Genomics England privacy notice
Our privacy notice gives general information about who we are, what we do and who to contact if you want more information (such as to exercise your information rights), as well as more detail about how we use your personal data.
General information
Genomics England’s priority is to ensure that the data of all participants and everyone it deals with is protected – and that we are fully compliant with the latest data protection legislation.
Who we are and what we do
Genomics England is a limited company wholly owned by the Department of Health and Social Care (company registration 08493132).
We were created to run the 100,000 Genomes Project, a project instigated by former Prime Minister David Cameron in order to research cancers and rare diseases. That project has now come to an end. The Project is transitioning to where the main source of recruitment, sample and data acquisition, and mechanism for return of results will be via the NHS Genomic Medicine Service (NHS GMS).
What we use your personal data for
Genomics England processes personal data for a number of reasons. These include:
- research,
- providing the NHS Genomic Medicine Service (NHS GMS),
- recruitment,
- using this website,
- organising conferences and
- providing access to our research environment to other research institutions and businesses.
Genomics England is a data controller, and we are registered with the Information Commissioner’s Office (ICO), registration number ZA021653.
To find out about how we use your personal data, click to expand the section that relates to you below.
This page is valid from 17 June 2022
The NHS Genomic Medicine Service (NHS GMS) is the arm of the NHS working to enable the NHS to harness the power of genomic technology and science to improve the health of our population.
If you're a patient of the NHS Genomic Medicine Service, you may be offered whole genome sequencing as part of your clinical care. You will be asked if you want to donate genome sequence and health data, and/or your sample (blood/saliva/tissue, etc.), for research.
If you agree, your samples will be stored securely and your data will be added to the National Genomic Research Library. This is a secure national database of pseudonymised genomic and health data managed by Genomics England. NHS England, on behalf of the hospitals (Trusts) that provided your genomic test, will allow Genomics England to access your identified data to link you to the National Genomic Research Library. Genomics England then pseudonymise your linked data so that approved researchers can use the pseudonymised samples and data to study diseases and look for new treatments. Their research might help you and others now or in the future.
Genomics England Ltd is a Data Controller under data protection legislation for the purposes of the National Genomic Research Library.
Genomics England process the following types of Personal Data:
- Patient Identifiers including NHS Number
- Demographics – name, address, date of birth, ethnicity, registered GP
- Clinical pathway – this is a tool which helps clinicians guide a patient's treatment to make sure the care provided is consistent.
- Family identifiers – where relevant. This may identify one or multiple people in your family group where it is relevant to your health record.
- Clinical Indicators – nature of condition, details of condition
- Clinical measurements and observations relevant to condition specific to cancer or rare and heritable disease pathways
- Clinical ethnicity and clinical sex details
- Details of genomic testing and related procedures – e.g. the type of test performed
- Link to previous requests and tests
- Whole Genome Sequence – this is your DNA sequence recorded in a computer file.
- Health records
Genomics England process the following types of Special Categories of Personal Data:
- Racial or ethnic origin
- Genetic data
- Health data
All data that goes into the research environment is pseudonymised.
What does pseudonymised data mean?
Pseudonymisation means that we take information which would identify you directly out of the data, such as name, address, date of birth and NHS number, and replace them with a unique identifier that only we at Genomics England can use to re-identify you. Researchers that are given access to the Library do so under strict agreements and their access is reviewed by our Access Review Committee, which includes patient and participant representatives. Researchers must also have approval for their study prior to access being granted. The data can only be viewed by researchers, it cannot be taken out of the research environment without permission. You can read more about the Committee on our website.
Due to the detailed nature of the data it can never be truly anonymised, there is always a small risk that an individual may recognise your specific rare condition or other aspects of your health. This is because some clinicians also have access to the Library to conduct research they themselves are involved in.
Lawful basis
For us to use your data, we must identify a lawful basis in the General Data Protection Regulation (UK GDPR) on which to process it. Below are the lawful bases we use.
Type of data and purpose |
Personal data (Article 6 UK GDPR) |
Special category data (Article 9 UK GDPR) |
Identifiable data used to:
|
We rely on Article 6(1)(f) – legitimate interests. |
We rely on Article 9(2)(j) – scientific research |
Pseudonymised data used to conduct research and to investigate, develop and test new tools used to improve research. |
We rely on Article 6(1)(f) – legitimate interests. |
We rely on Article 9(2)(j) – scientific research |
Withdrawing your data from the Research Environment
If you would like to withdraw your data from the research environment please download and complete our Withdrawal Form.
