Archive of privacy notices

See our current privacy notices here.

The below privacy notices were archived on 22 July 2021.

This page is valid from 18 June 2020

Description of data use

Data in the National Genomic Research Library (NGRL or the Library) includes personal data donated for research through:

  • the 100,000 Genomes Project (including the pilot stages)
  • your consulting clinician as part of the NHS GMS
  • other genomic research projects (see below if you are unsure if this applies to you)
Purpose and lawful basis for processing

What do we collect?
The data we collect includes the following types of data (this may be expanded in the future):  

  • your sequenced genome created from samples of blood, tissue or saliva 
  • health data provided by your treating clinician at a clinic or through a research programme 
  • hospital episode data about you provided through NHS Digital 
  • data from Public Health England about you from their data repositories (such as cancer) 
  • in the future, this will include other sources such as your GP records

This data is part of the Library in its de-identified form and informs the research into cancers, rare conditions or other scientific projects (such as virus research).   

We do this by providing these organisations with a list of participant details (usually NHS number and date of birth). They are matched to data held by that organisation and sent to us securely. We bring all your information together into our secure Library for use by researchers. 

As part of your treatment or clinical care, you may provide personal information about you and your condition to your clinical team. This may include personal information, like name, address, date of birth and other demographic information. It may also include other information about your condition and how it affects you. As part of your treatment the information held about you may include scans, radiological images (for example, X-rays) or video, and these may all form part of the health data. 

The majority of the personal data that we have in the Library are from our initial pilot schemes, the 100,000 Genomes Project (see our previous privacy notice), and when people have added their data when they’ve had a test through the NHS Genomic Medicine Service. 

We also add other data to the Library from different sources.

For these groups of participants, we also add clinical data. You can download this file to see them and the extent to which we process your data.

Why do we need it and what do we do with it?
To ensure there is the richest possible health data set for research purposes we collect all sorts of data, even things that might at first look like they have no relevance to a health condition. This is because we don’t yet know what is important. For instance, we collect details about birth and childhood illnesses because these might – or might not – have an influence on a condition. While some information we collect may not be relevant for an individual, it might be very important in other people’s conditions. For instance, we collect information about mental health and disability which is an important symptom for many of the rare conditions we cover. 

By considering your health data and genome data together, researchers are able to develop a better understanding of the relationship between variations in the genome and the health of the individual. In rare diseases, they may be able to better explain the condition, arrive at a new diagnosis or suggest a new approach to treatment. In cancer, they may be able to predict the effect of a particular course of treatment, avoiding drugs that would not work for the individual concerned or selecting or developing drugs that have a better chance of success.

Lawful basis
For us to use your data, we must identify a lawful basis in the General Data Protection Regulation (UK GDPR) on which to process it. Below are the lawful bases we use.

Type of data and purpose  Personal data (Article 6 UK GDPR)  Special category data (Article 9 UK GDPR) 
Identifiable data used internally to match data together from different sources and make it ready for ‘publishing’ in the Library. 

 

We rely on Article 6(1)(f) – legitimate interests.   

 

We rely on Article 9(2)(j) – scientific research – alongside Article 65 UK GDPR and the Data Protection Act 2018 which details the responsibilities of the Research Ethics Committee (part of the Health Research Authority) for approving our research protocol. You can see our approved protocol here.
De-identified* data used in the Library. 

These are to conduct research and investigate and to test and develop new tools used to improve research.   

We rely on Article 6(1)(f) – legitimate interests – to process your data.    We rely on Article 9(2)(j) – scientific research – alongside Article 65 UK GDPR and the Data Protection Act 2018 which details the responsibilities of the Research Ethics Service (part of the Health Research Authority) for approving our research protocol. 

Legitimate Interests

When we discuss our research with you, we are unable to discuss every aspect of the use of your data, partly because it may be extensive, but partly because our research may lead us down avenues we do not yet know we need to go down. For this reason, we do not use consent as the lawful basis as we could not fulfil the UK GDPR requirement to be very detailed about what you are providing consent for. Genomics England therefore uses Legitimate Interests as its lawful basis in line with guidance from the Health Research Authority, which can be found here.

We have assessed our processing against your rights and have documented them appropriately. Our legitimate interests are that, as a company wholly owned by the Department of Health and Social Care, we collect your personal data to fulfil the function for which we were created, that is to create a de-identified library of genomic and health data for the purpose of research.

We keep you informed by the fact that you are provided with an opportunity to discuss your participation with a healthcare professional, through the provision of participant materials and our regularly reviewed and up-to-date privacy notice and website.

What does ‘de-identified’ data mean?
De-identification means that we take ‘strong’ identifiers out of the data, such as name, address (including postcode), date of birth and NHS number (where relevant), and replace them with a unique identifier that only we at Genomics England can use to re-identify you.  Researchers that are given access to the Library do so under strict agreements and their access is reviewed by our Access Review Committee, which includes patient and participant representatives. You can read more about the Committee on our website.

However, due to the detailed nature of the data it can never be truly anonymised, there is always a small risk that an individual may recognise your specific rare condition or other aspects of your health. This is because some clinicians also have access to the Library to conduct research they themselves are involved in.  

We only allow data to be taken out of the Library in aggregated form (for example, numbers in tables). There are strict controls around this and we have an ‘Airlock’ Committee which reviews each request prior to release. Sometimes there are very few individuals, even in a table showing numbers of individuals, and therefore we don’t allow tables with small numbers of individuals in them to be released either. This helps us further minimise the chance of re-identification.

How we comply with the common law duty of confidentiality
Common law is simply the build-up of past judgements in the courts which together make up ‘case law’. It is separate to data protection law which is made by act of parliament (such as the Data Protection Act or General Data Protection Regulation).

Where your data comes to us from your treating cliniciana member of their team or a researcher it is given to them by you under a duty of confidentiality. This means that your clinician must still comply with the common law and gain explicit consent before sharing your data with us for a health research purpose. This is why they will have a full discussion with you and you will sign our forms to say that you understand what we will do with your data. They must leave you with a good understanding of what we will do with your data. We will also provide you with information leaflets and we will keep updating this privacy notice for you to refer back to. You can also contact our data protection team at any time if you have further questions, via email: [email protected] 

Note that once you have given your permission for us to use your data in Library, you should contact us directly for any information about what we do with it, using the details and form on our web page about data access requests.

Questions about what your geneticist or clinician does in the use of your data to support your care in the NHS Genomic Medicine Service should be asked directly to them. Learn more about the NHS Genomic Medicine Service, managed by NHS England, through their website.

Where your personal data comes to us because you have been part of a separate research programme (for example, with a charity or commercial organisation), the common law would not normally apply.

Who do we share it with?
As part of the National Genomic Research Library we need to link the different types of health data held by other organisations to get a complete overview of your health data footprint so that we may carry out our research. In practice, in order to access and obtain health data held by other organisations, including NHS Digital, NHS England, GPs and Public Health England, we will share your personal information with these other organisations so that they can provide your personal information to us. 

Before we share any of your personal information, we ensure that agreements are in place that include strict rules and processes on how your personal information is shared safely and securely. 

