Oxford PharmaGenesis Privacy and Security Policies
Oxford PharmaGenesis Ltd (‘Oxford PharmaGenesis’, ‘we’, ‘our’, ‘us’) takes the protection of personal data very seriously.
This policy explains:
- what information we may collect about you
- how we use the information we collect about you
- whether we will share this information with anyone else
- your choices and how you can instruct us if you prefer to limit the use of your information
- measures we have in place to safeguard your privacy.
This policy applies whether you provide information to us through our website, by email or via other means.
1. Information about us
Oxford PharmaGenesis is the data controller responsible for protecting personal information you provide to us. We are registered in England and Wales under company number 03488862; our registered office address is Tubney Warren Barn, Tubney, Oxfordshire OX13 5QJ, UK.
If you have any queries about this policy, please contact our Data Protection Officer, Richard White by emailing firstname.lastname@example.org or by calling +44 1865 390144.
2. What are personal data?
Personal data are information that can be used to detect your identity and includes your name, address, telephone number and email address. Personal data are also information that can be associated with you together with other information e.g. your IP address.
3. Information we collect
We collect and store personal data you provide to us when you interact with us. On occasion we may supplement the information we collect about you with records maintained by third parties to provide you with information or services you have requested.
In addition to information you submit to us, we and our third-party service providers may use a variety of technologies that automatically or passively collect certain information whenever you interact with us. This may include the browser and operating system you are using, the URL that referred you to the website and the time of day you interacted with us (‘usage information’).
Usage information may also include the IP address or other unique identifier (‘device identifier’) for any computer, mobile phone, tablet or other device (‘device’) used to access the website. A device identifier is a number that is automatically assigned to your device; our servers identify your device by its device identifier.
4. How we use your information
We may also use your personal information and/or usage information to:
- consider your application if you have applied for a career opportunity with us
- enable and allow you to participate at events or to contribute to publications (or to assess your suitability to participate or contribute), including without limitation to respond to your queries or comments
- operate our business (including developing new products and services, conducting research, managing our communications, producing training materials and programmes, determining the effectiveness of and optimizing our advertising, analysing our products and services, and performing accounting, auditing, billing and reconciliation activities)prepare and provide aggregated data reports showing anonymized information (including, without limitation, compilations, analyses, analytical and predictive models and rules, and other aggregated reports) for our business purposes
- prepare and provide aggregated data reports showing anonymized information (including, without limitation, compilations, analyses, analytical and predictive models and rules, and other aggregated reports) for our business purposescomply with industry standards and our policies.
- ask for feedback on our services and products
- comply with industry standards and our policies.
5. Sharing your information
We may share your personal information and usage information:
- with companies within our group
- with third-party service providers that perform services on our behalf, including, without limitation, those that offer, host or operate our systems
- to comply with UK law, a judicial proceeding, court order or other legal process, such as requirements of emergency services and/or law enforcement agencies
- to enforce our agreement with you
- to analyse and enhance our communications and strategies (including by identifying when emails sent to you have been received and read, and your location)
- in the event of any sale, assignment, transfer or acquisition of all or substantially all of Oxford PharmaGenesis’ assets or shares by a third party
- with other third parties, with your consent
- as aggregate or de-identified information with third parties for marketing, advertising, research and other purposes
If data are disclosed to contractors during commissioned data processing they shall be subject to this policy, and, if applicable, to other additional or relevant alternative data privacy provisions and contractual conditions.
6. Data storage and security
We store information related to our global operation on protected servers located in Oxford and London. Information collected in connection with our North American operations is stored on protected servers located in Philadelphia.
We have appropriate measures in place to protect against unlawful disclosure, loss, misuse, unauthorized access or alteration of information we collect from you. We use encryption to help protect the transmission of personal information from you to us.
We also protect the security of your data during transmission online using Secure Sockets Layer (SSL) encryption software.
7. Your options
If you have provided us with personal data, we will keep your information in accordance with our retention policy. You may withdraw your consent to our processing by emailing us and we will apply your preferences in our future communications. If statutory retention periods require further provision, we will lock those records.
You may also email us to access information we hold about you, or to request rectification of any personal data we hold about you.