You can email it to [email protected] or you can post it to Data Protection Team at the address in the contact us section of this notice.
Please be aware that this process and the consent you give to take part in this research is separate to the National data opt out.
The National data opt-out is a service that allows patients to opt out of their NHS confidential patient information being used for research and planning. You can find out more here. If you do choose to participate in the National Data Opt Out, we would no longer receive the additional data we receive from the NHS that researchers use and this would limit the value of the research chosen to take part in.
Description of data use
We will be collecting blood and saliva samples from you and your baby to assess the best way of collecting these samples to sequence a baby’s genome.
In addition to the samples we will also collect some other personal information to help us understand what methods work best to get good quality samples from different people.
What data do we collect?
The data we collect about you:
- Ethnicity
- Pregnancy and birth history
About your baby:
- Gender
- Ethnicity
- Date of birth
Although your care team will know you and your baby have taken part in the study, Genomics England won’t be collecting your name, address or any other contact details. We’ll be assigning you a code in order to de-identify or pseudonymise your data as much as possible and protect your privacy.
Lawful basis
UK GDPR classifies your personal data in two ways:
- Personal data – such as your name, email address and phone number
- Special category data – such as information relating to your health and including your DNA (your genomic sequence), or your ethnicity.
For us to use your data, we must identify a lawful basis in the General Data Protection Regulation on which to process it. Below are the lawful bases we use:
Type of data and purpose |
Personal data (Article 6 UK GDPR) |
Special category data (Article 9 UK GDPR) |
Personal Data collected together with your blood or saliva sample |
We rely on Article 6(1)(f) – legitimate interests. |
We rely on Article 9(2)(j) – scientific research. |
What does pseudonymised data mean?
Pseudonymisation means that information which would identify you directly, such as name, address, date of birth and NHS number, is removed before the data is given to us and replaced with a unique identifier.
Due to the detailed nature of the data, it can never be truly anonymised, there is always a small risk that an individual may recognise your specific rare pregnancy and birth history or other aspects of your health if they have been involved in your care.
Description of data use
To analyse the whole genome sequences,
To refer children with positive findings for diagnostic testing,
To invite to take complete a survey on behalf of the study evaluation partner,
To process and reimburse travel claims,
To send text reminders to mothers about the study,
Check the consent status of participants
Manage withdrawals requests
To request additional data from the NHS, PHE, NDRS, ONS etc.
Put the data through the pseudonymisation process
Research
Develop and test new tools used to improve research.
What data do we collect?
- Name and contact details for the newborn and mother.
- The newborn’s sequenced genome created from samples of blood, tissue or saliva.
- The mother’s maternity record.
Types of data | Purpose | Personal data (Article 6 UK GDPR) | Special category data (Article 9 UK GDPR) |
Names and contact details | used for the purposes of providing updates on the Generations Study. | We rely on Article 6(1)(a) – consent. | N/A |
Name, contact details, NHS number, study & participant ID, whole genome sequencing, diagnostic outcome data, |
| We rely on Article 6(1)(f) – legitimate interests. | We rely on Article 9(2)(j) – scientific research. |
Name, contact details, NHS number, whole genome sequencing and analysis data. | Referral to NHS clinicians for additional rare disease screening where there is a positive finding. | Direct patient care | we rely on Art 9 (2)(h) Health or social care (with a basis in law) |
Name, contact details, pseudonymised data relating to WGS, analysis and diagnostic outcomes | Study evaluation | We rely on Article 6(1)(f) – legitimate interests. | We rely on Article 9(2)(j) – scientific research. |
Name, contact details, bank details | to process and reimburse travel claims | We rely on Article 6(1)(a) – consent. | N/A |
- The ethnicity of the biological parents.
- Medical test results.
- Electronic copies of the newborn’s health records from the NHS, your GP and other organisations (such as NHS Digital and Public Health England).
- Information about any illnesses or stays in hospital.
- Copies of hospital or clinic records, medical notes, social care, and local or national disease registries.
- Relevant imaging data from your NHS records, such as MRI scans, X-rays or pathology images.
Lawful basis
Who the data is shared with:
Study evaluation partners
NHS Trusts (diagnostic purposes)
Other researchers
Some personal data such as name, NHS Number, Date of Birth, Gender, Postcode is shared with those we receive lifelong data from such as NHS England. This is so they can identify participants to share data with Genomics England.
