Pexxi and GDPR
What is the GDPR? The GDPR creates a new data protection regime throughout the EU, “designed to harmonise data privacy laws across Europe, to protect and empower all EU citizens’ data privacy and to reshape the way organisations across the region approach data privacy”. The Data Protection Act 2018 makes provision for how the GDPR will operate in the UK.
How does the GDPR affect Pexxi? The GDPR applies to anything we do with your personal data, such as collecting, storing or using it in any way. We are a Data Controller under the GDPR. We process personal data, including something known as ‘special category personal data’ (SCPD). SCPD includes genetic data and data concerning health. Article 6 of the GDPR details the six criteria for the lawfulness of processing data. Pexxi can only process personal data if it meets at least one of these. We rely on the provision that allows us to process personal data based on our legitimate interests. Pexxi is committed to – and will continue to deliver – a workable consent process that allows participants to make informed choices on how their confidential data is used.
Where can I find out more? There are resources available to help people understand and make informed choices on the ways in which we use their data. Data Protection Officer (DPO): In compliance with the GDPR and the Data Protection Act 2018, Pexxi has appointed a Data Protection Officer. Our DPO is a senior, qualified data practitioner who, amongst other duties:
- helps us to monitor internal compliance with the GDPR;
- informs and advises on our data protection obligations, including under the new Data Protection Act; and
- provides advice and is the first point of contact for any questions on how we use data.
Pexxi’s DPO can be contacted at email@example.com.
Data Access and Use: more information on how we use data, as well as our Privacy Notices, can be found on our website – here.
Information Commissioner’s Office (ICO): the ICO is the UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals. The ICO is an excellent resource on data protection issues and is the body responsible for investigating concerns.
Health Research Authority (HRA) guidance for those in the health and social care research sector can be found here.
Privacy Notice for Website Users
Version 1 – Dated 2 May 2019
1. About us. We are Uniq Health Ltd, also known as Pexxi, a company registered in England and Wales (Company No. 10972015).
2. Introduction and purpose of this Privacy Notice. This Privacy Notice sets out key information that it is essential for you to know when you provide information to Pexxi. This informs you of what to expect when Pexxi collects information from you, such as when you visit our website or subscribe to our newsletter. It does not apply to information from Pexxi’s system users. We are the data controller for your personal data and this Privacy Notice describes how we process it. By processing, we mean any operations such as collecting, organising, structuring, storing and destroying personal data. We will put in place appropriate technical measures to protect your personal data and to ensure that we process it:
- Fairly and proportionately;
- Only in ways that are relevant to the purposes for which it is to be used;
- Accurately so that it is complete and up to date;
- So that it is kept no longer than is necessary;
- So that it is protected by security safeguards to prevent loss, unauthorised destruction, use or disclosure;
- In accordance with the General Data Protection Regulation (GDPR) 2018 and the Data Protection Act 2018.
3. Our right to change our Privacy Notice. We may make changes to our Privacy Notice and when we do we will post our changed Privacy Notice on our website and it will then apply. We will always put the date and version of our Privacy Notice at the top, so that you can easily find this information.
4. What is personal data? Personal data is any information about a living individual that can be used to identify the individual, such as name, address, date of birth, email address, photographs or videos. It may also include special categories of personal data. This is information concerning: racial or ethnic origin; political opinions; religious or philosophical beliefs; trade union membership; genetic or biometric data; health data; data concerning a person’s sex life or sexual orientation.
5. What information we collect. When you use our website or register to receive our newsletters, we collect the following personal data when you provide it to us:
- Email address
6. Your personal data and how we process it. We only ever use your personal data lawfully and when you have given us your consent to the processing of it. Most commonly we will use your personal data in the following circumstances:
- To allow you to register to receive our newsletters.
- To communicate with you on events, news and updates from Pexxi.
You may withdraw your consent at any time by clicking the ‘unsubscribe’ button at the bottom of any email we send to you or by contacting us at firstname.lastname@example.org. We will never sell your personal data or share it with third parties who might use it for their own purposes.
7. How we protect your personal data. The security of your personal data is very important to us. We will ensure that we have in place appropriate organisational and technical measures to prevent unauthorised access, improper use, alteration, destruction or accidental loss of your personal data.
8. How long we keep your personal data. We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for.
9. Your rights and your personal data. Under certain circumstances, by law you have a number of rights in respect of your personal data. These include the right to:
- Request access to your personal information, known as a ‘data subject access request’. This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
- Request that we correct the personal data we hold about you if it is inaccurate or out of date.
- Request that we erase your personal data where there is no good reason for us continuing to process it.
- Request that we restrict the processing of your personal data where there is a dispute about its accuracy or the reason for processing it.
- Request the transfer of your personal information to another party where our processing of it is under a contract or based on your consent and the processing is carried out by automated means.
If you want to obtain access to, request correction or erasure of, restrict the processing of or request the transfer of your personal information please contact email@example.com. For more information on your rights and your personal data please see the Information Commissioner’s website.
If you consider that we have not handled your personal data lawfully then please contact our Data Protection Officer. You also have the right to make a complaint at any time to the Information Commissioner’s Office, the UK supervisory authority for data protection issues.
You can contact the Information Commissioner at:
Information Commissioner’s Office: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF. Tel: 0303 123 1113
Contact details and useful information
If you have any questions about this Privacy Notice and how we handle your personal data then please contact our Data Protection Officer at firstname.lastname@example.org.
Privacy Notice for Participants in Survey
Version 1. Dated 4 May 2019
This Privacy Notice describes how we collect, store and process personal information about you, in accordance with the General Data Protection Regulation (GDPR).
At Uniq Health we take privacy seriously and will only use your personal information for the benefit of research or for clinical care.
