This document explains what happens to your personal data when you take part in a research study run by Genomics Medicine Ireland (GMI). In particular –
- who are GMI and what do we do?
- what data does GMI collect?
- why does GMI collect your data?
- who can access your data?
- will your data be transferred outside of the EEA?
- how does GMI keep your data safe?
- how long does GMI keep your data?
- what happens to your data if you withdraw from a GMI study?
- what “legal basis” under GDPR does GMI rely on to collect and use your data?
- will you get feedback from GMI on your data?
- what are your rights under GDPR?
- what do you do if you have a query or complaint about how we collect and use your data?
- what if GMI makes changes to this privacy statement?
WHO ARE GMI AND WHAT DO WE DO?
GMI is an Irish commercial life sciences company carrying out research on the human genome to examine the relationship between genomics, health and disease. We conduct genomic research studies by working closely with hospitals, primary care centers, community care centers, universities and commercial partners. Through collaborations with commercial partners, we hope the insights gained through our studies will lead to the development of new treatments and diagnostics for a broad range of complex diseases, as well as better use of existing drug treatments. Our commercial partners will include pharmaceutical and biotech companies who develop new diagnostic tests, identify new risk factors or drug targets, and develop, test and market new drugs. GMI is part of the WuXI NextCODE group of companies. WuXi NextCODE is headquartered in Cambridge, Massachusetts, USA.
WHAT DATA DOES GMI COLLECT?
When you volunteer to participate in one of our research studies, with your consent we will collect the following data:
- health and lifestyle information from you directly;
- for some studies, physical measurement such as height, weight and blood pressure; and
- if you have a health condition, your medical team, with your permission, will provide us with information from your medical records.
Only the information required to address the research question will be taken from your medical records.
The data we collect will never include your name, address, date of birth and other demographic information which identifies you.
During our research studies we will also collect a biological sample from you such as blood, plasma or saliva. In some studies, we may also request access to a small portion of a tissue sample which was previously obtained from you. We use techniques such as whole genome sequencing, which reads every letter of your DNA (i.e. your “genomic instructions”), to enable us to collect your genomic data from these biological samples.
WHY DOES GMI COLLECT YOUR DATA?
GMI collects your data in order to try to identify similarities across different diseases in order to maximise discoveries that could lead to drug discoveries and better use of existing drug treatments. This means that if you have a disease, we not only use your data to better understand your condition, but we will also use your data in other health-related analyses that are undertaken by GMI as a comparison in other diseases and to help us understand normal biological changes that may be associated with health.
We combine your data with data from thousands of other participants in our database to study the similarities and differences in the data and how they relate to health. Researchers then look for patterns that may give clues about the causes of health conditions, or patterns that might help us to better understand a condition or find a new way to treat it.
WHO IS THE CONTROLLER OF YOUR DATA?
GMI is the data controller of all de-identified medical health, lifestyle and genomic data.
The institution is the data controller of any personal information pertaining to study participants that remains at the study site and the institution continues to be the data controller of all medical files.
WHO CAN ACCESS YOUR DATA?
- GMI will add your data to a database with similar data from thousands of other study participants. GMI controls all access to the GMI database where your data is stored. Other than GMI, only your doctor and their affiliated institution, and our commercial partners and authorised research groups can access the GMI database as follows: Your doctor and the academic institution they are affiliated with can access the study data by coming onsite at GMI and using the GMI database to read and analyse the clinical, health and genomic data. They are only allowed access the study data for the research outlined in our patient information leaflet. They can never download any individual’s personal data from the GMI database.
- Our commercial partners, such as pharmaceutical and biotechnology companies, and approved research groups can access your data by remotely accessing the GMI database under strictly controlled conditions to read and analyse your clinical, health and genomic data for the research outlined in our information leaflet. They are only allowed access your data for the research outlined in our patient information leaflet, they can never download any individual’s personal data from the GMI database.
- In some instances, with your consent, your doctor or their research team and the academic institution they are affiliated with, may obtain a copy of your clinical, health and genomic data for research as described in the Patient Information Leaflet. If we provide a copy of your data to your doctor or the academic institution, the hospital where your doctor works and the academic institution will be responsible for the storage and security of your data.
WILL YOUR DATA BE TRANSFERRED OUTSIDE OF THE EUROPEAN ECONOMIC AREA (EEA)?
Some of our commercial partners and authorised research groups may be located outside the EEA. These approved third parties can remotely access and read select de-identified datasets to address a specific research question but never download any data. This is called a data transfer, even though no data actually moves outside of our database.
We have technical and organisational measures in place to protect your personal data and ensure it is transferred in accordance with the requirements of the GDPR. This may involve the use of data transfer agreements in the form approved by the European Commission (known as standard contractual clauses) or the use of other mechanisms recognised by EU data protection law as ensuring protection for personal data transferred outside the EEA.
We do not allow access to any data for marketing or insurance purposes.
HOW DOES GMI KEEP YOUR DATA SAFE?
Personal identifiers, such as your name or date of birth, are never used to label your samples or clinical information. All samples and study information are assigned random study ID numbers at the clinic in a process called pseudonymisation. This process is used to mask your identity or Code your Data.