Pseudonymised data is shared with researchers
What does pseudonymised data mean?
Pseudonymisation means that we remove information which would identify you directly, such as name, address, date of birth and NHS number, and replace them with a unique identifier.
Due to the detailed nature of the data, it can never be truly anonymised, there is always a small risk that an individual may recognise your specific rare condition or other aspects of your health. This is because some clinicians also have access to the NGRL to conduct research, they themselves are involved in.
Who can access the National Genomic Research Library (NGRL)?
Before we grant anyone access to the NGRL, we ensure that agreements are in place that include strict rules and processes on how your pseudonymised personal information is shared safely and securely.
Researcher’s access is reviewed by our Access Review Committee, which includes patient and participant representatives. Researchers must also have approval for their study prior to access being granted. The data can only be viewed by researchers, it cannot be taken out of the research environment without permission. You can read more about the Committee on our website.
Those who are given permission to access the NGRL include:
Academic researchers through our Genomics England Clinical Interpretation Partnerships (GECIPs). You can learn about the work the different GECIP domains are doing through our website
Commercial researchers through our Discovery Forum
Clinicians
Genomics England employees
Description of data use
Data in the National Genomic Research Library (NGRL) includes personal data donated for use in research through:
- the 100,000 Genomes Project (including the pilot stages)
- other genomic research projects
What data do we collect?
The data we collect includes the following types of data:
- your sequenced genome created from samples of blood, tissue or saliva.
- Your medical test results.
- Electronic copies of your health records from the NHS, your GP and other organisations (such as NHS England and Public Health England).
- Information about any illnesses or stays in hospital – including your primary diagnosis and any historic diagnoses going back as far as medical records allow.
- Copies of hospital or clinic records, medical notes, social care, and local or national disease registries.
- Relevant imaging data from your NHS records, such as MRI scans, X-rays or pathology images.
Lawful basis
UK GDPR classifies your personal data in two ways:
- Personal data – such as your name, email address and phone number
- Special category data – such as information relating to your health and including your DNA (your genomic sequence)
For us to use your data, we must identify a lawful basis in the General Data Protection Regulation on which to process it. For us to use your health data for research, we must have a research protocol reviewed and approved by the Research Ethics Committee (REC). The REC is a legal body established as part of the Health Research Authority. The Health Research Authority is the UK public body responsible for authorising research and reviews all our materials to make sure they comply. Below are the lawful bases we use:
Type of data and purpose |
Personal data (Article 6 UK GDPR) |
Special category data (Article 9 UK GDPR) |
Identifiable data used internally to match data together from different sources and make it ready for ‘publishing’ in the NGRL. |
We rely on Article 6(1)(f) – legitimate interests. |
We rely on Article 9(2)(j) – scientific research. |
Pseudonymised data used in the NGRL. These are to conduct research and investigate, test and develop new tools used to improve research. |
We rely on Article 6(1)(f) – legitimate interests. |
We rely on Article 9(2)(j) – scientific research. |
What does pseudonymised data mean?
Pseudonymisation means that we remove information which would identify you directly, such as name, address, date of birth and NHS number, and replace them with a unique identifier.
Due to the detailed nature of the data, it can never be truly anonymised, there is always a small risk that an individual may recognise your specific rare condition or other aspects of your health. This is because some clinicians also have access to the NGRL to conduct research, they themselves are involved in.
Who can access the National Genomic Research Library (NGRL)?
Before we grant anyone access to the NGRL, we ensure that agreements are in place that include strict rules and processes on how your pseudonymised personal information is shared safely and securely.
Researcher’s access is reviewed by our Access Review Committee, which includes patient and participant representatives. Researchers must also have approval for their study prior to access being granted. The data can only be viewed by researchers, it cannot be taken out of the research environment without permission. You can read more about the Committee on our website.
Those who are given permission to access the NGRL include:
- Academic researchers through our Genomics England Clinical Interpretation Partnerships (GECIPs). You can learn about the work the different GECIP domains are doing through our website
- Commercial researchers through our Discovery Forum
- Clinicians
- Genomics England employees
Withdrawing your data from the NGRL
If you would like to withdraw your data from the NGRL please download and complete our Withdrawal Form.
You can email it to [email protected] or you can post it to Data Protection Team at the address in the contact us section of this notice.
Please be aware that this process and the consent you give to take part in this research is separate to the National Data Opt Out.
