Genomics England Privacy Policy

This privacy notice is valid from: 18 June 2020

Genomics England’s priority is to ensure that the data of all participants and everyone it deals with is protected – and that we are fully compliant with the latest data protection legislation. 

This page of our privacy notice gives general information about who we are, what we do and who to contact if you want more information (such as to exercise your information rights). 

The section below provides you with more detail about the how we use your personal data.

General Information

Who we are and what we do

Genomics England is a limited company wholly owned by the Department of Health and Social Care (company registration 08493132).

We were created to run the 100,000 Genomes Project, a project instigated by former Prime Minister David Cameron in order to research cancers and rare diseases.

That project has now come to an end. The Project is transitioning to where the main source of recruitment, sample and data acquisition, and mechanism for return of results will be via the NHS Genomic Medicine Service (NHS GMS).

What we use your personal data for 

Genomics England processes (uses) personal data for a number of reasons. This includes for research, providing the NHS Genomic Research Service, employing our staff, using this website, organising conferences and providing access to other research institutions and businesses.

We are registered with the Information Commissioner’s Office. Our registration number is ZA021653. 

Genomics England Limited is data controller for all the processing detailed in the areas below, with the exception of the data we process for the NHS GMS. We have included this here as it is a major part of our processing and one of the key services we provide under contract with the National Health Service (for this personal data we are termed a data processor, and any queries about this should be redirected to NHS England).

To find out about how we use your personal data, you just need to identify your relationship with us and click to expand the appropriate section below.

This page is valid from 18 June 2020

Description of data use

You may have visited your Genomic specialist at one of the NHS Genomic Medicine Centres, NHS Genomic Laboratory Hubs or another NHS organisation, and your DNA was sent off to be sampled and a report provided.

Purpose and lawful basis for processing

Purpose
Genomics England Limited are NOT the data controller for this data. This page is included to provide you with minimal information and links to NHS England’s information relating to their management of the service. You can find general information about the service on NHS England’s website.

Lawful basis
For us to use your data, we must identify a lawful basis in the General Data Protection Regulation (GDPR) on which to process it. Below is the lawful basis we use.

Purpose  Personal data (Article 6 GDPR)  Special category data (Article 9 GDPR) 
Providing the NHS England Genomic Medicine Service  Our processing of your data is governed by a contract with NHS England that is compliant with GDPR Article 28  Our processing of your data is governed by a contract with NHS England that is compliant with GDPR Article 28 

What are your rights?
To exercise your individual rights, you need to contact your clinician at the NHS Genomic Laboratory Hub where you provided your sample. 

You can also refer to the NHS England information relating to the NHS Genomic Medicine Service though their website.

Click to go back to the top of the page

This page is valid from 18 June 2020

Description of data use

Data in the National Genomic Research Library (NGRL or the Library) includes personal data donated for research through:

  • the 100,000 Genomes Project (including the pilot stages)
  • your consulting clinician as part of the NHS GMS
  • other genomic research projects (see below if you are unsure if this applies to you)
Purpose and lawful basis for processing

What do we collect?
The data we collect includes the following types of data (this may be expanded in the future):  

  • your sequenced genome created from samples of blood, tissue or saliva 
  • health data provided by your treating clinician at a clinic or through a research programme 
  • hospital episode data about you provided through NHS Digital 
  • data from Public Health England about you from their data repositories (such as cancer) 
  • in the future, this will include other sources such as your GP records

This data is part of the Library in its de-identified form and informs the research into cancers, rare conditions or other scientific projects (such as virus research).   

We do this by providing these organisations with a list of participant details (usually NHS number and date of birth). They are matched to data held by that organisation and sent to us securely. We bring all your information together into our secure Library for use by researchers. 

As part of your treatment or clinical care, you may provide personal information about you and your condition to your clinical team. This may include personal information, like name, address, date of birth and other demographic information. It may also include other information about your condition and how it affects you. As part of your treatment the information held about you may include scans, radiological images (for example, X-rays) or video, and these may all form part of the health data. 

The majority of the personal data that we have in the Library are from our initial pilot schemes, the 100,000 Genomes Project (see our previous privacy notice), and when people have added their data when they’ve had a test through the NHS Genomic Medicine Service. 

We also add other data to the Library from different sources.

For these groups of participants, we also add clinical data. You can download this file to see them and the extent to which we process your data.

Why do we need it and what do we do with it?
To ensure there is the richest possible health data set for research purposes we collect all sorts of data, even things that might at first look like they have no relevance to a health condition. This is because we don’t yet know what is important. For instance, we collect details about birth and childhood illnesses because these might – or might not – have an influence on a condition. While some information we collect may not be relevant for an individual, it might be very important in other people’s conditions. For instance, we collect information about mental health and disability which is an important symptom for many of the rare conditions we cover. 

By considering your health data and genome data together, researchers are able to develop a better understanding of the relationship between variations in the genome and the health of the individual. In rare diseases, they may be able to better explain the condition, arrive at a new diagnosis or suggest a new approach to treatment. In cancer, they may be able to predict the effect of a particular course of treatment, avoiding drugs that would not work for the individual concerned or selecting or developing drugs that have a better chance of success.

