Submit your study name and confirm your email address;
Your new study is created; and
You will be sent an email with a unique link for participants to access your study. The email will also contain instructions for you to retrieve your study data.
Oscar Terms of Use for Study Owners
Firstly, please note that OSCAR is freely available to use for academic research. We just ask in return that you cite the related methodological reference article: De Matteis S, Jarvis D, Young H, Young A, Allen N, Potts J, Darnton A, Rushton L, Cullinan P. Occupational self-coding and automatic recording (OSCAR): a novel web-based tool to collect and code lifetime job histories in large population-based studies. Scand J Work Environ Health. 2017 Mar 1;43(2):181-186.
Secondly, the responses collected via OSCAR may be linked with existing data. A unique identifier can be assigned to each participant and included in the email invitations sent to request OSCAR participation. Then, when a participant accesses OSCAR, they are requested to enter the unique identifier provided. This will be returned in their records in the final downloaded data. Other than the unique identifier, OSCAR does not collect, process or store any personal identifiable data; as such, OSCAR is unable to identify or re-identify any individual participant. Therefore, if a participant does not provide a unique identifier then their data will be considered fully anonymised with a blank value in this field.
In using this system you agree to the following terms:
Parties
Your Institution as submitted by you on this page, incorporated in the United Kingdom, whose address is also as submitted by you on this page (the “Study Owner”); and
CHP Design Ltd incorporated and registered in England with company number 1944677 whose registered office is at 89 King St, Maidstone, Kent ME14 1BG (the “Oscar system developer”).
Background
In accepting these terms of use the Study Owner has entered into an agreement with the Oscar system developer for the Study Owner to use Oscar for collecting participant responses, which requires processing Data for the purposes of the Oscar system developer performing its obligations under the Services Agreement.
Because the provision of the services under the Services Agreement requires the Oscar system developer to process Data, the Data Protection Legislation is engaged. This establishes the Oscar system developer as the Data Processor who is processing Data on behalf of the Study Owner who is the Data Controller. Under the Data Protection Legislation the Data Processor and Data Controller are jointly and severally legally responsible for the Data processing.
The Oscar system developer has agreed to process the Data in compliance with the terms set out in the Services Agreement.
This Agreement neither overrides nor replaces the Services Agreement, but instead is supplementary to it. It is issued in accordance with Article 28 of the General Data Protection Regulation which requires the Study Owner (as the Data Controller) to set out the terms and conditions for the provision of the Services provided by the Oscar system developer (as the Data Processor). If this has not already been set out by the Study Owner to participants elsewhere, e.g. in their invitation to participate, this can be added to the 'Study Specific Privacy Policy Text' field on this page.
The Study Owner acts as a Data Controller for the data collected in OSCAR. Other than system administrator access for maintenance purposes, which is strictly restricted to the Oscar system developer alone, only the Study Owner has access to their data. This is achieved by secure download as a .csv (Comma Separated Values) text file. All completed participant responses in the Study Owner's Data will be deleted from the Oscar Data after it has been downloaded from Oscar by the Study Owner. At this time, the Study Owner becomes solely responsible for the downloaded Data and this data will no longer exist in the Oscar system.
Subject to and without prejudice to the terms of the Services Agreement, the Study Owner has agreed to license to the Oscar system developer the use of all rights to enable the Oscar system developer to provide the services under the Services Agreement.
Terms
This Agreement shall commence on the start date noted in the table below and shall continue unless terminated earlier in accordance with Clause 10, until the end date noted in the table below.
Start date: 26/01/2021
End date: 26/01/2022
If an extension is required beyond the 'End Date' above, then the Study owner must contact the Oscar system developer by email from the email address submitted on this page.