We have a robust level of technical and organisational measures in place to protect your data from unlawful or unauthorised destruction, loss, change, disclosure, acquisition or access. We ensure that all personal data controlled by us is stored securely in Europe using the highest level of security measures.
Only your doctor, their research team or the GMI study personnel at the research study site has access to your traditional identifiers such as your name and date of birth. They keep that information so they can facilitate a request to withdraw from the study. These traditional identifiers never leave the research study site.
At GMI we never receive any personal information such as your name, date of birth or address. All your data in GMI’s database is de-identified. GMI study monitors shall liaise with your doctor and the research team at the research study site to check that the study is being carried out correctly, adhering to the institution’s approved ethics terms and ensuring the correct consent is in place. The study monitors never remove any traditional identifiers such as your name and date of birth from the research study site.
Our commercial partners and approved researchers shall only have restricted access to select deidentified datasets which contain only the information they need for their specific and approved research study. Furthermore, your data can only be read or analysed by these researchers on the execution of a legal agreement. These researchers are prohibited from attempting to identify an individual participant from the data in the database.
HOW LONG DOES GMI KEEP YOUR DATA?
As science advances, we will continue to analyse the data in our database for many years to come. For this reason, your medical, lifestyle and biological data generated as part of the study will be retained for the duration of the scientific research, in accordance with EU data protection laws (GDPR). This data will only be processed for the purposes outlined in the leaflet you receive at the study site. It will not contain any information that traditionally would be used to identify you (such as name or date of birth).
WHAT HAPPENS TO YOUR DATA IF YOU WITHDRAW FROM A STUDY?
If you wish to withdraw from a GMI study and your biological sample has not been converted into data we will destroy your biological sample and delete your medical and lifestyle data.
If you wish to withdraw from a GMI study and your biological sample has been converted into data and included in GMI’s database, then it will be necessary for GMI to retain your Coded Data in GMI’s database and continue to process and analyse it in order to achieve the scientific purpose of the research. Your data cannot be withdrawn from published results or findings.
GMI will destroy the code that links your Coded Data to your name so that it will no longer be possible to link your Coded Data held by GMI back to your details held at the study site.
GMI will also destroy any remaining biological sample so it can no longer be used.
Where GMI continues to process your Coded Data, GMI ensures that high levels of security measures are in place to protect all data in the database.
WHAT “LEGAL BASIS” UNDER GDPR DOES GMI RELY ON TO COLLECT AND USE YOUR DATA?
The information or data that GMI collects for this study is known as “personal sensitive data” under Irish Data Protection Laws as it relates to your health. Under Irish Data Protection Laws, your explicit consent is the lawful basis on which GMI can process your personal data in the first instance.
In the event that you exercise your right to withdraw from this study as outlined below, GMI may need to continue to process your data based on the legitimate interests of GMI (and its commercial partners) in the pursuit of scientific research, as deletion of your data would seriously impair the purpose of the research.
In accordance with the European and Irish data protection laws, we shall only process, store and use your data in a manner that is consistent with the basis on which you joined GMI’s research study as described in the information materials and consent form you receive at the research study site.
WILL YOU GET FEEDBACK FROM GMI ON YOUR DATA?
With the exception of our Rare Disease Programme, all participants join GMI’s studies on the explicit understanding (as described in the information leaflet and consent form) that there shall be no feedback of any individual information that maybe discovered about you from using your data.
WHAT ARE YOUR RIGHTS UNDER GDPR?
Your rights to object, to restrict processing, to be forgotten, erasure and withdrawal are managed through your ability to withdraw from a GMI study as outlined above.
You are entitled to a copy of any part or all of your personal data processed by GMI upon request, which shall be provided to you in accordance with Irish Data Protection Law.
In order to request access to, or correct errors in, your personal data, you will need to contact the study site/clinic where you signed up to our study, as GMI does not know your identity.
GMI’s processing includes profiling of the data it collects. This consists of automated processing of personal data to analyse certain personal aspects concerning participant’s health. However, GMI does not make any automated decisions based on this Profiling exercise
All participants join GMI’s studies on the explicit understanding that there shall be no feedback of any information that maybe discovered about you from using your personal data.
WHAT DO YOU DO IF YOU HAVE A QUERY OR COMPLAINT ABOUT HOW WE COLLECT AND USE YOUR DATA?
Please contact our Data Protection Officer (DPO) regarding any questions or concerns relating to GMI’s approach to data protection. Please write to the DPO using the email address: firstname.lastname@example.org or via the post: FAO The Data Protection Officer, Genomics Medicine Ireland, Building 4, Cherrywood Business Park Dublin D18 K7W4.
Participants in our studies have the right to contact Ireland’s data protection authority, the Data Protection Commission (DPC), if you have any concerns about GMI’s use of personal data and/or GMI’s approach to data protection.
WHAT IF GMI MAKES CHANGES TO THIS PRIVACY STATEMENT?
This privacy statement may change from time to time. We keep prior versions of our Privacy statements in an archive and these are available on request.