Privacy Notice – Scientific Research

Privacy Notice

How we use personal data – and other data – in our scientific research

Overview

Genomics plc conducts scientific research using large amounts of data about the genetics and health of individuals. Almost all of this data is in the form of effectively anonymous ‘aggregate’ data. We also use some more detailed genetic and health data about individuals, however we do not know their identities.

More information about our scientific research is provided below.

What personal data do you use in your scientific research?

We obtain and use personal data that has been collected by others during scientific research studies. The data we obtain from the coordinators of these studies is in the form of: (1) genetic data (e.g. whole genome sequences, but more typically genotype data); and (2) data about many different traits (or ‘phenotypes’) including data concerning health. The two types of data are usually linked: we know that the genetic and trait data we have will be about the same person. We call this linked data individual level data.

The individual level data we use is personal data that has been ‘de-identified’ (or ‘pseudonymised’) by the providers of the data before we receive it. This means that we know that the individual level data relates to a single person, but the information that identifies that person has been removed by (and kept by) the provider of the data. This means that we do not know the identity of any individual in the individual level data we use in our scientific research.

 

What other data do you use in your scientific research?

Most of the data we use in our research is aggregate data. This means the data summarises the results from research on groups of people who have participated in a research study. It is effectively anonymous data. Most of the aggregate data we use is generated by other researchers and made freely available for use in scientific research.

 

How do you use personal data in your scientific research?

Genomics plc is a ‘data controller’ in respect of individual level data. This means that we make our own decisions about how such data is used in our scientific research.

We use individual level data (and also aggregate data) to try and better understand human biology. This involves a broad range of both fundamental and applied research into the genetic basis of human disease, as well as technological developments (e.g. new ways to analyse very large amounts of data). The results of our research can help to design new and better drugs and therapies to treat human disease.

We normally create aggregate data from individual level data. It is easier for us to analyse aggregate data at the very large scale needed to conduct our research. This means most of our the analyses we carry out in our research – and certainly most of the results – do not use and are not individual level data at all.

It is important that all data (individual level data and aggregate data) used in our research is accurate and up to date. We maintain processes to ensure that we only use current, correct data in our research. We also ensure that all data used in our research is only accessible to authorised people working for and with us.

Everyone who works for us has agreed to a set of standards that governs use of all data in our scientific research.

 

What are the legal bases for the use of personal data in your scientific research?

We first rely on our ‘legitimate interests’ to conduct our research using individual level data.

Secondly, because of the sensitivity of individual level data, we rely on certain ‘safeguards’ made possible by our ISO27001-certified internal processes covering our use of all genetic and related data in our research. These processes include requirements that data is kept secure, de-identified and/or converted into aggregate data wherever practical, and used only for permitted research activities. These processes are also designed to minimise the risk of data use that may cause problems for individuals (e.g. unauthorised disclosures about medical conditions of an identifiable individual). You can read more about our information security practices here.

Thirdly, we consider that our scientific research is in the public interest. We can demonstrate this in two ways. Firstly, the results of our analyses can improve the drug discovery and development processes: we can help to discover new drugs, and use existing drugs in better ways. Secondly, in certain circumstances, we will also share certain results (aggregate data) for wider use by the scientific community. We have also published some of our findings in scientific journals.

 

Where do you get personal data from?

Access to the individual level data we use in our scientific research is administered by the following sources:

 

In all cases, we have signed an agreement with the data provider before getting access to individual level data. Usually this means that we must: use individual level data only for agreed research purposes; keep the individual level data secure; respect research participant confidentiality; and only use and share individual level data and any results in accordance with terms and conditions imposed by the data provider.  

 

Who do you share personal data with?

We will only share individual level data with other researchers in cases where the data provider has allowed us to. In all other cases we do not share individual level data.

For any permitted sharing of individual level data (including outside of Europe) we will use secure, encrypted methods to avoid any unauthorised access to the data.

We may, on occasion, choose to share aggregate data with other researchers (in most cases there are no restrictions for this type of sharing). We are also required to return certain aggregate data to data providers, and may choose to publish such data in scientific journals.

 

How long do you store personal data that you use in your scientific research?

We retain individual level data in accordance with any conditions imposed by the provider of the data. Our scientific research is ongoing so, in practice, we will retain individual level data indefinitely. The same approach applies to our use of aggregate data.

 

Does your scientific research involve automated decision-making about individuals?

