Legal

Data Protection & GDPR

Last updated: April 2025

1. Our Commitment

TrialConnect is committed to protecting your personal data, especially health-related information which is classified as "special category data" under UK GDPR. We go beyond minimum compliance to build trust through transparency and robust safeguards.

2. Data Controller

TrialConnect Ltd is the data controller for personal data processed through this platform. Our Data Protection Officer (DPO) can be reached via our contact page.

3. Lawful Basis for Processing Health Data

Under Article 9 of UK GDPR, health data requires additional protection. We process health data only when:

  • Explicit consent — you have clearly agreed to share health information for trial matching purposes.
  • Substantial public interest — facilitating clinical trial participation serves a clear public health benefit.
  • Healthcare purposes — as recognised under Schedule 1, Part 1 of the Data Protection Act 2018.

4. Data Protection Impact Assessments (DPIAs)

We conduct DPIAs for any new processing activity involving health data. This includes our trial matching algorithm, patient profile storage, and any data sharing with trial sponsors. DPIAs are reviewed annually and whenever significant changes occur.

5. Technical & Organisational Measures

Encryption

TLS 1.3 in transit, AES-256 at rest for all health data

Access controls

Role-based access, principle of least privilege, audit logs

Minimisation

We collect only data necessary for trial matching

Pseudonymisation

Health profiles are separated from identifying information

Regular testing

Penetration testing and vulnerability assessments

Staff training

Annual data protection training for all team members

6. Data Subject Rights

You have the following rights under UK GDPR:

  • Right of access (Article 15): request a copy of all personal data we hold about you.
  • Right to rectification (Article 16): correct inaccurate or incomplete data.
  • Right to erasure (Article 17): request deletion of your data when no longer necessary.
  • Right to restriction (Article 18): limit how we process your data in certain circumstances.
  • Right to data portability (Article 20): receive your data in a structured, machine-readable format.
  • Right to object (Article 21): object to processing based on legitimate interests.
  • Right regarding automated decisions (Article 22): request human review of algorithmic matching decisions.

To exercise any right, visit our contact page. We respond to all requests within 30 days.

7. Data Breach Procedures

In the event of a personal data breach, we will notify the Information Commissioner's Office (ICO) within 72 hours where the breach is likely to result in a risk to your rights. If the breach is likely to result in a high risk, we will also notify affected individuals directly without undue delay.

8. Data Processors

Third-party processors who handle data on our behalf are bound by GDPR-compliant data processing agreements. We vet all processors for security standards and UK/EEA data residency before engagement.

9. Complaints

If you believe your data has been mishandled, you have the right to lodge a complaint with the Information Commissioner's Office (ICO). We encourage you to contact us first so we can resolve any issues promptly.

10. Related Documents

Privacy PolicyTerms of ServiceContact Us