Lawful basis
For us to use your data, we must identify a lawful basis in the General Data Protection Regulation (GDPR) on which to process it. Below are the lawful bases we use.

Type of data and purpose  Personal data (Article 6 GDPR)  Special category data (Article 9 GDPR) 
Identifiable data used internally to match data together from different sources and make it ready for ‘publishing’ in the Library. 

 

We rely on Article 6(1)(f) – legitimate interests.   

 

We rely on Article 9(2)(j) – scientific research – alongside Article 89 GDPR and the Data Protection Act 2018 which details the responsibilities of the Research Ethics Committee (part of the Health Research Authority) for approving our research protocol. You can see our approved protocol here.
De-identified* data used in the Library. 

These are to conduct research and investigate and to test and develop new tools used to improve research.   

We rely on Article 6(1)(f) – legitimate interests – to process your data.    We rely on Article 9(2)(j) – scientific research – alongside Article 89 GDPR and the Data Protection Act 2018 which details the responsibilities of the Research Ethics Service (part of the Health Research Authority) for approving our research protocol. 

Legitimate Interests

When we discuss our research with you, we are unable to discuss every aspect of the use of your data, partly because it may be extensive, but partly because our research may lead us down avenues we do not yet know we need to go down. For this reason, we do not use consent as the lawful basis as we could not fulfil the GDPR requirement to be very detailed about what you are providing consent for. Genomics England therefore uses Legitimate Interests as its lawful basis in line with guidance from the Health Research Authority, which can be found here.

We have assessed our processing against your rights and have documented them appropriately. Our legitimate interests are that, as a company wholly owned by the Department of Health and Social Care, we collect your personal data to fulfil the function for which we were created, that is to create a de-identified library of genomic and health data for the purpose of research.

We keep you informed by the fact that you are provided with an opportunity to discuss your participation with a healthcare professional, through the provision of participant materials and our regularly reviewed and up-to-date privacy notice and website.

What does ‘de-identified’ data mean?
De-identification means that we take ‘strong’ identifiers out of the data, such as name, address (including postcode), date of birth and NHS number (where relevant), and replace them with a unique identifier that only we at Genomics England can use to re-identify you.  Researchers that are given access to the Library do so under strict agreements and their access is reviewed by our Access Review Committee, which includes patient and participant representatives. You can read more about the Committee on our website.

However, due to the detailed nature of the data it can never be truly anonymised, there is always a small risk that an individual may recognise your specific rare condition or other aspects of your health. This is because some clinicians also have access to the Library to conduct research they themselves are involved in.  

We only allow data to be taken out of the Library in aggregated form (for example, numbers in tables). There are strict controls around this and we have an ‘Airlock’ Committee which reviews each request prior to release. Sometimes there are very few individuals, even in a table showing numbers of individuals, and therefore we don’t allow tables with small numbers of individuals in them to be released either. This helps us further minimise the chance of re-identification.

How we comply with the common law duty of confidentiality
Common law is simply the build-up of past judgements in the courts which together make up ‘case law’. It is separate to data protection law which is made by act of parliament (such as the Data Protection Act or General Data Protection Regulation).

Where your data comes to us from your treating cliniciana member of their team or a researcher it is given to them by you under a duty of confidentiality. This means that your clinician must still comply with the common law and gain explicit consent before sharing your data with us for a health research purpose. This is why they will have a full discussion with you and you will sign our forms to say that you understand what we will do with your data. They must leave you with a good understanding of what we will do with your data. We will also provide you with information leaflets and we will keep updating this privacy notice for you to refer back to. You can also contact our data protection team at any time if you have further questions, via email: [email protected] 

Note that once you have given your permission for us to use your data in Library, you should contact us directly for any information about what we do with it, using the details and form on our web page about data access requests.

Questions about what your geneticist or clinician does in the use of your data to support your care in the NHS Genomic Medicine Service should be asked directly to them. Learn more about the NHS Genomic Medicine Service, managed by NHS England, through their website.

Where your personal data comes to us because you have been part of a separate research programme (for example, with a charity or commercial organisation), the common law would not normally apply.

Who do we share it with?
As part of the National Genomic Research Library we need to link the different types of health data held by other organisations to get a complete overview of your health data footprint so that we may carry out our research. In practice, in order to access and obtain health data held by other organisations, including NHS Digital, NHS England, GPs and Public Health England, we will share your personal information with these other organisations so that they can provide your personal information to us. 

Before we share any of your personal information, we ensure that agreements are in place that include strict rules and processes on how your personal information is shared safely and securely. 

Research users will have restricted access to de-identified datasets which contain only the information they need for their specific and approved research study. From this information they may produce additional research data based on their analysis. Researchers should not be able to work out who this data is about, or even who is participating in the research simply by looking at the information in the system. However, any non-trivial piece of health data – even a de-identified report of an appointment booking – could be re-identified by somebody who already has enough information about the individual in question. This is why Genomics England insists all access to its data takes place within our secure Research Environment, where it can be monitored. 

Access is also given to Genomics England Clinical Interpretation Partnerships (GeCIPs). Access is strictly controlled. You can learn about the work the different GeCIP domains are doing through our website. 

