Privacy Policy

The University of Surrey is the “Data Controller” of your personal data. We are registered with the Information Commissioner’s Office (our notification number is Z6346945) and we are committed to ensuring that the personal data we process is handled in accordance with data protection legislation.

The Dental Disease Detection Team is part of The Department of Computer Science at The University of Surrey. DR CAPS is an annotation and radiograph collection tool that we are using to collect usable data. We have a named Data Protection Officer, Suzie Mereweather, who can be contacted via dataprotection@surrey.ac.uk.

One of our responsibilities is to tell you about the different ways we collect and use your personal data. This statement provides details about these uses. In addition to this statement, you may be given further information about the uses of your personal data when you use certain services offered by the University of Surrey.

What information do we collect from you?

The Dental Disease Detection Team holds and processes personal data about:

• Authorised users
• Users of previous annotation and data collection methods
• People who have requested to be authorised users

The personal data we hold about you consists of name, email, professional bio/research/achievements, years practicing dentistry, field of dentistry. We only collect the data we need and keep that data up to date. Additionally, non-identifying patient data is collected in the form of annotations completed by the users, and radiographs manually uploaded by the user (optional), which are connected the username and email of the annotating user.

We receive this data from you when you:

• Complete this form
• Contact us to register interest
• Complete annotations or upload radiographs

We also receive data such as name, email, field of dentistry, years practicing, professional bio/research/achievements to email potential users about signing up, internally from:

• Other authorised users (recommendation)
• Recommendations from dentists involved in the project
• Users of previous annotation and data collection methods

Externally from third parties. These third parties are:

• Professional organisations by recommendation
• Professional organisations about/team page
• Linked In and other social media
• Dental Schools

We analyse geographic, demographic and other information relating to you from publicly available sources, such as Linked In and other publicly available social media.

Why do we collect this information?

The University collects only the data we need and we keep the data up to date and only for as long as it is needed.

It is important for you to know the lawful basis for us processing your information:

We process data to ensure that we can carry out our public role as an educational and research establishment, meeting legal, moral, and contractual obligations as laid out in the University’s Charter.

We also process data to meet our statutory and legal requirements, specifically when we have to report to governmental bodies and to ensure we are meeting our legal requirement under equality.

We also process data to meet our contractual duties to you and provide you with access to the annotation service, and the ability to sign up and delete your account/access to the data collection website as laid out in our contract with you.

We also process data in our legitimate interests to give you an option to take part in future data collection methods, to produce statistics for internal improvements, and to manage users. These legitimate interests are determined through an assessment made by weighing our requirements against the impact of the processing on you. Our legitimate interests will never override your right to privacy and the freedoms that require the protection of your personal data. If you are interested in learning more about this legitimate interest assessment, please contact dataprotection@surrey.ac.uk.

We process data because you give us your consent, specifically to further our research using the collected radiographs and annotations, and to contact you about annotations, radiographs, and authorised user status.

We do not use the personal data we collect to make decisions about individuals or to analyse information on an individual level. However, we do analyse submitted radiographs and annotations to determine if they should be used in our research, and to determine if the submitting user is using the data collection website as intended and if they should remain an authorised user.

If the user uploads a radiograph using the ‘upload a radiograph’ feature, it is the user’s responsibility to ensure they are allowed to share the non-identifying patient data/radiograph with us. Additionally, by uploading and submitting a radiograph the user agrees to have the image and annotations used in our research and agrees to have the radiograph viewed and annotated by other users.

What do we do with your information?

The University processes personal data and radiographs/annotations in accordance with data protection legislation and its own Data Protection Policy.

We track activity in the University’s legitimate interest submitted radiographs and annotations, to obtain information about the way you access and use the data collection website to analyse the effectiveness of the data collection website.

We combine the data you provide with data obtained from professional organisations and social media to keep a record of your dental expertise and quality of radiographs/annotations. We do this in the University’s legitimate interests.

We do not use special category data relating to ethnicity and disability at a statistical level as it is unnecessary to the nature of the data collection website.

We monitor use of the data collection website in the University’s legitimate interests to ensure adherence to the Acceptable Use Policy, and to ensure the user is using the data collection website as intended.

We analyse the effectiveness of our service at an aggregate level so that no individuals are identified from the data. Additionally, if data is used in research, radiographs and their annotations are used in a way so that no individuals are identified from the data.

How long do we keep your information?

We keep your personal data in accordance with the University’s retention schedules which are available by emailing dataprotection@surrey.ac.uk.

We only keep your personal data for as long as it takes to collect the data required to conduct our research. Images and annotations used in the research will not contain identifying information but will be linked to an anonymised ‘annotator’. If you have deleted your account without completing any annotations or uploading any images, your personal data will not be kept.

All relevant safeguards are met in relation to this historical research, which can be found in our Archives Policy.

How do we protect your data?

We take the security of the personal data we hold seriously. Details on university wide measures surrounding IT security can be found in the principal IT Security Policy which sets out the definition of, commitment to and requirements of Information Technology and Security.

We have internal policies and controls in place to try to ensure that your data is not lost, accidentally destroyed, misused or disclosed, and is not accessed except by our employees in the performance of their duties.

Where we engage third parties to process personal data on our behalf, they do so on the basis of written instructions contained within a contract, are under a duty of confidentiality and are obliged to implement appropriate technical and organisational measures to ensure the security of data.

Who do we share your information with?

Internally, we share your personal data with:

• The Research Team in order to conduct research and manage the data collection process
• The Internal Audit Team in order to ensure University compliance with policies and processes
• IT Services in order to assist in any it related issues

We share your personal data externally with the following third parties:

• Partnered teams involved in the project in order to conduct research
• External Development in order to fix urgent bug and issues with the website

What rights do you have in relation to the way we process your data?

As an individual whose data we process (a data subject), you have certain rights in relation to the processing. You can find detailed information about your rights as a data subject on the University’s webpage.

You have the right to:

• withdraw your consent in circumstances where we are processing your personal data on that basis
• Ask us to confirm that your personal data is being processed and to access (i.e. have a copy) of that data as well as to be provided with supplemental information about the processing
• request that we rectify any inaccuracies where the data we hold on you is inaccurate or incomplete
• Have your data erased by us, although in certain circumstances we may not be able to do this, for example, where we must comply with a legal obligation or in managing your health and social care. The circumstances where this applies can be found in the data subject rights information on the University’s webpage
• Restrict the processing of your personal data in certain ways
• Obtain your personal data for reuse
• Object to certain processing of your personal data

To exercise any of these rights, please contact dataprotection@surrey.ac.uk.

If you have any concerns about the way that we have handled your personal data, please contact us as we would like to have the opportunity to resolve your concerns. If you’re still unhappy, you have the right to lodge a complaint with the Information Commissioner’s Office. Please see their website at: https://ico.org.uk/make-a-complaint/.