Oxford PharmaGenesis Privacy and Security Policies
Oxford PharmaGenesis Ltd (‘Oxford PharmaGenesis’, ‘we’, ‘our’, ‘us’) takes the protection of personal data very seriously.
This policy explains:
- what information we may collect about you
- how we use the information we collect about you
- whether we will share this information with anyone else
- your choices and how you can instruct us if you prefer to limit the use of your information
- measures we have in place to safeguard your privacy.
This policy applies to our use of data about employees and external data subjects, and covers information provided to us through our website, by email or via other means, or when you sign up to our mailing lists.
1. About us
Oxford PharmaGenesis is the data controller responsible for protecting personal information that you provide to us. We are registered in England and Wales under company number 03488862; our registered office address is Tubney Warren Barn, Tubney, Oxfordshire OX13 5QJ, UK.
If you have any queries about this policy, please contact our Data Protection Officer, Richard White, by emailing firstname.lastname@example.org or calling +44 1865 390144.
2. What are personal data?
Personal data are information that can be used to identify you, including your name, address, telephone number and email address. Personal data also include information that, when combined with other information, can be associated with you (e.g. your IP address).
3. Information we collect
We use a variety of methods to collect data from you and about you, including the following.
Direct interactions. You may give us your identity, contact and financial data by contracting with us, completing forms or corresponding with us by post, phone, email, on our website or otherwise. This includes any personal data you provide when you:
- apply for a career opportunity with us
- complete a form on our website
- subscribe to our publications
- request marketing to be sent to you
- enter a competition or complete a survey
- provide feedback to us
- participate at events or contribute to publications (or assess your suitability to participate or contribute), including, without limitation, to respond to your queries or comments.
On occasion, we may supplement the information we collect about you with records maintained by third parties to provide you with information or services you have requested.
Third parties or publicly available sources. We may receive personal data about you from various third parties and public sources, as set out below.
- Technical data from analytics providers, such as Google, based outside the EU.
- Contact, financial and regulatory data from providers of technical, payment and delivery services, to comply with industry standards and our policies.
- Identity and contact data from publicly available sources such as Companies House, or equivalents in other territories in which we operate.
- Transaction and regulatory data from our clients, if you are contracted with them and us.
- Reference data from reference agencies, former employers and referees you have shared with us when applying for a career opportunity.
Automated technologies or interactions. As you interact with our website, we may automatically collect technical data about your equipment, browsing actions and patterns. This may include the browser and operating system you are using, the URL that referred you to the website and the time of day when you interacted with us (‘usage information’).
Usage information may also include the IP address or other unique identifier (‘device identifier’) for any computer, mobile phone, tablet or other device (‘device’) used to access the website. A device identifier is a number that is automatically assigned to your device; our systems identify your device by its device identifier.
4. How we use your information
We will only use your personal data when the local law allows us to. Most commonly, we will use your personal data in the following circumstances.
- When we need to perform obligations in a contract that we intend to enter into, or have entered into with you (‘contract reason’).
- When it is necessary for our legitimate interests (or those of a third party), and your interests and fundamental rights do not override those interests (‘legitimate interests reason’). Legitimate interest means the interest of our business in conducting and managing our business to enable us to provide the best service and most secure experience to you. We balance any potential impact on you and your rights before we process your personal data for our legitimate interests. We do not use your personal data for activities in which our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law). You can obtain further information about how we assess our legitimate interests against any potential impact on you in respect of specific activities by contacting us (by emailing email@example.com or calling +44 1865 390144).
- When we need to comply with a legal or regulatory obligation that we are subject to (‘legal obligations reason’).
Generally, we do not rely on consent as a legal basis for processing your personal data, other than in relation to sending third-party direct-marketing communications to you via email or text message (‘consent reason’). You have the right to withdraw consent to marketing at any time by contacting us or by using the opt-out/unsubscribe link in any email that we send to you.
5. Purposes for which we will use your personal data
The legal bases we rely on to process your personal data are set out in the table below. We have also identified what our legitimate interests are, when appropriate.
Note that we may process your personal data for more than one lawful ground depending on the specific purpose for which we are using your data. Please contact us if you need details about the specific legal ground we are relying on to process your personal data when more than one ground has been set out in the table below.
