2. Collecting Personal Data
By personal data we mean identifiable information about you, such as your name, email address, gender, mobile and home telephone number and your IP address. Given the nature of our services, personal data also includes information about a patient’s health [and genetic data]. These are special categories of personal data under applicable data protection legislation, and we process such personal data because it is necessary for the purposes of medical diagnosis and we obtain your consent when you sign the Patient Consent for Tissue Acquisition.
Information you provide to us
If you are a patient, we will collect your personal data when you complete a Patient Consent for Tissue Acquisition form, in particular, we require your name, date of birth and address together with details of your hospital/clinician. As noted on the Patient Consent for Tissue Acquisition form, by completing the form, you agree that we will also receive a copy of your pathology report containing information about your heath and any additional health information that your clinician/hospital determines is useful for us to receive in order to provide our services to you. We also will receive information from you about who is responsible for the payment of your invoices.
If you are a clinician or if you are otherwise acting on behalf of a hospital or other health care organisation, we will receive information about you when you complete our Test Request Form,or register online, in particular your name, data of birth, telephone number, email address and address together with billing details.
We will tell you at the time of collection of your personal data is providing some personal data is optional.
We will also collect such personal information about you that you choose to provide to us from time to time, including if you engage with us on social media, provide a review or testimonial to us, apply for a job with us or otherwise contact us including with queries, comments or complaints.
When you contact us by email or post, we may keep a record of the correspondence and we may also record any telephone call we have with you.
All personal data that you provide to us must be true, complete and accurate. At our request, you shall promptly provide evidence of your identity.
COVID-19 is a new “Notifiable Disease” and all positive Coronafocus Test Results must be reported by Oncologica to the proper officer of the local authority, as is required by law pursuant to the Public Health (Control of Disease) Act 1984 and the Health Protection (Notification) Regulations 2010. This may include name, date of birth, gender, home address, telephone number, NHS number, occupation, place of work, ethnicity.
The Laboratory will be unable to erase the test results, which are required as evidence of clinical practice.
Information we automatically collect about you
When you use our website, we automatically collect and store information about your device and your activities. This information could include (a) technical information about your device such as type of device, web browser or operating system; (b) your preferences and settings such as time zone and language; and (c) how long you used the website and which services and features you used.
Some of this information is collected using cookies and similar tracking technologies. If you want to find out more about the types of cookies we use, why, and how you can control them, please see our Cookies Policy.
Information we receive from others
If you are a patient, you agree that we will receive personal data about you from your clinician if you have engaged a clinician. We may also receive information about you from your private health insurers if you have a private health insurance policy.
Likewise, if you are a clinician it possible that we receive personal data about you from a patient although we do not generally request any such personal data from patients.
If we reasonably believe that any of the information you have provided to us is inaccurate, we may receive information from third parties confirming or otherwise, your identity.
Special Categories of personal data
If you are a patient, we shall obtain health and genetic information about you from your clinician, within Patient Consent for Tissue Acquisition, and whilst carrying out our tests and any discussions we may have with you and/or your clinician. Under applicable laws, health and genetic information is known as ‘special categories’ of personal data.
As noted above, the lawful basis for our processing of your special categories of personal data is your express consent evidenced by your signature of the Patient Consent for Tissue Acquisition form. We keep a record of your consent. You may withdraw your consent at any time, but we might then not be able to complete the tests and/or your report, and in any case, please see the ‘Right to be forgotten’ information under paragraph 7 below.
3. Lawful use of your personal data
The main reason that we use your personal data is to prepare and then to provide you with a test report in accordance with the Oncologica Test Terms and Conditions. We may contact you with further information about the test report from time to time, particularly if you have or your clinician has any queries in relation to the content or meaning of your test report.
We may from time to time need to use your personal data to comply with any legal obligations, demands or requirements, for example, as part of anti-money laundering processes or to protect a third party’s rights, property, or safety. We would not, however, expect to use your test report in this way.
We will use the results of your test report on an anonymous basis for our research and analytics. This helps us to continue to improve our services for all patients and such processing is therefore in the public interest.
If you are a clinician, then, for our legitimate interests, we may use your personal data to send you information about our services from time to time. Please see the Your rights section is you do not wish to receive such information.
