Oxford PharmaGenesis Ltd (‘Oxford PharmaGenesis’, ‘we’, ‘our’, ‘us’) takes the protection of personal data very seriously.
This policy explains:
- what information we may collect about you
- how we use the information we collect about you
- whether we will share this information with anyone else
- your choices and how you can instruct us if you prefer to limit the use of your information
- measures we have in place to safeguard your privacy.
Audience
This policy applies to our use of personal data about employees, workers, contractors, job applicants, website users, subscribers, clients, suppliers, healthcare professionals, contributors, event participants and other individuals who interact with us. It applies to personal data collected through our website, by email, through our systems, during recruitment, during employment or engagement with us, and through other business interactions.
1. About us
Oxford PharmaGenesis Ltd is the controller unless another group company, client or project contract states otherwise. We are registered in England and Wales under company number 03488862; our registered office address is Tubney Warren Barn, Tubney, Oxfordshire OX13 5QJ, UK.
If you have any queries about this policy, please contact our Data Protection Officer, Richard White, by emailing info@pharmagenesis.com or calling +44 1865 390144.
2. What are personal data?
Personal data are information that relates to an identified or identifiable natural person, including your name, address, telephone number and email address. Personal data also include information that can be associated with you when combined with other information (e.g. your IP address).
3. Information we collect
We collect identity data, contact data, professional data, employment/recruitment data, right-to-work data, financial/payment data, event/delegate data, publication/contributor data, technical/usage data, marketing preferences, compliance/regulatory data, special category data where applicable, and criminal offence data where applicable. Special category data may include health data, sickness and absence information, disability or reasonable adjustment information, occupational health information, diversity monitoring information and information relating to race or ethnic origin, religious or philosophical beliefs or trade union membership where relevant. Criminal offence data may include information processed for background checks, sanctions checks, exclusion checks, compliance screening, legal claims or regulatory compliance where applicable. We process these categories of data only where we have an Article 6 lawful basis and, where required, an Article 9 condition, Article 10 condition and/or Data Protection Act 2018 Schedule 1 condition.
For employees, workers and contractors, this may include recruitment information, contact details, right-to-work information, employment or engagement records, job title, department, manager, salary or fee information, payroll and tax information, bank details, benefits information, pension information, training records, performance records, absence records, sickness records, occupational health information where applicable, disciplinary and grievance records, emergency contact details, IT account information, system access logs, device and security logs, and information needed to comply with employment, tax, social security, immigration, health and safety, equality, insurance, legal and regulatory obligations.
We use a variety of methods to collect data from you and about you, including the following.
Direct interactions. You may give us your identity, contact and financial data by contracting with us, completing forms, or corresponding with us by post, phone, email, on our website or otherwise. This includes any personal data you provide when you:
- apply for a career opportunity with us
- complete a form on our website
- subscribe to our publications
- request marketing to be sent to you
- enter a competition or complete a survey
- provide feedback to us
- participate in events or contribute to publications (or ask us to assess your suitability to participate or contribute), including, without limitation, when we respond to your queries or comments.
On occasion, we may supplement the information we collect about you with records maintained by third parties to provide you with information or services you have requested. Where a proposed use of personal data is likely to result in a high risk to individuals, including certain uses of health data, special category data, criminal offence data, large-scale analytics, profiling, data matching, employee monitoring or new technologies, we will carry out a data protection impact assessment under UK GDPR Article 35 before processing.
Third parties or publicly available sources. We may receive personal data about you from various third parties and public sources, as set out below.
- Technical data from analytics providers, such as Google, based outside the EU.
- Contact, financial and regulatory data from providers of technical, payment and delivery services to comply with industry standards and our policies.
- Identity and contact data from publicly available sources such as Companies House, or equivalents in other territories in which we operate.
- Transaction and regulatory data from our clients, if you are contracted with both them and us.
- Reference information from reference agencies, former employers and referees whose details you have shared with us when applying for a career opportunity.
Automated technologies or interactions. As you interact with our website, we may automatically collect technical data about your equipment, browsing actions and patterns. This may include the browser and operating system you are using, the URL that referred you to the website and the time of day when you interacted with us (‘usage information’).