9. Contacting us
A cookie is a small file sent to your computer, mobile phone, tablet or other device when you visit a website. Cookies are sent by a web server to a web browser to enable the server to collect information from the browser and recognize your device on future visits. These types of files serve a number of different purposes such as remembering your preferences. Cookies help us to provide you with a better website, by enabling us to monitor which pages you find useful and which you do not.
We use traffic log cookies to identify which pages are being used. This helps us to analyse data about web page traffic and improve our website to tailor it better to our users’ needs. We only use this information for statistical analysis purposes.
Cookies do not give us access to your computer or any information about you, other than the data you choose to share with us. You can choose to accept or decline cookies. Most web browsers automatically accept cookies, but you can usually modify your browser setting to decline cookies if you prefer; this may, however, prevent you from taking full advantage of the website.
We may not respond to web browser ‘do not track’ signals. If you would like additional information about online tracking and various opt-out mechanisms, please see www.allaboutdnt.com.
Our website may contain links to other websites that are owned and managed by third parties. Those websites have their own privacy policies and we do not accept any responsibility or liability for them.
Oxford PharmaGenesis GDPR positioning statement
Oxford PharmaGenesis Ltd, our subsidiaries and affiliates (‘Oxford PharmaGenesis’, ‘we’, ‘our’, ‘us’) take data protection very seriously. We are committed to protecting the confidentiality, integrity and availability of personal data.
This statement explains how we will use and process any personal data that is shared with us and the measures that we have in place to safeguard the privacy of data subjects.
1. What is the GDPR?
The General Data Protection Regulation (GDPR) is a framework for handling and protecting the personal data of individuals within the European Union (EU); it also addresses the export of personal data outside the EU. The primary goal of the regulation is to give EU citizens and residents control over their personal data and to simplify the regulatory environment for international business. GDPR replaces the data protection directive (Directive 95/46/EC) of 1995.
2. What is personal data?
Personal data is information that can be used to identify a person, and it includes their name, address, telephone number and email address. Personal data is also information that can be combined with other information to identify a person (e.g. an IP address).
3. How do we demonstrate compliance with the GDPR?
We strive to meet our GDPR obligations by protecting and managing personal information in a secure and consistent manner. To accomplish this, we employ a comprehensive information security programme that involves people, process and technology.
Privacy by design and default are integral to GDPR. We ensure that our employees understand and demonstrate compliance with these principles. We provide training on GDPR and its implications, including individual responsibilities in safeguarding personal data. All employees are provided with GDPR awareness training as part of our new starter induction.
We have appointed a Data Privacy Officer (DPO). We evaluate our service providers for GDPR compliance. A dedicated team of employees address our day-to-day data privacy and information security activities. In the event of a data privacy breach, our incident response policy is ready to be invoked.
To address the heightened emphasis of GDPR on accountability and transparency, we have implemented comprehensive governance across our offices; these measures help to minimize the risk of breaches and to protect personal data.
- the types of personal information that we collect
- how we use personal information
- with whom we share personal information
- rights in relation to our use of personal information
- security measures that we implement to protect the security of personal information
- how to contact us about our privacy practices.
Our service provider contracts have been reviewed to ensure that processing carried out by our third-party processors meets the GDPR requirements.
We have appropriate measures to continually assess the security that we have in place to protect against disclosure, loss, misuse, unauthorized access or alteration of personal information. These measures include:
- using encryption to help to protect the transmission of personal information (if appropriate)
- protecting the security of sensitive data
- ensuring that our employees, contractors and agents comply with our IT security policies.
Our IT services are outsourced to Planet IT, who comply with ISO/IEC 27001. Our data centres are on-site and access is strictly controlled with various levels of defence.
Information is replicated in real time between data centres over an encrypted channel and backups are regularly performed for business continuity purposes. All replicated/backup data are stored in an encrypted format and data are retained as per our retention policies.
We have several measures in place to protect systems and data. In addition to firewalls and backups, technologies such as anti-virus, anti-malware, encryption (at disk level) and automated patching are deployed. Our systems are scanned for vulnerabilities on a daily basis and compliance audits are performed regularly.
We hold Cyber Essentials Plus Certification. Our certificate can be viewed here