4. Who do we share your data with?
We send the test report to the patient, but if the patient has a clinician named on the Test Request Form then we will also send a copy of the test report to the clinician. A patient can request at any time that we send a copy of their test report to an alternative clinician. If we receive such a request we shall first confirm with the alternative clinician that the patient is indeed a patient of that clinician and on receipt of such confirmation, we shall send them the test report.
Unless we are requested to do so otherwise, we shall not share your test report with your insurers.
For our legitimate interests, we may share your personal data with any service providers, sub-contractors and agents that we may appoint to perform functions on our behalf and in accordance with our instructions, payment providers, IT service providers, accountants, auditors and lawyers. We shall provide our service providers, sub-contractors and agents only with such of your personal data as they need to provide the service for us and if we stop using their services, we shall request that they delete your personal data or make it anonymous within their systems.
5. Where we hold and process your personal data
Some or all of your personal data may be stored or transferred outside of the European Economic Area (the EEA) for any reason, including for example, if our email server is located in a country outside the EEA or if any of our service providers are based outside of the EEA.
Where your personal data is transferred outside the EEA, it will only be transferred to countries that have been identified as providing adequate protection for EEA data (like New Zealand), or to a third party where we have approved transfer mechanisms in place to protect your personal data – i.e., by entering into the European Commission’s Standard Contractual Clauses, or by ensuring the entity is Privacy Shield certified (for transfers to US-based third parties).
We shall process your personal data in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage. In particular, access is restricted to employees who need to know your personal data, and we use appropriate password protection and appropriate strong encryption electronic measures within our electronic data management systems.
However, unfortunately, because of the nature of electronic storage, we cannot promise that your personal data will always remain secure. If there is a security breach, we will do all that we can as soon as we can to stop the breach and minimise the loss of any data.
7. Your rights
You have a number of rights under applicable data protection legislation.
Right of access: You have the right to obtain from us a copy of the personal data that we hold for you.
Right to rectification: You can require us to correct errors in the personal data that we process for you if it is inaccurate, incomplete or out of date.
Right to portability: You can request that we transfer your personal data to another service provider or clinician.
Right to restriction of processing: In certain circumstances, you have the right to require that we restrict the processing of your personal information.
Right to be forgotten: You also have the right at any time to require that we delete the personal data that we hold for you, where it is no longer necessary for us to hold it. However, whilst we respect your right to be forgotten, we may still retain your personal data in accordance with applicable laws. In practice, this means that:
- we can delete your name and other contact details within our primary access systems within a reasonable time from your request;
- we may need to retain your test report (which will also include your name and contact details) in our archive system for a longer period of time because it is impractical for us to isolate individual test reports within the archive and/or we need to retain your data to establish, exercise or defend any legal claim that may arise;
- we will not restore your test reports back within our primary systems except where there is a serious security breach or we need to establish, exercise or defend any legal claim that may arise;
- our archives are subject to the Security paragraph noted above.
Right to stop receiving marketing information: If you are a clinician, you can ask us to stop sending you information about our services, but please note we shall continue to contact you in relation to any matters relating to patients where you are the noted clinician.
We reserve the right to charge an administrative fee if your request in relation to your rights is manifestly unfounded or excessive.
8. Retention of personal data
All test reports are retained in digital form, in a secure and encrypted environment and are confidentially stored in accordance with data protection and GDPR regulations on records management, which may be updated from time-to-time. We regularly review our data retention storage policy to ensure compliance with industry practice.
We endeavour to keep personal data only for as long as is necessary. However, we have legitimate interests for retaining your personal data and that includes your test report after we have sent the test report to the patient, including:
- to deal with any follow up queries or questions that the patient or clinician might have;
- to refer to if the patient requires any additional services from us – subsequent reports will be more helpful and appropriate if we have all previous health information about a patient;
- to establish, exercise or defend any legal claim that may arise.
We may also be required to retain personal data for a particular period of time to comply with legal, auditory or statutory requirements, including requirements of HMRC in respect of financial documents.
Please note that if you are a clinician and you ask us to remove you from our marketing list, we shall keep a record of your name and email address to ensure that we do not send to you marketing information.
Retention times are detailed in MP017: Control of Records.
Last updated: July 2020