IT IS HEREBY AGREED as follows:
DEFINITIONS AND INTERPRETATION
In this Agreement unless the context otherwise requires the following words and expressions shall have the following meaning:
Anonymised Data shall have the meaning given to it under the applicable Data Protection Legislation;
Authorised Person: any person specified in Part 1 of the Schedule or as may otherwise be designated from time to time by the Study Owner giving written notice to the Oscar system developer;
Business Day: a day other than a Saturday, Sunday or public holiday in England when banks in London are open for business;
Confidential Information is defined as all confidential information (however recorded or preserved) disclosed by a Party or its employees, officers, representatives, advisers or subcontractors involved in the provision or receipt of the Services who need to know the confidential information in question (Representatives) to the other Party and that Party's Representatives in connection with this Agreement, which is either labelled as such or else which should reasonably be considered as confidential because of its nature and the manner of its disclosure;
Data Controller (‘Controller’) shall have the meaning given to it under the applicable Data Protection Legislation;
Data Processor (‘Processor’) shall have the meaning given to it under the applicable Data Protection Legislation;
Data Protection Legislation shall mean the Data Protection Act 2018 (as amended from time to time), the General Data Protection Regulation (as amended from time to time) and any other applicable replacement or re-enacted legislation of the foregoing;
Normal Business Hours: 9.30am to 5.30pm GMT on a Business Day;
Parties refers to the Study Owner/ the Data Controller and the Oscar system developer/ the Data Processor and Party refers to any of them as the context may require;
Personal Data shall have the meaning given to it under the applicable Data Protection Legislation;
Process and Processing have the meaning given under the applicable Data Protection Legislation;
Pseudonymised Data shall have the meaning given to it under the applicable Data Protection Legislation;
Oscar is the web application displaying the terms of use on this page at the domain oscar-job-history.com;
Services Agreement is the agreement that the Oscar system developer has in place to maintain the Oscar system on an on-going basis;
Services: the services to be supplied by the Oscar system developer under the Services Agreement a summary of which is set out in Part 2 of the Schedule.
References to “data” or “Data” shall be construed as references to Personal Data and Special Categories of Personal Data (within the meaning of Article 9 of the General Data Protection Regulation) unless the context requires otherwise.
Clause, Schedule and paragraph headings shall not affect the interpretation of this Agreement.
A person includes a natural person, corporate or unincorporated body (whether or not having separate legal personality).
The Schedule forms part of this Agreement and shall have effect as if set out in full in the body of this Agreement. Any reference to this Agreement includes the Schedule.
A reference to a company shall include any company, corporation or other body corporate, wherever and however incorporated or established.
Unless the context otherwise requires, words in the singular shall include the plural and in the plural shall include the singular.
Unless the context otherwise requires, a reference to one gender shall include a reference to the other genders.
A reference to a statute or statutory provision is a reference to it as amended, extended, superseded or re-enacted from time to time.
A reference to a statute or statutory provision shall include all subordinate legislation made from time to time under that statute or statutory provision.
A reference to writing or written includes faxes but not e-mail.
References to Clauses and Schedules are to the clauses and schedules of this Agreement and references to paragraphs are to paragraphs of the Schedule.
Any words following the terms including, include, in particular or for example or any similar phrase shall be construed as illustrative and shall not limit the generality of the related general words.
In the case of conflict or ambiguity between:
any provision contained in the body of this Agreement and any provision contained in the Schedule or appendices, the provision in the body of this Agreement shall take precedence;
the terms of any accompanying invoice or other documents annexed to this Agreement and any provision contained in the Schedule or appendices, the provision contained in the Schedule or appendices shall take precedence; and
any of the provisions of this Agreement and the provisions of the Services Agreement in relation to the compliance of any Data processing with the Data Protection Legislation, the provisions of this Agreement shall prevail.
OBLIGATIONS OF THE PROCESSOR
The Processor shall process the Data only to the extent, and in such a manner, as is necessary for maintaining the provision of the Services up to and including the export of the Controller's study data by secure download as .csv text file and shall not process the Data for any other purpose. Controller instructions will be given to the Processor via the Authorised Person using the email address submitted on this page alone. As at the start date of this Agreement the Parties agree that the nature and purpose of the processing and the type of personal data and categories of data subjects whose Data will be processed are as set out in Parts 3 and 4 of the Schedule.
Without prejudice to the specificity of the other terms of this Agreement, the Processor warrants that it will process the Data in compliance with all applicable laws, enactments, regulations, orders, standards and other similar instruments.
To the extent that the Processor cannot comply with a change to the Controller’s instructions in so far as they are incompatible with the Data Protection Legislation the Processor shall:
immediately inform the Controller, giving full details of the problem; and
cease all processing of the affected data (other than securely storing those data) until revised instructions are received.
