Skip to main content

Privacy Policy

Privacy Notice: Durham Reading and Exploration (DREX) Training App and websites


Please read the privacy information below – Part 1 comprises Durham University’s Generic Privacy Notice and Part 2 comprises privacy information specific to the activities of DREX.


Durham University’s responsibilities under data protection legislation include the duty to ensure that we provide individuals with information about how we process personal data. We do this in a number of ways, one of which is the publication of privacy notices. Our privacy notices comprise two parts – a generic part and a part tailored to the specific processing activity being undertaken.

Data Controller

The Data Controller is Durham University. If you would like more information about how the University uses your personal data, please see the University’s Information Governance webpages or contact:

Information Governance Unit
Telephone: (0191 33) 46246 or 46103

Data Protection Officer

The Data Protection Officer is responsible for advising the University on compliance with Data Protection legislation and monitoring its performance against it. If you have any concerns regarding the way in which the University is processing your personal data, please contact the Data Protection Officer:

Jennifer Sewel
University Secretary
Telephone: (0191 33) 46144


The University keeps personal data for as long as it is needed for the purpose for which it was originally collected. Most of these time periods are set out in the University Records Retention Schedule.

Your rights in relation to your personal data

Privacy notices and/or consent

You have the right to be provided with information about how and why we process your personal data. Where you have the choice to determine how your personal data will be used, we will ask you for consent. Where you do not have a choice (for example, where we have a legal obligation to process the personal data), we will provide you with a privacy notice. A privacy notice is a verbal or written statement that explains how we use personal data.

Whenever you give your consent for the processing of your personal data, you receive the right to withdraw that consent at any time. Where withdrawal of consent will have an impact on the services we are able to provide, this will be explained to you, so that you can determine whether it is the right decision for you.

Accessing your personal data

You have the right to be told whether we are processing your personal data and, if so, to be given a copy of it. This is known as the right of subject access. You can find out more about this right on the University’s Subject Access Requests webpage.

Right to rectification

If you believe that personal data we hold about you is inaccurate, please contact us and we will investigate. You can also request that we complete any incomplete data.

Once we have determined what we are going to do, we will contact you to let you know.

Right to erasure

You can ask us to erase your personal data in any of the following circumstances:

  • We no longer need the personal data for the purpose it was originally collected
  • You withdraw your consent and there is no other legal basis for the processing
  • You object to the processing and there are no overriding legitimate grounds for the processing
  • The personal data have been unlawfully processed
  • The personal data have to be erased for compliance with a legal obligation
  • The personal data have been collected in relation to the offer of information society services (information society services are online services such as banking or social media sites).

Once we have determined whether we will erase the personal data, we will contact you to let you know.

Right to restriction of processing

You can ask us to restrict the processing of your personal data in the following circumstances:

  • You believe that the data is inaccurate and you want us to restrict processing until we determine whether it is indeed inaccurate
  • The processing is unlawful and you want us to restrict processing rather than erase it
  • We no longer need the data for the purpose we originally collected it but you need it in order to establish, exercise or defend a legal claim and
  • You have objected to the processing and you want us to restrict processing until we determine whether our legitimate interests in processing the data override your objection.

Once we have determined how we propose to restrict processing of the data, we will contact you to discuss and, where possible, agree this with you.

Making a complaint

If you are unsatisfied with the way in which we process your personal data, we ask that you let us know so that we can try and put things right. If we are not able to resolve issues to your satisfaction, you can refer the matter to the Information Commissioner’s Office (ICO). The ICO can be contacted at:

Information Commissioner's Office
Wycliffe House
Water Lane

Telephone: 0303 123 1113

Website: Information Commissioner’s Office


This section of the Privacy Notice provides you with the privacy information that you need to know before you provide personal data to DREX for the particular purpose(s) stated below.

Type(s) of personal data collected and held by DREX and method of collection:

In order to use DREX you will be asked to enter the following personal information at the registration stage using free text boxes:

  • Full name
  • Age
  • Email address
  • Username (user generated)
  • Password (user generated)

You will also be asked to provide some additional sensitive personal information including:

  • Gender
  • Cause of condition
  • Onset date
  • Type of condition
  • Side affected by condition

Dropdown menus provide the option of selecting ‘other’ thereby allowing you to input any answer to the question that you wish, or to provide no personal details beyond this.