| Purpose/activity | Lawful basis for processing, including basis of legitimate interest |
| --- | --- |
| Application for a career opportunity; assessing suitability and right to work | (a) Legitimate interests reason; (b) Contract reason; (c) Legal obligation reason |
| To process and deliver contracts with healthcare providers, freelancers, employees or clients, including: (a) managing payments, fees and charges; (b) collecting and recovering money owed to us; (c) due diligence relating to credit checks in connection with payment terms | (a) Contract reason; (b) Legitimate interests reason |
| To allow website users and subscribers to participate in interactive features of our website | (a) Contract reason; (b) Legitimate interests reason |
| To enable participation at events or to contribute to publications (or assessing your suitability to participate or contribute), including, without limitation, to respond to your queries or comments | (a) Contract reason; (b) Legitimate interests reason; (c) Legal obligation reason |
| Marketing and communications, including when you complete a form on our website, subscribe to our publications, request marketing to be sent to you, enter a competition, complete a survey or provide feedback to us | (a) Legitimate interests reason |
| To enable us to operate our business, including developing new products and services, conducting research, managing our communications, producing training materials and programmes, determining the effectiveness of and optimizing our advertising, analysing our products and services, and performing accounting, auditing, billing and reconciliation activities; preparation and provision of aggregated data reports showing anonymized information (including, without limitation, compilations, analyses, analytical and predictive models and rules, and other aggregated reports) for our business purposes | Legitimate interests reason |
6. Disclosure of information
We may share your personal information and usage information:
- with companies within our group
- with third-party service providers that perform services on our behalf, including, without limitation, those that offer, host or operate our systems
- to comply with applicable law, a judicial proceeding, court order or other legal process, such as requirements of emergency services and/or law enforcement agencies
- to enforce our agreement with you
- to analyse and enhance our communications and strategies (including by identifying when emails sent to you have been received and read, and your location)
- in the event of any sale, assignment, transfer or acquisition of all or substantially all of the assets or shares of Oxford PharmaGenesis by a third party
- as aggregate or deidentified information with third parties for marketing, advertising, research and other purposes
If data are disclosed to sub-contractors during commissioned data processing, they shall be subject to this policy, and, if applicable, to other additional or relevant alternative data privacy provisions and contractual conditions.
7. Data storage and security
We store information on protected servers located in Oxfordshire, UK. We and our third-party sub-processors have appropriate measures in place to protect against unlawful disclosure, loss, misuse, unauthorized access or alteration of information we collect from you. We use encryption to help to protect the transmission of personal information from you to us.
We also protect the security of your data during transmission online using Secure Sockets Layer (SSL) encryption software.
8. Your options
If you have provided us with personal data, we will keep your information in accordance with our retention policy. You may withdraw your consent to our processing of your data by emailing us, and we will apply your preferences in our future communications. If statutory retention periods require us to keep records for longer, we will lock those records.
You may also email us to access the information that we hold about you, or to request rectification of any personal data that we hold about you.
10. Contacting us
Oxford PharmaGenesis GDPR positioning statement
Oxford PharmaGenesis Ltd, our subsidiaries and affiliates (‘Oxford PharmaGenesis’, ‘we’, ‘our’, ‘us’) take data protection very seriously. We are committed to protecting the confidentiality, integrity and availability of personal data.
This statement explains how we will use and process any personal data that is shared with us and the measures that we have in place to safeguard the privacy of data subjects.
1. What is the GDPR?
The General Data Protection Regulation (GDPR) is a framework for handling and protecting the personal data of individuals within the European Union (EU); it also addresses the export of personal data outside the EU. The primary goal of the regulation is to give EU citizens and residents control over their personal data and to simplify the regulatory environment for international business. GDPR replaces the data protection directive (Directive 95/46/EC) of 1995.
2. What is personal data?
Personal data is information that can be used to identify a person, and it includes their name, address, telephone number and email address. Personal data is also information that can be combined with other information to identify a person (e.g. an IP address).
3. How do we demonstrate compliance with the GDPR?
We strive to meet our GDPR obligations by protecting and managing personal information in a secure and consistent manner. To accomplish this, we employ a comprehensive information security programme that involves people, process and technology.
Privacy by design and default are integral to GDPR. We ensure that our employees understand and demonstrate compliance with these principles. We provide training on GDPR and its implications, including individual responsibilities in safeguarding personal data. All employees are provided with GDPR awareness training as part of our new starter induction.
We have appointed a Data Privacy Officer (DPO). We evaluate our service providers for GDPR compliance. A dedicated team of employees addresses our day-to-day data privacy and information security activities. In the event of a data privacy breach, our incident response policy is ready to be invoked.
To address the heightened emphasis of GDPR on accountability and transparency, we have implemented comprehensive governance across our offices; these measures help to minimize the risk of breaches and to protect personal data. Our privacy policy explains:
- the types of personal information that we collect
- how we use personal information
- with whom we share personal information
- rights in relation to our use of personal information
- security measures that we implement to protect the security of personal information
- how to contact us about our privacy practices.
Our service provider contracts have been reviewed to ensure that processing carried out by our third-party processors meets the GDPR requirements.
We have appropriate measures to continually assess the security that we have in place to protect against disclosure, loss, misuse, unauthorized access or alteration of personal information. These measures include:
- using encryption to help to protect the transmission of personal information (if appropriate)
- protecting the security of sensitive data
- ensuring that our employees, contractors and agents comply with our IT security policies.
Our IT services are outsourced to Planet IT, who comply with ISO/IEC 27001. Our data centres are on-site and access is strictly controlled with various levels of defence.
Information is replicated in real time between data centres over an encrypted channel and backups are regularly performed for business continuity purposes. All replicated/backup data are stored in an encrypted format and data are retained as per our retention policies.
We have several measures in place to protect systems and data. In addition to firewalls and backups, technologies such as anti-virus, anti-malware, encryption (at disk level) and automated patching are deployed. Our systems are scanned for vulnerabilities on a daily basis and compliance audits are performed regularly.
We hold Cyber Essentials Plus Certification. Our certificate can be viewed here.