The National Data Opt-Out is a service that allows patients to opt out of their NHS confidential patient information being used for research and planning. You can find out more here. If you do choose to participate in the National Data Opt Out, we would no longer receive the additional clinical data we receive from the NHS, and this would limit the value of the research you have chosen to take part in.
Description of data use
Genomics England Limited is working as part of the GenOMICC consortium to develop a powerful database of genetic sequences combined with testing and health data to enable researchers to better understand and help in the fight against COVID-19.
This privacy notice relates to two uses of your information:
- Where you complete our web form to indicate your interest in contributing to the research; and
- Where you agreed to share your DNA and health records for research when:
- You were in hospital in the Intensive Care Unit with a severe case of COVID-19; or
- We invite you to take part after registering your interest on our web form
1. How we use the information we collect when you register an interest through our web form
Our web form collects:
- Your first name, surname, date of birth, email address and contact telephone number
- First part of your post code
- Your gender and ethnicity
- Whether or not you tested positive for COVID-19
- Whether or not you were treated for COVID-19 in a hospital Intensive Care Unit (and if so, which Intensive Care Unit)
- Whether or not you had mild symptoms of COVID-19
We will use the data to assess your suitability to take part in the research.
Who will we share it with?
To contact you about research, the information from the form will only be kept and used by Genomics England and the GenOMICC consortium members unless we get further permission from you.
2. How we use your data if you were in intensive care, or we invited you to join the research after you registered an interest via our online web-form
How we use this information
Your genome sequence and health records are pseudonymised, which means we, take all the identifiers out of the data (such as name, address, NHS number, date of birth, and replace them with a unique identifier. The data is then put in the COVID-19 research environment within our National Genomic Research Library (NGRL).
Researchers can look at the data and perform their research but cannot take any of the data out unless it is anonymised and approved by our committee.
Who shares data with us?
So that we can get the richest possible data for our research environment, the following organisations supply us with information about you and your health data:
Type of Organisation |
Data collected |
NHS England |
|
Public Health Data (England, Northern Ireland, Scotland and Wales) |
|
The Intensive Care National Audit and Research Centre (ICNARC) |
|
International Severe Acute Respiratory and Emerging Infection Consortium |
|
Lawful basis
UK GDPR classifies your personal data in two ways:
- Personal data – such as your name, email address and phone number
- Special category data – such as information relating to your health and including your DNA (your genomic sequence)
For us to use your data, we must identify a lawful basis in the General Data Protection Regulation on which to process it. For us to use your health data for research, we must have a research protocol reviewed and approved by the Research Ethics Committee (REC). The REC is a legal body established as part of the Health Research Authority. The Health Research Authority is the UK public body responsible for authorising research and reviews all our materials to make sure they comply. Below are the lawful bases we use:
Use of data |
Type of data |
Personal data (Article 6 UK GDPR) |
Special category data (Article 9 UK GDPR) |
|
1. When you registered your interest to join the COVID-19 research project |
To allow us to contact you for research |
Personal data Special category data |
We rely on Article 6(1)(a) – Consent |
We rely on Article 9(2)(a) – explicit consent |
So we can send you more information by email |
Personal data only |
We rely on Article 6(1)(a) – Consent |
n/a |
|
2. When you agreed to join the COVID-19 research project and were in intensive care or we invited you after you registered an interest |
Personal data Special category data |
We rely on Article 6(1)(f) – Legitimate interests |
We rely on Article 9(2)(j) – a research purpose |
|
Withdrawing your data
If you would like to withdraw your data from this project, please download and complete our Withdrawal Form.
You can email it to [email protected] or you can post it to Data Protection Team at the address in the contact us section of this notice.
Please be aware that this process and the consent you give to take part in this research is separate to the National Data Opt Out.
The National Data Opt-Out is a service that allows patients to opt out of their NHS confidential patient information being used for research and planning. You can find out more here. If you do choose to participate in the National Data Opt Out, we would no longer receive the additional clinical data we receive from the NHS, and this would limit the value of the research you have chosen to take part in.
Description of data use
Genomics England Limited is working with Imperial College London to assist in their research into helping to better understand and help in the fight against COVID-19. This is called the REACT-GE Study.
This privacy notice relates only to the personal information Genomics England collects about you. Imperial College London (REACT-GE) and the University of Edinburgh (GenOMICC) have their own privacy notices for the studies describing how they use your data. These are linked below.
The data Genomics England holds comes from:
- The completed web form where you have agreed to take part in the research; and
- Where we have collected your DNA and health information directly.