The Processor shall not transfer the Data outside the European Economic Area without the prior written consent of the Controller.
The Processor shall not share the Data with any third party without the prior written permission of the Controller or process Data in any way or for any purpose that has not been instructed and authorised by the Controller.
The Processor will keep at its normal place of business detailed, accurate and up-to-date written records relating to the processing of Data it carries out on behalf of the Controller which should include:
the full name of the Processor, any representatives and Data Protection Officer (where relevant);
the nature of the processing carried out on behalf of the Controller;
the details of any transfer of Data to a third country and where relevant all documentation evidencing safeguarding adequacy.
The Processor shall permit the Controller and its third-party representatives, on reasonable notice during Normal Business Hours, but without notice in case of any reasonably suspected breach of this Clause 2, to:
gain access to, and take copies of, the records and any other information held at the Processor’s premises or on the Processor’s System; and
inspect all records, documents and electronic data and the Processor’s system, facilities and equipment,
for the purpose of auditing the Controller’s compliance with its obligations under this Agreement.
To qualify the above in 2.7, 2.7.1 and 2.7.2:
For ongoing security, physical access to system hosting facilities is highly restricted and therefore not possible;
Data in Oscar cannot be shared between Controllers so direct access to the raw data by Controllers or their representatives is therefore not possible;
Participant data in Oscar is also regularly deleted after it has been downloaded by Controllers;
Access cannot be provided at any location by the Processor to any other information which is not directly relevant to Oscar or which might contain any information outside of the Controller's Oscar study.
Therefore the process to achieve 2.7, 2.7.1 and 2.7.2 above is as follows:
The Controller is provided by the Oscar system with secure access to all of the current data held for their Study;
Secure access to the data is available to the Controller at any time. Access credentials are provided by email when a new study is created. The password must be updated by the Study owner on first login;
After accessing the secure area, the data is available to the Controller for download as a .csv file. This is only possible via an encrypted connection from the secure area; any data intercepted in between the Oscar system and the Controller's browser will be encrypted;
All data records, both completed and partially completed participant submissions, are available. Completed participant submissions are deleted from Oscar after they have been downloaded. This function does not delete any incomplete participant data.
As part of the Oscar system, the Processor provides secure access for the Controller to export its study Data in .csv (Comma Separated Values) format at any time.
Data exported in the .csv, which is part of a completed participant submission, will be deleted from the Oscar system. At time of export, the Controller becomes solely responsible for the Data.
The Processor shall only collect any Data on behalf of the Controller as specifically instructed to do so by the Controller clicking the green 'Submit New Study' button, on this page, having completed their correct details, also on this page, and subject to the Controller agreeing an information gathering/request form that will contain a data protection notice informing the data subject of the identity of the Controller, the identity of any data protection representative it may have appointed, the purpose or purposes for which their Data will be processed and any other information which is necessary having regard to the specific circumstances in which the Data is, or is to be, processed to enable processing in respect of the data subject to be fair. The Processor shall not modify or alter any information gathering/request form agreed pursuant to this Clause in any way without the prior written consent of the Controller.
The Processor shall have in place appropriate technical and organisational security measures that protect the Data it is contracted to process on behalf of the Controller from unauthorised or unlawful processing, accidental loss, destruction or damage, such technical and organisational security measures being as a minimum as described in Part 5 of the Schedule.
The Processor shall provide reasonable assurances and guarantees to the Controller (as required) that those technical and organisational security measures in place are both appropriate and effective in protecting the processing of Data.
If the Processor receives any complaint, notice or communication which relates directly or indirectly to the processing of the Data or to either Party's compliance with the Data Protection Legislation and the data protection principles set out therein, it shall immediately notify the Controller and it shall provide the Controller with full co-operation and assistance in relation to any such complaint, notice or communication.
The Processor shall promptly without undue delay and in any case within 24 hours of becoming aware of such issues inform the Controller if any Data is lost or destroyed or becomes damaged, corrupted, or unusable. The Processor will restore such Data at its own expense.
The Processor shall make available any records of processing to the supervisory authority on request.
The Processor shall cooperate with the supervisory authority in the performance of its tasks.