Usage information may also include the IP address or other unique identifier (‘device identifier’) for any computer, mobile phone, tablet or other device (‘device’) used to access the website. A device identifier is a number that is automatically assigned to your device; our systems identify your device by its device identifier.
We may also collect certain information about you by automated means such as cookies, web beacons and web-server logs. Non-essential cookies, pixels, web beacons and similar technologies will only be used where consent or another applicable PECR exemption applies. For more information, please see our cookie policy.
4. How we use your information
We will only use your personal data when the local law allows us to. Most commonly, we will use your personal data in the following circumstances.
- When we need to perform obligations in a contract that we intend to enter into, or have entered into with you (‘contract reason’).
- When it is necessary for our legitimate interests (or those of a third party), and your interests and fundamental rights do not override those interests (‘legitimate interests reason’). Legitimate interest means the interest of our business in conducting and managing our business to enable us to provide the best service and most secure experience to you. We balance any potential impact on you and your rights before we process your personal data for our legitimate interests. We do not use your personal data for activities in which our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law). You can obtain further information about how we assess our legitimate interests against any potential impact on you in respect of specific activities by contacting us (by emailing info@pharmagenesis.com or calling +44 1865 390144).
- When we need to comply with a legal or regulatory obligation that we are subject to (‘legal obligations reason’).
Generally, we do not rely on consent as a legal basis for processing your personal data, other than in relation to sending third-party direct-marketing communications to you via email or text message (‘consent reason’). You have the right to withdraw consent to marketing at any time by contacting us or by using the opt-out/unsubscribe link in any email that we send to you.
5. Purposes for which we will use your personal data
The legal bases we rely on to process your personal data are set out in the table below. We have also identified what our legitimate interests are, when appropriate.
Note that we may process your personal data for more than one lawful ground depending on the specific purpose for which we are using your data. Please contact us if you need details about the specific legal ground we are relying on to process your personal data when more than one ground has been set out in the table below.
| Purpose/activity | Lawful basis for processing, including basis of legitimate interest |
| --- | --- |
| Application for a career opportunity: assessing suitability and right to work, right-to-work checks, reasonable adjustments, references, verification, legal claims and equal opportunities monitoring where applicable. | (a) Article 6(1)(f) legitimate interest; (b) Article 6(1)(b) contract; (c) Article 6(1)(c) legal obligation |
| To manage our employment, worker and contractor relationships, including onboarding, payroll, benefits, pension administration, expenses, tax, social security, right-to-work checks, immigration compliance, performance management, training, absence management, sickness records, occupational health, reasonable adjustments, disciplinary and grievance matters, internal communications, IT access, system security, business continuity, legal claims, audits, insurance, regulatory compliance and termination of employment or engagement. | (a) UK GDPR Article 6(1)(b) contract, where processing is necessary for the employment, worker or contractor relationship; (b) UK GDPR Article 6(1)(c) legal obligation, where processing is necessary to comply with employment, tax, social security, immigration, health and safety, equality, regulatory or other legal obligations; (c) UK GDPR Article 6(1)(f) legitimate interests, including workforce administration, business management, system security, fraud prevention, legal claims, audit, compliance and business continuity; (d) where we process health, disability, sickness, occupational health or diversity information, we rely on UK GDPR Article 9(2)(b), Article 9(2)(f), Article 9(2)(g) or Article 9(2)(h), as applicable, together with the relevant Data Protection Act 2018 Schedule 1 condition where required; (e) where we process criminal offence data, we do so only where permitted by UK GDPR Article 10 and the Data Protection Act 2018. |
| To process and deliver contracts with healthcare providers, freelancers, employees or clients, including: (a) managing payments, fees and charges; (b) collecting and recovering money owed to us; (c) due diligence relating to credit checks in connection with payment terms; (d) HCP/expert engagement, publications, honoraria, travel, expenses, transparency reporting and compliance checks. | (a) Article 6(1)(b) contract; (b) Article 6(1)(f) legitimate interest; (c) Article 6(1)(c) legal obligation |
