Privacy Notice for Participants in the 100,000 Genomes Project
This Privacy Notice is Version 1. Dated 24 May 2018. See other Policy Notices here.
This Privacy Notice describes how we collect, store and process personal information about you as a Participant in the 100,000 Genomes Project and in accordance with the General Data Protection Regulation (GDPR).
At Genomics England we take privacy seriously and will only use your personal information for the benefits of research or for clinical care. As a Participant you have been kind enough to volunteer for the 100,000 Genomes Project and you will have been referred for inclusion in the 100,000 Genomes Project by your clinician and may have certain rare diseases yourself or in your family, or you may have cancer. You will, in most cases, have been invited to take part by a clinical team and in all cases you will have given your consent to providing your personal information by completing and signing a consent form.
Genomics England is a ‘data controller’ and we want you to be clear about how we collect, store and use personal information about you, how we protect the privacy of your personal information and how you can access your personal information should you choose to do so.
It is therefore important that you read this Privacy Notice as it will explain:
- What information we collect and why we collect it.
- Where the information comes from
- How we use that information.
- How we keep the information private
- The choices we offer, including how to access and update information.
We’ve tried to keep this Privacy Notice it as simple as possible, but if you’re not familiar with the terms used in it, such as Health Data, Genome Data then visit our Data types and storage page to read about these key terms.
Information we collect, store and process about you
We collect, store and process your personal information and this information includes health data from clinical care that has been given to us about your genome sequence data which is obtained after we have processed samples of blood, tissue, and saliva. We also produce interpretation reports once we have analysed all your information and these reports are provided to your clinical team for review.
Why is this information collected
By considering your health data and genome data together, researchers will be able to better understand the relationship between variations in the genome and the health of the individual. In rare diseases, they may be able to better explain the condition, arrive at a new diagnosis or suggest a new approach to treatment. In cancer, they may be able to predict the effect of a particular course of treatment, avoiding drugs that would not work for the individual concerned or selecting or developing drugs that have a better chance of success.
Under the GDPR, personal data can only be processed where one of the specific conditions set out in the GDPR is satisfied. We rely on the provision that allows data controllers to process personal data on the basis of legitimate interests: the interests on which we rely are our interests in carrying out medical research and in providing clinical care.
There are also specific provisions in the GDPR in relation to special categories of personal data (including genetic, biometric and health data), under which such data can only be processed on limited grounds. In order to process such data, we rely on the provisions that allow such data to be processed for research purposes and for providing clinical care.
What type of data is collected
As part of your treatment or clinical care, you may provide personal information about yourself and your condition to your clinical team. This may include personal information, like name, address, date of birth and other demographic information. It may also include other information (much of it very personal) about your condition and how it affects you. As part of your treatment the information held about you may include photos, scans, images or video and these may all form part of the health data.
To ensure there is the richest possible health data set for research purposes we collect all sorts of data, even things that at first look might not have any relevance to a health condition. This is because we don’t yet know what is important. For instance, we collect details about birth and childhood illnesses because these might – or might not – have an influence on a condition. While some information we collect may not be relevant for an individual, it might be very important in other people’s conditions. For instance, we collect information about mental health and disability which is an important symptom for many of the rare conditions we cover.
Where is data collected from
Some of your health data will come from NHS hospitals and GPs or other health care teams that have provided you with care at any time; other health data will come from NHS healthcare organisations (such as NHS Digital, NHS England and Public Health England) that will either provide care in the future or support organisations that provide that care.
Information that we may share or link to other organisations
As part of the 100,000 Genomes Project we need to link different types of your health data, that is held by other organisations, to get a complete overview of your health data footprint so that we may carry out our research. In practice in order to access and obtain health data held by other organisations, including NHS Digital, NHS England and Public Health England, we may share your personal information with these other organisations so that they can provide your personal information to us.
Before we share any of your personal information we ensure that agreements are in place that include strict rules and processes on how your personal information is shared.
Keeping data private
Research users will have restricted access to de-identified datasets which contain only the information they need for their specific and approved research study. From this information they may produce additional research data based on their analysis. Researchers should not be able to work out who this data is about, or even who is participating in the Project, simply by looking at the information in the system. However, any non-trivial piece of health data – even a de-identified report of an appointment booking – could be re-identified by somebody who already has enough information about the individual in question. This is why Genomics England insists all access to its data takes place within their secure environment, where it can be monitored.
No data held by Genomics England will be accessible to other government agencies which includes HMRC and the Child Support Agency In the unusual situation that a request for data is made by a court order then this will be referred to Genomics England’s Legal Counsel as promptly as possible so that all representations may be made to the court, for example, to limit the information requested being released. We do not share information with insurance companies.