Research users will have restricted access to de-identified datasets which contain only the information they need for their specific and approved research study. From this information they may produce additional research data based on their analysis. Researchers should not be able to work out who this data is about, or even who is participating in the research simply by looking at the information in the system. However, any non-trivial piece of health data – even a de-identified report of an appointment booking – could be re-identified by somebody who already has enough information about the individual in question. This is why Genomics England insists all access to its data takes place within our secure Research Environment, where it can be monitored. 

Access is also given to Genomics England Clinical Interpretation Partnerships (GeCIPs). Access is strictly controlled. You can learn about the work the different GeCIP domains are doing through our website. 

We also allow access to academic institutions for training and education purposes. The access by these organisations is approved in each case and strictly controlled. 

Researchers also include commercial organisations through our Discovery Forum. Again, their access is strictly controlled and monitored.   

Through their work, researchers may find that they want to research a specific group of individuals. However, they are not able to identify you in the Library. Genomics England has strict processes in place whereby your contact information will not be passed to them until we have your permission to do so. We will always give you the choice for your information not to be shared with them. 

No personal data held by Genomics England will be accessible to other government agencies which includes HMRC and the Child Support Agency. In the unusual situation that a request for data is made by a court order then this will be referred to Genomics England’s Legal Counsel as promptly as possible so that all representations may be made to the court, for example, to limit the information requested being released. We do not share information with insurance companies.

How long do we keep it?
We will keep personal data relating to our research purpose for 30 years, at which point it will be reviewed to see if we are able to justify keeping it. If we cannot, it will be deleted in line with our secure destruction procedures. Download our full retention schedule.

Withdrawing from the research
If you change your mind and want to withdraw your data from research, then you are free to do so. This will always be acted upon.

There are two options: 

  1. Partial withdrawal: ‘no further contact’ – this means Genomics England will not contact the you again although your clinical team will still get an initial report, but no more reports after this. The clinical team will ask you if you want to receive this initial report only (this only applies if you were part of the 100,000 Genomes Project). Genomics England will continue to use any samples already collected for research purposes and will continue to update and store information from your health and other records for use in approved research.
  2. Full withdrawal: ‘no further use’ – this means your data will no longer be part of our research database, although an initial report would still go to the clinical team for them to check if you want to receive this. After this there is no further contact. We would destroy any DNA samples that we hold and from that point forwards we would restrict researchers from accessing any information we hold by putting it beyond any future use. Data that has been used already in research cannot be altered as that would affect the research results on which discoveries may be made.

Finally, regardless of the option chosen above, we will keep an audit record to say that you were once part of the Project and then withdrew. This includes your surname, first name, date of birth, address and contact details.  

If you wish to withdraw, contact us at [email protected].

What are your rights when we use your data for research?

Individual right  Does it apply?  Reason if it doesn’t apply (where applicable) 
Right to be informed  

 
Right of access  

 
Right to rectification 

We rely on the exemption in the Data Protection Act 2018, Schedule 2, Paragraph 27(1)-(3) where to apply this would seriously impair the aims of the research. 
Right to erasure 

Because data may have been used to inform a research programme, we are unable to delete it.  We rely on the exception in UK GDPR Article 17(3)(d) to allow us to keep it in these circumstances.  The data will be reassessed after 30 years in line with our retention schedules. 
Right to restriction of processing 

We rely on the exemption in the Data Protection Act 2018, Schedule 2, Paragraph 27(1)-(3) where this would seriously impair the aims of the research. 
Right to data portability 

The UK GDPR only applies this right where UK GDPR consent or a contract are the lawful basis used.  Genomics England relies on a lawful basis of legitimate interests 
Right to object 

We rely on the exemption in the Data Protection Act 2018, Schedule 2, Paragraph 27(1)-(3) where this would seriously impair the aims of the research. 
Right to be informed of automated individual decision-making, including profiling 

We do not use your data to profile you or use it for automated decision-making. 

Do we use any data processors?
A data processor is another person or company who holds the data on our behalf. This might be to help us best use the vast amounts of data we hold, or because only they have the expertise to provide us with a certain service. A good example of this is our sequencing partners. Illumina are a sequencing company based in Cambridge and provide us with a service to take your tissue or blood sample and create the electronic file which is your DNA sequence. 

A list of our processors can be downloaded here.

All of our processors are bound by contract which restrict them to only use your data for very specific purposes.

Do we make any overseas transfers?
No. Your data is not transferred out of the United Kingdom and we ensure all our suppliers are contractually bound to that rule. Only summary data which cannot identify you is allowed out of the Library, and all requests to take summary data out are reviewed by a committee.

This page is valid from 26 November 2020

Description of data use

Genomics England Limited is working as part of the GenOMICC consortium to develop a powerful database of genetic sequences combined with testing and health data to enable researchers to better understand and help in the fight against COVID-19.

Purpose and lawful basis for processing

Why do we need it and what do we with it?

This privacy notice relates to two uses of your information:

  1. Where you complete our web form to indicate your interest in contributing to the research; and
  2. Where you agreed to share your DNA and health records for research when:
    • You were in hospital in the Intensive Care Unit with a severe case of COVID-19or
    • We invite you to take part after registering your interest on our web form

1. How we use the information we collect when you register an interest through our web form

Our web form collects:  

  • Your first name, surname, date of birth, email address and contact telephone number  
  • First part of your post code 
  • Your gender and ethnicity 
  • Whether or not you tested positive for COVID-19
  • Whether or not you were treated for COVID-19 in a hospital Intensive Care Unit (and if so, which Intensive Care Unit) 
  • Whether or not you had mild symptoms of COVID-19  

In the first instance, we will assess the data and may invite you to take part in research. Our aim is to collect a group of people to contribute to our research where we can look at the different aspects of their genetic makeup up that might make them susceptible to the virus. Having information such as first part of post code, ethnicity and gender helps us ensure we are collecting enough representative data. 

We also give you the opportunity to join our mailing list. If you tick the box to agree to this, we will only use your name and email address to allow us to send you emails.

Who will we share it with?  

To contact you about research, the information from the form will only be kept and used by Genomics England and the GenOMICC consortium members unless we get further permission from you. 

If you agree to join our mailing list, your data will only be used by Genomics England to send you information about what we do and what events we might have coming up, for example. We may also ask you to do further surveys, but this will only be about our work. The only information we will use for this purpose is your name and email address. 

How long will we keep it?  

Genomics England maintains a retention schedule for all the different types of personal data we hold.  

The information held for contacting you about the research study will be kept for 2 years after the recruitment has completed and will then be deleted. This is because people may later decide they do not wish to take part and we may wish to recruit more participants to the initial study.  

You can stay on our mailing list as long as you like. You will always have the option to unsubscribe or you can email us using the details below if you want to be removed. 

Where will the data be held?  

Where Genomics England holds the data it will be held in our secure UK data centres. 

The contact information from the questionnaire is collected with a survey service called SmartSurvey. Their data is held within the UK and European Economic Area and you can read about their service here. 

Our mailing lists (where we will use only email and name) are held and managed using MailChimp, a US Company which is a member of the US/EU privacy shield. The US/EU privacy shield ensures your data is held with the same rights applying in the European Union. You can read about their service here,

All data is protected by encryption at rest and when transferred to the latest standard.

