This document explains what happens to your personal data when you take part in a research study run by Genomics Medicine Ireland (GMI). In particular –
- who are GMI and what do we do?
- what data does GMI collect?
- why does GMI collect your data?
- who can access your data?
- will your data be transferred outside of the EEA?
- how does GMI keep your data safe?
- how long does GMI keep your data?
- what happens to your data if you withdraw from a GMI study?
- what “legal basis” under GDPR does GMI rely on to collect and use your data?
- will you get feedback from GMI on your data?
- what are your rights under GDPR?
- what do you do if you have a query or complaint about how we collect and use your data?
- what if GMI makes changes to this privacy statement?
WHO ARE GMI AND WHAT DO WE DO?
GMI is an Irish commercial life sciences company carrying out research on the human genome to examine the relationship between genomics, health and disease. We conduct genomic research studies by working closely with hospitals, primary care centers, community care centers, universities and commercial partners. Through collaborations with commercial partners, we hope the insights gained through our studies will lead to the development of new treatments and diagnostics for a broad range of complex diseases, as well as better use of existing drug treatments. Our commercial partners will include pharmaceutical and biotech companies who develop new diagnostic tests, identify new risk factors or drug targets, and develop, test and market new drugs. GMI is part of the WuXI NextCODE group of companies. WuXi NextCODE is headquartered in Cambridge, Massachusetts, USA.
WHAT DATA DOES GMI COLLECT?
When you volunteer to participate in one of our research studies, with your consent we will collect the following data:
- health and lifestyle information from you directly;
- for some studies, physical measurement such as height, weight and blood pressure; and
- if you have a health condition, your medical team, with your permission, will provide information from your medical records.
Only the information required to address the research question will be taken from your medical records.
The data we collect will never include your name, address, date of birth and other demographic information which identifies you.
During our research studies we will also collect a biological sample from you such as blood, plasma or saliva. In some studies, we may also request access to a small portion of a tissue sample which was previously obtained from you. We use techniques such as whole genome sequencing, which reads every letter of your DNA (i.e. your “genomic instructions”), to enable us to collect your genomic data from these biological samples
This data is all known as “personal sensitive data” as it relates to your health.
WHY DOES GMI COLLECT YOUR DATA?
GMI collects your data in order to try to identify similarities across different diseases in order to maximise discoveries that could lead to drug discoveries and better use of existing drug treatments. This means that if you have a disease, we not only use your data to better understand your condition, but we will also use your data in other health-related analyses that are undertaken by GMI as a comparison in other diseases and to help us understand normal biological changes that may be associated with health.
We combine your data with data from thousands of other participants in our database to study the similarities and differences in the data and how they relate to health. Researchers then look for patterns that may give clues about the causes of health conditions, or patterns that might help us to better understand a condition or find a new way to treat it.
WHO IS THE CONTROLLER OF YOUR DATA?
GMI is the data controller of all de-identified medical health, lifestyle and genomic data.
The institution is the data controller of any personal information pertaining to study participants that remains at the study site and the institution continues to be the data controller of all medical files.
WHO CAN ACCESS YOUR DATA?
- GMI will add your data to a database with similar data from thousands of other study participants. GMI controls all access to the GMI database where your data is stored. Other than GMI, only your doctor and their affiliated institution, and our commercial partners and authorised research groups can access the GMI database as follows: Your doctor and the academic institution they are affiliated with can access the study data by coming onsite at GMI and using the GMI database to read and analyse the clinical, health and genomic data. They are only allowed access the study data for the research outlined in our patient information leaflet. They can never download any individual’s personal data from the GMI database.
- Our commercial partners, such as pharmaceutical and biotechnology companies, and approved research groups can access your data by remotely accessing the GMI database under strictly controlled conditions to read and analyse your clinical, health and genomic data for the research outlined in our information leaflet. They are only allowed access your data for the research outlined in our patient information leaflet, they can never download any individuals personal data from the GMI database.
- In some instances, with your consent, your doctor or their research team and the academic institution they are affiliated with, may obtain a copy of your clinical, health and genomic data for research as described in the Patient Information Leaflet. If we provide a copy of your data to your doctor or the academic institution, the hospital where your doctor works and the academic institution will be responsible for the storage and security of your data.
WILL YOUR DATA BE TRANSFERRED OUTSIDE OF THE EUROPEAN ECONOMIC AREA (EEA)?
Some of our commercial partners and authorised research groups may be located outside the EEA. These approved third parties can remotely access and read select de-identified datasets to address a specific research question but never download any data. This is called a data transfer, even though no data actually moves outside of our database.