1. How we use the information we collect when you register an interest through our web form
Our web form collects:
- A unique code created by the REACT study
- Your first name, surname, date of birth, full address and contact details
- Your gender and ethnicity
- Whether or not you tested positive for COVID-19
- Whether or not you were treated for COVID-19 in a hospital Intensive Care Unit
- A list of symptoms you experienced
This information is sent to our provider, Trust MSS, who will use it to arrange an appointment, collect your samples, ensure you have our information leaflets and ensure you complete the consent form.
Who will we share it with?
To contact you about research, the information from the form will only be kept and used by the organisations that are part of the REACT-GE and GenOMICC studies and their trusted third parties unless we get further permission from you.
2. How we use your data as part of the COVID-19 genomic research study and the National Genomic Research Library (NGRL/Library)
When you join the REACT-GE study, you also join the GenOMICC study. The information that Genomics England uses for both studies is the same and is placed in our secure COVID-19 research environment and our secure National Genomic Research Library research environment.
So that you can easily find what information is being used by the different organisations, the following table provides links:
Study name |
Imperial College London (ICL) |
University of Edinburgh |
Genomics England |
REACT-GE |
This link will take you to the privacy notice detailing how ICL uses your information: download here |
n/a |
The following drop-down sections of this web page (see above) describe how Genomics England uses your data for each study: ‘You agreed to donate your sequenced DNA and health data to the 100,000 Genomes Project or the National Genomic Research Library; AND ‘If you provided your DNA sample and health information as part of our COVID-19 research with the GenOMICC consortium’ |
GenOMICC |
n/a |
This link will take you to the privacy notice detailing how the University of Edinburgh uses your information: view here |
Lawful basis
UK GDPR classifies your personal data in two ways:
- Personal data – such as your name, email address and phone number
- Special category data – such as information relating to your health and including your DNA (your genomic sequence)
For us to use your data, we must identify a lawful basis in the General Data Protection Regulation on which to process it. For us to use your health data for research, we must have a research protocol reviewed and approved by the Research Ethics Committee (REC). The REC is a legal body established as part of the Health Research Authority. The Health Research Authority is the UK public body responsible for authorising research and reviews all our materials to make sure they comply. Below are the lawful bases we use:
Use of data |
Type of data |
Personal data (Article 6 UK GDPR) |
Special category data (Article 9 UK GDPR) |
|
Personal data Special category data |
We rely on Article 6(1)(f) – Legitimate Interests |
We rely on Article 9(2)(j) – a research purpose |
2. When you ‘sign up’ to the REACT-GE study at the appointment with Trust MSS |
Personal data Special category data |
We rely on Article 6(1)(f) – Legitimate interests |
We rely on Article 9(2)(j) – a research purpose. |
Withdrawing your data
If you would like to withdraw your data from this project, please download and complete our Withdrawal Form.
You can email it to [email protected] or you can post it to Data Protection Team at the address in the contact us section of this notice.
Please be aware that this process and the consent you give to take part in this research is separate to the National Data Opt Out.
The National Data Opt-Out is a service that allows patients to opt out of their NHS confidential patient information being used for research and planning. You can find out more here. If you do choose to participate in the National Data Opt Out, we would no longer receive the additional clinical data we receive from the NHS, and this would limit the value of the research you have chosen to take part in.
Description of data use
You can find out more about the Research Network and the Discovery Forum on our website.
What data do we collect?
We collect personal data which includes your name, address, telephone number, email address, gender, job title, affiliations and research institutions.
We will also ask for your contact details at your organisation, such as direct telephone and email address.
To complete our membership information, we also need to know your skills and experience, qualifications, skills, training and other compliance requirements and professional memberships.
Where we organise events, we may collect health and dietary information to better cater for you.
Why do we need it and what do we do with it?
We may use your personal data for the following purposes:
- When we process your application for membership of the Research Network or Discovery Forum
- Carrying out administration in relation to your membership.
- To communicate with you.
- To comply with applicable laws and regulations.
- Other purposes relating to our operations, including managing accounts and records, legal, regulatory and internal investigations and debt administration.
Who do we share it with?
We may share your personal data with third parties to enable us to:
- Carry out our activities in managing the Research Network or Discovery Forum.
- Monitor and improve the Genomics England research environments.
- Develop working partnerships.
- Organise events.
