GRAIL Privacy Notice for SUMMIT Study Participants
This notice is directed to participants in the SUMMIT Study. The Participant Information Sheet (PIS) that you receive when you join the study describes the procedures you undergo during the study, the information collected from you during the study, and how University College London (UCL) and University College London Hospitals NHS Foundation Trust (UCLH) use the information collected about you during the study. As explained in the PIS, GRAIL, Inc. (GRAIL), 1525 O’Brien Drive, Menlo Park, California, 94025, USA, is a company that is developing blood tests for early cancer detection and is providing money and equipment to support the SUMMIT Study. This notice describes how GRAIL uses the information that it receives about you from the SUMMIT Study.
Who is the data controller of my information?
UCL is the data controller for the SUMMIT Study and will be responsible for coordinating the collection and use of your data under the SUMMIT Study. GRAIL will receive certain information about you as part of the SUMMIT Study. GRAIL will be the data controller in relation to the processing of the information that GRAIL receives from the SUMMIT Study. GRAIL Bio Ltd, based in the UK will also be processing data and acting as a data processor on instruction of GRAIL, LCC.
What information does GRAIL receive about me?
GRAIL receives the information that you enter into the electronic questionnaires during your SUMMIT Study appointments, information from your medical record that is collected for the SUMMIT Study, and reports of adverse reactions occurring during the SUMMIT Study. This information will include details about your current health, past medical history, your sex, your age, and genetic information. GRAIL will also receive your blood samples collected during the SUMMIT Study, and historic health information from national (UK-based) registries and data sources up to 6 months before you consented to the study.
Importantly, the information and samples that GRAIL receives do not contain your name or other information from which you can readily be identified. Instead, the information that GRAIL receives contains a study number in place of your name and other readily identifying information; this is sometimes called “pseudonymised” or “coded” information. Only certain authorised members of the SUMMIT Study team will be able to link your name to this code. GRAIL will not have access to the link between the code and your name.
What does GRAIL do with my information and samples?
GRAIL will perform tests, including genetic analyses, on your samples. You will not receive the results of this testing. GRAIL will use these test results and the other information described above for research purposes related to developing a test for early cancer detection. GRAIL may also use this information to authorise and commercialize this test. As part of this process, GRAIL may share your information with collaborators and other researchers.
GRAIL, its collaborators, and other researchers may use your information to conduct additional studies with the information collected in this study to advance scientific research and public health. These projects may involve bringing together coded information from the SUMMT Study with information from other studies or sources outside typical research settings, such as electronic health records or biobanks. If your coded information is used for additional studies, specific safeguards will be used to protect the information, which may include:
- Limiting access to specific individuals who are obligated to keep the information confidential.
- Using security measures to avoid information loss and unauthorised access.
- Anonymising the information by destroying the link between the coded information and your personal identifiers.
- When required by applicable law, ensuring that the scientific research has the approval of research ethics committees (RECs), or other similar review groups.
GRAIL, its collaborators and other researchers may publish the results of their research, and they may be required by law or scientific journal policy to make information generated in the research publicly available or available to future researchers. If GRAIL, its collaborators, or other researchers make public any study results, the results will not contain your name or other details that can easily be used to identify you.
What is the basis for processing my information?
GRAIL needs a valid legal reason to process and use your information. This is called a “legal basis.” GRAIL’s legal basis for processing your information is its legitimate interest in conducting scientific research.
How long will my information be kept?
GRAIL will keep your information for as long as needed to fulfil the purposes outlined in this notice and the PIS, which may be indefinitely, unless a different retention period is required by law.
Will my information be transferred outside of the United Kingdom?
Your information will be transferred to the United States, where GRAIL is located, and potentially to other countries. Some of these countries, including the United States, have been found by the European Commission not to offer the same level of data protection as that found in the European Economic Area. GRAIL and UCL have entered into a data transfer agreement in a form approved by the European Commission to make sure that your information remains protected after it is sent to GRAIL. Please contact your study team if you wish to obtain a copy of the standard data transfer agreement.
In accordance with GDPR Article 46(1), a global transfer assessment has been conducted, and appropriate safeguards are in place. Participants can find out more information by contacting ctc.summit@ucl.ac.uk.
What are my rights?
Under data protection legislation you have certain rights in relation to your personal information, including the right to access, correct, erase or restrict or object to the use of your personal information. These rights are limited in the research setting, however, because GRAIL needs to manage your information in specific ways in order for the research to be reliable and accurate. Because GRAIL does not know your identity, if you wish to exercise any of these rights, you should contact your study doctor or members of the study team for the SUMMIT Study and they can direct your question to the appropriate person at GRAIL.
You also have the right to make a complaint with the Information Commissioner’s Office (ICO) (the UK data protection regulator). For further information on your rights and how to complain to the ICO, please refer to the ICO website: https://ico.org.uk/.
Whom can I contact with questions?
Because GRAIL does not know your identity, you should address your questions to the study doctor or study team for the SUMMIT Study. GRAIL’s data protection officer is reachable at privacy@grail.com. GRAIL’s representative in the UK is BM Data Services Limited and is reachable at grailsummitrep@grailbio.com.