| To allow website users and subscribers to participate in interactive features of our website. | (a) Article 6(1)(b) contract; (b) Article 6(1)(f) legitimate interest |
| To enable participation in events or contribution to publications (or assessing your suitability to participate or contribute), including, without limitation, responding to your queries or comments. | (a) Article 6(1)(b) contract; (b) Article 6(1)(f) legitimate interest; (c) Article 6(1)(c) legal obligation |
| Marketing and communications, including when you complete a form on our website, subscribe to our publications, request marketing to be sent to you, enter a competition, complete a survey or provide feedback to us. | (a) Article 6(1)(f) legitimate interest; (b) Article 6(1)(a) consent |
| To enable us to operate our business, including developing new products and services, conducting research, managing our communications, producing training materials and programmes, determining the effectiveness of and optimizing our advertising, analysing our products and services, and performing accounting, auditing, billing and reconciliation activities; and preparing and providing aggregated data reports showing anonymized information (including, without limitation, compilations, analyses, analytical and predictive models and rules, and other aggregated reports) for our business purposes. We do not use personal data to profile or make automated decisions. | Article 6(1)(f) legitimate interest |
6. Disclosure of information
Except as described in this privacy policy, or as notified to you at the time we collect your information, we will not share your personal information with any third party. Any information you give us is held with appropriate care and security and will only be used as set out in this policy or in ways to which you have consented. These may include communicating with you regarding our programme of events, completing a transaction you may have requested, and sending you periodic communications and surveys.
We may share your personal information and usage information:
- with companies within our group
- with third-party service providers that perform services on our behalf, including, without limitation, IT/cloud hosting, Microsoft, analytics, CRM/email marketing, payment providers, travel/event providers, professional advisers, insurers, auditors, recruitment providers, group companies, clients, regulators/law enforcement
- with payroll providers, pension providers, benefits providers, occupational health providers, HR system providers, IT/security providers, recruitment providers, background screening providers, professional advisers, insurers, auditors, regulators, tax authorities, immigration authorities and other public authorities where required by law
- to comply with applicable law, a judicial proceeding, court order or other legal process, such as requirements of emergency services and/or law enforcement agencies
- to enforce our agreement with you
- to analyse and enhance our communications and strategies (including by identifying when emails sent to you have been received and read, and your location)
- to investigate, prevent or take action regarding actual or suspected illegal activities, suspected fraud, emergencies, violations of this privacy policy or other agreement, or as evidence in litigation in which we are involved, or to protect our rights, property or the rights or property of our users, third parties and/or the public
- in the event of any sale, assignment, transfer or acquisition of all or substantially all of the assets or shares of Oxford PharmaGenesis by a third party
- as aggregate or deidentified information with third parties for marketing, advertising, research and other purposes
- to conduct web analytics to track the use of our website; this information is shared with Google Analytics and stored on servers in the USA (for more information on Google Analytics, please refer to Google’s privacy policy; alternatively, you can opt out of Google Analytics here https://tools.google.com/dlpage/gaoptout?hl+en=GB)
If data are disclosed to sub-contractors during commissioned data processing, they will be subject to this policy, and, if applicable, to other additional or relevant alternative data privacy provisions and contractual conditions.
Where local employment, tax, social security, immigration, health and safety or data protection laws require different handling of employee, worker or contractor personal data, we will comply with those local requirements.
7. Data storage and security
We store and process personal data in systems hosted in the UK, EEA and other locations where our service providers operate. Where personal data are transferred outside the UK or EEA, we use appropriate transfer safeguards as required by applicable data protection laws. We and our third-party sub-processors have appropriate measures in place to protect against unlawful disclosure, loss, misuse, unauthorized access or alteration of information we collect from you. We use encryption to help to protect the transmission of personal information from you to us.
We also protect the security of your data during transmission online using Secure Sockets Layer (SSL) encryption software. Our security measures are selected having regard to the nature, scope, context and purposes of processing and the risk to individuals.