Lawful basis
For us to use your data, we must identify a lawful basis in the General Data Protection Regulation (UK GDPR) on which to process it. Below are the lawful bases we use.
Purpose |
Personal data (Article 6 UK GDPR) |
Special category data (Article 9 UK GDPR) |
Managing the Research Network and Discovery Forum membership where the individual joins |
We rely on Article 6(1)(b) entering into a contract with the data subject |
Where required (for example in organising events) we will rely on Article 9(2)(a) explicit consent |
Managing the Research Network or Discovery Forum membership where you join as part of an institution |
We rely on Article 6(1)(f) – legitimate interests. We need to manage the relationship with our institutional members appropriately. You should ensure your institution appropriately informs you of the purposes for which they share data with us in the first instance |
Where required (for example in organising events) we will rely on Article 9(2)(a) explicit consent |
Description of data use
Individuals who have consented to participate in a Genomics England user study to help us improve services and the customer journey. This could be as an individual participant or representative of an organisation taking part in an independent engagement activity commissioned by Genomics England.
What data do we collect?
This information will be directly provided by you. We may ask for various types of personal data about you, including:
- your general and identification information (name, first name, last name, gender and contact details).
- your function (title, user group i.e., participant, NHS researcher).
- your electronic identification data where required for the purpose of conducting the research (login, passwords, badge number and picture, IP address, online identifiers/cookies, logs, access and connection times, voice and image recording using ‘Microsoft Teams.
- Depending on the study we may also ask for some special category data about you which can include ethnicity, health data, disabilities, sexual orientation or religious beliefs.
If you intend to provide us with personal data about other individuals ( e.g. associates/colleagues), you must provide a copy of this Privacy Notice to the relevant individuals, directly or through your employer, where relevant.
Lawful basis
For us to use your data, we must identify a lawful basis in the General Data Protection Regulation (UK GDPR) on which to process it. Below are the lawful bases we use.
Purpose |
Personal data (Article 6 UK GDPR) |
Special category data (Article 9 UK GDPR) |
Taking part in user studies |
We rely on Article 6(1)(a) – consent |
We rely on Article 9(2)(a) – consent |
Withdrawing your consent
If you would like to withdraw your consent for us to process your data, email [email protected] or write to us at the address in the 'contact us' section of this notice.
What data do we collect?
We hold basic personal identifiers about you such as name, work telephone number and e-mail address, gender, job title and specialism. If you are also a member of the GECIP you will need to refer to that section of the Privacy Notice as well.
What do we do with it?
We will use your data within the patient’s record so:
- we know who to contact in respect of any findings relating to your patient’s care.
- To communicate with you
- To comply with applicable laws and regulations
We rely on legitimate interests (Article 6(1) (f)) to process your personal data.
Please note that if you access our service using your NHS Care Identity credentials, the identity access and management services are managed by NHS England. NHS England is the controller for any personal information you provided to NHS England to get a national digital identity and authenticate your claim to that identity, and uses that personal information solely for that single purpose. For any personal information, our role is a “processor” only and we must act under the instructions provided by NHS England (as the “controller”) when verifying your identity. To see NHS England’s Privacy Notice and Terms and Conditions, please click here. This restriction does not apply to the personal information you provide to us separately which is managed in accordance with our Privacy Policy.
Description of data use
You may have joined a mailing list, contacted us via the website or social media, or attended one of our conferences.
What data do we collect?
When you subscribe to our newsletter, we will collect your name and email address.
When you make an enquiry or complaint, we will collect your name and email address as well as any personal data relating to the complaint, for example so that we can identify you in our systems.
When you make an application for a copy of your data or any of your other statutory rights, we will collect personal data such as name and title, date of birth, address, email address and what area of the organisation you have dealt with.
Lawful basis
For us to use your data, we must identify a lawful basis in the General Data Protection Regulation (UK GDPR) on which to process it. Below are the lawful bases we use.
Purpose | Personal data (Article 6 UK GDPR) | Special category data (Article 9 UK GDPR) |
Sending newsletters | We rely on Article 6(1)(a) – consent | We do not collect any special category data for this purpose |
Contacting us | We rely on Article 6(1)(f) – legitimate interests | We do not collect any special category data for this purpose |
Contacting us to make a Freedom of Information request | We rely on Article 6(1)(c) – legal obligation | We do not collect any special category data for this purpose |
Withdrawing your consent
If you would like to withdraw your consent for us to process your data, please download and complete our Withdrawal Form.
