other Websites

Our website may link to external sites. We are not responsible for their privacy practices. Please review their privacy policies before providing personal information.

Changes to This Policy

We may update this privacy notice to reflect changes in our practices or legal requirements. Check this page regularly for updates. The date of last revision appears at the top of this notice.

Contact Us

For questions about this privacy notice or how we handle your data:

Data Protection Officer Primary Care Research Alliance Middleton House, Yapton Road, PO22 6DU

Privacy Policy