2. How we use your data if you were in intensive care or we invited you to join the research after you registered an interest via our online web-form 

How we use this information  

You will either have agreed to share your DNA and health data with us when you were in hospital, or you will have agreed to share your DNA and health data when you discussed sharing it with one of the GenOMICC team  In both cases this would have been a healthcare professional as a member of the GenOMICC consortium who will have discussed the sharing with you and asked you to sign to take the sample and to agree for your additional health data to be collected by us.  

Your blood sample was then sent to our genetic sequencers and will be sent on to us. This is always by secure, encrypted transfer.

At the same time, we ask the different health and agencies for copies of any information about you.   

We match them up in our data centre, take all the identifiers out of the data (such as name, address, NHS number, date of birth) and then put them in the COVID-19 research environment within our National Genomic Research Library (the Library). This means the data are de-identified.   

Our library is like a reference library. This means that individuals that can look at the data and perform their research but cannot take any of the data out unless it is anonymised. For it to be effectively anonymised, there must be no chance of it identifying an individual and normally this would only be in the form of numbers in a table or report. Our Airlock Committee assesses any requests to remove this data so that we can be sure it has been properly anonymised. 

All of the researchers accessing the de-identified data for COVID-19 research will be approved by our Access Review Committee, and this means that we check whether or not they have the right approval from the Health Research Authority.

Who will we share it with?  

So that we can get the richest possible data for our research, the following organisations supply us with information about you and your health data: 

Type of Organisation  Data collected  
NHS Digital (England only)* 
  • Mortality data 
  • Hospital episode statistics 
  • Emergency Care Data Sets 
  • Mental Health 
  • Cancer registration 
  • Diagnostic imaging dataset (No images) 
  • Patient reported outcome measures 
  • Secondary uses dataset 
Public Health Data (England, Northern Ireland, Scotland and Wales) 
  • COVID-19 test results  
The Intensive Care National Audit and Research Centre (ICNARC) 
  • Health data from intensive care 
International Severe Acute Respiratory and Emerging Infection Consortium 
  • Admission 
  • PMH 
  • ventilation 
  • smoking 
  • Outcome data 

*Some of the data sources are only shared with us only whilst the COVID-19 pandemic is happening and where public bodies are instructed to share by the Secretary of State for Health and Social Care under The Health Service (Control of Patient Information) Regulations 2002. You can read more about them by clicking here. This data is time limited and will cease to be provided to us at a certain time dependent on the instruction from the Secretary of State (currently 31 March 2021).

Research users will have restricted access to de-identified datasets which contain only the information they need to complete their COVID-19 research. From this information they may produce additional research data based on their analysis. Researchers should not be able to work out who this data is about, or even who is participating in the research simply by looking at the information in the system. However, any non-trivial piece of health data – even a de-identified report of an appointment booking – could be re-identified by somebody who already has enough information about the individual in question. This is why Genomics England insists all access to its data takes place within our secure Research Environment, where it can be monitored.

Through their work, researchers may find that they want to research a specific group of individuals. However, they are not able to identify you in the COVID-19 research environment. Genomics England has strict processes in place whereby your contact information will not be passed to them until we have your permission to do so. We will always give you the choice for your information not to be shared with them.

No personal data held by Genomics England will be accessible to other government agencies which includes HMRC and the Child Support Agency. In the unusual situation that a request for data is made by a court order then this will be referred to Genomics England’s Legal Counsel as promptly as possible so that all representations may be made to the court, for example, to limit the information requested being released. We do not share information with insurance companies.

How long will we keep it?  

On our form you agree that the data we collect can be used more widely in the National Genomic Research Library for research. This is whilst you are alive and will continue after your death. 

Where your information is to be used in research, we will keep the data for 30 years, at which point it will be reviewed to see if we are able to justify keeping it. If we cannot, it will be deleted in line with our secure destruction procedures. Download our full retention schedule.

Where will the data be held?  

Genomics England holds the data in our secure United Kingdom data centres. We do not transfer it outside the UK.

Withdrawing from the research 

If you change your mind and want to withdraw your data from our research, then you are free to do so at any time. This will always be acted upon. 

There are two options:  

  • Partial withdrawal: ‘no further contact’ – this means Genomics England will not contact you again. Genomics England will continue to use any samples already collected for research purposes and will continue to update and store information from your health and other records for use in approved research.
  • Full withdrawal: ‘no further use’ – this means your data will no longer be part of our research database, although an initial report would still go to the clinical team for them to check if you want to receive this. After this there is no further contact. We would destroy any DNA samples that we hold and from that point forwards we would restrict researchers from accessing any information we hold by putting it beyond any future use. Data that has been used already in research cannot be altered as that would affect the research results on which discoveries may be made. 

If you would like to withdraw, please download and complete our Withdrawal Form.

You can email it to [email protected] or you can post it to the Senior Data Protection Manager at the address below.

What are your rights when we use your data for research?

Individual right Does it apply? Reason if it doesn’t apply (where applicable)
Right to be informed
Right of access
Right to rectification We rely on the exemption in the Data Protection Act 2018, Schedule 2, Paragraph 27(1)-(3) where to apply this would seriously impair the aims of the research.
Right to erasure Because data may have been used to inform a research programme, we are unable to delete it.  We rely on the exception in UK GDPR Article 17(3)(d) to allow us to keep it in these circumstances.  The data will be reassessed after 30 years in line with our retention schedules.
Right to restriction of processing We rely on the exemption in the Data Protection Act 2018, Schedule 2, Paragraph 27(1)-(3) where this would seriously impair the aims of the research.
Right to data portability The UK GDPR only applies this right where UK GDPR consent or a contract are the lawful basis used.  Genomics England relies on a lawful basis of legitimate interests
Right to object We rely on the exemption in the Data Protection Act 2018, Schedule 2, Paragraph 27(1)-(3) where this would seriously impair the aims of the research.
Right to be informed of automated individual decision-making, including profiling We do not use your data to profile you or use it for automated decision-making.

Lawful basis

UK GDPR classifies your personal data in two ways:  

  • Personal data – such as your name, email address and phone number
  • Special category data – such as information relating to your health and including your DNA (your genomic sequence)  

For us to use your data, we must identify a lawful basis in the General Data Protection Regulation on which to process it. For us to use your health data for research, we must have a research protocol reviewed and approved by the Research Ethics Committee (REC). The REC is a legal body established as part of the Health Research Authority. The Health Research Authority is the UK public body responsible for authorising research and reviews all our materials to make sure they comply. Below are the lawful bases we use:  

Use of data  Typof data  Personal data (Article 6 UK GDPR)  Special category data (Article 9 UK GDPR) 
1. When you registered your interest to join the COVID-19 research project  To allow us to contact you for research 

 

Personal data 

Special category data 

We rely on Article 6(1)(a) – Consent  

 

We rely on Article 9(2)(a) – explicit consent  

 

So that you can receive more information from us by email 

 

Personal data only 

We rely on Article 6(1)(a) – Consent  

 

n/a 
2. When you agreed to join the COVID-19 research project and were in intensive care or we invited you after you registered an interest  Personal data 

Special category data  

We rely on Article 6(1)(f) – Legitimate interests  We rely on Article 9(2)(j)  a research purpose 

 

UK GDPR Article 65 (1); 

 

DPA 2018 Section 19(3)(4); and 

 

CLDC – Explicit consent** 

 **The Common Law Duty of Confidentiality (CLDC) 

Common law is simply the build-up of past judgements in the courts which together make up ‘case law’. It is separate to data protection law which is made by act of parliament (such as the Data Protection Act or General Data Protection Regulation). 