We also allow access to academic institutions for training and education purposes. The access by these organisations is approved in each case and strictly controlled. 

Researchers also include commercial organisations through our Discovery Forum. Again, their access is strictly controlled and monitored.   

Through their work, researchers may find that they want to research a specific group of individuals. However, they are not able to identify you in the Library. Genomics England has strict processes in place whereby your contact information will not be passed to them until we have your permission to do so. We will always give you the choice for your information not to be shared with them. 

No personal data held by Genomics England will be accessible to other government agencies which includes HMRC and the Child Support Agency. In the unusual situation that a request for data is made by a court order then this will be referred to Genomics England’s Legal Counsel as promptly as possible so that all representations may be made to the court, for example, to limit the information requested being released. We do not share information with insurance companies.

How long do we keep it?
We will keep personal data relating to our research purpose for 30 years, at which point it will be reviewed to see if we are able to justify keeping it. If we cannot, it will be deleted in line with our secure destruction procedures. Download our full retention schedule.

Withdrawing from the research
If you change your mind and want to withdraw your data from research, then you are free to do so. This will always be acted upon.

There are two options: 

  1. Partial withdrawal: ‘no further contact’ – this means Genomics England will not contact the you again although your clinical team will still get an initial report, but no more reports after this. The clinical team will ask you if you want to receive this initial report only (this only applies if you were part of the 100,000 Genomes Project). Genomics England will continue to use any samples already collected for research purposes and will continue to update and store information from your health and other records for use in approved research.
  2. Full withdrawal: ‘no further use’ – this means your data will no longer be part of our research database, although an initial report would still go to the clinical team for them to check if you want to receive this. After this there is no further contact. We would destroy any DNA samples that we hold and from that point forwards we would restrict researchers from accessing any information we hold by putting it beyond any future use. Data that has been used already in research cannot be altered as that would affect the research results on which discoveries may be made.

Finally, regardless of the option chosen above, we will keep an audit record to say that you were once part of the Project and then withdrew. This includes your surname, first name, date of birth, address and contact details.  

If you wish to withdraw, contact us at [email protected].

What are your rights when we use your data for research?

Individual right  Does it apply?  Reason if it doesn’t apply (where applicable) 
Right to be informed  

 
Right of access  

 
Right to rectification 

We rely on the exemption in the Data Protection Act 2018, Schedule 2, Paragraph 27(1)-(3) where to apply this would seriously impair the aims of the research. 
Right to erasure 

Because data may have been used to inform a research programme, we are unable to delete it.  We rely on the exception in GDPR Article 17(3)(d) to allow us to keep it in these circumstances.  The data will be reassessed after 30 years in line with our retention schedules. 
Right to restriction of processing 

We rely on the exemption in the Data Protection Act 2018, Schedule 2, Paragraph 27(1)-(3) where this would seriously impair the aims of the research. 
Right to data portability 

The GDPR only applies this right where GDPR consent or a contract are the lawful basis used.  Genomics England relies on a lawful basis of legitimate interests 
Right to object 

We rely on the exemption in the Data Protection Act 2018, Schedule 2, Paragraph 27(1)-(3) where this would seriously impair the aims of the research. 
Right to be informed of automated individual decision-making, including profiling 

We do not use your data to profile you or use it for automated decision-making. 

Do we use any data processors?
A data processor is another person or company who holds the data on our behalf. This might be to help us best use the vast amounts of data we hold, or because only they have the expertise to provide us with a certain service. A good example of this is our sequencing partners. Illumina are a sequencing company based in Cambridge and provide us with a service to take your tissue or blood sample and create the electronic file which is your DNA sequence. 

A list of our processors can be downloaded here.

All of our processors are bound by contract which restrict them to only use your data for very specific purposes.

Do we make any overseas transfers?
No. Your data is not transferred out of the United Kingdom and we ensure all our suppliers are contractually bound to that rule. Only summary data which cannot identify you is allowed out of the Library, and all requests to take summary data out are reviewed by a committee.

Click to go back to the top of the page

This page is valid from 18 June 2020

Description of data use

Genomics England Limited is working as part of the GenOMICC consortium to develop a powerful database of genetic sequences combined with testing and health data to enable researchers to better understand and help in the fight against COVID-19.

Purpose and lawful basis for processing

Why do we need it and what do we with it?

This privacy notice relates to two uses of your information:

  1. Where you complete our web form to indicate your interest in contributing to the research; and
  2. Where you agreed to share your DNA and health records for research when:
    • You were in hospital in the Intensive Care Unit with a severe case of COVID-19or
    • We invite you to take part after registering your interest on our web form

1. How we use the information we collect when you register an interest through our web form

Our web form collects:  

  • Your first name, surname, date of birth, email address and contact telephone number  
  • First part of your post code 
  • Your gender and ethnicity 
  • Whether or not you tested positive for COVID-19
  • Whether or not you were treated for COVID-19 in a hospital Intensive Care Unit (and if so, which Intensive Care Unit) 
  • Whether or not you had mild symptoms of COVID-19  

In the first instance, we will assess the data and may invite you to take part in research. Our aim is to collect a group of people to contribute to our research where we can look at the different aspects of their genetic makeup up that might make them susceptible to the virus. Having information such as first part of post code, ethnicity and gender helps us ensure we are collecting enough representative data. 

