Privacy Notice

EPIC-Oxford Study Data Privacy Notice

1. What is the purpose of this document?

The University of Oxford is committed to protecting the privacy and security of your personal information (‘personal data’).
This privacy policy describes how we collect and use your personal data during your participation in the EPIC-Oxford Study in accordance with the General Data Protection Regulation (GDPR).
It is important that you read this policy, together with any other privacy policy we may provide on specific occasions when we are collecting or processing information about you, so that you are aware of how and why we are using your information. We may update this policy at any time.

2. Glossary

Where we refer in this policy to your ‘personal data’, we mean any recorded information that is about you and from which you can be identified.
Where we refer to the ‘processing’ of your personal data, we mean anything that we do with that information, including collection, use, storage, disclosure or retention.

3. Who is using your personal data?

The University of Oxford(1) is the “data controller” for the information that we obtain from you or others as part of the EPIC-Oxford Study. This means that we decide how to use it and are responsible for looking after it in accordance with the GDPR.
(1) The University’s legal title is the Chancellor, Masters and Scholars of the University of Oxford.

Access to your data will be provided to designated members of our staff who need to view it as part of their work in carrying out the purposes set out in section 5. We also share it with the third parties described in section 6.

4. The types of data we hold about you and how we obtained it

We collect the majority of the information directly from you, when you complete our questionnaires. This information includes the personal details provided by you on study questionnaires at recruitment between 1993 and 1999, and on re-survey questionnaires since then.
This information includes name, address and date of birth, and special categories of more sensitive personal data including health-related data on factors such as height, weight, smoking, alcohol, diet, personal and family medical history, physical activity, childbearing, use of HRT and other medication, working patterns and general wellbeing.
We may also have collected blood samples from you, and derived biochemical and genetic data from these samples.
We also collect additional information from third parties including from the National Health Service (NHS Digital in England, Public Health England, the Information Services Division in Scotland and PEDW in Wales), your General Practitioner and other databases. This information includes special category sensitive data concerning your health, such as information on cancer registrations and screening, primary care and hospital admissions.

5. How the University uses your data

We combine the information you have given us on our questionnaires with the information we have collected from third parties. For example, to study the relationship of diet and obesity with the risk of gallstones we used linked hospital admission data to compare the number of participants who went on to develop gallstones among participants in EPIC-Oxford grouped according to their diet and their body mass index (an indication of obesity), and allowing for other important factors such as age and smoking. We found that the risk for developing gallstones did not differ between vegetarians and non-vegetarians, whereas obesity was associated with a large increase in the risk for this condition.
We collect and process your data (including your special category sensitive data) in this way for the purpose of performing scientific (medical) research being carried out in the public interest. This is known under data protection law as our “legal basis” for processing personal data.
We will only process your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another related reason and that reason is compatible with the original purpose. If we need to use your data for an unrelated purpose, we will seek your consent to use it for that new purpose. We do not use your personal data for any form of automated decision making or public profiling.
Please note that we may process your data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
The University of Oxford Policy on Data Protection can be accessed via the following link

6. Who has access to your data?

Access to your data within the University will be provided to those who need to view it as part of their work in carrying out the purposes described above.
In addition, in order to perform our research and other legal responsibilities or purposes, we will, from time to time, need to share your information with the following:
• collaborating research organisations working with us;
• external organisations providing services to us, including those who provide us with data; and
• external regulatory bodies.

Where information is shared with third parties, we will seek to share the minimum amount necessary, including pseudonymising your data where possible. This means we remove your identity and replace it with a code number before sharing the information. Only we have access to the ‘key’ linking the code to your identity.
All our third-party service providers that process data on our behalf are required to take appropriate security measures to protect your data in line with our policies. We do not allow them to use your data for their own purposes. We permit them to process your data only for specified purposes and in accordance with our instructions.

7. Transfer of your data outside of the European Economic Area (EEA)

Your data is stored on our secure servers and/or in our premises within the UK.
There may be occasions when we transfer your data outside the EEA, for example, to a researcher who is collaborating with us for the purpose of our research. Such transfers will only take place if one of the following applies:
• the country receiving the data is considered by the EU to provide an adequate level of data protection;
• the transfer has your consent;
• the transfer is necessary for the performance of a contract with you or to take steps requested by you prior to entering into that contract; or
• the transfer is governed by approved contractual clauses.

8. Retention Period

The University of Oxford is required to keep the information collected about you for at least 25 years after the “end of the study” and perhaps longer if required by the law or other research needs.

9. Security

Your data will be held securely in accordance with the University’s policies and procedures. Further information is available on the University’s Information Security website:

10. Your rights

Under certain circumstances, by law you have certain rights with respect to your data. A summary of these rights is available here:
If you want to exercise any of the rights described or are dissatisfied with the way we have used your information, please contact the University’s Information Compliance Team at The same address can be used to contact the University’s Data Protection Officer. If you remain dissatisfied, you have the right to lodge a complaint with the Information Commissioner’s Office at

11. Changes to this privacy notice

We reserve the right to update this privacy notice at any time, and will seek to inform you of substantial updates. We may also notify you in other ways from time to time about the processing of your personal data.

12. Contact

If you wish to raise any queries or concerns about this privacy notice please contact us at, or write to Professor Tim Key, EPIC-Oxford Study, Cancer Epidemiology Unit, Nuffield Department of Population Health, University of Oxford, Richard Doll Building, Roosevelt Drive, Oxford OX3 7LF, UK.

Copyright © EPIC-Oxford