Last updated: 18 April 2026
This is the plain-English version of our Data Protection Impact Assessment (DPIA). The full DPIA document (a formal controlled document with a version history and signed audit trail) is available to the ICO and to sponsors on request — email daphne@pcralliance.uk.
1. Who the Portal is for
The PCRA Portal is a workspace for three groups of people:
- Sponsor companies (pharma / CRO) — upload study protocols and review feasibility responses.
- NHS GP practices — look at protocols, tell us how their practice could contribute, collaborate with a sponsor on a specific study.
- PCRA staff — run the platform.
The Portal is not a clinical system. It does not hold patient records and it does not process patient-identifiable data. If anyone sends us a message that contains patient information, our system quarantines the message and asks them to resend it without the patient details.
2. What data we hold about you
If you have a Portal account, we hold:
- Your work name, work email, the practice or company you represent.
- Which projects, protocols and documents you have been given access to.
- A record of each sign-in (time, IP) and each document you have opened. This is our audit trail — it allows us to demonstrate to a sponsor (or the regulator) who saw what, and when.
- A timestamped record when you first accept the confidentiality terms (NDA) for a given project.
If you fill in one of our public forms (join request, sponsor inquiry, contact) we hold the content of the form and the contact details you provided.
3. What we never hold
- Patient-identifiable data. NHS numbers, dates of birth, names of individual patients. Our scanner actively looks for these patterns at ingest and blocks them.
- Your password. We only store a one-way hash (bcrypt) that cannot be reversed.
- Content of AI conversations. We run certain drafting tasks through an AI service (AWS Bedrock, hosted in the EU). We keep a metadata record of each call — when, which model, how many tokens — but never the prompt text or the response body.
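To illustrate the ingest check described in sections 1 and 3 (the scanner that looks for patient-identifier patterns and quarantines the message), here is an added example. It is not the PCRA Portal's own scanner, whose implementation this page does not show; the patterns, the `scan_inbound` function and the sample messages are all assumptions constructed for the example. It validates NHS-number candidates with the modulus-11 check digit so that ordinary 10-digit numbers (order refs, phone fragments) are far less likely to trigger a quarantine, and it returns only masked values so the DPO alert itself never carries the identifier.

```python
import re
from dataclasses import dataclass, field

# Constructed example: a small inbound-content scanner in the spirit of the
# control described in sections 1 and 3. Not the Portal's own code.

# Ten digits, optionally grouped 3-3-4 as NHS numbers are usually written.
NHS_CANDIDATE = re.compile(r"(?<!\d)(\d{3})[ -]?(\d{3})[ -]?(\d{4})(?!\d)")
# dd/mm/yyyy, dd-mm-yyyy or yyyy-mm-dd
DOB_PATTERN = re.compile(
    r"(?<!\d)(?:\d{2}[/-]\d{2}[/-](?:19|20)\d{2}|(?:19|20)\d{2}-\d{2}-\d{2})(?!\d)"
)
# A date only counts as a date of birth when a DOB label precedes it.
DOB_CONTEXT = re.compile(r"\b(?:dob|date of birth|born|d\.o\.b\.?)\b", re.IGNORECASE)


def nhs_checksum_ok(digits: str) -> bool:
    """Modulus-11 check used by NHS numbers: weights 10..2 over the first nine
    digits; check digit = 11 - (sum mod 11); a result of 11 means 0, a result
    of 10 means the number is invalid."""
    if len(digits) != 10 or not digits.isdigit():
        return False
    total = sum(int(d) * w for d, w in zip(digits[:9], range(10, 1, -1)))
    check = 11 - (total % 11)
    if check == 11:
        check = 0
    if check == 10:
        return False
    return check == int(digits[9])


@dataclass
class ScanResult:
    quarantine: bool
    findings: list = field(default_factory=list)  # (kind, masked value)


def scan_inbound(text: str) -> ScanResult:
    """Decide whether an inbound message must be quarantined.

    Returns masked findings only, so the result can be written to the audit
    log and sent to the DPO without reproducing the patient identifier."""
    findings = []
    for m in NHS_CANDIDATE.finditer(text):
        digits = "".join(m.groups())
        if nhs_checksum_ok(digits):
            findings.append(("nhs_number", "***" + digits[-3:]))
    for m in DOB_PATTERN.finditer(text):
        window = text[max(0, m.start() - 30):m.start()]
        if DOB_CONTEXT.search(window):
            findings.append(("date_of_birth", "[redacted]"))
    return ScanResult(quarantine=bool(findings), findings=findings)


# Constructed sample messages. 943 476 5919 is a syntactically valid NHS
# number (it passes the check digit); 943 476 5918 does not.
SAMPLE_PATIENT_MESSAGE = (
    "Hi, patient NHS no 943 476 5919, DOB 12/03/1961, is eligible for the study."
)
SAMPLE_CLEAN_MESSAGE = "Protocol v2 uploaded on 12/03/2026, sponsor ref 943 476 5918."

if __name__ == "__main__":
    for msg in (SAMPLE_PATIENT_MESSAGE, SAMPLE_CLEAN_MESSAGE):
        result = scan_inbound(msg)
        print("QUARANTINE" if result.quarantine else "ACCEPT", result.findings)
```

The check digit is what keeps the false-positive rate manageable: roughly one random 10-digit string in eleven would otherwise look like an NHS number. The cost of requiring a DOB label is that an unlabelled bare date is not treated as a date of birth; a production scanner would tune that trade-off against the traffic it actually sees and would also look for patient names, which this example does not attempt.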
4. Where the data lives
- Database: Neon PostgreSQL, region eu-west-2 (London).
- Files you upload: object storage in the UK / EU (exact provider recorded in our DPIA).
- Email: Microsoft 365 (Graph API), EU tenancy.
- AI processing: AWS Bedrock, EU region. We do not send data directly to Anthropic's US API.
Director decision (2026-04-18): transfers to the United States are minimised. Every sub-processor we use is selected on the basis of UK / EU hosting.
5. How long we keep it
- Regulated research audit trail (who signed which NDA, who opened which protocol, AI call metadata): 7 years, in line with MHRA / ICH GCP expectations.
- Commercial correspondence (inquiries, join requests that didn’t lead to an account): 2 years.
- Your account data: for as long as you have an active account, plus a short audit tail after closure.
6. Your rights (UK GDPR)
You can ask us to:
- Send you a copy of everything we hold about you (right of access, Art 15). We will send you a JSON bundle within one calendar month.
- Correct anything that is wrong (Art 16).
- Delete your account and associated data (Art 17), subject to our regulated audit retention.
- Object to how we’re using your data (Art 21).
- Complain to the ICO (0303 123 1113 or ico.org.uk/make-a-complaint).
Point of contact for all of the above: daphne@pcralliance.uk.
7. How we keep things safe
- Everything is encrypted in transit (HTTPS) and at rest (database-level encryption).
- Admin and member accounts require two-factor authentication.
- Every sign-in, document view and NDA acceptance is recorded in an append-only audit log.
- Public forms and auth endpoints are rate-limited.
- Our DPO is notified automatically the moment our scanner detects anything that looks like patient data in inbound content.
- Dependencies are patched on a regular cadence; vulnerability status is reviewed each release.
8. When something goes wrong
If we detect (or are told about) a breach that is likely to affect your rights and freedoms, we notify the ICO within 72 hours and contact you directly without undue delay. Our incident response runbook sits alongside the DPIA as a controlled document.
9. Related documents
- Privacy Notice — the formal notice required by UK GDPR Art 13/14.
- Scraping Policy — what we do when we populate practice profiles from public sources, and how to opt out.
- Full DPIA (controlled document) — available to sponsors and to the ICO on request.