Where your data comes to us from your treating clinician (for example at the hospital, GP surgery or other healthcare provider)the common law considers that you have provided that information to them under a duty of confidence.

This means that for us to use that information, we must gain explicit consent so that the above organisations can share your data with us for our research purpose. So that our consent is valid, the GenOMICC research nurse must have a full discussion with you. You must also sign our record of discussion form to say that you understand what we will do with your data. The form records that you have been provided with our patient information leaflet which gives more detail about what we will do with your information. You can also contact our data protection team at any time if you have questions, via email: [email protected]uk   

Note that once you have given your permission for us to use your data in the Library, you should contact us directly for any information about what we do with it, using the details and form on our web page about data access requests.

Questions about what your geneticist or clinician does in the use of your data when they supported your care in hospital will be a separate record and you should go directly to your clinician or the hospital that treated you to learn about how they use your data.

Legitimate Interests

When we discuss our research with you, we are unable to discuss every aspect of the use of your data, partly because it may be extensive, but partly because our research may lead us down avenues we do not yet know we need to go down. For this reason, we do not use consent as the lawful basis as we could not fulfil the UK GDPR requirement to be very detailed about what you are providing consent for. Genomics England therefore uses Legitimate Interests as its lawful basis in line with guidance from the Health Research Authority, which can be found here.

We have assessed our processing against your rights and have documented them appropriately. Our legitimate interests are that, as a company wholly owned by the Department of Health and Social Care, we collect your personal data to fulfil the function for which we were created, that is to create a de-identified library of genomic and health data for the purpose of research.

We keep you informed by the fact that you are provided with an opportunity to discuss your participation with a healthcare professional, through the provision of participant materials and our regularly reviewed and up-to-date privacy notice and website.

Do we use any data processors (sub-contractors) to process your data? 

We comply with the law by ensuring all our data processors: 

  • Are properly assessed to ensure they can meet our operational and technological control expectations; 
  • Have a contract in place with us which restricts them to only using the data for purposes we authorise (unless we give them written approval); 
  • Don’t further sub-contract it without our explicit permission; 
  • Give us guarantees about the security under which the data are kept; and 
  • Are subject to us auditing, if required, their procedures and processes  

Our key data processors for collecting your information to see if you are eligible for our research are: 

  • Microsoft 365 (our office and data storage providers) 
  • MailChimp (email service) 
  • SmartSurvey (provided us with the webform and hold the data collected) 

Our key data processors when you are part of the research study are: 

  • Amazon Web Services (UK data centre for storage and processing) 
  • Lifebit (secure research software provider within our Amazon organisational unit) 
  • You can find a list of all our processors and links to their security information here 

The below privacy notices were archived on 18 June 2020.

What is the GDPR?

The GDPR creates a new data protection regime throughout the EU, “designed to harmonise data privacy laws across Europe, to protect and empower all EU citizens’ data privacy and to reshape the way organisations across the region approach data privacy”. The Data Protection Act 2018 makes provision for how the GDPR will operate in the UK.

How does the GDPR affect Genomics England?

The GDPR applies to anything we do with your personal data, such as collecting, storing or using it in any way. We are a Data Controller under the GDPR. We process personal data, including something known as ‘special category personal data’ (SCPD). SCPD includes genetic data and data concerning health – which we process as part of the 100,000 Genomes Project.

Under legislation in force before the GDPR – the Data Protection Act (1998) − Genomics England processed data on the basis of Participant Consent. Changes introduced as part of the Data Protection Act 2018 and the GDPR, however, mean that the basis for data processing has evolved.

What is changing?

Article 6 of the GDPR details the six criteria for the lawfulness of processing data. Genomics England can only process personal data if it meets at least one of these. We rely on the provision that allows us to process personal data based on our legitimate interests, which are to carry out medical research and in providing clinical care.

This change in the basis of the lawfulness of Genomics England’s clinical and research data processing will come into effect on 25 May 2018.

What does this mean for consent?

It is important to note that participant informed consent is fundamental to the 100,000 Genomes Project and Genomics England’s work – and this will not change. Indeed, “the creation of an ethical and transparent programme based on consent” is one of our four founding aims. This commitment is further underlined by England’s Chief Medical Officer, Dame Sally Davies, who focuses on the importance of informed consent to the success of genomic medicine in her 2017 report, ‘Generation Genome’.

Genomics England is committed to – and will continue to deliver – a workable consent process that allows participants to make informed choices on how their confidential genomic data is used.

Where can I find out more?

There are resources available to help people understand and make informed choices on the ways in which we use their data.

  • Data Protection Officer (DPO): In compliance with the GDPR and the Data Protection Act 2018, Genomics England has appointed a Data Protection Officer. Our DPO is a senior, qualified data practitioner who, amongst other duties:
  • helps us to monitor internal compliance with the GDPR;
  • informs and advises on our data protection obligations, including under the new Data Protection Act; and
  • provides advice and is the first point of contact for any questions on how we use data.

Genomics England’s DPO can be contacted – here.

  • Data Access and Use: more information on how we use data, as well as our Privacy Notices, can be found on our website – here.
  • Information Commissioner’s Office (ICO): the ICO is the UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals. The ICO is an excellent resource on data protection issues and is the body responsible for investigating concerns.
  • Health Research Authority (HRA) guidance for those in the health and social care research sector can be found here.

Privacy Notice for Website Users

Version 1. Dated 24 May 2018

1. About us

We are Genomics England Limited, also known as Genomics England, a company registered in England and Wales (Company No. 08493132). We are listed on the Information Commissioner’s register of data controllers under number: ZA021653

2. Introduction and purpose of this Privacy Notice

This Privacy Notice sets out key information that it is essential for you to know when you provide information to Genomics England.

This informs you of what to expect when Genomics England collects information from you, such as when you visit our website or subscribe to our newsletter. It does not apply to information from participants in the 100,000 Genomes Project; or members of the Discovery Forum or GeCIP. For details on data collected from participants, members of the Discovery Forum and GeCIP please see below.

We are the data controller for your personal data and this Privacy Notice describes how we process it. By processing, we mean any operations such as collecting, organising, structuring, storing and destroying personal data. We will put in place appropriate technical measures to protect your personal data and to ensure that we process it:

  • Fairly and proportionately;
  • Only in ways that are relevant to the purposes for which it is to be used;
  • Accurately so that it is complete and up to date;
  • So that it is kept no longer than is necessary;
  • So that it is protected by security safeguards to prevent loss, unauthorised destruction, use or disclosure;
  • In accordance with the General Data Protection Regulation (GDPR) 2018 and the Data Protection Act 2018.

3. Our right to change our Privacy Notice

We may make changes to our Privacy Notice and when we do we will post our changed Privacy Notice on our website and it will then apply. We will always put the date and version of our Privacy Notice at the top, so that you can easily find this information.