We also give you the opportunity to join our mailing list. If you tick the box to agree to this, we will only use your name and email address to allow us to send you emails.

Who will we share it with?  

To contact you about research, the information from the form will only be kept and used by Genomics England and the GenOMICC consortium members unless we get further permission from you. 

If you agree to join our mailing list, your data will only be used by Genomics England to send you information about what we do and what events we might have coming up, for example. We may also ask you to do further surveys, but this will only be about our work. The only information we will use for this purpose is your name and email address. 

How long will we keep it?  

Genomics England maintains a retention schedule for all the different types of personal data we hold.  

The information held for contacting you about the research study will be kept for 2 years after the recruitment has completed and will then be deleted. This is because people may later decide they do not wish to take part and we may wish to recruit more participants to the initial study.  

You can stay on our mailing list as long as you like. You will always have the option to unsubscribe or you can email us using the details below if you want to be removed. 

Where will the data be held?  

Where Genomics England holds the data it will be held in our secure UK data centres. 

The contact information from the questionnaire is collected with a survey service called SmartSurvey. Their data is held within the UK and European Economic Area and you can read about their service here. 

Our mailing lists (where we will use only email and name) are held and managed using MailChimp, a US Company which is a member of the US/EU privacy shield. The US/EU privacy shield ensures your data is held with the same rights applying in the European Union. You can read about their service here,

All data is protected by encryption at rest and when transferred to the latest standard.

2. How we use your data if you were in intensive care or we invited you to join the research after you registered an interest via our online web-form 

How we use this information  

You will either have agreed to share your DNA and health data with us when you were in hospital, or you will have agreed to share your DNA and health data when you discussed sharing it with one of the GenOMICC team  In both cases this would have been a healthcare professional as a member of the GenOMICC consortium who will have discussed the sharing with you and asked you to sign to take the sample and to agree for your additional health data to be collected by us.  

Your blood sample was then sent to our genetic sequencers and will be sent on to us. This is always by secure, encrypted transfer.

At the same time, we ask the different health and agencies for copies of any information about you.   

We match them up in our data centre, take all the identifiers out of the data (such as name, address, NHS number, date of birth) and then put them in the COVID-19 research environment within our National Genomic Research Library (the Library). This means the data are de-identified.   

Our library is like a reference library. This means that individuals that can look at the data and perform their research but cannot take any of the data out unless it is anonymised. For it to be effectively anonymised, there must be no chance of it identifying an individual and normally this would only be in the form of numbers in a table or report. Our Airlock Committee assesses any requests to remove this data so that we can be sure it has been properly anonymised. 

All of the researchers accessing the de-identified data for COVID-19 research will be approved by our Access Review Committee, and this means that we check whether or not they have the right approval from the Health Research Authority.

Who will we share it with?  

So that we can get the richest possible data for our research, the following organisations supply us with information about you and your health data: 

Type of Organisation  Data collected  
NHS Digital (England only)* 
  • Mortality data 
  • Hospital episode statistics 
  • Emergency Care Data Sets 
  • Mental Health 
  • Cancer registration 
  • Diagnostic imaging dataset (No images) 
  • Patient reported outcome measures 
  • Secondary uses dataset 
Public Health Data (England, Northern Ireland, Scotland and Wales) 
  • COVID-19 test results  
The Intensive Care National Audit and Research Centre (ICNARC) 
  • Health data from intensive care 
International Severe Acute Respiratory and Emerging Infection Consortium 
  • Admission 
  • PMH 
  • ventilation 
  • smoking 
  • Outcome data 

*Some of the data sources are only shared with us only whilst the COVID-19 pandemic is happening and where public bodies are instructed to share by the Secretary of State for Health and Social Care under The Health Service (Control of Patient Information) Regulations 2002. You can read more about them by clicking here. This data is time limited and will cease to be provided to us at a certain time dependent on the instruction from the Secretary of State (currently 30 September 2020).

Research users will have restricted access to de-identified datasets which contain only the information they need to complete their COVID-19 research. From this information they may produce additional research data based on their analysis. Researchers should not be able to work out who this data is about, or even who is participating in the research simply by looking at the information in the system. However, any non-trivial piece of health data – even a de-identified report of an appointment booking – could be re-identified by somebody who already has enough information about the individual in question. This is why Genomics England insists all access to its data takes place within our secure Research Environment, where it can be monitored.

Through their work, researchers may find that they want to research a specific group of individuals. However, they are not able to identify you in the COVID-19 research environment. Genomics England has strict processes in place whereby your contact information will not be passed to them until we have your permission to do so. We will always give you the choice for your information not to be shared with them.

No personal data held by Genomics England will be accessible to other government agencies which includes HMRC and the Child Support Agency. In the unusual situation that a request for data is made by a court order then this will be referred to Genomics England’s Legal Counsel as promptly as possible so that all representations may be made to the court, for example, to limit the information requested being released. We do not share information with insurance companies.

