Legal

Privacy Notice

How we collect, use, and protect your personal data.

Last updated: 11 September 2025

We may revise this Privacy Notice from time to time. Any changes will be posted on this page with an updated date.

1. Who We Are

Primary Care Research Alliance (“we”, “us”, “our”) is a leading site management service working across the UK, delivering clinical research studies in both NHS and private patient settings. Our purpose is the advancement of health and the relief of patients suffering.

Company Details

  • Registered in England and Wales
  • Registered address: Middleton House, Yapton Road, PO22 6DU
  • ICO Registration Number: ZB864081
  • Data Protection Authority: Information Commissioner's Office (ICO)

We are the “Data Controller” for the personal data we collect and process, meaning we determine how and why your personal data is used.

2. Research Participants & Patients

What Information We Collect

We collect personal information necessary for conducting clinical research studies and providing healthcare services:

Basic Information:

  • Personal identity (name, date of birth, NHS number, National Insurance number)
  • Contact details (address, phone numbers, email)
  • Family/emergency contact details
  • Medical history and current health status
  • Treatment and medication records
  • Study-specific data and measurements

Special Category Data:

  • Health data (medical conditions, test results, treatment responses)
  • Genetic data (where relevant to the study)
  • Lifestyle information (smoking, alcohol consumption, exercise habits)

How We Use Your Information

Primary Purposes:

  • Conducting clinical research studies
  • Monitoring your safety during studies
  • Providing healthcare services
  • Meeting regulatory requirements
  • Following up on study outcomes

Who We Share Your Information With

We may share your information with:

  • Study sponsors and clinical research organizations
  • Regulatory authorities (MHRA, Research Ethics Committees)
  • Your GP or referring clinician
  • Specialist consultants involved in your care
  • Pathology laboratories for test analysis
  • Data monitoring committees
  • Healthcare insurance providers (with consent)

3. Staff Members & Employment

What Information We Collect

Employment Data:

  • Personal identity and contact information
  • Employment history, qualifications, and CV
  • Right to work documentation
  • Salary, benefits, and payroll information
  • Tax and National Insurance details
  • Performance reviews and training records
  • Occupational health data
  • Security clearance information
  • Disciplinary and grievance records

Special Category Data:

  • Health data for occupational health purposes
  • Criminal conviction data for background checks
  • Trade union membership (where applicable)

How We Use Your Information

Employment Purposes:

  • Managing recruitment and selection processes
  • Administering employment contracts
  • Processing payroll and benefits
  • Ensuring workplace health and safety
  • Providing training and development
  • Managing performance and conduct
  • Fulfilling legal employment obligations

Our Legitimate Interests (Staff)

When we rely on legitimate interests, these include:

  • Business Operations: Efficient management of our workforce
  • Safety & Security: Protecting staff, patients, and business premises
  • Professional Standards: Ensuring competent delivery of healthcare services
  • Risk Management: Preventing fraud, misconduct, and regulatory breaches
  • Emergency Response: Contacting staff during incidents or emergencies

4. Healthcare Professionals & Consultants

What Information We Collect

  • Professional identity and contact information
  • Qualifications, registrations, and credentials
  • Professional indemnity insurance details
  • Performance and quality metrics
  • Payment and invoicing information
  • Training and competency records

How We Use Your Information

Professional Purposes:

  • Managing service contracts and agreements
  • Ensuring professional standards and competency
  • Processing payments and invoicing
  • Regulatory reporting and compliance
  • Quality assurance and improvement

5. Suppliers & Contractors

What Information We Collect

  • Business contact information
  • Financial and payment details
  • Service performance data
  • Due diligence and risk assessment information
  • Insurance and certification details

How We Use Your Information

Business Purposes:

  • Managing supplier relationships and contracts
  • Processing payments and invoicing
  • Conducting due diligence and risk assessments
  • Ensuring service quality and compliance

6. Website Visitors

What Information We Collect

  • Technical information (IP address, browser type, device information)
  • Usage data (pages visited, time spent, navigation patterns)
  • Contact information (if you contact us or subscribe to updates)

How We Use Your Information

Website Purposes:

  • Providing website functionality and services
  • Improving website performance and user experience
  • Responding to inquiries and providing information
  • Security monitoring and fraud prevention

7. Data Security

We implement comprehensive technical and organizational measures to protect your data:

Technical Measures:

  • Secure servers with encryption
  • Password protection and unique user access controls
  • Two-factor authentication where available
  • Regular security updates and monitoring
  • Secure data transmission protocols

Organizational Measures:

  • Staff training on data protection
  • Access controls based on job requirements
  • Regular security risk assessments
  • Incident response procedures
  • Secure data disposal processes

Data Breach Response: If you suspect any misuse, loss, or unauthorized access to your data, please contact us immediately through our website contact page.

8. International Data Transfers

When we transfer your data outside the UK, we ensure appropriate safeguards are in place:

  • International Data Transfer Agreements
  • Standard Contractual Clauses
  • Adequacy decisions where applicable
  • Additional security measures as required

9. Data Retention

We retain your personal data only as long as necessary for the purposes collected:

  • Research Data: In accordance with clinical trial regulations and sponsor requirements (typically 15–25 years)
  • Employee Data: 6 years after employment ends (or longer for pension/legal requirements)
  • Healthcare Records: Following NHS Records Management Code of Practice
  • Financial Data: 7 years from end of financial year
  • Marketing Data: Until you withdraw consent or 3 years of inactivity

Full details are available in our Data Retention Schedule upon request.

10. Your Rights

Under UK-GDPR, you have the following rights:

  • Access: Request copies of your personal data
  • Rectification: Correct inaccurate or incomplete data
  • Erasure: Request deletion of your data (where legally permissible)
  • Restriction: Limit how we use your data
  • Portability: Receive your data in a portable format
  • Objection: Object to processing based on legitimate interests
  • Withdrawal: Withdraw consent at any time (where consent is the legal basis)

Exercising Your Rights:

  • Contact us through our website contact page
  • We will respond within one month
  • No charge for most requests
  • We may need to verify your identity

Limitations: Some rights may be limited where we have overriding legal obligations or legitimate interests, particularly in clinical research contexts.

11. Marketing Communications

We may contact you about our services, research opportunities, or events where applicable.

Your Choices:

  • Unsubscribe using links in emails
  • Contact us directly to opt out
  • Update your communication preferences

12. Complaints

If you're dissatisfied with how we handle your personal data:

  • Contact us first: Use our website contact page to raise concerns
  • Independent Review: Contact the Information Commissioner's Office (ICO)

Website: www.ico.org.uk
Helpline: 0303 123 1113

The ICO is the UK's independent data protection regulator.

13. Links to Other Websites

Our website may link to external sites. We are not responsible for their privacy practices. Please review their privacy policies before providing personal information.

14. Changes to This Policy

We may update this privacy notice to reflect changes in our practices or legal requirements. Check this page regularly for updates. The date of last revision appears at the top of this notice.

15. Contact Us

For questions about this privacy notice or how we handle your data:

Data Protection Officer
Primary Care Research Alliance
Middleton House, Yapton Road, PO22 6DU

Contact us through our website contact page or write to the above address.