4. What is personal data?

Personal data is any information about a living individual that can be used to identify the individual, such as name, address, date of birth, email address, photographs or videos. It may also include special categories of personal data. This is information concerning: racial or ethnic origin; political opinions; religious or philosophical beliefs; trade union membership; genetic or biometric data; health data; data concerning a person’s sex life or sexual orientation.

5. What information we collect

When you use our website on or register to receive our newsletters we collect the following personal data when you provide it to us, such as:

  • Name and title
  • Username
  • Address
  • Email address
  • Affiliated institutions where you have one

6. Your personal data and how we process it

We only ever use your personal data lawfully and when you have given us your consent to the processing of it. Most commonly we will use your personal data in the following circumstances:

  • To allow you to register to receive our newsletters.
  • To communicate with you on events, news and updates from Genomics England.

You may withdraw your consent at any time by clicking the ‘unsubscribe’ bottom of any email we sent to you or by contacting us at [email protected].

We will never sell your personal data or share it with third parties who might use it for their own purposes.

7. How we protect your personal data

The security of your personal data is very important to us. We will ensure that we have in place appropriate organisational and technical measures to prevent unauthorised access, improper use, alteration, destruction or accidental loss of your personal data.

8. How long we keep your personal data

We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for.

9. Your rights and your personal data

Under certain circumstances, by law you have a number of rights in respect of your personal data. These include the right to:

  • Request access to your personal information, known as a ‘data subject access request’. This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
  • Request that we correct the personal data we hold about you if it is inaccurate or out of date.
  • Request that we erase your personal data where there is no good reason for us continuing to process it.
  • Request that we restrict the processing of your personal data where there is a dispute about its accuracy or the reason for processing it.
  • Request the transfer of your personal information to another party where our processing of it is under a contract or based on your consent and the processing is carried out by automated means.

If you want to obtain access to, request correction or erasure of, restrict the processing of or request the transfer of your personal information please contact [email protected]

For more information on your rights and your personal data please see the Information Commissioner’s website.

Complaints

If you consider that we have not handled your personal data lawfully then please contact our Data Protection Officer. You also have the right to make a complaint at any time to the Information Commissioner’s Office, the UK supervisory authority for data protection issues.

You can contact the Information Commissioner at:

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Tel: 0303 123 1113

Contact details and useful information

If you have any questions about this Privacy Notice and how we handle your personal data then please contact our Data Protection Officer at [email protected]

Privacy Notice for Participants in the 100,000 Genomes Project

Version 1. Dated 24 May 2018

1. Introduction

This Privacy Notice describes how we collect, store and process personal information about you as a Participant in the 100,000 Genomes Project and in accordance with the General Data Protection Regulation (GDPR).

At Genomics England we take privacy seriously and will only use your personal information for the benefits of research or for clinical care. As a Participant you have been kind enough to volunteer for the 100,000 Genomes Project and you will have been referred for inclusion in the 100,000 Genomes Project by your clinician and may have certain rare diseases yourself or in your family, or you may have cancer. You will, in most cases, have been invited to take part by a clinical team and in all cases you will have given your consent to providing your personal information by completing and signing a consent form.

Genomics England is a ‘data controller’ and we want you to be clear about how we collect, store and use personal information about you, how we protect the privacy of your personal information and how you can access your personal information should you choose to do so.

It is therefore important that you read this Privacy Notice as it will explain:

  • What information we collect and why we collect it.
  • Where the information comes from
  • How we use that information.
  • How we keep the information private
  • The choices we offer, including how to access and update information.

We’ve tried to keep this Privacy Notice it as simple as possible, but if you’re not familiar with the terms used in it, such as Health Data, Genome Data then visit our Data types and storage page to read about these key terms.

Your privacy matters to us. If you have any questions about this Privacy Notice then please contact our Data Protection Officer at [email protected]

2. Information we collect, store and process about you

We collect, store and process your personal information and this information includes health data from clinical care that has been given to us about your genome sequence data which is obtained after we have processed samples of blood, tissue, and saliva. We also produce interpretation reports once we have analysed all your information and these reports are provided to your clinical team for review.

3. Why is this information collected

By considering your health data and genome data together, researchers will be able to better understand the relationship between variations in the genome and the health of the individual. In rare diseases, they may be able to better explain the condition, arrive at a new diagnosis or suggest a new approach to treatment. In cancer, they may be able to predict the effect of a particular course of treatment, avoiding drugs that would not work for the individual concerned or selecting or developing drugs that have a better chance of success.

Under the GDPR, personal data can only be processed where one of the specific conditions set out in the GDPR is satisfied. We rely on the provision that allows data controllers to process personal data on the basis of legitimate interests: the interests on which we rely are our interests in carrying out medical research and in providing clinical care.

There are also specific provisions in the GDPR in relation to special categories of personal data (including genetic, biometric and health data), under which such data can only be processed on limited grounds. In order to process such data, we rely on the provisions that allow such data to be processed for research purposes and for providing clinical care.

4. What type of data is collected

As part of your treatment or clinical care, you may provide personal information about yourself and your condition to your clinical team. This may include personal information, like name, address, date of birth and other demographic information. It may also include other information (much of it very personal) about your condition and how it affects you. As part of your treatment the information held about you may include photos, scans, images or video and these may all form part of the health data.

To ensure there is the richest possible health data set for research purposes we collect all sorts of data, even things that at first look might not have any relevance to a health condition. This is because we don’t yet know what is important. For instance, we collect details about birth and childhood illnesses because these might – or might not – have an influence on a condition. While some information we collect may not be relevant for an individual, it might be very important in other people’s conditions. For instance, we collect information about mental health and disability which is an important symptom for many of the rare conditions we cover.

5. Where is data collected from

Some of your health data will come from NHS hospitals and GPs or other health care teams that have provided you with care at any time; other health data will come from NHS healthcare organisations (such as NHS Digital, NHS England and Public Health England) that will either provide care in the future or support organisations that provide that care.

Information that we may share or link to other organisations
As part of the 100,000 Genomes Project we need to link different types of your health data, that is held by other organisations, to get a complete overview of your health data footprint so that we may carry out our research. In practice in order to access and obtain health data held by other organisations, including NHS Digital, NHS England and Public Health England, we may share your personal information with these other organisations so that they can provide your personal information to us.

Before we share any of your personal information we ensure that agreements are in place that include strict rules and processes on how your personal information is shared.

6. Keeping data private

Research users will have restricted access to de-identified datasets which contain only the information they need for their specific and approved research study. From this information they may produce additional research data based on their analysis. Researchers should not be able to work out who this data is about, or even who is participating in the Project, simply by looking at the information in the system. However, any non-trivial piece of health data – even a de-identified report of an appointment booking – could be re-identified by somebody who already has enough information about the individual in question. This is why Genomics England insists all access to its data takes place within their secure environment, where it can be monitored.

No data held by Genomics England will be accessible to other government agencies which includes HMRC and the Child Support Agency In the unusual situation that a request for data is made by a court order then this will be referred to Genomics England’s Legal Counsel as promptly as possible so that all representations may be made to the court, for example, to limit the information requested being released. We do not share information with insurance companies.