How long will we keep it?  

On our form you agree that the data we collect can be used more widely in the National Genomic Research Library for research. This is whilst you are alive and will continue after your death. 

Where your information is to be used in research, we will keep the data for 30 years, at which point it will be reviewed to see if we are able to justify keeping it. If we cannot, it will be deleted in line with our secure destruction procedures. Download our full retention schedule.

Where will the data be held?  

Genomics England holds the data in our secure United Kingdom data centres. We do not transfer it outside the UK.

Withdrawing from the research 

If you change your mind and want to withdraw your data from our research, then you are free to do so at any time. This will always be acted upon. 

There are two options:  

  • Partial withdrawal: ‘no further contact’ – this means Genomics England will not contact you again. Genomics England will continue to use any samples already collected for research purposes and will continue to update and store information from your health and other records for use in approved research.
  • Full withdrawal: ‘no further use’ – this means your data will no longer be part of our research database, although an initial report would still go to the clinical team for them to check if you want to receive this. After this there is no further contact. We would destroy any DNA samples that we hold and from that point forwards we would restrict researchers from accessing any information we hold by putting it beyond any future use. Data that has been used already in research cannot be altered as that would affect the research results on which discoveries may be made. 

If you would like to withdraw, please download and complete our Withdrawal Form.

You can email it to [email protected] or you can post it to the Senior Data Protection Manager at the address below.

Lawful basis

GDPR classifies your personal data in two ways:  

  • Personal data – such as your name, email address and phone number
  • Special category data – such as information relating to your health and including your DNA (your genomic sequence)  

For us to use your data, we must identify a lawful basis in the General Data Protection Regulation on which to process it. For us to use your health data for research, we must have a research protocol reviewed and approved by the Research Ethics Committee (REC). The REC is a legal body established as part of the Health Research Authority. The Health Research Authority is the UK public body responsible for authorising research and reviews all our materials to make sure they comply. Below are the lawful bases we use:  

Use of data  Typof data  Personal data (Article 6 GDPR)  Special category data (Article 9 GDPR) 
1. When you registered your interest to join the COVID-19 research project  To allow us to contact you for research 

 

Personal data 

Special category data 

We rely on Article 6(1)(a) – Consent  

 

We rely on Article 9(2)(a) – explicit consent  

 

So that you can receive more information from us by email 

 

Personal data only 

We rely on Article 6(1)(a) – Consent  

 

n/a 
2. When you agreed to join the COVID-19 research project and were in intensive care or we invited you after you registered an interest  Personal data 

Special category data  

We rely on Article 6(1)(f) – Legitimate interests  We rely on Article 9(2)(j)  a research purpose 

 

GDPR Article 89 (1); 

 

DPA 2018 Section 19(3)(4); and 

 

CLDC – Explicit consent** 

 **The Common Law Duty of Confidentiality (CLDC) 

Common law is simply the build-up of past judgements in the courts which together make up ‘case law’. It is separate to data protection law which is made by act of parliament (such as the Data Protection Act or General Data Protection Regulation). 

Where your data comes to us from your treating clinician (for example at the hospital, GP surgery or other healthcare provider)the common law considers that you have provided that information to them under a duty of confidence.

This means that for us to use that information, we must gain explicit consent so that the above organisations can share your data with us for our research purpose. So that our consent is valid, the GenOMICC research nurse must have a full discussion with you. You must also sign our record of discussion form to say that you understand what we will do with your data. The form records that you have been provided with our patient information leaflet which gives more detail about what we will do with your information. You can also contact our data protection team at any time if you have questions, via email: [email protected]   

Note that once you have given your permission for us to use your data in the Library, you should contact us directly for any information about what we do with it, using the details and form on our web page about data access requests.

Questions about what your geneticist or clinician does in the use of your data when they supported your care in hospital will be a separate record and you should go directly to your clinician or the hospital that treated you to learn about how they use your data.

Legitimate Interests

When we discuss our research with you, we are unable to discuss every aspect of the use of your data, partly because it may be extensive, but partly because our research may lead us down avenues we do not yet know we need to go down. For this reason, we do not use consent as the lawful basis as we could not fulfil the GDPR requirement to be very detailed about what you are providing consent for. Genomics England therefore uses Legitimate Interests as its lawful basis in line with guidance from the Health Research Authority, which can be found here.

We have assessed our processing against your rights and have documented them appropriately. Our legitimate interests are that, as a company wholly owned by the Department of Health and Social Care, we collect your personal data to fulfil the function for which we were created, that is to create a de-identified library of genomic and health data for the purpose of research.

We keep you informed by the fact that you are provided with an opportunity to discuss your participation with a healthcare professional, through the provision of participant materials and our regularly reviewed and up-to-date privacy notice and website.

Do we use any data processors (sub-contractors) to process your data? 