The DREX app itself will collect data relating to your performance on the tasks contained therein. This includes measures of accuracy of your responses to the tasks as well as speed of responding. This data will be stored on the device you use to do the training. If this device is ever connected to the internet then this performance data will also be sent to the University who will store it anonymously and securely.

Lawful Basis

We are relying on Consent for the legal purpose of processing your personal data. The personal information that you input into DREX allows the University to use this information in order to deliver the DREX experience. In addition the University will use the data you provide via DREX for internal research and development purposes. The University’s core purpose includes undertaking research in the public interest. Processing of your data is carried out as part of this core purpose. When undertaking any such research, the University will work with anonymised patient characteristic data and assessment performance data only. All such data will be analysed to allow us to better understand rates of improvement and user characteristics.

How personal data is stored by DREX:

All personal data will be kept strictly confidential and anonymous, and held on secure servers. Your name will be encrypted and email address hashed before being stored in the database. The research team only have access to anonymised data and no data will be made available to anyone else. If data is included in any publication it will be entirely anonymous and will not be identifiable as yours.

How personal data is processed by DREX:

All personal data that the DREX app collects will be stored anonymously. The stored data allows the app to work for the individual user. The anonymous data will be analysed by eligible research staff to investigate if the amount of app training completed leads to changes in task performance, including changes in both accuracy and speed of responding. The additional information provided means that the eligible researchers can investigate factors that may also affect overall performance on the DREX app such as gender, age, and medical condition influences including cause, degree, location and duration of impairment.

The email address you provide allows you to be sent a password reminder should you forget it, and this data will not be used for any other purpose. The email information will not be made available to any third party or accessed by the DREX research team.

You can request to withdraw your data at any point and without providing a reason. However, removing your data will mean that the training offered via the DREX app will no longer be available to you as functionality is dependent upon the stored data. If you wish to remove your data please contact the DREX research team via email;

Who DREX shares personal data with:

As a user, you can request to share your data with your medical clinician via the DREX portal. For further information on how your clinician can access and use your DREX data and how to authorise sharing please see the clinician data sharing letter supplied by your clinician. None of the information you supply shall be shared with any third party without your consent. However, anonymised (i.e. not identifiable) data may be used in publications, reports, presentations, web pages and other research outputs. Anonymised data may be archived and shared with others for legitimate research purposes.

How long personal data is held by DREX:

This information is additional to the information in Part 1 about Retention. The University considers its relationship with DREX users to be life-long as the stored information allows the University to continue to provide the training experience to each individual user via the app. This means that we will maintain an anonymised user record for you until such time as you tell us that you no longer wish us to do so. You can stop using the app at any time, but unless you tell us that you want to remove your user details then these will remain stored securely and anonymously on the servers.

How to object to DREX processing your personal data:

If you have any concerns regarding the processing of your personal data, or you wish to withdraw your data from the project, then please contact DREX via email:

Visitors to our websites/webpages:

When someone visits or uses the DREX app we use a third party service, Google Analytics, to collect standard internet log information and details of user behaviour patterns. We do this to find out things such as the number of visitors to the various parts of the site and different components within the app such as the audio files. This information is only processed in a way which does not identify anyone. We do not make, and do not allow Google to make, any attempt to find out the identities of those visiting our website or using the DREX app.

Use of cookies by DREX:

A cookie is a simple text file that is stored on your computer or mobile device by a website's server and only that server will be able to retrieve or read the contents of that cookie. Cookies allow websites to remember user preferences, choices and selections, such as what's in your shopping basket. The DREX app and the DREX webpages do not use cookies to collect personal information about you.

Links to other websites:

This privacy notice does not cover the links within this site linking to other websites. We encourage you to read the privacy statements on the other websites you visit.

Changes to this privacy notice:

We regularly review our privacy information to ensure that it remains accurate and current. We will review and update this privacy information whenever we plan to use personal data for any new purpose. Any changes to this privacy information will be communicated to you.

Further information:

If you have any questions which you feel have not been covered by this Privacy Notice, please do not hesitate to email us or write to:

Psychology Department,
Durham University,
Science Laboratories,
South Road,