7. Withdrawing participation from the 100,000 Genomes Project

If a participant changes their mind and wants to withdraw from the 100,000 Genomes Project then they are free to do so and this will always be acted on without delay as we aim to make this process as easy as possible. There are two options:

Option 1 – partial withdrawal: ‘no further contact’ – this means Genomics England will not contact the participant again although the clinical team will still get an initial report about the rare condition or cancer but no more reports after this. The clinical team will ask the participant if they want to receive this initial report only. Genomics England will continue to use any samples already collected for research purposes and will continue to update and store information from the participant’s health and other records for use in approved research.

Option 2 – full withdrawal: ‘no further use’ – this means the participants would no longer be in the 100,000 Genomes Project although an initial report would still go to the clinical team for them to check if the participant wants to receive this. After this there is no further contact. We would destroy any DNA samples that we hold and from that point forwards we would restrict researchers from accessing any information we hold by putting it beyond any future use. Data that has been used already in research cannot be altered as that would affect the research results on which discoveries may be made.

Finally regardless of the option chosen above we will keep an audit record to say that the participant was once part of the Project and then withdrew. This includes their surname, first name, date of birth, address and contact details. This information is held in a very secure area with access limited to a very small number of staff within Genomics England.

8. Children in the 100,000 Genomes Project

When participants in the 100,000 Genomes Project reach the age of 16 they will be given the opportunity to give their own consent as an adult to remain in the Project. They will be contacted by their clinical team to complete this process.

9. Information that is captured when we are contacted

Genomics England can be contacted by phone, email or via our website. When you contact us we may record your details so we can best answer your query and provide you with a response. We will keep a record of these communications in case you contact us again but these records will not be used for other purposes. We review the information we hold and the length of time these are held as part of our records management policy.

We may contact you by post to keep you informed about the 100,000 Genomes Project or to discuss clinical trials that may be of interest to you. We may use email to do this if you prefer and where you have provided us with your email address.

10. Accessing and updating your personal information

Under the GDPR you have the right of access to your personal information; you also have rights to rectify the information or have it erased, and to restrict or object to processing. These rights are subject to various exceptions, including in relation to information processed for research purposes.

Genomics England aims to ensure we have the most accurate data and up to date information but we do recognise that this may not always be the case. If the information we hold is wrong we strive to give you ways to update it quickly or to request it is deleted. When updating your personal information, we may ask you to verify your identity before we can act on your request.

There may also be situations where we may reject requests that we believe are unreasonably repetitive or require disproportionate technical effort. We may also reject requests that we believe risk the privacy of others and where these circumstances apply we will contact you to discuss our concerns.

Where we can provide information access and correction, we will do so free of charge. In certain cases we may charge reasonable amounts where we believe this is appropriate due to the effort that may be needed to satisfy the request. Again where we believe this is the case we will contact you to discuss the matter further.

Like all organisations we take our data security extremely seriously and therefore we make backups of all our data. This helps to protect this vital data from accidental or malicious destruction. Because of this, after we have deleted information, at your request, we may not immediately be able to delete residual copies from our backup systems. We will confirm to you as part of our discussions how we can address your privacy concerns in this respect.

11. Information security and period of storage

We work hard to protect all data from unauthorised access to or unauthorised alteration, disclosure or destruction of information that we hold. In particular:

  • We encrypt much of the data we hold
  • We use access control techniques
  • We restrict access to personal information to only those staff who need to see this information
  • All staff and suppliers who need to access this information are subject to strict contractual confidentiality obligations. They may be disciplined or their contract terminated if they fail to meet these obligations.
  • We continually review our information collection, storage and processing practices, including physical security measures, to guard against unauthorised access to systems.

We store your personal data for no longer than is necessary to carry out our legitimate interests of medical research and providing clinical care. We have implemented appropriate technical and organisational measures to keep your personal data safe and to safeguard your rights and freedoms.

12. Changes

This Privacy Notice may change from time to time. We will post any Privacy Notice changes on this page and, if the changes are significant, we will provide a more prominent notice (including, for certain services, email notification of Privacy Notice changes). We will also keep prior versions of this Privacy Notice in an archive for your review.

Contact details and useful information

The address of Genomics England is:

Dawson Hall
Charterhouse Square
London
EC1M 6BQ

For general enquires our contact details can be found on our Contact us page.

Complaints and requests for information

When we receive formal written complaints, we will contact the person who made the complaint to follow up. We work with the appropriate regulatory authorities, including the Information Commissioners Officer, to resolve any complaints.

If you have a complaint, issue or question relating to this privacy notice or data protection you can contact our Data Protection Officer by the following methods:

By Phone – Call 0207 882 5030 (main switchboard) and ask for the Data Protection Officer.

By email – [email protected]

By letter – Addressed to the Data Protection Officer at the address above.

Genomics England is registered with the Information Commissioners Office Data Protection Register. Our registered number is ZA021653.

Privacy Notice for Applicants for Positions at Genomics England

Version 1. Dated 24 May 2018

1. Introduction

Genomics England was set up by the Department of Health and Social Care to deliver the 100,000 Genomes Project. This ambitious consent-based project is the largest national genome sequencing effort of its kind in the world. Participants are NHS patients with a rare disease, plus their families, and patients with cancer. We are creating a new genomic medicine service for the NHS to support better diagnosis and better treatments for patients. We are also enabling medical research and aim to kick-start a UK genomics industry.

2. Purpose of this Privacy Notice

This Privacy Notice sets out key information that it is essential for you to know when you provide information to Genomics England as part of the recruitment process.

We are the data controller for your personal data and this Privacy Notice describes how we process it.

By processing your personal data we mean any activity we perform on it such as collecting, storing, adapting or using it in any way during our recruitment process. We will put in place appropriate technical measures to protect your personal data and to ensure that we process it:

  • Fairly and proportionately;
  • Only in ways that are relevant to the purposes for which it is to be used;
  • Accurately so that it is complete and up to date;
  • So that it is kept no longer than is necessary;
  • So that it is protected by security safeguards to prevent loss, unauthorised destruction, use or disclosure;
  • In accordance with the General Data Protection Regulation (GDPR) and the Data Protection Act 2018.

3. Our right to change our Privacy Notice

We may make changes to our Privacy Notice during our recruitment process and when we do we will email you to let you know that we have changed it.

4. What is personal data?

Personal data is any information about a living individual that can be used to identify the individual, such as name, address, date of birth, email address, photographs or videos. It may also include special categories of personal data. This is information concerning: racial or ethnic origin; political opinions; religious or philosophical beliefs; trade union membership; genetic or biometric data; health data; data concerning a person’s sex life or sexual orientation.

5. Your personal data and how we process it

We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:

  • To process your personal data as part of our recruitment exercise and before we offer a contract of employment to you;
  • When we need to comply with a legal obligation e.g. to check your eligibility to work in the UK.

From time to time we may seek your consent to process special categories of personal data and we will ask for your explicit consent before we process it. You are under no obligation to give consent if we ask for it. Where you do provide consent you may withdraw it at any time.