You can email it to [email protected] or you can post it to Data Protection Team at the address in the contact us section of this notice.
Description of data use
You may have sent us your CV or applied for a job with us.
What data do we collect?
We need personal data including name, address, date of birth, nationality, gender and preferred language.
We also need CVs, references, records of skills and experience, including job titles, work history, working hours, qualifications, skills, training and other compliance requirements and professional memberships.
We also need details of any disabilities, work restrictions and/or required adjustments where we may need to help you work with us. This type of data is referred to as special category data.
Why do we need it and what do we with it?
We will use your data to assess your application as part of our recruitment process and before we offer a contract of employment to you.
How long we keep it
We will only keep your personal data for as long as necessary to fulfil the purposes of the recruitment exercise. Should your application be successful we will transfer your personal data to your personnel file and your personal data will be kept in accordance with our policies and practices for our employees.
All profiles on our recruitment system will be deleted after one year.
Lawful basis
For us to use your data, we must identify a lawful basis in the General Data Protection Regulation (UK GDPR) on which to process it. Below are the lawful bases we use.
Purpose | Personal data (Article 6 UK GDPR) | Special category data (Article 9 UK GDPR) |
Recruitment | We rely on Article 6(1)(b) – performance of a contract or entering into a contract Where we take details of any reasonable adjustments you require, where regards the Equality Act 2010, the lawful basis we rely on for processing this information is article 6(1)(c) to comply with our legal obligations under that Act. | We rely on Article 9(2)(b) – employment – this relates to our responsibilities as an employer. |
Recruitment checks | We rely on Article 6(1)(f) – legitimate interests – it is in our legitimate interests to ensure nothing in your previous history precludes you from working for us or might put the organisation or other workers at risk from fraud or harm | We rely on Article 9(2)(b) – employment – this relates to our responsibilities as an employer. |
Who do we share your data with?
We use third parties to help make the recruitment process as smooth as possible. Any third party with whom we share your personal data will be required to protect it and put in place appropriate technical and security measures in accordance with our instructions. They are required to keep your personal data confidential.
Where will my data be held?
Genomics England holds all recruitment data in our secure United Kingdom data centres.
Your personal data and how we process it
Genomics England processes your data for a number of reasons:
- To meet our obligations under the employment contract we have entered into with you, for example, in order to pay you and provide your contractual and non-contractual benefits.
- To comply with a legal obligation for example, to comply with health and safety requirements.
- Where it’s within our legitimate interests provided that we safeguard your fundamental rights and interests for example, carrying out appraisals or disciplinary proceedings.
Where we refer to “legitimate interests”, we refer to the interests of Genomics England in being able to carry out its activities and in being able to manage its staff efficiently and effectively.
Where we process special categories of personal data, we do so on one or more of the following legal bases:
- The processing is necessary for performing or exercising our obligations or rights in connection with your employment contract.
- The processing is necessary for the purposes of our legitimate interests.
- Special category data is processed either with your consent or for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law.
Type of information |
Examples |
|
Personal details |
Name, address, date of birth, nationality, gender, work restrictions. |
|
Special category data |
Ethnicity, sex, health or disability, religious beliefs and sexual orientation. Individuals are not obliged to answer questions in relation to ethnicity, religious beliefs and sexual orientation. If you choose to share this information, it will be used for data analysis and monitoring purposes. We collect details of any health conditions that have led to absence from work or may mean you need additional support to carry out your role. We need this information to continue to pay you at the appropriate level, provide you with the support you need and to provide contractual and non-contractual benefits such as Death in Service. |
|
Contact details used to contact you at work or home. |
Telephone numbers and e-mail addresses. |
|
Emergency contact details. |
Name, address, telephone, e-mail addresses of your emergency contacts and their relationship to you. |
|
Information about your recruitment and suitability to work for us and/or a relevant third party. |
Information included in an application form, CV or covering letter provided as part of an application, references, interview notes, right to work documents, information to identify you such as passport details, records/results of pre-employment checks which includes criminal record checks, credit and fraud checks. |
|
Information that we need to pay you your salary or expenses. |
Bank account details, national insurance or social security numbers (where applicable), payroll records, salary, driving licence, vehicle registration and insurance details, travel loan applications. |
|
| Information to allow you to access our buildings and systems. | Employee identification number, photographs, video images. | |
| Information relating to your performance at work. | Appraisal forms, notes or recordings of 1 to 1s and other meetings or interviews, personal development plans, personal improvement plans, correspondence and reports, appraisal/ disciplinary/ grievance documentation. | |
What data do we collect?