We comply with the law by ensuring all our data processors: 

  • Are properly assessed to ensure they can meet our operational and technological control expectations; 
  • Have a contract in place with us which restricts them to only using the data for purposes we authorise (unless we give them written approval); 
  • Don’t further sub-contract it without our explicit permission; 
  • Give us guarantees about the security under which the data are kept; and 
  • Are subject to us auditing, if required, their procedures and processes  

Our key data processors for collecting your information to see if you are eligible for our research are: 

  • Microsoft 365 (our office and data storage providers) 
  • MailChimp (email service) 
  • SmartSurvey (provided us with the webform and hold the data collected) 

Our key data processors when you are part of the research study are: 

  • Amazon Web Services (UK data centre for storage and processing) 
  • Lifebit (secure research software provider within our Amazon organisational unit) 
  • You can find a list of all our processors and links to their security information here 

Click to go back to the top of the page

This page is valid from 18 June 2020

Description of data use

You may have sent us your CV or applied for a job with us before.

Purpose and lawful basis for processing

Purpose
This privacy notice sets out key information that it is essential for you to know when you provide information to Genomics England as part of the recruitment process.

What do we collect?
We need personal data such as name, address, date of birth, nationality, gender and preferred language.

We need special category data such as details of any disabilities, work restrictions and/or required adjustments where we may need to help you work with us. 

We also need CVs, references, records of skills and experience, including job titles, work history, working hours, qualifications, skills, training and other compliance requirements and professional memberships.

Why do we need it and what do we with it?
We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances: 

  • To process your personal data as part of our recruitment exercise and before we offer a contract of employment to you

How long we keep it
We will only retain your personal data for as long as necessary to fulfil the purposes of the recruitment exercise. Should your application be successful we will transfer your personal data to your personnel file and your personal data will be retained in accordance with our policies and practices for our employees. You can refer to our Staff Privacy Notice (below) in such a situation and it will set out all relevant details.

Should your application be unsuccessful, we will destroy your personal data within one month.

Download our full retention schedule.

Lawful basis
For us to use your data, we must identify a lawful basis in the General Data Protection Regulation (GDPR) on which to process it. Below are the lawful bases we use.

Purpose  Personal data (Article 6 GDPR)  Special category data (Article 9 GDPR) 
Recruitment  We rely on Article 6(1)(b) – performance of a contract or entering into a contract 

Where we take details of any reasonable adjustments you require, where regards the Equality Act 2010, the lawful basis we rely on for processing this information is article 6(1)(c) to comply with our legal obligations under that Act. 

We rely on Article 9(2)(b) – employment – this relates to our responsibilities as an employer. 

 

Recruitment checks  We rely on Article 6(1)(f) – legitimate interests – it is in our legitimate interests to ensure nothing in your previous history precludes you from working for us or might put the organisation or other workers at risk from fraud or harm  We rely on Article 9(2)(b) – employment – this relates to our responsibilities as an employer. 

What are your rights?

Individual right  Does it apply?  Reason if it doesn’t apply 
Right to be informed  

With the exception of confidential references provided prior to employment, by reference to the exception provided by the Data Protection Act 2018, Schedule 2, Part 4, Paragraphs 18(a)-(d) 
Right of access  

With the exception of confidential references provided prior to employment, by reference to the exception provided by the Data Protection Act 2018, Schedule 2, Part 4, Paragraphs 18(a)-(d) 
Right to rectification 

 
Right to erasure 

 
Right to restriction of processing 

 
Right to data portability 

The GDPR only applies this right where GDPR consent or a contract are the lawful basis used. Genomics England relies on a lawful basis of legitimate interests 
Right to object 

 
Right to be informed of automated individual decision-making, including profiling 

There is no processing to which this right applies 

Do we use any data processors?
A list of our suppliers can be downloaded here.

Do we make any overseas transfers?
Occasionally we may transfer your personal information outside the European Economic Area (EEA). Any third party with whom we share your personal data will be required to protect it and put in place appropriate technical and security measures to protect it in accordance with our instructions.

We limit access to your personal data to those who have a business need to know. They will only process your personal data in accordance with our instructions under a contract and they are required to keep your personal data confidential.

Click to go back to the top of the page

This page is valid from 18 June 2020

Description of data use

You can find out more about the Discovery Forum on our website.

Purpose and lawful basis for processing

Purpose
This privacy notice sets out key information that it is essential for you to know when you provide information to Genomics England as part of the Discovery Forum. Our purpose of processing is to process and manage your membership of the Genomics England Discovery Forum.

What do we collect?
We need personal data such as your name, address, telephone number, email address, work or institution address, and job title.

To complete our membership information, we also collect information about your skills and experience, qualifications, training and other compliance requirements and professional memberships.

Where we organise events, we may collect health and dietary information to better cater for you.

Why do we need it and what do we do with it?
We may use your personal data for the following purposes: 

  • When we process your application for membership of the Discovery Forum or carry out further administration in relation to your membership
  • When you join our mailing list
  • To communicate with you
  • To comply with applicable laws and regulations
  • Other purposes relating to our operations, including managing accounts and records, legal, regulatory and internal investigations and debt administration
  • To inform ethics committees reviewing your data access requests

Who do we share it with?
We may share your personal data with third parties where it is necessary to enable us to carry out our activities in managing the Discovery Forum. For example, we may share your personal data with other members of the Discovery Forum and other organisations with whom we collaborate; we will always seek permission before we do this. We may also share your personal data with third parties such as event organisers. Any third party with whom we share your personal data will be required to protect it and put in place appropriate technical and security measures in accordance with our instructions. They are required to keep your personal data confidential.