We will implement technical and organisational measures to protect your personal data and ensure it is transferred in accordance with the requirements of the GDPR. This may involve the use of data transfer agreements in the form approved by the European Commission (known as standard contractual clauses) or the use of other mechanisms recognised by EU data protection law as ensuring protection for personal data transferred outside the EEA.
We do not allow access to any data for marketing or insurance purposes.
HOW DOES GMI KEEP YOUR DATA SAFE?
Personal identifiers, such as your name or date of birth, are never used to label your samples or clinical information. All samples and study information are assigned random study ID numbers at the clinic in a process called pseudonymisation. This process is used to mask your identity.
We have a very high level of technical and organisational measures in place to protect your data from unlawful or unauthorised destruction, loss, change, disclosure, acquisition or access. We ensure that all personal data controlled by us is stored securely in Europe using the highest level of security measures.
Only your doctor, their research team or the GMI study personnel at the research study site has access to your traditional identifiers such as your name and date of birth. They keep that information so they can facilitate a request to withdraw from the study. These traditional identifiers will never leave the research study site.
At GMI we never receive any personal information such as your name, date of birth or address. All your data in GMI’s database is de-identified. GMI study monitors will liaise with your doctor and the research team at the research study site to check that the study is being carried out correctly, adhering to the institution’s approved ethics terms and ensuring the correct consent is in place. The study monitors will never remove any traditional identifiers such as your name and date of birth from the research study site.
Our commercial partners and approved researchers will only have restricted access to select de-identified datasets which contain only the information they need for the specific and approved research study. Furthermore, your data can only be read or analysed by these researchers on the execution of a legal agreement. These researchers are prohibited from attempting to identify an individual participant from the data in the database.
HOW LONG DOES GMI KEEP YOUR DATA?
As science advances, we will continue to analyse the data in our database for many years to come. For this reason, your medical, lifestyle and biological data generated as part of the study will be retained forever for scientific research purposes, in accordance with EU data protection laws (GDPR). This data will only be processed for the purposes outlined in the leaflet you receive at the study site. It will not contain any information that traditionally would be used to identify you (such as name or date of birth).
WHAT HAPPENS TO YOUR DATA IF YOU WITHDRAW FROM A STUDY?
If you wish to withdraw from a GMI study and your DNA has not been converted into data we will destroy your biological sample and delete your medical and lifestyle data.
If your DNA has been converted into data and included in our database, we will destroy your biological sample however, your data cannot be deleted from research already in progress or completed, or from published results and findings, as it would seriously impair the achievement of the scientific research project.
WHAT “LEGAL BASIS” UNDER GDPR DOES GMI RELY ON TO COLLECT AND USE YOUR DATA?
The lawful basis under the European General Data Protection Regulation (GDPR) that GMI relies on when we collect and use your data is “explicit consent”.
In accordance with the European and Irish data protection laws, we will only process, store and use your data in a manner that is consistent with the basis on which you joined GMI’s research study as described in the information materials and consent form you receive at the research study site.
WILL YOU GET FEEDBACK FROM GMI ON YOUR DATA?
With the exception of our Rare Disease Programme, all participants join GMI’s studies on the explicit understanding (as described in the information leaflet and consent form) that there will be no feedback of any individual information that was discovered about you from using your data.
WHAT ARE YOUR RIGHTS UNDER GDPR?
You are entitled to a copy of any part or all of your personal data processed by us. In order to request access to your data, you will need to contact the research study site where you signed up to our study, as GMI does not know who you are. GMI will provide a copy to you of any of your personal data that it holds but please be aware that any request for a copy of your medical data should be made directly to you doctor.
Your rights to restrict processing and erasure: these rights do not apply in the context of scientific research under GDPR..
WHAT DO YOU DO IF YOU HAVE A QUERY OR COMPLAINT ABOUT HOW WE COLLECT AND USE YOUR DATA?
Please contact our Data Protection Officer (DPO) regarding any questions or concerns relating to GMI’s approach to data protection. Please write to the DPO using the email address: firstname.lastname@example.org or via the post: FAO The Data Protection Officer, Genomics Medicine Ireland, Building 4, Cherrywood Business Park Dublin D18 K7W4.
Participants in our studies have the right to contact Ireland’s data protection authority, the Data Protection Commission (DPC), if you have any concerns about GMI’s use of personal data and/or GMI’s approach to data protection.
WHAT IF GMI MAKES CHANGES TO THIS PRIVACY STATEMENT?
This privacy statement may change from time to time. We will keep prior versions of our Privacy statements in an archive and these are available on request.