The personal data we process may include:
- your title, name, full postal address, email or telephone contact details.
- your job title and role.
- dietary need
- accessibility needs.
- For certain events we collect biographical information about you from publicly available sources and this may include photographs. This information will be provided to the host(s) to help with the flow of the event.
When using video conferencing applications such as Zoom or Microsoft Teams, your name, username, email address, your computer’s IP address, MAC address and device name may be collected.
Purposes
Genomics England will process your personal data for the following purposes:
- To reserve a place for you at the event(s) you desire to attend.
- To provide you with information about the event(s) for which you have registered, that includes event updates, and possible changes, cancellation or similar information.
- To provide you with information about accessibility, transportation, parking.
- To fulfil and monitor our legal responsibilities, for example, under public safety legislation.
- In accordance with your preferences, to communicate with you about other events, news, and opportunities.
Lawful basis
We ask for your consent to process your personal data for the purposes set out above.
Who will the data be shared with?
We may share some of the information with external organisations providing services for the event you are attending, in particular we may share your information (including dietary requirements) with catering service if you are attending an event where catering is offered. The information shared will only be used to provide the service required and will not be kept by these external organisations after the event is concluded.
Withdrawing your consent
If you would like to withdraw your consent for us to process your data email [email protected] or write to us at the address in the contact us section of this notice.
Your rights over your data
You have a number of rights in respect to your data and we explain in more detail what these are below. We will ask for proof of identity when you make a request, we do this to make sure we are processing the correct data for the request.
- Access to your personal information – you may ask us for a copy of the personal information we hold on you this is known as a subject access request.
- Rectification of your personal information – if we hold inaccurate information about you, let us know and we can update it.
- Erasing your personal information – you can ask to have the data we hold on you deleted. This isn’t an absolute right, and we have to balance your requests against other factors such as legal or regulatory requirements.
- Restrict processing of your personal information – you can ask us to stop using your personal data in certain circumstances. For example, if you have objected to your data being processed where the lawful basis is legitimate interests.
- Data portability – you can ask us to transfer your personal information to a third party of your choice.
- Right to object – you can object to any processing where we rely on legitimate interests to process your data.
- Automated decision making and profiling – you will be informed if we use any automated decision making or profiling and have the right to request human intervention, express your view and challenge the decision.
If you wish to make an individual rights request, and to help us identify what information you require, please download this form and send it to the email address below.
We aim to respond to all valid requests within one month. It may take us longer if the request is particularly complicated or you have made several requests. We’ll always let you know if we think a response will take longer than one month.
We may not always be able to do what you have asked. This is because your rights will not always apply, for example, if it would impact the duty of confidentiality we owe to others, or if the law allows us to deal with the request in a different way. We will always explain to you how we are dealing with your request.
More details on how your data is handled
Genomics England’s priority is to ensure that the data of all participants and everyone it deals with is protected – and that we are fully compliant with the latest data protection legislation.
Who do we share your data with?
We may share your personal data, this will only be with third parties we use to provide marketing or for the purposes of seeking legal or other professional advice; to respond to a legal request or comply with a legal obligation.
Any third party with whom we share your personal data will be required to protect it and put in place appropriate technical and security measures in accordance with our instructions. They are required to keep your personal data confidential.
Where will my data be held?
Genomics England holds all health and genomic data in our secure United Kingdom data centres.
Occasionally we may transfer your personal information outside the European Economic Area (EEA). For any supplier we use overseas we will always conduct due diligence and ensure the appropriate safeguards are in place to protect your data.
How long do we keep your data?
We will only keep your personal data for as long as necessary, you can ask us for more information.
Contacting us
Genomics England has appointed a Data Protection Officer who can be contacted at the address below:
The Data Protection Officer
Genomics England Limited
One Canada Square
London
E14 5AB
If you have any other questions about how we process your data please contact the Data Protection Team using the email below.
Complaints to the Information Commissioner
You also have the right to complain to the UK Information Commissioner if you don’t feel we are using your data in line with your rights, or if you feel we haven’t dealt with your request properly. Please come to Genomics England in the first instance to give us a chance to respond and resolve your query.
You can contact the ICO on their website using the link below or via their helpline at 0303 123 1113.
Updates to our privacy notices
Our privacy notices are regularly updated and each will have a ‘valid from’ date at the top.