PROCESSOR'S EMPLOYEES
The Processor shall ensure that access to the Data is limited to:
those employees who need access to the Data to meet the Processor's obligations under this Agreement; and
in the case of any access by any employee, such part or parts of the Data as is strictly necessary for performance of that employee's duties.
The Processor shall take reasonable steps to ensure the reliability of their personnel who have access to the Data, which shall include ensuring that all staff engaged by the Processor:
understand the confidential nature of the Data;
have received appropriate training in data protection prior to their use of the data; and
have signed a written undertaking that they understand and will act in accordance with their responsibilities for confidentiality under contract.
The Processor shall ensure that it has properly configured access rights for its staff, including a well-defined starters and leavers process to ensure appropriate access control.
DATA SECURITY REQUIREMENTS
The Processor shall have in place appropriate technical and organisational security measures that protect the Data it is contracted to process on behalf of the Controller from unauthorised or unlawful processing, accidental loss, destruction or damage.
The Processor shall provide reasonable assurances and guarantees to the Controller (as required) that the technical and organisational security measures in place as referred to in Clause 4.1 are both appropriate and effective in protecting the processing of Data.
The Processor agrees to maintain good information governance standards and practices, by meeting or exceeding the information governance requirements relevant for their service.
The Processor shall ensure that suitable and effective user authentication processes are established and used to protect Data.
The Processor shall ensure that the Data is backed up on a regular basis and that any back up data is subject to vigorous security measures as necessary to protect the availability, integrity and confidentiality of the data.
The Processor shall ensure that robust and tested business continuity measures are in place to protect the confidentiality, integrity and availability of the data.
The Processor agrees that data transferred electronically is encrypted in accordance with UK national standards as a minimum.
The Processor shall ensure that employees are not able to access the data remotely e.g. from home or via their own electronic device or internet portal other than through a secure electronic network and in accordance with organisational remote working policy. No data shall be stored in such devices.
The Processor warrants that data that requires disposal is disposed of securely and confidentially in accordance with the secure destruction requirements specified in Clause 9.
The Processor shall:
only make copies of the Data to the extent reasonably necessary for the specified purposes in accordance with this Agreement (which, for clarity, includes back-up, mirroring (and similar availability enhancement techniques), security, disaster recovery and testing of the Study Owner Data);
not extract, re-utilise, use, exploit, redistribute, re-disseminate, copy or store the Study Owner Data other than for the purpose of providing the Services; and
not do anything that is reasonably likely to damage the reputation of the Study Owner.
The Processor undertakes to fully cooperate with the Controller’s incident investigation requirements where these don't affect any other of its agreements or obligations.
RIGHTS OF THE DATA SUBJECT
The Processor shall notify the Controller within 24 business hours if it receives a request from a Data Subject for access to that person's Data.
The Processor shall provide the Controller with full co-operation and assistance in relation to any request made by a Data Subject to have access to that person's Data.
The Processor shall not disclose the Data to any Data Subject or to a third party other than as provided for in this Agreement.
RIGHTS & OBLIGATIONS OF THE CONTROLLER
The Controller is entitled, on giving at least 3 working days' notice to the Processor, to inspect or appoint representatives to inspect all facilities, equipment, documents and electronic data relating to the processing of Data by the Processor.
The requirement under Clause 6.1 to give notice will not apply if the Controller believes that the Processor is in breach of any of its obligations under this Agreement. The Controller is entitled to immediate access to its study data.
For the requirements under Clause 6.1 and 6.2, please refer to 2.7 above for qualification and the process for how this will work in practice.
The Controller must inform the Processor of any issues detected within 24 hours.
After the Controller has accessed their Study data, completed participant submissions will be deleted from Oscar. The Controller is then solely responsible for the data under GDPR.
The Controller has full access to download their data from Oscar at all times. In creating a study and agreeing to these terms of use, the Controller confirms that they will comply with their obligations under GDPR at all times.
INDEMNITY
The Processor agrees to indemnify and keep indemnified and defend at its own expense the Controller against all costs, claims, damages or reasonable expenses incurred by the Controller or for which the Controller may become liable due to any failure by the Processor or its employees or agents to comply with any of its obligations under this Agreement.