How long we keep it
We will only retain your personal data for as long as you are a part of the Discovery Forum. Download our full retention schedule.

Lawful basis
For us to use your data, we must identify a lawful basis in the General Data Protection Regulation (GDPR) on which to process it. Below are the lawful bases we use.

Purpose  Personal data (Article 6 GDPR)  Special category data (Article 9 GDPR) 
Managing membership of the Discovery Forum for individual users  We rely on Article 6(1)(b) – entering into a contract with the individual in order to manage our membership We rely on Article 9(2)(a) – explicit consent in the limited circumstances (such as arranging events) where we may take details of health conditions to enable you to access those events
Managing membership of the Discovery Forum for organisations who give individual users access  We rely on Article 6(1)(f) – legitimate interests in managing members of the Forum who have joined through an institution. You should ensure your institution appropriately informs you of the purposes for which they share data with us in the first instance  We rely on Article 9(2)(a) – explicit consent in the limited circumstances (such as arranging events) where we may take details of health conditions to enable you to access those events

What are your rights?

Individual right  Individual membership 

Does it apply? 

Corporate membership 

Does it apply? 

Reason if it doesn’t apply 
Right to be informed  

 
Right of access  

 
Right to rectification 

 
Right to erasure 

We need to continue to use the data in order to maintain a legal defence should there be a requirement to investigate access to data in the Research Environment.

We will rely on the exception in GDPR Article 17(3)(e) 

Right to restriction of processing 

 
Right to data portability 

This is not applicable to this processing 
Right to object 

 
Right to be informed of automated individual decision-making, including profiling 

There is no automated decision making or profiling undertaken on your personal data 

Do we use any data processors?
We may disclose your personal data to third parties including the authorities, our advisors, suppliers of IT services and third parties engaged by us for the purpose of providing services requested by you; to protect any intellectual property rights in any materials displayed on or otherwise available from our website; for the purposes of seeking legal or other professional advice; to respond to a legal request or comply with a legal obligation; and to enforce the Discovery Forum rules. 

Any third party with whom we share your personal data will be required to protect it and put in place appropriate technical and security measures in accordance with our instructions. They are required to keep your personal data confidential. 

A list of our processors can be downloaded here.

Do we make any overseas transfers?
Occasionally we may transfer your personal information outside the European Economic Area (EEA). This will generally only be for the purposes of emailing information to you using MailChimp and asking for feedback using SurveyMonkey. Both are registered with the European Union and United States Privacy Shield. This offers the appropriate safeguards to data equivalent to that promised by the European Union member states.

Click to go back to the top of the page

This page is valid from 18 June 2020

Description of data use

You can find out more about the different GeCIP domains on our website.

Purpose and lawful basis for processing

Purpose
This Privacy Notice sets out key information that it is essential for you to know when you provide information to Genomics England as part of the Genomics England Clinical Interpretation Partnership (GeCIP).

What do we collect?
We need personal data such as your name, address, telephone number, email address, gender, job title, affiliations and research institutions.

We will also collect your contact details at your organisation, such as direct telephone and email address.

To complete our membership information, we also need to know your skills and experience, qualifications, skills, training and other compliance requirements and professional memberships.

Where we organise events, we may collect health and dietary information to better cater for you.

Why do we need it and what do we do with it?
We may use your personal data for the following purposes: 

  • When we process your application for membership of the GeCIP or carry out further administration in relation to your membership
  • When you join our mailing list
  • To communicate with you
  • To comply with applicable laws and regulations
  • Other purposes relating to our operations, including managing accounts and records, legal, regulatory and internal investigations and debt administration

Who do we share it with?
We may share your personal data with third parties where it is necessary to enable us to carry out our activities in managing the GeCIP, and monitoring and improving the Genomics England research environments. For example we may share your personal data with other members of GeCIP and other organisations with whom we collaborate for the purposes of verifying your identity and for developing working partnerships. We may also share your personal data with third parties such as event organisers for health and safety purposes. 

How long we keep it
We will only retain your personal data for as long as necessary to fulfil the purposes of the membership and to keep appropriate records. Download our full retention schedule.

Lawful basis
For us to use your data, we must identify a lawful basis in the General Data Protection Regulation (GDPR) on which to process it. Below are the lawful bases we use.

Purpose  Personal data (Article 6 GDPR)  Special category data (Article 9 GDPR) 
Managing GeCIP membership where the individual joins  We rely on Article 6(1)(b) entering into a contract with the data subject Where required (for example in organising events) we will rely on Article 9(2)(a) explicit consent
Managing GeCIP membership where you join as part of an institution  We rely on Article 6(1)(f) – legitimate interests. We need to manage the relationship with our institutional members appropriately. You should ensure your institution appropriately informs you of the purposes for which they share data with us in the first instance Where required (for example in organising events) we will rely on Article 9(2)(a) explicit consent

What are your rights?

Individual right  Personal membership 

Does it apply? 

