Privacy Notice — Primary Care Research Alliance
Version: 2.0
Effective from: 9 May 2026
Last updated: 8 May 2026
Approved by: Richard Newell, Data Protection Officer (countersigned 9 May 2026)
At a glance
We are the Primary Care Research Alliance ("PCRA", "we", "us"). We are a UK site management organisation delivering clinical research studies in NHS and private settings.
This notice explains how we collect, use and look after personal data across two related but distinct surfaces:
- Our research delivery activity — the clinical studies we run with member practices, sponsors, and patients. This is the long-standing scope of our processing. (Sections 5–9 below.)
- Our member portal at portal.pcralliance.uk, a software platform launched in 2026 that lets GP practices, PCNs, and other NHS member organisations join PCRA, build a sponsor-facing capabilities profile, and respond to study feasibility requests. The portal also lets sponsor companies see the network of member practices and engage with us through controlled, NDA-protected interactions. (Sections 10–14 below.)
Patient-identifiable data is explicitly excluded from the portal by design. Sponsors and PCRA staff anonymise data at source before it enters the portal. Any patient-identifiable data appearing in inbound content is treated as an incident, quarantined, and removed without being incorporated into our records.
AI is used in the portal, in tightly-scoped ways, with safeguards. A human always reviews AI output before it influences any decision. The AI provider chain is described in Section 11.
1. Who we are
| Controller | Primary Care Research Alliance Ltd |
| Registered office | Middleton House, Yapton Road, PO22 6DU |
| ICO Registration | ZB864081 |
| Regulator | Information Commissioner's Office (ICO) |
| Data Protection Officer | Contact via info@pcralliance.uk with the subject line "FAO Data Protection Officer", or by post to the address above |
| General contact | info@pcralliance.uk or via the contact page on our website |
We are the "data controller" for all personal data described in this notice. Our processors (Microsoft, Vercel, Neon, AWS, GitHub) act on our documented instructions only — see Section 13.
2. The portal — what it is and what it is not
The PCRA Portal at portal.pcralliance.uk is a software service we operate to coordinate member practices and sponsors.
The portal does:
- Hold member-practice profiles (capabilities, equipment, team members, awards, photos, "about us" descriptions).
- Let practice staff sign in with email + password + email-based one-time passcode (2FA).
- Show sponsors a directory of member practices with the data the practice has chosen to publish.
- Capture inbound enquiries from sponsors and from a shared inbox (info@pcralliance.uk) and route them to a human admin for triage.
- Use AI assistance — with human review of every output — to help practices fill in their profile from their public website, to suggest matches between studies and practices, and to summarise inbound emails for an admin reviewer. See Section 11.
- Let practices exchange documents (CVs, leaflets, SOPs) with PCRA admins under access controls and audit logging.
The portal does NOT:
- Hold patient-identifiable data of any kind. NHS numbers, dates of birth paired with other identifiers, postcodes paired with ages, GP-system patient IDs are all out of scope. A patient-data scanner refuses any inbound content that matches these patterns and treats matches as incidents.
- Send automatic emails or replies on your behalf. Outbound mail is limited to operational notifications (one-time passcodes, account alerts, practice-confirmed comms about a specific opportunity).
- Make automated decisions about people. Every consequential output is reviewed by a human. We do not perform any "solely automated decision-making" within the meaning of UK GDPR Article 22.
- Train any AI model on your data. Our AI provider (AWS Bedrock with Anthropic's Claude model) does not retain or train on the prompts we send.
The portal is a separate processing surface from our research delivery work. The two surfaces talk to each other (a sponsor inquiry on the portal can become a real research project) but the portal stays clear of patient-identifiable data throughout.
3. Who this notice is about
| Category of person | Section |
|---|---|
| Patients & research participants — anyone enrolled or being screened for one of our studies, including via primary-care identification | §5 |
| Member-practice users — clinicians, practice managers, research nurses and PCN admins who use the portal to represent their practice | §6 |
| Sponsor users — pharmaceutical, biotech and CRO contacts who use the portal to engage with PCRA for studies | §7 |
| Inbound mail senders — anyone who sends an email to info@pcralliance.uk | §8 |
| Staff, healthcare professionals & contractors — PCRA employees, consultants and individuals contracted to deliver studies | §9 |
| Suppliers — third-party companies we contract with (legal, IT, telecoms etc.) | §9 |
| Website visitors — anyone visiting pcralliance.uk or portal.pcralliance.uk | §10 |
You may fall into more than one category. Each section explains what data we hold for that role and why.
4. Lawful bases at a glance
| Processing | Lawful basis (UK GDPR Art 6) | Special category basis where relevant (Art 9) |
|---|---|---|
| Conducting a clinical study with consented patients | (e) public task, supported by patient consent for participation | (j) scientific research |
| Sponsor / CRO contractual relationship | (b) performance of contract | n/a |
| Member-practice contractual relationship | (b) performance of membership contract | n/a |
| AI-assisted operations (profile enrichment + email triage) | profile enrichment: (a) explicit, per-practice opt-in consent; email triage: (f) legitimate interest (ops) | n/a (no health data processed) |
| Audit logging (account actions, document views) | (c) legal obligation (GDPR Art 5(2) accountability) + (f) legitimate interest (security) | n/a |
| Marketing communications | (a) explicit consent OR (f) legitimate interest with opt-out | n/a |
| Cookies & similar technologies | strictly necessary cookies: (f) legitimate interest; analytics or marketing cookies: (a) consent (PECR) | n/a |
5. Patients & research participants
What we collect
When you participate in a study with us we collect the personal data described in your study's specific consent form — typically:
- Identity: name, date of birth, NHS number, National Insurance number where required by the protocol.
- Contact: address, phone, email, family / emergency contacts.
- Health: medical conditions, treatment and medication history, study-specific measurements (vital signs, lab results, imaging where relevant), test responses.
- Lifestyle: smoking, alcohol, exercise where the protocol requires.
- Genetic data: only when the study protocol requires it and you have specifically consented.
Why we collect it
- Conducting the clinical study itself.
- Monitoring your safety throughout the study.
- Providing healthcare services around the study (clinic visits, follow-up).
- Meeting regulatory requirements (MHRA, Research Ethics Committees, ICH-GCP).
- Following up on study outcomes.
Lawful basis
- Art 6(1)(e) public task (we deliver research that is in the public interest), supported by your specific Art 6(1)(a) consent for the protocol.
- Art 9(2)(j) processing of special category (health) data is necessary for scientific research, with appropriate safeguards including pseudonymisation at source by sponsors.
Who we share with
- Study sponsors and the contract research organisations (CROs) acting on their behalf, in line with the study protocol.
- Regulatory authorities (MHRA, Research Ethics Committees) on request.
- Your GP or referring clinician where clinically appropriate.
- Specialist consultants involved in your care under the study.
- Pathology laboratories for analysis of your samples.
- Independent data monitoring committees.
- Healthcare insurance providers (with your separate consent only).
We share the minimum necessary in each case. Sponsors and CROs receive pseudonymised data unless the protocol specifically requires identifiable data and you have consented.
Retention
Per ICH-GCP and MHRA: typically 15 years from the end of the study, longer where the study or the sponsor's contract requires.
6. Member-practice users (portal)
If you are a clinician, practice manager, research nurse or PCN admin using the portal to represent your practice, this section applies to you.
What we collect
- Identity & contact: your name, role, work email, work phone.
- Authentication: a hashed password (we never store plain text), email-based one-time passcodes (10 minute lifetime), an optional "trusted device" cookie (60 days).
- Practice data you author:
- The practice's own contact details, address, postcode.
- The capabilities profile you complete (free-text descriptions of your trial history, equipment, recruitment routes, MHRA inspection history, awards, etc.).
- Photos and short bios of named team members at your practice (with their knowledge — you confirm consent at the point of upload).
- Documents you choose to upload (PI CVs, practice leaflets, SOPs).
- AI-assisted draft data (only if you consent — see §11):
- Content scraped once from your practice's public website (hero photo, "about" text, team-member names + bios, awards) — surfaced for your review before anything is published.
- Activity: every login, every consequential action (publishing your profile, accepting an invitation), and every view of a sponsor document is recorded in an audit log.
We do not collect patient-identifiable data through the portal. The patient-data scanner refuses any inbound content that matches NHS numbers / DoB+identifier patterns / postcode+age / GP-system IDs.
Why we collect it
- Performance of your practice's PCRA membership contract — the portal is the membership platform.
- Providing the practice's profile to sponsors so they can match studies to sites.
- Managing the lifecycle of study invitations (invite → accept → confirm → deliver).
- Security and audit (regulatory + good-practice).
Lawful basis
- Art 6(1)(b) performance of contract — the practice asked PCRA to be in our directory; the portal is how we deliver that.
- Art 6(1)(a) explicit consent — for the AI-assisted enrichment path specifically (the per-practice `ai_enrichment` consent in your portal account). Withdrawable at any time via the Profile editor; withdrawal immediately disables the scraper and the in-portal AI assistant for your practice.
- Art 6(1)(c) legal obligation — for retention of the audit log (GDPR Art 5(2) accountability).
Who we share with
- Sponsor users on the portal — they see what you have chosen to publish on your profile (you control "draft" / "published" state).
- PCRA admins — they see your draft profile and your activity log for support and triage.
- Sub-processors (Vercel, Neon, AWS, Microsoft) — see Section 13.
Retention
- Profile data: held for the duration of your practice's membership, then a 12-month tail to allow re-onboarding without retyping.
- Audit log entries: 7 years (regulated audit retention).
- AI-derived suggestions awaiting your review: 90 days from creation if not actioned.
- Email-based 2FA tokens: 10 minutes (then expired and purged).
Your control
The portal gives you self-service for most rights:
- Edit any field in your practice profile at any time.
- Withdraw `ai_enrichment` consent — disables AI processing immediately.
- Toggle profile visibility (`draft` / `published` / `inactive`).
- Manage team members and documents directly.
- Request account deletion via PCRA support; profile data is removed within 30 days.
7. Sponsor users (portal)
If you are a contact at a pharmaceutical, biotech or CRO using the portal to engage with PCRA for studies, this section applies to you.
What we collect
- Identity & contact: name, work email, company, role/title.
- Authentication: as for member-practice users (§6).
- NDA acknowledgements: the timestamp and version of NDA you accepted before viewing each sponsor's project documents.
- Activity: logins, every project document view (with timestamp + IP for audit), inquiry submissions.
Why we collect it
- Performance of the contractual relationship between PCRA and your sponsor organisation.
- Auditability of who accessed what — particularly important for NDA-bound content.
- Security: enabling your access to be revoked immediately if your role at the sponsor organisation changes.
Lawful basis
- Art 6(1)(b) performance of contract.
- Art 6(1)(c) legal obligation for the audit log.
- Art 6(1)(f) legitimate interest for security (account lockout on failed logins, etc.).
Who we share with
- The sponsor organisation you represent (your activity is visible to other authorised users at the same sponsor).
- PCRA admins.
- Sub-processors (Section 13).
We do not share sponsor-user identity with member practices unless you have specifically engaged with that practice and consented to the introduction.
Retention
- Account: while you have access. After deactivation, account record + audit-log entries retained for 7 years for regulatory and contractual evidence.
- NDA acknowledgements: 7 years from acceptance (sponsor contractual obligation).
8. Inbound mail senders (info@pcralliance.uk)
This section is new in v2 and explains how we handle email sent to our shared mailbox info@pcralliance.uk.
What we collect
When you email info@pcralliance.uk, the following happens automatically:
- The email (sender, recipient, subject, body, attachments metadata) is read by our portal via Microsoft Graph polling.
- A patient-data scanner runs on the body before the message is stored. If it detects NHS numbers, pattern-matched DOBs, postcode+age combinations, or GP-system identifiers, the body is dropped immediately — only the metadata + a "quarantined" marker is kept, for 30 days, so PCRA's DPO can investigate any incident.
- A rules-based relevance filter runs (still no AI) — out-of-office replies, automated newsletters, and obvious noise are flagged but kept for a human admin to glance at.
- If AI is enabled (it can be turned off at any time), an AI parser produces a structured summary to help the admin triage faster. Anthropic does not retain the email content (per AWS Bedrock terms — see §11). The AI's output is advisory only — never acted on automatically.
- A PCRA admin reviews the email in a triage workbench and decides what to do (push to a project, ignore, edit the AI's summary, ask a colleague for clarification). Every action is human-triggered.
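The scanner step above (also described in §2, §6 and §16) is a pattern-matching gate that runs before storage and before any AI call. The code below is an added illustration of that gate, not PCRA's own scanner. Everything beyond the four pattern classes the notice names is an assumption: NHS numbers are confirmed with the standard modulus-11 check digit rather than matched on shape alone (which cuts false positives on phone and reference numbers); a date of birth only counts when paired with another identifier in the same body (a UK postcode, a valid NHS number or a GP-system ID); the GP-system ID pattern is a placeholder `Patient ID: <digits>` token; and the sample messages are constructed, not real mail.

```python
"""Illustrative patient-identifiable-data scanner for an inbound-mail triage pipeline.

Added example, not PCRA's code. Assumptions not stated in the notice:
  * NHS numbers are confirmed with the modulus-11 check digit, not matched on shape alone;
  * a date of birth only counts when paired with another identifier in the same body
    (a UK postcode, a valid NHS number or a GP-system ID);
  * the GP-system ID pattern is a placeholder 'Patient ID: <digits>' token.
"""
import re
from dataclasses import dataclass, field

NHS_CANDIDATE = re.compile(r"\b(\d{3})[ -]?(\d{3})[ -]?(\d{4})\b")
UK_POSTCODE = re.compile(r"\b[A-Z]{1,2}\d[A-Z\d]? ?\d[A-Z]{2}\b", re.I)
DOB = re.compile(
    r"\b(?:dob|date of birth|born)\b[^\d]{0,10}(\d{1,2}[/.-]\d{1,2}[/.-]\d{2,4})", re.I
)
AGE = re.compile(r"\b(?:aged?|age:)\s*(\d{1,3})\b", re.I)
GP_SYSTEM_ID = re.compile(r"\bpatient\s*id\s*[:#]?\s*\d{5,}\b", re.I)  # assumed placeholder pattern


def valid_nhs_number(digits: str) -> bool:
    """Modulus-11 check digit: weights 10..2 over the first nine digits."""
    if len(digits) != 10 or not digits.isdigit():
        return False
    total = sum(int(d) * w for d, w in zip(digits[:9], range(10, 1, -1)))
    check = 11 - (total % 11)
    if check == 11:
        check = 0
    if check == 10:  # remainder 1 leaves no valid check digit; such numbers are never issued
        return False
    return check == int(digits[9])


@dataclass
class ScanResult:
    quarantine: bool
    reasons: list[str] = field(default_factory=list)


def scan(body: str) -> ScanResult:
    """Return the quarantine decision and the pattern classes that fired."""
    nhs_hit = any(valid_nhs_number("".join(m.groups())) for m in NHS_CANDIDATE.finditer(body))
    postcode_hit = UK_POSTCODE.search(body) is not None
    gp_id_hit = GP_SYSTEM_ID.search(body) is not None
    dob_hit = DOB.search(body) is not None
    age_hit = AGE.search(body) is not None

    reasons: list[str] = []
    if nhs_hit:
        reasons.append("nhs_number")
    if dob_hit and (nhs_hit or postcode_hit or gp_id_hit):
        reasons.append("dob_plus_identifier")
    if postcode_hit and age_hit:
        reasons.append("postcode_plus_age")
    if gp_id_hit:
        reasons.append("gp_system_id")
    return ScanResult(quarantine=bool(reasons), reasons=reasons)


def triage(message: dict) -> dict:
    """Model the pipeline step: keep metadata, drop the body when the scanner fires."""
    result = scan(message["body"])
    record = {k: v for k, v in message.items() if k != "body"}
    if result.quarantine:
        record["status"] = "quarantined"  # body is never persisted; metadata kept for investigation
        record["reasons"] = result.reasons
    else:
        record["status"] = "pending_review"
        record["body"] = message["body"]
    return record


if __name__ == "__main__":
    # Constructed sample messages, not real mail.
    for body in (
        "Feasibility request for a COPD study across 12 sites in Sussex.",
        "Patient NHS number 943 476 5919 attended clinic on 03/04/2026.",
    ):
        print(triage({"from": "sender@example.org", "subject": "Enquiry", "body": body}))
```

Two caveats a reviewer would raise against any scanner of this shape: regex matching catches well-formed identifiers, not a patient named in free text or a date written out in words, so the downstream redaction layer and guardrails (§11) still matter; and the quarantine record should carry only the pattern class that fired, never the matched value, or the incident row itself becomes the leak.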
Why we do this
- Operational efficiency of a small team — without triage assistance, important sponsor inquiries get lost in spam.
- Audit trail of what we did with each inbound message (regulatory + contractual evidence).
Lawful basis
- Art 6(1)(f) legitimate interest — operating our own organisational mailbox. You voluntarily emailed us; we have a legitimate interest in reading and triaging the email.
- Art 6(1)(c) legal obligation for the audit log.
What we never do
- We never reply automatically. The portal has no `Mail.Send` permission on our mailbox; outbound replies are structurally impossible from the triage pipeline.
- We never read any other PCRA mailbox. Microsoft Exchange enforces this with an Application Access Policy restricting our portal to info@pcralliance.uk only; the portal code refuses any other mailbox at the application layer too (defence-in-depth).
- We never process patient-identifiable content through AI. The scanner runs first; quarantined messages never reach the AI parser.
Retention
| Type | Retention | Why |
|---|---|---|
| Pending review (admin hasn't actioned yet) | 90 days from receipt | Operational data tail. Dormant rows are noise. |
| Actioned (admin pushed to a project) | 7 years from terminal decision | Audit-log retention class — record of action. |
| Quarantined (scanner detected patient data) | 30 days from receipt; body never persisted | Incident-investigation window. |
Your rights
If you emailed info@pcralliance.uk and want a copy of what we hold, or want it deleted, reply to that address with the subject line "FAO Data Protection Officer". Subject access response within one calendar month.
9. Staff, healthcare professionals, suppliers & contractors
Staff
We hold the data needed to manage the employment relationship — identity, contact, employment history, qualifications, right to work, payroll, performance, training, occupational-health where relevant, criminal-record check where the role requires.
Lawful basis: Art 6(1)(b) performance of employment contract; Art 6(1)(c) for tax / NI / right-to-work obligations; Art 6(1)(f) for safety / security / professional standards.
Special category data: occupational health (Art 9(2)(b) — employment law); criminal record checks (Art 10 + Schedule 1 DPA 2018 conditions where applicable).
Retention: 6 years after employment ends (longer for pension / legal requirements).
Healthcare professionals & consultants
For independent HCPs and consultants delivering study services on contract: name, contact, professional registrations (GMC / NMC / HCPC), professional indemnity insurance, qualifications, performance metrics, payment information, training records.
Lawful basis: Art 6(1)(b) performance of contract; Art 6(1)(c) for professional registration verification.
Retention: 7 years after the last service contract ends.
Suppliers & contractors
For third-party companies (legal, IT, telecoms, professional services): business contact information, financial / payment details, due diligence and risk assessment information, insurance and certifications.
Lawful basis: Art 6(1)(b) performance of contract.
Retention: 7 years from end of the financial year of the last invoice.
10. Website visitors
When you visit our public websites (pcralliance.uk or portal.pcralliance.uk):
What we collect automatically
- Technical: IP address, browser type, device fingerprint hash, referring URL.
- Usage: pages visited, time spent, navigation patterns.
- Cookies: see §12 below.
What we collect when you submit a form
If you complete the contact form, the join-the-network form, or the sponsor enquiry form:
- Whatever you enter in the form (name, email, organisation, free-text message).
- Hidden anti-bot signals (timing, simple challenge results) used only to filter spam.
Why
- Provide the website itself.
- Improve performance and UX.
- Respond to your inquiry.
- Block spam and abuse.
Lawful basis
- Art 6(1)(f) legitimate interest for technical and usage data + spam controls.
- Art 6(1)(b) performance of pre-contractual steps for inquiry handling, OR (a) consent if you ticked a marketing-comms box.
Retention
- Web server access logs: 30 days then aggregated into anonymous statistics.
- Inquiry submissions: 2 years from receipt unless they convert into an active engagement.
11. AI processing in the portal
This section is new in v2 and explains in plain English how AI is used in the portal and the safeguards we apply.
🔒 Your AI consent — your control
AI processing of your practice's profile data only happens if you have ticked the `ai_enrichment` consent in your portal account.
- You give it once on `/member/welcome` when you first set up your practice.
- You can withdraw it at any time on `/member/profile-editor`.
- Withdrawal is immediate — the next AI call about your practice's profile (scrape, in-portal AI assistant, AI-led intake chat) is refused at the server. Withdrawal does not by itself delete past AI output, but you can ask us to delete that output too via the rights process in §17.
- You can re-grant consent at any time and the AI features turn back on.
- The text of the consent statement you ticked is stored verbatim against your account so you (and we) can always see exactly what you agreed to.
One scope clarification: this consent covers AI processing of YOUR PRACTICE'S profile data only. It does NOT cover AI triage of inbound mail to our shared inbox info@pcralliance.uk (§8) — that is our own operational mailbox under Art 6(1)(f) legitimate interest, not a per-practice consent surface. If you, as a practice user, separately email info@pcralliance.uk, that email is processed under §8's rules.
What AI does in the portal
| Use | Where | What gets sent to the AI |
|---|---|---|
| Practice profile assistance — pulling content from your public website to pre-fill your portal profile | `/member/profile-enhancement` | The HTML of your public website (only if you have given the per-practice `ai_enrichment` consent) |
| AI-led intake chat — a structured chat that helps you describe your practice in your own words | `/member/intake` | The text you type into the chat |
| Site selection ranking — helping admins shortlist practices for a study | Admin-only | Practice profile fields (no patient data, no NDA-bound sponsor content) |
| Inbound email triage — a structured summary of an email to help an admin decide what to do | Admin-only | The body and metadata of an email to info@pcralliance.uk (after the patient-data scanner has already cleared it) |
Where the AI runs
- Provider: Amazon Web Services Bedrock (region: Ireland, `eu-west-1`).
- Model: Anthropic's Claude model.
- Anthropic does NOT retain the content we send. Anthropic cannot train models on the prompts we send via Bedrock — this is fixed by our processor contracts.[^bedrock-terms]
- No cross-region inference. Our AWS account is configured to refuse any Bedrock call outside the `eu-west-1` (Ireland) region, so even a misconfigured deploy cannot push data to a US region.
- Content guardrails run on every AI call: they block NHS numbers, anonymise personal names / addresses / emails / phones, and refuse "patient identifiable information" or "clinical diagnosis" topics outright.
- A PII redaction layer in the portal runs before every AI call, removing NHS numbers / emails / phones / postcodes / DOBs / NI numbers / MRNs. In order of execution, the patient-data scanner is the first line of defence, this redaction layer the second, and the Bedrock guardrails above the third.
[^bedrock-terms]: For the technical reader: the no-retention / no-training position is contractually anchored by AWS Service Terms §50.12.5 and the Anthropic on Bedrock product terms (Section B). The detailed clause analysis lives in Appendix B of our DPIA-ADDENDUM-2026-04-23-bedrock document.
Safeguards we apply
- Patient-data scanner runs BEFORE every AI call. If the scanner quarantines content, no AI call happens at all.
- Per-practice opt-in. AI processing of your practice's profile data only happens if you have ticked the `ai_enrichment` consent in your account. Withdraw and the AI assistant + scraper turn off immediately.
- Human review of every AI output. The AI suggests; a human (you for your own profile, an admin for inbound email triage) reviews and approves before anything is acted on. We do not do automated decision-making in the meaning of UK GDPR Article 22.
- Off-switches at every level. AI can be disabled per-project (sensitive projects get the kill-switch by default), per-practice (consent withdrawal), per-environment (the `AI_ENABLED` flag), and per-task (admin can disable specific automation capabilities).
Lawful basis
- Art 6(1)(a) explicit consent for AI processing of a member practice's own profile (`ai_enrichment` consent).
- Art 6(1)(f) legitimate interest for AI-assisted triage of our own inbound mail (operational efficiency; the personal data involved is your sender identity and whatever you chose to include in the email you sent us).
What we do not do with AI
- We do not train AI models on your data.
- We do not let AI take any consequential action without a human approving.
- We do not process patient-identifiable data through AI under any circumstances.
- We do not send AI-generated replies to anyone.
- We do not use AI to make hiring, employment, credit, or care decisions.
12. Cookies & similar technologies
The portal and the public website use a small number of cookies. We only set what is genuinely necessary unless you explicitly opt in to the optional ones.
Strictly necessary cookies
| Name | Purpose | Lifetime |
|---|---|---|
| `authjs.session-token` (or `__Secure-authjs.session-token` on https) | Keeps you signed in to the portal | 30 days |
| `pcra_trusted_device` | After your first 2FA, marks the device as trusted so you don't get a passcode every login | 60 days |
| `__vercel_live_token`, `__vercel_anti_bot` and similar | Hosting platform's anti-bot protection | Session |
These do not require consent under PECR — they are essential to the service you have requested.
Optional cookies
We do not currently set analytics or marketing cookies. If we add any in future, we will display a cookie banner on first visit and only set them after you opt in.
How to control cookies
You can clear or block cookies in your browser settings. Doing so for the strictly necessary cookies will prevent you from staying signed in to the portal.
13. Sharing data — sub-processors and recipients
We share personal data with:
Operational recipients
- Study sponsors and CROs — only patient and study-related data, in line with the study protocol and your consent.
- Regulatory authorities (MHRA, Research Ethics Committees, ICO) — on lawful request.
- Your GP, specialists, pathology labs — for clinical care related to the study.
- Member practices — see what each other publishes (each practice controls what is published and what stays in draft).
- Sponsor users — see published practice profiles only; never your draft data.
Sub-processors (process data on our behalf, not for their own purposes)
| Sub-processor | What they do | Where they hold data | Contractual basis |
|---|---|---|---|
| Microsoft Corporation | Microsoft 365 — staff email, calendar, the info@pcralliance.uk mailbox the portal polls | UK / EU under the Microsoft EU Data Boundary | Microsoft Online Services DPA + UK addendum |
| Vercel Inc. | Hosting the portal application; serverless functions execute in London (lhr1); the company is US-headquartered | UK / EU functions; US corporate metadata | UK International Data Transfer Addendum (IDTA) + Standard Contractual Clauses (SCCs) |
| Neon, LLC (Databricks Inc. affiliate) | Postgres database for the portal | UK (eu-west-2, London) | Databricks Master Customer Services Agreement + DPA + Neon Platform Services Schedule |
| Amazon Web Services EMEA Sàrl | AWS Bedrock (the AI service) and S3 (document storage) | Ireland (eu-west-1) for Bedrock; London (eu-west-2) for S3 | UK IDTA + SCCs + AWS DPA |
| Anthropic PBC | Sub-processor of AWS Bedrock — provides the Claude model. Does not retain content per Bedrock contractual terms. | n/a — no data retention | Covered by AWS DPA |
| GitHub, Inc. | Source code hosting (no personal data ever in source code) | USA | DPF + SCCs |
We do not sell or rent your personal data, ever. We do not share with advertising networks, data brokers, or any third party not listed here without first updating this notice.
14. International data transfers
Where we transfer personal data outside the UK we ensure appropriate safeguards under UK GDPR Articles 45–49:
- EU adequacy for transfers to Microsoft / AWS / Neon EU regions.
- UK International Data Transfer Addendum + Standard Contractual Clauses (signed under each processor's DPA) for any residual US touchpoint (Vercel / GitHub / Anthropic on Bedrock).
- No direct transfers to the US for AI processing. AWS Bedrock is locked to `eu-west-1` by an account-level Service Control Policy that denies any other region.
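The region pin described here and in §11 ("Where the AI runs") is the kind of control that is expressed as an AWS Organizations Service Control Policy. The policy below is an added illustration, not PCRA's actual SCP: the statement IDs are arbitrary, and `aws:RequestedRegion` is the standard condition key for denying calls made against other regions. The second statement is a caveat the notice does not mention: a Deny keyed on the request region does not stop a call made in `eu-west-1` against a system-defined EU cross-region inference profile, which Bedrock may route to another EU region, so invocation of inference-profile resources is denied separately. The inference-profile ARN pattern is assumed and should be checked against the IAM service authorization reference for Bedrock before use.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyBedrockOutsideEuWest1",
      "Effect": "Deny",
      "Action": "bedrock:*",
      "Resource": "*",
      "Condition": {
        "StringNotEquals": { "aws:RequestedRegion": "eu-west-1" }
      }
    },
    {
      "Sid": "DenyCrossRegionInferenceProfiles",
      "Effect": "Deny",
      "Action": [
        "bedrock:InvokeModel",
        "bedrock:InvokeModelWithResponseStream"
      ],
      "Resource": "arn:aws:bedrock:*:*:inference-profile/*"
    }
  ]
}
```

Two checks a reviewer would make alongside the policy text: SCPs do not apply to the organisation's management account, so the portal's workloads must run in a member account under the OU the policy is attached to; and an SCP that exists but is not attached enforces nothing, so the attachment, not just the document, is what a Transfer Impact Assessment should evidence.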
We have undertaken Transfer Impact Assessments (TIAs) for each non-UK processor. Copies are available to data subjects on request to the DPO.
15. How long we keep your data
| Data category | Retention period | Trigger |
|---|---|---|
| Clinical research participant data | 15–25 years | End of study, per ICH-GCP and sponsor protocol |
| NHS-record-derived data | Per NHS Records Management Code of Practice | Varies by category |
| Member-practice profile data | Duration of membership + 12 months tail | Membership ends |
| Member-practice user account | While account is active; 7 years for the audit-log entries after deactivation | Account closure |
| Sponsor user account & NDA acceptances | 7 years | Account closure |
| Inbound email — pending review | 90 days | Receipt |
| Inbound email — actioned by admin | 7 years | Terminal decision |
| Inbound email — quarantined by patient-data scanner (body never persisted) | 30 days | Receipt |
| Audit log entries | 7 years | Action timestamp |
| AI invocation records (without content — only counts and template id) | 7 years for regulated projects, 2 years for internal | Invocation |
| Employee data | 6 years (longer for pensions) | Employment ends |
| Healthcare professional / contractor data | 7 years | Last contract ends |
| Supplier data | 7 years from end of financial year of last invoice | Invoice paid |
| Marketing data | 3 years from last engagement, or until you withdraw consent | Last engagement / withdrawal |
| Web server access logs | 30 days then aggregated to anonymous statistics | Receipt |
| Portal session cookie | 30 days | Set (sliding) |
| Trusted-device cookie (2FA bypass) | 60 days | Set |
| Website / portal inquiry form submissions | 2 years from receipt, or until conversion to active engagement | Receipt |
| 2FA tokens | 10 minutes | Issued |
The complete retention schedule with the per-table specifics is at docs/governance/RETENTION-SCHEDULE.md. Available to data subjects on request.
16. Security measures
We take security seriously and implement layered controls.
Technical
- Transit: all traffic to / from the portal is TLS 1.2 or higher.
- At rest: database encryption (Neon AES-256); portal application secrets encrypted in Vercel environment variables.
- Authentication: email + password (bcrypt) + email-based one-time passcode (2FA) with optional 60-day trusted-device exemption.
- Authorisation: role-based access control (admin / member / sponsor) enforced at every endpoint; per-project membership lists for sponsor data; NDA click-through for sensitive documents.
- Audit logging: every consequential action recorded with userId, timestamp, IP, content hash where relevant. 7-year retention.
- Patient-data scanner: runs at every ingest point (uploads, forms, inbound mail). Quarantines matched content, records a `PatientDataIncident` row and triggers the DPO notification path.
- AI controls: PII redaction before every AI call, AWS Bedrock Guardrails, EU-region pin enforced by Service Control Policy.
- Vulnerability management: dependency security scanning, regular updates.
- Penetration testing: annual penetration testing is conducted by an independent third-party tester; results are reviewed by the DPO.
Organisational
- Data protection training: all staff trained on data protection at induction and annually.
- Access controls: based on job requirements; quarterly review.
- Incident response procedures: documented playbook + DPO notification within 24 hours of detected breach. ICO notification within 72 hours where required.
- Secure data disposal: cryptographic erasure for hosted data; secure shredding for paper.
- Vendor due diligence: sub-processors reviewed before engagement and re-reviewed annually.
Data Breach Response
If you suspect any misuse, loss, or unauthorised access to your data, contact us at info@pcralliance.uk (subject line "FAO Data Protection Officer") immediately.
17. Your rights
Under UK GDPR you have the following rights. We will respond within one calendar month of a verified request.
| Right | What it means | How to exercise it |
|---|---|---|
| Access (Art 15) | Get a copy of the personal data we hold about you | Email info@pcralliance.uk (FAO Data Protection Officer); for member-practice users some data is self-export from the portal Settings page |
| Rectification (Art 16) | Correct inaccurate or incomplete data | Self-edit in the portal where possible; otherwise email info@pcralliance.uk (FAO Data Protection Officer) |
| Erasure (Art 17) | Request deletion of your data, subject to legal limitations | Email info@pcralliance.uk (FAO Data Protection Officer). Member-practice users: account deletion request → 30 day removal |
| Restriction (Art 18) | Limit how we use your data while a dispute is resolved | Email info@pcralliance.uk (FAO Data Protection Officer) |
| Portability (Art 20) | Receive your data in a portable format | Email info@pcralliance.uk (FAO Data Protection Officer); portal export for self-service where available |
| Objection (Art 21) | Object to processing based on legitimate interests, including direct marketing | Email info@pcralliance.uk (FAO Data Protection Officer); opt-out link in marketing emails |
| Withdrawal of consent | Where consent is the basis (e.g. ai_enrichment), withdraw it | Self-service in the portal Settings; or email info@pcralliance.uk (FAO Data Protection Officer) |
| Not be subject to solely automated decisions (Art 22) | We do not perform any solely automated decision-making — every consequential output is human-reviewed before action | n/a — already structurally enforced |
Limitations
Some rights may be limited where we have overriding legal obligations (regulatory record-keeping for clinical research, audit trail retention) or legitimate interests. We will explain in our response if any limit applies to your specific request.
Verification
We may need to verify your identity before responding — typically by asking you to confirm details we already hold for you. We will not ask for ID documents we do not already have.
18. Marketing communications
We may contact you about our services, research opportunities, or events.
- For practice members: by virtue of your membership, you receive operational emails about opportunities. You can opt out of "non-essential" emails (newsletters, network announcements) without losing operational ones.
- For sponsor contacts: similarly tied to your engagement with us.
- For everyone else: explicit opt-in to a mailing list.
You can unsubscribe at any time using the link in any marketing email or by emailing info@pcralliance.uk.
19. Complaints
If you're dissatisfied with how we handle your personal data:
- Contact us first. Email info@pcralliance.uk with the subject line "FAO Data Protection Officer", or write to the DPO at our registered address.
- Independent review. Contact the Information Commissioner's Office (ICO):
- Website: https://www.ico.org.uk
- Helpline: 0303 123 1113
The ICO is the UK's independent data protection regulator. You have the right to complain to them at any time, with or without contacting us first.
20. Links to other websites
Our website and portal may link to external sites (e.g. sponsor websites, regulator pages, public clinical-trial registries). We are not responsible for the privacy practices of those sites. Please review their privacy policies before providing personal information.
21. Changes to this notice
We may update this notice to reflect changes in our practices or legal requirements. The "version" number and "Effective from" date at the top of this document tell you whether you are reading a current version.
For material changes (new processing activity, new sub-processor, broader sharing), we will notify affected data subjects directly — email to known users, banner notice on the portal at first sign-in after the change.
22. Contact us
For any question about this notice or how we handle your data:
| Data Protection Officer | Contact via info@pcralliance.uk with the subject line "FAO Data Protection Officer", or by post to the address below |
| General enquiries | info@pcralliance.uk |
| Postal | Data Protection Officer, Primary Care Research Alliance Ltd, Middleton House, Yapton Road, PO22 6DU |
| ICO Registration | ZB864081 |
Appendix A — Version history
| Version | Date | Author | Change summary |
|---|---|---|---|
| 1.0 | 2025-09-11 | Daphne Hazell (CEO) | Initial public privacy notice. Five data-subject categories: research participants, staff, HCPs, suppliers, website visitors. |
| 2.0 (DRAFT) | 2026-05-07 | Daphne Hazell (CEO) | Restructured around portal-era data subjects. Three new categories (member-practice users, sponsor users, inbound mail senders). New §11 AI processing. New §12 cookies. §13 sub-processors named explicitly. §14 international transfers expanded with TIA reference. §15 retention schedule expanded with 7 portal-specific rows. §16 security measures expanded. DPO contact details fixed. Pending DPO countersign. |