The personal data we collect and process about you includes:

Type of information Examples
Personal details. Name, address, date of birth, nationality, gender, religion, and preferred language, details of any disabilities, work restrictions and/or required adjustments.
Information that is necessary to enable us to carry out our recruitment exercise including information about your work history, your qualifications and your suitability to work for us. Information included in an application form, CV or covering letter provided as part of an application, references, interview notes, results of any assessments carried out as part of the recruitment process (e.g. such as coding ability tests) right to work documents, information to identify you such as passport details, records/results of pre-employment checks, including criminal record checks, credit and fraud checks.
Information that is necessary to enable us to carry out our recruitment exercise including your employment records and experience. CVs, references, records of skills and experience, including job titles, work history, working hours, qualifications, skills, training and other compliance requirements and professional memberships.
Health information. Health and sickness records and details of any medical condition but only where a medical condition will directly impact on your ability to carry out your work. So we will not collect general health information, such as the illnesses/ diseases you have had or the medicines you take, but we may collect details of, for example, a back injury if this would prevent you from sitting at a desk without reasonable adjustments being made for you to enable you to carry out your work.

We will not use your personal data for any purpose other than the recruitment exercise for which you have applied.

6. Sharing your personal data

Your personal data may be shared internally for the purposes of our recruitment exercise. This includes sharing it with members of our HR team and those directly involved in our recruitment exercise including managers and interviewers.

We will not share your personal data with third parties, unless your application for employment is successful and we make you an offer of employment. In this situation we will share your personal data with Sterling Talent Solutions UK, the organisation we use to carry out pre-employment checks on you, the Disclosure and Barring Service to obtain necessary criminal records checks and your referees.

Occasionally we may transfer your personal information outside the European Economic Area (EEA). Any third party with whom we share your personal data will be required to protect it and put in place appropriate technical and security measures to protect it in accordance with our instructions.

The third party organisations outside EEA that process your personal information include:

  • Sterling Talent Solutions UK

We limit access to your personal data to those who have a business need to know. They will only process your personal data in accordance with our instructions and they are required to keep your personal data confidential.

7. How we protect your personal data

The security of your personal data is very important to us. We will ensure that we have in place appropriate organisational and technical measures to prevent unauthorised access, improper use, alteration, destruction or accidental loss of your personal data.

8. How long we keep your personal data

We will only retain your personal data for as long as necessary to fulfil the purposes of the recruitment exercise. Should your application be successful we will transfer your personal data to your personnel file and your personal data will be retained in accordance with our policies and practices for our employees. We will provide you with an Employee Privacy Notice in such a situation and it will set out all relevant details.

Should your application be unsuccessful we will destroy your personal data within one month.

9. Your rights and your personal data

Under certain circumstances, by law you have a number of rights in respect of your personal data. These include the right to:

  • Request access to your personal information, known as a “data subject access request”. This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it;
  • Request that we correct the personal data we hold about you if it is inaccurate or out of date;
  • Request that we erase your personal data where there is no good reason for us continuing to process it;
  • Request that we restrict the processing of your personal data where there is a dispute about its accuracy or the reason for processing it; and
  • Request the transfer of your personal information to another party where our processing of it is under a contract or based on your consent and the processing is carried out by automated means.

If you want to obtain access to, request correction or erasure of, restrict the processing of or request the transfer of your personal information please contact [email protected]. Where you would like us to correct the personal data we hold on you, in the first instance we would encourage you to do this by contacting our HR and recruitment teams. However you can contact our Data Protection Officer using the above email address.

For more information on your rights and your personal data please see the Information Commissioner’s website.

Contact details and useful information

If you have any questions about this Privacy Notice and how we handle your personal data then please contact our Data Protection Officer at [email protected]

Complaints

If you consider that we have not handled your personal data lawfully then please contact our Data Protection Officer. You also have the right to make a complaint at any time to the Information Commissioner’s Office, the UK supervisory authority for data protection issues.

You can contact the Information Commissioner at:

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Tel: 0303 123 1113

Privacy Notice for GeCIP Members

Version 2. Dated 6 July 2018

1. Purpose of this Privacy Notice

This Privacy Notice sets out key information that it is essential for you to know when you provide information to Genomics England as part of the Genomics England Clinical Interpretation Partnership (GeCIP).

We, Genomics England Limited, are the data controller in respect of your personal data that we collect, use and manage and this Privacy Notice describes how we process it.

By “processing” your personal data we mean any activity we may perform on it such as collecting, storing, adapting or using it in any way. We will put in place appropriate technical measures to protect your personal data and to ensure that we process it:

  • Fairly and proportionately;
  • Only in ways that are relevant to the purposes for which it is to be used;
  • Accurately so that it is complete and up to date;
  • So that it is kept no longer than is necessary;
  • So that it is protected by security safeguards to prevent loss, unauthorised destruction, use or disclosure;
  • In accordance with the General Data Protection Regulation (GDPR) and the Data Protection Act 2018.

2. Our right to change our Privacy Notice

We may make changes to our Privacy Notice and when we do we will post our changed Privacy Notice on our website and it will then apply. We will always put the date and version of our Privacy Notice in its header so that you can easily find this information. It is your responsibility to review this Privacy Notice from time to time.

3. What is personal data?

Personal data is any information about a living individual that can be used to identify the individual, such as name, address, date of birth, email address, photographs or videos. It may also include special categories of personal data. This is information concerning: racial or ethnic origin; political opinions; religious or philosophical beliefs; trade union membership; genetic or biometric data; health data; and data concerning a person’s sex life or sexual orientation.

4. Your personal data and how we process it

We will only use your personal data when we have a legal basis for doing so. In accordance with the purposes for which we collect and use your personal data, as set out below, the legal basis for us processing your personal data will typically be one of the following:

  • your consent;
  • the performance of a contract that we have in place with you or other individuals;
  • our or our third parties’ legitimate interests provided we safeguard your fundamental rights and interests; or
  • compliance with our legal obligations.

Where we refer to “legitimate interests”, we refer to the interests of Genomics England in being able to carry out its activities in managing the GeCIP and its membership and in being able to manage its staff efficiently and effectively.

From time to time we may seek your consent to process special categories of personal data and we will always ask for your consent before we process any such personal data. You are under no obligation to give consent if we ask for it. Where you do provide consent you may withdraw it at any time.

5. The purposes for which we process your personal data

We may process your personal data for the following purposes:

  • when we process your application for membership of the GeCIP or carry out further administration in relation to your membership;
  • when you join our mailing list;
  • to communicate with you;
  • to comply with applicable laws and regulations; and

other purposes relating to our operations, including managing accounts and records, legal, regulatory and internal investigations and debt administration.

6. What personal data we collect

The personal data we collect and process about you includes:

Type of information Examples
Personal details Name, address, telephone email address, gender, job title, affiliations, research institutions.
Information that is necessary to enable us to carry out your membership application and membership generally. Information included in membership application forms, meeting notes references, records of skills and experience, including job titles, qualifications, skills, training and other compliance requirements and professional memberships. The name, address, telephone, email address of members of your organisation or associated with your organisation provided you have confirmed to us that they have consented to us having this information.
Publically available information Publically available information from social media, such as Twitter and LinkedIn, when interacting with you via these platforms.
Health information Details of any allergies or dietary requirements so that we can cater for you.

7. Sharing your personal data

We may share your personal data with third parties where it is necessary to enable us to carry out our activities in managing GeCIP. For example we may share your personal data with members of GeCIP and other organisations with whom we collaborate for the purposes of verifying your identity and for developing working partnerships. We may also share your personal data with third parties such as event organizers for health and safety purposes.