The Controller agrees to indemnify and keep indemnified and defend at its own expense the Processor against all costs, claims, damages or reasonable expenses incurred by the Processor or for which the Processor may become liable due to any failure by the Controller or its employees or agents to comply with any of its obligations under GDPR, this Agreement and its responsibilities with the Data provided by Oscar.
APPOINTMENT OF SUBCONTRACTORS
The Processor may not authorise any third party or sub-contractor to process the Data without (i) the prior written consent of the Controller and (ii) such third party or sub-contractor entering into a contract with the Processor on terms which are substantially the same as the terms of this Agreement and such contract being expressed to terminate automatically on the termination or expiry of this Agreement.
SECURE DESTRUCTION
The Processor shall ensure that Data held in paper form (regardless of whether originally provided by the Controller or printed from the Processor’s IT systems) is destroyed using a cross cut shredder or subcontracted to a confidential waste Controller that complies with European Standard EN15713.
In the event of any bad or unusable sectors that cannot be overwritten, the Processor shall ensure complete and irretrievable destruction of the media itself.
EXIT FROM AGREEMENT
The Controller may terminate this Agreement with immediate effect by written notice to the Processor on or at any time after the occurrence of an event that gives rise to an information security incident or otherwise poses a risk of non-compliance with the data protection principles.
Without prejudice to Clause 10.1, this Agreement shall terminate upon the termination of the Services Agreement save for any provisions that are intended to survive its termination including for the avoidance of doubt and without limitation Clauses 7, 9, 10.3, 11 and 12.
In order to protect the Data, the Processor agrees:
to store and process Data securely, and destroy it confidentially after it has been securely downloaded as a .csv text file by the Controller;
to return to the Controller the Data by secure export of a .csv text file available at any time via the Oscar system before the 'End date' displayed above, ensuring secure transfer, after which time it will be deleted from the Oscar system.
CONFIDENTIALITY
The Processor acknowledges that the Controller’s Confidential Information includes non-personal and personal data.
The term Confidential Information does not include any information that:
is or becomes generally available to the public (other than as a result of its disclosure by the receiving Party or its Representatives in breach of this Clause 11);
was available to the receiving Party on a non-confidential basis before disclosure by the disclosing Party;
was, is, or becomes, available to the receiving Party on a non-confidential basis from a person who, to the receiving Party's knowledge, is not bound by a confidentiality agreement with the disclosing Party or otherwise prohibited from disclosing the information to the receiving Party;
was known to the receiving Party before the information was disclosed to it by the disclosing Party;
the Parties agree in writing is not confidential or may be disclosed; or
is developed by or for the receiving Party independently of the information disclosed by the disclosing Party.
Without prejudice to any obligations of the Processor in relation to Personal Data, each Party shall keep the other Party's Confidential Information confidential and shall not:
use any Confidential Information except for the purposes of providing the Services; or
disclose any Confidential Information in whole or in part to any third party, except as expressly permitted by this Clause 11.
A Party may disclose the other Party's Confidential Information to those of its Representatives who need to know that Confidential Information for the purposes of providing the Services, provided that:
it informs those Representatives of the confidential nature of the Confidential Information before disclosure; and
at all times, it is responsible for the Representatives' compliance with the confidentiality obligations set out in this Clause 11.
A Party may disclose Confidential Information to the extent required by law, by any governmental or other regulatory authority, or by a court or other authority of competent jurisdiction provided that, as far as it is legally permitted to do so, it gives the other Party as much notice of the disclosure as possible.
Each Party reserves all rights in its Confidential Information. No rights or obligations in respect of a Party's Confidential Information, other than those expressly stated in this Agreement, are granted to the other Party, or are to be implied from this Agreement.
The provisions of this Clause 11 shall continue to apply after termination of this Agreement.
INTELLECTUAL PROPERTY RIGHTS
All Intellectual Property remains the sole property of its respective owner(s). The Processor acknowledges that:
all Intellectual Property Rights in the exported Data .csv text files are and will remain the property of the Controller or its licensors, as the case may be; and
it shall have no rights in or to the exported Data .csv text files other than the right to use it for the purposes in accordance with this Agreement.