Withdrawing participation from the 100,000 Genomes Project
If a participant changes their mind and wants to withdraw from the 100,000 Genomes Project then they are free to do so and this will always be acted on without delay as we aim to make this process as easy as possible. There are two options:
Option 1 – partial withdrawal: ‘no further contact’ – this means Genomics England will not contact the participant again although the clinical team will still get an initial report about the rare condition or cancer but no more reports after this. The clinical team will ask the participant if they want to receive this initial report only. Genomics England will continue to use any samples already collected for research purposes and will continue to update and store information from the participant’s health and other records for use in approved research.
Option 2 – full withdrawal: ‘no further use’ – this means the participants would no longer be in the 100,000 Genomes Project although an initial report would still go to the clinical team for them to check if the participant wants to receive this. After this there is no further contact. We would destroy any DNA samples that we hold and from that point forwards we would restrict researchers from accessing any information we hold by putting it beyond any future use. Data that has been used already in research cannot be altered as that would affect the research results on which discoveries may be made.
Finally regardless of the option chosen above we will keep an audit record to say that the participant was once part of the Project and then withdrew. This includes their surname, first name, date of birth, address and contact details. This information is held in a very secure area with access limited to a very small number of staff within Genomics England.
Children in the 100,000 Genomes Project
When participants in the 100,000 Genomes Project reach the age of 16 they will be given the opportunity to give their own consent as an adult to remain in the Project. They will be contacted by their clinical team to complete this process.
Information that is captured when we are contacted
Genomics England can be contacted by phone, email or via our website. When you contact us we may record your details so we can best answer your query and provide you with a response. We will keep a record of these communications in case you contact us again but these records will not be used for other purposes. We review the information we hold and the length of time these are held as part of our records management policy.
We may contact you by post to keep you informed about the 100,000 Genomes Project or to discuss clinical trials that may be of interest to you. We may use email to do this if you prefer and where you have provided us with your email address.
Accessing and updating your personal information
Under the GDPR you have the right of access to your personal information; you also have rights to rectify the information or have it erased, and to restrict or object to processing. These rights are subject to various exceptions, including in relation to information processed for research purposes.
Genomics England aims to ensure we have the most accurate data and up to date information but we do recognise that this may not always be the case. If the information we hold is wrong we strive to give you ways to update it quickly or to request it is deleted. When updating your personal information, we may ask you to verify your identity before we can act on your request.
There may also be situations where we may reject requests that we believe are unreasonably repetitive or require disproportionate technical effort. We may also reject requests that we believe risk the privacy of others and where these circumstances apply we will contact you to discuss our concerns.
Where we can provide information access and correction, we will do so free of charge. In certain cases we may charge reasonable amounts where we believe this is appropriate due to the effort that may be needed to satisfy the request. Again where we believe this is the case we will contact you to discuss the matter further.
Like all organisations we take our data security extremely seriously and therefore we make backups of all our data. This helps to protect this vital data from accidental or malicious destruction. Because of this, after we have deleted information, at your request, we may not immediately be able to delete residual copies from our backup systems. We will confirm to you as part of our discussions how we can address your privacy concerns in this respect.
Information security and period of storage
We work hard to protect all data from unauthorised access to or unauthorised alteration, disclosure or destruction of information that we hold. In particular:
- We encrypt much of the data we hold
- We use access control techniques
- We restrict access to personal information to only those staff who need to see this information
- All staff and suppliers who need to access this information are subject to strict contractual confidentiality obligations. They may be disciplined or their contract terminated if they fail to meet these obligations.
- We continually review our information collection, storage and processing practices, including physical security measures, to guard against unauthorised access to systems.
We store your personal data for no longer than is necessary to carry out our legitimate interests of medical research and providing clinical care. We have implemented appropriate technical and organisational measures to keep your personal data safe and to safeguard your rights and freedoms.
This Privacy Notice may change from time to time. We will post any Privacy Notice changes on this page and, if the changes are significant, we will provide a more prominent notice (including, for certain services, email notification of Privacy Notice changes). We will also keep prior versions of this Privacy Notice in an archive for your review.
Contact details and useful information
The address of Genomics England is:
For general enquires our contact details can be found on our Contact us page.
Complaints and requests for information
When we receive formal written complaints, we will contact the person who made the complaint to follow up. We work with the appropriate regulatory authorities, including the Information Commissioners Officer, to resolve any complaints.
If you have a complaint, issue or question relating to this privacy notice or data protection you can contact our Data Protection Officer by the following methods:
By Phone – Call 0207 882 5030 (main switchboard) and ask for the Data Protection Officer.
By email – firstname.lastname@example.org
By letter – Addressed to the Data Protection Officer at the address above.
Genomics England is registered with the Information Commissioners Office Data Protection Register. Our registered number is ZA021653.