We may disclose your personal data to third parties including the authorities, our advisors, suppliers of IT services and third parties engaged by us for the purpose of providing services requested by you; to protect any intellectual property rights in any materials displayed on or otherwise available from our website; for the purposes of seeking legal or other professional advice; to respond to a legal request or comply with a legal obligation; and to enforce the GeCIP Rules

Any third party with whom we share your personal data will be required to protect it and put in place appropriate technical and security measures in accordance with our instructions. They are required to keep your personal data confidential.

8. How we protect your personal data

The security of your personal data is very important to us. We will ensure that we have in place appropriate organisational and technical measures to prevent unauthorised access, improper use, alteration, destruction or accidental loss of your personal data.

9. How long we keep your personal data

We will only retain your personal data for as long as is necessary for the purposes for which it is collected.

10. Your rights and your personal data

Under certain circumstances and subject to applicable exceptions, you have a number of legal rights in respect of your personal data. These include the right to:

  • request access to your personal information, known as a “data subject access request”. This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it;
  • request that we correct the personal data we hold about you if it is inaccurate or out of date;
  • request that we erase your personal data where there is no good reason for us continuing to process it;
  • request that we restrict the processing of your personal data where there is a dispute about its accuracy or the reason for processing it; and
  • request the transfer of your personal information to another party where our processing of it is under a contract or based on your consent and the processing is carried out by automated means.

If you want to obtain access to, request correction or erasure of, restrict the processing of or request the transfer of your personal information please contact [email protected]

Where you would like us to correct the personal data we hold on you, in the first instance we would encourage you to do this by getting in touch with your GeCIP coordinator. However you can contact our Data Protection Officer using the above email address.

If you decide that you do not want to receive our newsletter or any other communications from us, you can ‘opt-out’ from receiving such communications and update your preferences by emailing us at [email protected]and.co.uk, by contacting your GeCIP lead contact, or by clicking on the ‘unsubscribe’ link provided at the bottom of certain emails sent to you.

For more information on your rights and your personal data please see the Information Commissioner’s website at https://ico.org.uk/for-organisations/guide-to-data-protection

Contact details and useful information

If you have any questions about this Privacy Notice and how we handle your personal data then please contact our Data Protection Officer at [email protected]

Complaints

If you consider that we have not handled your personal data lawfully then please contact our Data Protection Officer. You also have the right to make a complaint at any time to the Information Commissioner’s Office, the UK supervisory authority for data protection issues.

You can contact the Information Commissioner at:

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Tel: 0303 123 1113

Privacy Notice for Genomics England Discovery Forum Members

Version 1. Dated 24 May 2018

1. Purpose of this Privacy Notice

This Privacy Notice sets out key information that it is essential for you to know when you provide information to Genomics England as part of the Discovery Forum.

We are the data controller for your personal data and this Privacy Notice describes how we process it.

By processing your personal data we mean any activity we perform on it such as collecting, storing, adapting or using it in any way during your membership application. We will put in place appropriate technical measures to protect your personal data and to ensure that we process it:

  • Fairly and proportionately;
  • Only in ways that are relevant to the purposes for which it is to be used;
  • Accurately so that it is complete and up to date;
  • So that it is kept no longer than is necessary;
  • So that it is protected by security safeguards to prevent loss, unauthorised destruction, use or disclosure;
  • In accordance with the General Data Protection Regulation (GDPR) and the Data Protection Act 2018.

2. Our right to change our Privacy Notice

We may make changes to our Privacy Notice and when we do we will post our changed Privacy Notice on our website and it will then apply. We will always put the date and version of our Privacy Notice in its header so that you can easily find this information.

3. What is personal data?

Personal data is any information about a living individual that can be used to identify the individual, such as name, address, date of birth, email address, photographs or videos. It may also include special categories of personal data. This is information concerning: racial or ethnic origin; political opinions; religious or philosophical beliefs; trade union membership; genetic or biometric data; health data; data concerning a person’s sex life or sexual orientation.

4. Your personal data and how we process it

We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances.

  • When we need to process your application for membership of the Discovery Forum;
  • When you join our mailing list; and
  • Where it is necessary for our legitimate interests provided we safeguard your fundamental rights and interests.

Where we refer to “legitimate interests”, we refer to the interests of Genomics England in being able to carry out its activities in managing the Discovery Forum and the membership of it.

From time to time we may seek your consent to process special categories of personal data and we will ask for your consent before we process your personal data. You are under no obligation to give consent if we ask for it. Where you do provide consent you may withdraw at any time.

The personal data we collect and process about you includes:

Type of information Examples
Personal details Name, address, telephone email address, gender, job title, affiliations, research institutions.
Information that is necessary to enable us to carry out your membership application and membership generally Information included in membership application forms, meeting notes references, records of skills and experience, including job titles, qualifications, skills, training and other compliance requirements and professional memberships. The name, address, telephone, email address of members of your organisation or associated with your organisation provided you have confirmed to us that they have consented to us having this information.
Publically available information Publically available information from social media, such as Twitter and LinkedIn.
Health information Details of any allergies or dietary requirements so that we can cater for you.

5. Sharing your personal data

We may share your personal data with third parties where it is necessary to enable us to carry out our activities in managing the Discovery Forum. For example we may share your personal data with members of the Discovery Forum and other organisations with whom we collaborate. We may also share your personal data with third parties such as event organisers. Any third party with whom we share your personal data will be required to protect it and put in place appropriate technical and security measures in accordance with our instructions. They are required to keep your personal data confidential.

6. How we protect your personal data

The security of your personal data is very important to us. We will ensure that we have in place appropriate organisational and technical measures to prevent unauthorised access, improper use, alteration, destruction or accidental loss of your personal data.

7. How long we keep your personal data

We will only retain your personal data for as long as you are a part of the Discovery Forum.

8. Your rights and your personal data

Under certain circumstances, by law you have a number of rights in respect of your personal data. These include the right to:

  • Request access to your personal information, known as a “data subject access request”. This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it;
  • Request that we correct the personal data we hold about you if it is inaccurate or out of date;
  • Request that we erase your personal data where there is no good reason for us continuing to process it;
  • Request that we restrict the processing of your personal data where there is a dispute about its accuracy or the reason for processing it; and
  • Request the transfer of your personal information to another party where our processing of it is under a contract or based on your consent and the processing is carried out by automated means.

If you want to obtain access to, request correction or erasure of, restrict the processing of or request the transfer of your personal information please contact [email protected]

Where you would like us to correct the personal data we hold on you, in the first instance we would encourage you to do this by getting in touch with your Genomic England Discovery Forum contact. However you can contact our Data Protection Officer using the above email address.

For more information on your rights and your personal data please see the Information Commissioner’s website at https://ico.org.uk/for-organisations/guide-to-data-protection

Contact details and useful information

If you have any questions about this Privacy Notice and how we handle your personal data then please contact our Data Protection Officer at [email protected]

Complaints

If you consider that we have not handled your personal data lawfully then please contact our Data Protection Officer. You also have the right to make a complaint at any time to the Information Commissioner’s Office, the UK supervisory authority for data protection issues.

You can contact the Information Commissioner at:

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Tel: 0303 123 1113


Useful links

Loading...