Accessibility > NCD-RisC

What is the purpose of this document?

Imperial College of Science, Technology and Medicine (the "University", "Imperial", "we", "our" or "us") is committed to protecting the privacy and security of your personal data.

This privacy notice describes how we collect and use personal data about you during and after your relationship with us, in accordance with the applicable data protection legislation.

For the purposes of any applicable data protection legislation in England and Wales, including the Data Protection Act 2018 (DPA) and the UK General Data Protection Regulation (UK GDPR), Imperial is the data controller of your personal data.

This notice applies to those individuals who engage with the NCD Risk Factor Collaboration (NCD-RisC), directly or through website https://www.ncdrisc.org.

It is important that you read this notice, together with any other privacy notice we may provide on specific occasions when we are collecting or processing personal data about you, so that you are aware of how and why we are using such personal data.

How is your personal data collected?

Imperial collects your personal data from the following sources:

via our online / physical forms which you complete via our website,
when you contact / engage with the team directly and request assistance or more information about the Collaboration

We may sometimes collect additional personal data about you from third parties. These may include:

affiliate partners where you have consented / requested for Imperial to do something.

What categories of personal data do we collect?

We may collect, store, and use the following categories of personal data about you:

Personal contact details such as name, title, addresses, telephone numbers, fax numbers and personal email addresses.
Professional contact details such as job titles, work history, institutional affiliations, addresses, telephone numbers, fax numbers and work email addresses.
Education background and other bibliographic information you provide.
Social media details, publication information.

How we will use personal data about you and the legal basis for processing your personal data under the GDPR

Most commonly, we will use your personal data in the following circumstances:

Where we need to perform the contract, we have entered into with you or in order to take steps at your request prior to the entry into a contract. (1)
Where we need to comply with a legal obligation. (2)
Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests. (3)
Where you have consented to the processing. (4)

Situations in which we will use your personal data

We have indicated by (number) the purpose or purposes for which we are processing or will process your personal data, as well as indicating which categories of data are involved.

To provide you with the information and / or services that you request from us. (4)
To contact you in relation to starting and managing your participation in the Collaboration. (1)
To manage your request to access information / data sets held by the Collaboration. (2)(3)
To ensure we meet any and all legal obligations with regards to the service we provide to you for the duration of your engagement with the Collaboration. (2)
To administer and fulfil requirements of your participation and any related terms and conditions. (1)(2)(3)
To notify you about changes to the network. (1)(3)
To conduct data analytics to review and better understand how our data is used. (3)
To ensure the information we hold about you is up to date and accurate. (1)(3)
To ensure that content from our site is presented in the most effective manner for you and your computer or mobile device. (3)(4)
To provide you with relevant news and special offers by email, phone or post where you have consented to receive this information. (4)

Some of the above grounds for processing will overlap and there may be several grounds which justify our use of your personal data.

Change of purpose

We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.

Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.

Automated decision-making

You will not be subject to decisions that will have a significant impact on you based solely on automated decision-making.

Data sharing

We may share your personal data with third parties where required by law, where it is necessary to administer the relationship with you or where we have another legitimate interest in doing so.

Which third-party service providers process my personal data?

"Third parties" includes third-party service providers (including contractors and designated agents) and other entities within the University group.

What about other third parties?

We may share your personal data with other third parties, for example in the context of the possible sale or restructuring of the business and operations of the University. We may also need to share your personal data with a regulator or to otherwise comply with the law.

International transfers of data

The university will, where necessary, disclose personal data to third parties, or allow personal data to be stored or handled, in countries outside the UK in order to process your data and/or perform our contract with you. For example, we will transfer data to:

IT / service providers based overseas;

In these circumstances, your personal data will only be transferred on one of the following bases:

where the transfer is subject to one or more of the "appropriate safeguards" for international transfers prescribed by applicable law (e.g. data transfer assessments and standard data protection contract clauses adopted by the European Commission and UK Government respectively);
a UK adequacy decision has been awarded for that country or territory which has determined the destination country has adequate levels of protection in place; or
there exists another situation where the transfer is permitted under applicable law (for example, where we have your explicit consent or an exception applies).

Data security

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions, and they are subject to a duty of confidentiality.

We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where necessary.

How secure is my data with third-party service providers and other entities in our group?

All our third-party service providers and other entities in the Imperial group are required to take appropriate security measures to protect your personal data in line with our policies. We do not allow our third-party service providers to use your personal data for their own purposes. We only permit them to process your personal data for specified purposes and in accordance with our instructions.

Data retention

How long will you use and retain your data for?

We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. Details of retention periods for different records Imperial holds are available in our retention policy which is available via the following URL.

https://www.imperial.ac.uk/media/imperial-college/administration-and-support-services/records-and-archives/public/Retention-Schedule-May-2024.pdf

Predominantly we will retain your data for the period in which you are engaged with the Collaboration and for publishing requirements.

Your rights under the Data Protection Legislation

Under data protection legislation you have a variety of rights available to you. To find more information about the above rights please view the following URL.

https://www.imperial.ac.uk/admin-services/governance/policies-and-guidance/guidance/guide-10/

Please note that the above rights are not absolute, and requests may be refused where exceptions apply.

If you have any questions about these rights or how your personal data is used by us, you can contact the team directly via

ncdrisc@imperial.ac.uk

For any concerns/complaints, please contact the Data Protection Officer using the following details:

Post — Data Protection Officer Address - Imperial College of Science, Technology and Medicine, The MediaWorks, 191 Wood Lane, W12 7FP.
Email — DPO@imperial.ac.uk.

If you are not satisfied with how your personal data is used by Imperial, you can make a complaint to the Information Commissioner (www.ico.org.uk).

Changes to this privacy notice

We reserve the right to update this privacy notice at any time, and we will provide you with a new privacy notice when we make any substantial updates. We may also notify you in other ways from time to time about the processing of your personal data.

Document last updated in March 2026

Version 1.0

NCD-RisC Privacy Notice