No. We do not identify individuals in the course of our research. We also do not work directly with individual research participants. Accordingly, the results of our research cannot – by automated means or otherwise – be used by us to make any decisions in respect of an individual.

 

Can you identify individual research participants from your scientific research data?

In practice: no. We never try to find the identities of individual research participants. Everyone who works for us has agreed in writing that they will not seek to re-identify individual participants from any data used in our research.

The additional information that would allow us to identify an individual from individual level data is kept by the providers of the data. That additional information is rightly considered highly sensitive and confidential, and would never be disclosed to us or other researchers. We do not need that additional information in order to carry out our scientific research.

It is theoretically possible to identify an individual using large volumes of aggregate data as a starting point. To do so would require additional information from the data providers and other sources, and a lot of detailed analysis. We do not have, or need, such additional information, and we will not attempt to identify individuals from the aggregate data we use in our scientific research.

Sometimes we may need to know – if we are allowed to do so by the providers of the data – that the same individual is present in different sets of research data, and which is the relevant data. Again, the relevant individual level data would always remain ‘de-identified’ or ‘pseudonymised’.

 

Do you work directly with individual research participants?

We do not. All the individual level data we use comes from other sources. In all cases, the data providers will have ‘de-identified’ or ‘pseudonymised’ the individual level data before we receive it.

 

What rights do I have in relation to the use of personal data in your research?

As members of the scientific research community, we are grateful to everyone who has participated in research. However, for legal and practical reasons (see below) individual research participants do not have any rights to directly require us to take action in respect of personal data relating to you that is being used in our scientific research. We will always comply with requests from providers of individual level data (and aggregate data) to alter or stop use of such data in our research.

We could not comply with any requests made directly to us in respect of individual level data. There are two reasons for this: firstly, we do not have information in our possession to allow us to identify individuals; and, secondly, legal exemptions also apply to the use of personal data in scientific research activities such as ours.

If you are concerned about the use of individual level data that may have been made available to us by one of our sources you should contact those sources directly. You could also contact scientific researchers with whom you had direct interactions with when participating in a research study. You will probably have a consent form and/or information leaflet if you participated in such a study: contact details should be provided on such paperwork. You will have most likely have direct rights (e.g. to access, rectification, erasure, withdrawal of consent, restriction of further processing) of when dealing with them directly.

 

What are the Genomics plc Data Standards?

The values described in our Data Standards underpin the conduct of our scientific research. Everyone one who works for Genomics plc must agree to work in accordance with the Data Standards. They are set out below:

Responsibility – We will use Data responsibly and in accordance with all applicable laws.

BenefitWe will use Data to try and better understand human biology in ways that can help improve healthcare, including the development and use of therapeutics.

Context – We will assume that the original providers of Data are bound by: obligations of confidentiality and privacy towards research participants; the consent given by donors of biological samples that generated Data; and conditions of approval by research ethics committees / institutional review boards for use and generation of Data in research.  

Sensitivity – We will acknowledge that the sensitivity of Data depends on the nature of its use – ie. how Data may relate to other information, people, decisions and actions – rather than how we or others may categorise Data.

Purpose – We will use Data only for the purposes communicated to and permitted by the Data provider.

Anonymity – We will assume that certain Data could, either alone or in combination with other Data or associated information in our possession, identify a person. However, we will not use any Data in order to identify any individuals.

Security – We will store all Data securely; grant access only to those who need to use for Genomics plc business; and always act in accordance with company policies relevant to Data security.  

Acknowledgement – We will acknowledge the sources of Data appropriately, and will always include relevant details of Data providers in any papers that we publish.

Accuracy – We will take all reasonable steps to: keep Data updated and accurate; and permanently delete and remove Data from our systems if requested to do so by a Data provider.

(In our Data Standards we use Data to mean: all scientific data that is typically used for our company’s purposes (eg. genetic, genotypic, phenotypic, eQTL data, and associated data, whether whole genome sequences, exome sequences, individual level data, human mutation, summary statistics, or annotated data. This is not an exhaustive list.)

Who do I ask if I have any questions?

Our Data Protection Officer is Liam Curren. His contact details are:

e: dpo@genomicsplc.com or t: +44 01865 981600.

Please remember that because all the individual level data we have is de-identified or pseudonymised before it is transferred to us we will not be able to tell you if we have data relating to you. 

Who do I contact if I have a complaint?

The Information Commissioner’s Office is the official regulator of personal data in the UK. You can find its contact details here: https://ico.org.uk/

We may update this privacy notice from time to time. (Last updated: 21 May 2018)