The Processor assigns to the Controller, and shall assign to it, its Intellectual Property Rights in the exported Data .csv text file it may create by download, by way of future assignment. The Processor shall execute such confirmatory assignments for the exported Data .csv text file as the Controller may require.
The Intellectual Property Rights assigned to the Controller under Clause 12.2 shall be deemed to be included in the right to use referred to in Clause 12.1.2 from the date when such rights arise.
GENERAL
Assignment: No Party may assign any of its rights under this Agreement, in whole or in part, without the other's prior written consent.
Succession: This Agreement shall be binding upon, and enure to the benefit of, each of the Parties, their respective personal representatives and their respective successors in title.
Variation: No variation of this Agreement shall be valid or effective unless it is in writing, refers to this Agreement and is duly signed or executed by, or on behalf of, each Party.
Entire Agreement: The Parties agree that this Agreement constitutes the entire agreement between them and supersedes all previous agreements, understandings and arrangements between them, whether in writing or oral in respect of its subject matter.
Notices: Notices under this Agreement shall be in writing and sent to a Party's address as set out in the Parties section of this Agreement or to the email address set out below. Notices may be given, and shall be deemed received:
by email to the email address submitted by the Study Owner on this page in the case of the Study Owner and webmaster@oscar-job-history.com in the case of the Oscar system developer: 24 hours from transmission if sent to the correct email address and no notice of delivery failure is received.
Clause 13.5 does not apply to notices given in legal proceedings or arbitration.
No Partnership or Agency: Nothing in this Agreement constitutes, or shall be deemed to constitute, a partnership between the Parties nor make any Party the agent of another party.
Severance: If any provision of this Agreement (or part of any provision) is or becomes illegal, invalid or unenforceable, the legality, validity and enforceability of any other provision of this Agreement shall not be affected.
Waiver: No failure, delay or omission by either Party in exercising any right, power or remedy provided by law or under this Agreement shall operate as a waiver of that right, power or remedy, nor shall it preclude or restrict any future exercise of that or any other right or remedy. No single or partial exercise of any right, power or remedy provided by law or under this Agreement shall prevent any future exercise of it or the exercise of any other right, power or remedy.
Third Party Rights: No one other than a party to this Agreement, their successors and permitted assignees shall have any right to enforce any of its provisions.
Counterparts: This Agreement may be executed in any number of counterparts, each of which when executed will constitute an original of this Agreement, but all counterparts will together constitute the same agreement. No counterpart will be effective until each Party has executed at least one counterpart.
Governing Law: This Agreement and any dispute or claim arising out of, or in connection with it, its subject matter or formation (including non-contractual disputes or claims) shall be governed by, and construed in accordance with, the laws of England.
Jurisdiction: The Parties irrevocably agree that the courts of England shall have exclusive jurisdiction to settle any dispute or claim arising out of, or in connection with, this Agreement, its subject matter or formation (including non-contractual disputes or claims).
AGREED by the Parties on the date set out at the head of this Agreement
Schedule
Part 1. Authorised Persons.
The Webmaster at CHP Design Ltd. email address: webmaster@oscar-job-history.com
The Study Owner at the Institution submitted and at the email address: as submitted on agreeing to the terms on this page.
Part 2. Services
To provide access and use by invitation only of the Oscar system for academic research of participant job histories.
Part 3. The type of personal data and categories of data subjects whose personal data will be processed
Data subjects, participants in a study, are only able to use the Oscar system by invitation of the Study Owner. Their responses are assigned to the single Study to which they have been invited only. The data collected includes age, gender, education, job history by year and current occupation including any gaps in full-time work. There are optional questions specific to lung disease requested on a per job basis and an optional set of final questions per participant submission.
Part 4. The nature and purpose of the processing
For academic research into the links between jobs and illness.
Part 5. Minimum organisational and technical security measures.
Individual participants cannot be identified using the Data collected and stored in Oscar alone. This can only be done if a participant submits the unique identifier generated and requested by the Study Owner in the email sent to invite participation;
Access to Oscar is only possible via Transport Layer Security (TLSv1.2);
Security Certificate: RSA 2048 bits (SHA256 with RSA);
Oscar runs on a private dedicated server with bespoke security and restricted access;