Uniq Health is a ‘data controller’ and we want you to be clear about how we collect, store and use personal information about you, how we protect the privacy of your personal information and how you can access your personal information should you choose to do so.
It is therefore important that you read this Privacy Notice as it will explain:
- What information we collect and why we collect it.
- Where the information comes from.
- How we use that information.
- How we keep the information private.
- The choices we offer, including how to access and update information.
Your privacy matters to us. If you have any questions about this Privacy Notice then please contact us at email@example.com.
2. Information we collect, store and process about you
We collect, store and process your personal information. This information includes health data and your past and current experiences of hormonal contraceptives, which are obtained through our survey.
3. Why is this information collected
Your answers will help us better understand your needs and incorporate the findings when finalising our product.
Under the GDPR, personal data can only be processed where one of the specific conditions set out in the GDPR is satisfied. We rely on the provision that allows data controllers to process personal data on the basis of legitimate interests: the interests on which we rely are our interests in carrying out medical research and in providing clinical care.
There are also specific provisions in the GDPR in relation to special categories of personal data (including genetic, biometric and health data), under which such data can only be processed on limited grounds. In order to process such data, we rely on the provisions that allow such data to be processed for research purposes and for providing clinical care.
4. What type of data is collected
This includes personal information, like name, address, date of birth and other demographic information. It also includes other information (much of it very personal) about your condition and how it affects you.
To ensure there is the richest possible health data set for research purposes we collect all sorts of data, even things that at first look might not have any relevance to a health condition. This is because we don’t yet know what is important.
5. Where is data collected from
From the survey. Before we share any of your personal information we ensure that agreements are in place that include strict rules and processes on how your personal information is shared.
6. Keeping data private
Research users will have restricted access to de-identified datasets which contain only the information they need for their specific and approved research study. From this information they may produce additional research data based on their analysis. Researchers should not be able to work out who this data is about, or even who is participating in the Project, simply by looking at the information in the system. However, any non-trivial piece of health data – even a de-identified report of an appointment booking – could be re-identified by somebody who already has enough information about the individual in question. This is why Uniq Health insists that all access to its data takes place within its secure environment, where it can be monitored.
7. Withdrawing participation
If a participant changes their mind and wants to withdraw then they are free to do so and this will always be acted on without delay as we aim to make this process as easy as possible. There are two options:
Option 1 – partial withdrawal: ‘no further contact’ –
Option 2 – full withdrawal: ‘no further use’ –
Finally, regardless of the option chosen above, we will keep an audit record to say that the participant was once part of the Project and then withdrew. This includes their surname, first name, date of birth, address and contact details. This information is held in a very secure area with access limited to a very small number of staff within Uniq Health.
8. Information that is captured when we are contacted
Uniq Health can be contacted by email or via our website. When you contact us we may record your details so we can best answer your query and provide you with a response. We will keep a record of these communications in case you contact us again, but these records will not be used for other purposes. We review the information we hold, and the length of time it is held, as part of our records management policy.
We may contact you by email to keep you informed about our products or to discuss clinical trials that may be of interest to you. We may use email to do this if you prefer and where you have provided us with your email address.
9. Accessing and updating your personal information
Under the GDPR you have the right of access to your personal information; you also have rights to rectify the information or have it erased, and to restrict or object to processing. These rights are subject to various exceptions, including in relation to information processed for research purposes.
Uniq Health aims to ensure we hold the most accurate and up-to-date information, but we recognise that this may not always be the case. If the information we hold is wrong we strive to give you ways to update it quickly or to request that it is deleted. When updating your personal information, we may ask you to verify your identity before we can act on your request.
There may also be situations where we may reject requests that we believe are unreasonably repetitive or require disproportionate technical effort. We may also reject requests that we believe risk the privacy of others and where these circumstances apply we will contact you to discuss our concerns.
Where we can provide information access and correction, we will do so free of charge. In certain cases we may charge reasonable amounts where we believe this is appropriate due to the effort that may be needed to satisfy the request. Again where we believe this is the case we will contact you to discuss the matter further.
Like all organisations we take our data security extremely seriously and therefore we make backups of all our data. This helps to protect this vital data from accidental or malicious destruction. Because of this, after we have deleted information, at your request, we may not immediately be able to delete residual copies from our backup systems. We will confirm to you as part of our discussions how we can address your privacy concerns in this respect.
10. Information security and period of storage
We work hard to protect the information we hold from unauthorised access, alteration, disclosure or destruction. In particular:
- We encrypt much of the data we hold
- We use access control techniques
- We restrict access to personal information to only those staff who need to see this information
- All staff and suppliers who need to access this information are subject to strict contractual confidentiality obligations. They may be disciplined or their contract terminated if they fail to meet these obligations.
- We continually review our information collection, storage and processing practices, including physical security measures, to guard against unauthorised access to systems.
We store your personal data for no longer than is necessary to carry out our legitimate interests of medical research and providing clinical care. We have implemented appropriate technical and organisational measures to keep your personal data safe and to safeguard your rights and freedoms.
This Privacy Notice may change from time to time. We will post any Privacy Notice changes on this page and, if the changes are significant, we will provide a more prominent notice (including, for certain services, email notification of Privacy Notice changes). We will also keep prior versions of this Privacy Notice in an archive for your review.
Contact details and useful information
The address of Uniq Health is: UCL BaseKX, 103c Camley Street, London, N1C 4PF
For general enquiries – firstname.lastname@example.org
Complaints and requests for information
When we receive formal written complaints, we will contact the person who made the complaint to follow up. We work with the appropriate regulatory authorities, including the Information Commissioner’s Office, to resolve any complaints.
If you have a complaint, issue or question relating to this privacy notice or data protection you can contact our Data Protection Officer by the following methods:
By email – email@example.com