This notice is directed to participants in the NHS-Galleri trial. This trial is organised by GRAIL Bio UK Ltd. (the UK subsidiary of a U.S. company called GRAIL, Inc.) in partnership with the National Health Service (NHS) and King’s College London. The Participant Information Sheet (PIS) that you will receive when you join the study describes the procedures you undergo during the study, the information collected from you during the study, and how the trial organisers use the information collected about you during the study. As explained in the PIS, GRAIL, Inc. (GRAIL), 1525 O’Brien Drive, Menlo Park, California, 94025, USA, is a company that has developed a blood test for early cancer detection and is providing money and equipment to support the NHS-Galleri trial. This notice describes how the information is used that is received about you from the trial.
Who are the data controllers of my information?
GRAIL Bio UK Ltd. and King’s College London are joint data controllers for the NHS-Galleri trial and will be responsible for coordinating the collection and use of your data under the trial. GRAIL in the U.S. will receive certain information about you as part of the NHS-Galleri trial. GRAIL Bio UK Ltd. will be the data controller in relation to the processing of the information that GRAIL receives from the trial.
What information does GRAIL Bio UK Ltd. receive about me?
GRAIL Bio UK Ltd. receives personal information about you, including your [name, date of birth, NHS number, address (including postcode), telephone number, and email]. The trial team will also receive any information you enter into the electronic questionnaires during trial appointments, information from your medical records and other health databases that is collected for the trial, as well reports of side effects occurring during the trial. This information will include details about your health, your sex, your age, and once the test is completed, the test result. GRAIL Bio UK Ltd. will have access to your health information held by King’s College London and information held about you by the National Cancer Registration and Analysis Service (NCRAS) and NHS Digital in the UK.
What information does GRAIL, Inc. in the United States receive about me?
Importantly, the information and samples that GRAIL Inc. in the U.S. receives do not contain your name or other information from which you can readily be identified. Instead, the information that GRAIL receives contains coded numbers in place of your name and other readily identifying information; this is sometimes called “pseudonymised” or “coded” information. Only certain authorised members of the trial team will be able to link your name to this code. GRAIL will not have access to the link between the code and your name.
What does GRAIL do with my information and samples?
GRAIL will perform tests, including DNA analyses, on your samples. GRAIL will use these test results and the other information described above for research purposes related to evaluating the test for early cancer detection. GRAIL may also use this information to authorise and commercialize this test. As part of this process, GRAIL may share your information with collaborators and other researchers. Your personal information will be stored separately (but linked via unique identifiers to your blood samples and other health information about you. This is so that only the members of the trial team who need to see your personal information will have access to it. Your personal data will be accessed by GRAIL Bio UK Ltd. and King’s College London staff in the UK involved in your participation and approved third parties for the purposes of this trial.
GRAIL, its collaborators, and other researchers may use your information to conduct additional studies with the information collected in this study to advance scientific research and public health. These projects may involve bringing together coded information from the NHS-Galleri trial with information from other studies or sources outside typical research settings, such as electronic health records or biobanks. If your coded information is used for additional studies, specific safeguards will be used to protect the information, which may include:
- Limiting access to specific individuals who are obligated to keep the information confidential.
- Using security measures to avoid information loss and unauthorised access.
- Anonymising the information by destroying the link between the coded information and your personal identifiers.
- When required by applicable law, ensuring that the scientific research has the approval of research ethics committees (RECs), or other similar review groups.
GRAIL, its collaborators and other researchers may publish the results of the research, and they may be required by law or scientific journal policy to make information generated in the research publicly available or available to future researchers. If GRAIL, its collaborators, or other researchers make public any study results, the results will not contain your name or other details that can easily be used to identify you.
What is the basis for processing my information?
GRAIL and King’s College London need a valid legal reason to process and use your information. This is called a “legal basis.” GRAIL’s legal basis for processing your information is its legitimate interest in conducting scientific research and to improve the test in the future. King’s College London’s legal basis for processing your information is its public task in the public interest as a research institution.
How long will my information be kept?
GRAIL will keep your information for as long as needed to fulfil the purposes outlined in this notice and the PIS, which may be indefinitely, unless a different retention period is required by law. King’s College London and GRAIL will keep your information for up to 10 years after the trial finishes. Information that is both aggregated and anonymised will be retained indefinitely.
Will my information be transferred outside of the United Kingdom?
Your samples will be transferred to the United States, where GRAIL laboratories are located. Your samples will be marked with study identifiers but no personal identifiers will be used or transferred outside of the UK. Some countries, including the United States, have been found by the European Commission not to offer the same level of data protection as that found in the European Economic Area. GRAIL and the study organizers have entered into a data transfer agreement in a form approved by the European Commission to make sure that your information remains protected after it is sent to GRAIL. Please contact your study team if you wish to obtain a copy of the standard data transfer agreement.
What are my rights?
Under data protection legislation you have certain rights in relation to your personal information, including the right to access, correct, erase or restrict or object to the use of your personal information. These rights are limited in the research setting, however, because GRAIL needs to manage your information in specific ways in order for the research to be reliable and accurate. Because GRAIL does not know your identity, if you wish to exercise any of these rights, you should contact your study doctor or members of the study team and they can direct your question to the appropriate person at GRAIL.
You also have the right to make a complaint with the Information Commissioner’s Office (ICO) (the UK data protection regulator). For further information on your rights and how to complain to the ICO, please refer to the ICO.
Whom can I contact with questions?
IRAS Project ID: 293034
Wales REC1 Ref: 21/WA/014
Version 4.0 — 25 JAN 2022