Prevent: Privacy Policy

Updated: 15 December 2021

What is Prevent?

The Prevent app is designed to be used as a tool to help users set goals and track their progress relating to their eating, smoking, drinking and physical activity with a view of helping them manage risk factors associated with breast cancer. Researchers will also collect data from participants to better understand the effectiveness of this tool.

Who has reviewed Prevent?

The app has been developed as part of a research project for which ethics approval was obtained from The University of Manchester Research Ethics Committee (UREC) (Ref: 2021-12590-20551). The processing and handling of any data collected by the app is handled in accordance with the Privacy Notice for Research Participants and the associated Data Management Plan (DMP) for the research project (Ref: 57905), reviewed by the Information Governance Office at The University of Manchester. The app has undergone an internal test programme prior to public release and has been approved for release by the research team and the Research IT Strategy and Change Management Board (RIT SCMB) at The University of Manchester.

How does Prevent handle data?

Research IT at The University of Manchester handles data in compliance with UK GDPR and the Data Protection Act 2018. By using the app, users agree that researchers at The University of Manchester and collaborating institutions, associated with the development of the app can use any data collected for research purposes only. All research data handling is compliant with our Privacy Notice for Research Participants.

What data is stored on the device?

In order to function, the app is required to store some information locally on your device. The following information is stored in a database which resides in a private application directory on your device. This data may be used strictly behind-the-scenes or may be displayed directly on screen in appropriate locations to assist with the function of the app.

• Activity Log History - The date logs were created, their content inlcuding all your repsonses and entered data inlcuding your target goals. This is to allow you to review your own responses within the app.
• Participant Information - Your chosen preferences during setup including your ID number, long term and motivational goals, height and latest weight and body mass index. This data is to allow the app to be customised by you and to allow the app to provide its features such as calculating your body mass index.
• Reminder Schedule - Based on your frequency preferences, the app will also maintain a log completion schedule which it uses to set due dates and provide notifications.

This database is erased when the app is uninstalled.

It is the responsibility of the device owner to protect their access to their device and hence the data store on it. We strongly recommend that you use some form of screen lock and storage encryption to protect unauthorised access to any of the data we store or display in the app.

What data is transmitted to researchers?

The app sends data to University researchers through the following mechanisms:

• StorageConnect - secure data collection system operated by Research IT at the University of Manchester.
• Google Firebase Analytics - a service for collecting events associated with app usage operated by Google.
• Microsoft App Center - a service for collecting diagnostic information about errors and crashes operated by Microsoft.

Note that if an internet connection is not available at the time of transmission, StorageConnect data is buffered in a separate local database on the device. Once an internet connection is available again, these records are transmitted and deleted from this local database.

The following data is transmitted to researchers:

• Activity Logs - Your activity logs are transmitted to researchers to allow them to monitor engagement and explore whether the app is having a positive effect in being able to reduce the risks of breast cancer in users.
• Participant ID - This is your anonymised ID number which is sent to researchers to identify when two logs come from teh same person.

Is any data Person Identifying Information (PII) and linked to my identity?

The Participant ID transmitted to researchers cannot be linked to your identity on its own. Researchers may reverse the anonymisation by matching your ID number to any PII they may have collected when you signed up to the study. However, the circumstances in which this would be required will be stated in the Participant Information Sheet when you signed up. The app does not directly collect any PII or link any information to your identity.

How will you protect my data?

All transmissions over the internet are encrypted using a standard TSL/SSL encryption protocol and is thus protected in transit. The data you send us is stored on systems that are access-controlled and data is only accessible by project researchers and nominated collaborators. The StorageConnect system is also accessible by select members of Research IT. Access to StorageConnect is controlled by Research IT on a person-by-person basis and will not be granted to individuals not affiliated with the research project to which the data is attached. StorageConnect is backed-up and replicated daily. Records stored in StorageConnect are given an anonymous user ID and are not identified against any username or password you may have been asked to enter into the app unless a separate identifier is collected as part of the record.

What will you use the data for?

The data will be used to quantify the effectiveness of the app in reducing risks associated with breast cancer. This will be done by exploring user engagement (frequency of logs submitted) and the trends in target goals or submitted log data (i.e. a measurable reduction in alcohol consumed and a decreasing target).

Who will you share the data with?

The data may be shared with researchers at both The University of Manchester and Manchester NHS Foundation Trust. The anonymised data may also be shared via publication or with other researchers for research purposes only.

Does Prevent collect usage statistics or analytics?

The app connects automatically to Microsoft App Center servers for the purposes of crash reporting and usage monitoring. In the event of a crash, or when you install, uninstall or open the app, the app will collect the following information:

• Device information (e.g. make, model, operating system and version)
• Unique device identifiers (not directly person-identifying but allows us to know two reports came from the same device)
• Location data (only what country your device is in and what time zone)
• Usage data (limited to when you installed / uninstalled / opened the app)

This information is transmitted to servers not owned by The University of Manchester, and is hence shared with the third-parties who operate the crash monitoring services. We make use of this service to monitor how many people are using the app and to acquire details on crashes users may have experienced. This allows us to improve future versions of the app. This data is only accessible to Research IT staff and is not shared with other services.

Does Prevent access third-party content?

The app contains links to websites. If you click on a link, you will be directed to that site. Note that these external sites are not operated by the app provider. Therefore, we would advise you to review the Privacy Policy of these websites. We have no control over, and assume no responsibility for, the accuracy of content, the privacy policies, or practices of any third-party sites or services.

What permissions does Prevent need?

The app requires permission to access certain features of your device for its functionality. The permissions required along with the reason are described below:

• Internet / Network - The app requires access to the internet to communicate with web-based systems.

Who do I contact about the study?

Lead Researcher: Mary Pegington
Phone: +44 161 2914411
Email: Mary.Pegington@manchester.ac.uk

What if I have a complaint about the research team?

We encourage you to contact the research team in the first instance. However, if you are dissatisfied with their response and wish to make a formal complaint about the conduct of the research team, please write to:

Head of the Research Office
Christie Building
The University of Manchester
Oxford Road
Manchester
M13 9PL

What if I have a complaint about Data Protection and Information Governance?

We encourage you to contact the research team in the first instance. However, if you are dissatisfied with their response and wish to make a formal complaint about data protection, please contact:

Information Governance Office
G7 Christie Building
The University of Manchester
Oxford Road
Manchester
M13 9PL
Tel: +44 (0)161 275 7789
Email: information.governance@manchester.ac.uk