Health Data Research Innovation Gateway Privacy Policy

This privacy policy aims to give you information on how Health Data Research UK collects and processes your personal data through your use of this Gateway, including any data you may provide by emailing the contact email address listed on our Gateway.


Health Data Research UK (“HDR UK”) is a limited company registered in England and Wales under company number 10887014 and its registered office is at 215 Euston Road, London, England, NW1 2BE

HDR UK is the controller and responsible for your personal data (“we”, “us” or “our” in this privacy policy).

We have a data privacy manager who is responsible for overseeing questions in relation to this privacy policy. If you have any questions about this privacy policy, including any requests to exercise your legal rights as set out in this privacy policy, please contact the data privacy manager using the following details:


Postal address: Data Privacy Manager, Health Data Research UK, Gibbs Building, 215 Euston Road, London, NW1 2BE

Data we collect about you

Personal data means any information relating to an identified or identifiable individual.

We may collect, use, store and transfer different kinds of personal data about you when you use this Gateway. This may include:

  • Information you provide to us: We collect information when you interact with us through our Gateway. This will include your name, email address and institution. We will also collect content you contribute to us as part of your use of the Gateway, such as uploading tools and papers and access requests.
  • Information we collect automatically: We collect information about the browsers and devices you use to access the Gateway through the use of cookies and similar technologies. Please see our cookie policy for further details.

How we use your personal data and the purpose for which we will use it

We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in accordance with the following legal bases:

  • Where it is necessary for our legitimate interests and your interests and fundamental rights do not override those interests.
  • Consent
  • Where the processing is necessary for the performance of a contract to which you are a party.
  • Where we need to comply with a legal obligation.

We plan to use your personal data, and to rely on the legal bases, as set out below:

  • To respond to any enquiry you make, we will use the information that you provide to us. The legal basis for processing for this purpose will be our legitimate interests.
  • To improve our Gateway, we will use the technical data that we collect about you automatically. The legal basis for processing for this purpose will be our legitimate interests and, where required, your consent. Please see our cookie policy for further details.

We may also use your data to create aggregated statistics in relation to the performance of the Gateway or the data sets referenced on the Gateway. These aggregated statistics are not personal data and you cannot be identified from this information.

Disclosure of personal data

When requesting access to data via the Gateway, or submitting a query about its contents, the information you provide as part of the request will be shared with such third parties as may be necessary to consider and administer that enquiry. Such third parties will, in particular, include the dataset’s custodian or their designee.

We may share your personal data with internal employees who respond to an enquiry you make or to manage our IT services.

We may also share your personal data with external third-party system providers that support our business – such parties include providers of hosting services and technical infrastructure (e.g. Google Cloud Platform).

We will not share your personal data with organisations for marketing purposes.

We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.

We may share your personal information with regulators or other authorities if we have a legal obligation to do so. In the event that HDR UK undergoes any reorganisation, restructuring, merger, sale, or other transfer of assets, your information may be disclosed to our advisers and any prospective purchaser’s adviser and will be passed to any new owners of the business.

International transfers

In connection with the purposes identified in the section above, your personal data may be transferred outside the UK and the EEA. Where information is transferred outside the UK or EEA, and the destination is not subject to an adequacy decision by the EU Commission or UK equivalent, then such transfer may be restricted by law. In such cases, then unless the transfer is necessary for the performance of a qualifying contract, the performance of a legal obligation, or use in connection with legal claims, and you have not consented to that transfer, then we shall take steps to ensure that the data is adequately protected by EU Commission approved standard contractual clauses (or UK equivalent), or a vendor’s Processor Binding Corporate Rules.

Data retention

  • Information you provide to us: We collect information when you interact with us by completing the online form. We will retain this for as long as you remain an active user. Where you request to become inactive, we will delete your data within 90 days of the request.
  • Information we collect automatically: We collect information about the browsers and devices you use to access the Gateway through the use of cookies and similar technologies. We will retain this for 26 months after which time it will be deleted.

Your legal rights

Under certain circumstances, you have rights under data protection laws in relation to your personal data, including:

  • Request access to your personal data (commonly known as a “data subject access request”). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
  • Request correction of your personal data. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.
  • Request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it.
  • Request restriction of processing your personal data. This enables you to ask us to suspend the processing of your personal data in a number of different scenarios, such as where you want us to establish the accuracy of the data.
  • Request transfer of your personal data. This enables you to request the transfer of your personal data to a third party. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.
  • Right to withdraw consent. This enables you to withdraw your consent that we are relying on to process your personal data. If you withdraw your consent, we may not be able to provide certain services to you. We will advise you if this is the case at the time you withdraw your consent.

In addition, you can object to the processing of your personal data in some circumstances (in particular, where we do not have to process the data to meet a contractual or other legal requirements).

These rights may be limited, for example, if fulfilling your request would reveal personal data about another person, or if you ask us to delete information which we are required by law to keep or have compelling legitimate interests in keeping. We will inform you of the relevant exemptions we rely upon when responding to any request you make.

If you wish to exercise any of these rights or to get a copy of our legitimate interest balancing test, please contact us. If you have unresolved concerns, you have the right to complain to a data protection authority where you live, work or where you believe a breach may have occurred.

We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

Changes to our privacy policy

We reserve the right to change this privacy policy from time to time to reflect changes in the law or regulation, our information practices, our services, or our operational requirements. Depending on the type of change, we may notify you by updating this page or by email. We encourage you to periodically review this page to see any changes we have made.

Last updated: 30 November 2020