Institutional membership 

Does it apply? 

Reason if it doesn’t apply 
Right to be informed  

 
Right of access  

 
Right to rectification 

 
Right to erasure 

We need to continue to use the data in order to maintain a legal defence should there be a requirement to investigate access to data in the Research Environment on the behalf of a data subject 

We will rely on the exception in GDPR Article 17

Right to restriction of processing 

 
Right to data portability 

This is not applicable to this processing 
Right to object 

 
Right to be informed of automated individual decision-making, including profiling 

There is no automated decision making or profiling undertaken on your personal data 

Do we use any data processors?
We may disclose your personal data to third parties including the authorities, our advisors, suppliers of IT services and third parties engaged by us for the purpose of providing services requested by you; to protect any intellectual property rights in any materials displayed on or otherwise available from our website; for the purposes of seeking legal or other professional advice; to respond to a legal request or comply with a legal obligation; and to enforce the GeCIP rules.

Any third party with whom we share your personal data will be required to protect it and put in place appropriate technical and security measures in accordance with our instructions. They are required to keep your personal data confidential.

A list of our processors can be downloaded here.

Do we make any overseas transfers?
Occasionally we may transfer your personal information outside the European Economic Area (EEA). This will generally only be for the purposes of emailing information to you using MailChimp and asking for feedback using SurveyMonkey. Both are registered with the European Union and United States Privacy Shield. This offers the appropriate safeguards to data equivalent to that promised by the European Union member states. 

Click to go back to the top of the page

This page is valid from 18 June 2020

Description of data use

You could have joined a mailing list, contacted us via the website or social media, or attended one of our conferences.

Purpose and lawful basis for processing

Purpose
This informs you of what to expect when Genomics England collects information from you, such as when you visit our website, subscribe to our newsletter, or contact us to make an enquiry or complaint. This includes exercising your individual rights under GDPR (such as asking for a copy of your data).

What do we collect?
When you subscribe to our newsletter, we need your name and email address. 

When you make an enquiry or complaint, we need your name and email address as well as any personal data relating to the complaint, for example so that we can better identify you in our systems.

When you make an application for a copy of your data or any of your other statutory rights, we need personal data such as name and title, date of birth, address, email address and what area of the organisation you have dealt with. Please see the general privacy information at the top of this page for more details.

Who do we share it with?
We will never sell your personal data or share it with third parties who might use it for their own purposes.

If you make a complaint relating to the services we provide as part of the NHS Genomic Medicine Service, we will share your complaint with NHS England, as they are the owners of the service.

How long we keep it
We will only retain your personal data for as long as necessary to fulfil the purposes of our mailing list and you can unsubscribe at any time by clicking the ‘unsubscribe’ link at any time at the bottom of the email.

Download our full retention schedule.

Lawful basis
For us to use your data, we must identify a lawful basis in the General Data Protection Regulation (GDPR) on which to process it. Below are the lawful bases we use.

Purpose  Personal data (Article 6 GDPR)  Special category data (Article 9 GDPR) 
Registering for newsletters  We rely on Article 6(1)(a) – consent  We do not collect any special category data for this purpose 
Contacting us (filling in our web form or emailing us  We rely on Article 6(1)(a) – consent  We do not collect any special category data for this purpose 

What are your rights?

Individual right  Does it apply?  Reason if it doesn’t apply 
Right to be informed  

 
Right of access  

 
Right to rectification 

 
Right to erasure 

 
Right to restriction of processing 

 
Right to data portability 

 
Right to object 

 
Right to be informed of automated individual decision-making, including profiling 

There is no automated decision making or profiling used on this data 

Do we use any data processors?
A list of our processors can be downloaded here.

Do we make any overseas transfers?
Please see the list of processors.

Click to go back to the top of the page

Your rights over your data

Genomics England takes your individual rights in data protection legislation seriously. These rights are to: 

  • Be informed about how we use your personal data 
  • Be provided with a copy of it 
  • Object to, or restrict our use of it 
  • Have it erased 
  • Have it provided to another organisation in a common format 
  • Be informed if we use it for profiling or in any automatic decision making 

These rights don’t apply to every use of your data, and each right is explained more fully in the table in each of the pages linked above.

If you wish to make an individual rights request, and to help us identify what information you require, please download this form and send it to the email address below.

Contacting us 

If you need to contact us for any reason, please do so by writing to: 

Email: [email protected] 

Address: The Data Protection Officer
Genomics England Limited
Dawson Hall
Charterhouse Square
London
EC1M 6BQ 

The Data Protection Team will answer your query as soon as possible. Genomics England has appointed a Data Protection Officer as required by law, and you can contact them in the same way.

Your right to complain to the Information Commissioner 

You also have the right to complain to the UK Information Commissioner if you don’t feel we are using your data in line with your rights, or if you feel we haven’t dealt with your request properly.

You can contact them at:

Website: https://ico.org.uk/global/contact-us/
Helpline: 0303 123 1113

Updates to our privacy notices 

Our privacy notices are regularly updated and each will have a ‘valid from’ date at the top. You can view an archive of our privacy notices.


Useful links

Loading...