These measures may include access controls, encryption, confidentiality controls, backup and recovery arrangements, vulnerability management and measures designed to maintain the confidentiality, integrity, availability and resilience of systems and services.
Employee, worker and contractor records are subject to access controls and are made available only to those who need access for HR, management, payroll, IT, legal, compliance, finance, security, audit or business administration purposes.
8. Your options
If you have provided us with personal data, we will keep your information in accordance with our retention policy or applicable retention criteria, including employee, worker and contractor retention periods for HR, payroll, tax, pension, legal claims, regulatory and audit purposes.
Depending on the circumstances, you may have the right to request access to your personal data, rectification of inaccurate personal data, erasure of personal data, restriction of processing, data portability, objection to processing, and not to be subject to solely automated decisions that have legal or similarly significant effects. Where we rely on consent, you may withdraw that consent at any time, although this will not affect processing carried out before withdrawal.
You may exercise your rights by contacting us using the details in Section 10. We may ask you to clarify your request where reasonably needed and will carry out reasonable and proportionate searches. We may also refuse or limit a request where an exemption applies under applicable data protection laws.
Some rights may be limited where we need to retain or process employee, worker or contractor data to comply with legal obligations, manage the employment or engagement relationship, establish or defend legal claims, maintain business records, ensure system security or comply with regulatory requirements.
9. Changes to this privacy policy
We may update this privacy policy from time to time. Where changes are material or where applicable law requires, we will take reasonable steps to bring the changes to your attention.
10. Contacting us
If you have any queries, requests or complaints about this privacy policy or how we handle your personal data, you can contact us by emailing info@pharmagenesis.com or by writing to us at the address in Section 1. You may complain to us about how we handle your personal data. We will acknowledge and handle complaints in accordance with our data protection complaints process. If you are not satisfied with our response, you may complain to the Information Commissioner’s Office (ICO). You can find information about how to complain to the ICO at https://ico.org.uk/concerns/.
Oxford PharmaGenesis GDPR positioning statement
Oxford PharmaGenesis Ltd, our subsidiaries and affiliates (‘Oxford PharmaGenesis’, ‘we’, ‘our’, ‘us’) take data protection very seriously. We are committed to protecting the confidentiality, integrity and availability of personal data.
This statement explains how we will use and process any personal data that is shared with us and the measures that we have in place to safeguard the privacy of data subjects.
1. What is the GDPR?
The General Data Protection Regulation (GDPR) is a framework for handling and protecting the personal data of individuals within the European Union (EU); it also addresses the export of personal data outside the EU. The primary goal of the regulation is to give EU citizens and residents control over their personal data and to simplify the regulatory environment for international business. GDPR replaces the data protection directive (Directive 95/46/EC) of 1995.
2. What is personal data?
Personal data is information that can be used to identify a person, and it includes their name, address, telephone number and email address. Personal data is also information that can be combined with other information to identify a person (e.g. an IP address).
3. How do we demonstrate compliance with the GDPR?
We strive to meet our GDPR obligations by protecting and managing personal information in a secure and consistent manner. To accomplish this, we employ a comprehensive information security programme that involves people, process and technology.
People
Privacy by design and default are integral to GDPR. We ensure that our employees understand and demonstrate compliance with these principles. We provide training on GDPR and its implications, including individual responsibilities in safeguarding personal data. All employees are provided with GDPR awareness training as part of our new starter induction.
We have appointed a Data Privacy Officer (DPO). We evaluate our service providers for GDPR compliance. A dedicated team of employees addresses our day-to-day data privacy and information security activities. In the event of a data privacy breach, our incident response policy is ready to be invoked.
Process
To address the heightened emphasis of GDPR on accountability and transparency, we have implemented comprehensive governance across our offices; these measures help to minimize the risk of breaches and to protect personal data.
Our global privacy policy sets out our practices related to personal data privacy and security, including:
- the types of personal information that we collect
- how we use personal information
- with whom we share personal information
- rights in relation to our use of personal information
- security measures that we implement to protect the security of personal information
- how to contact us about our privacy practices.
Our service provider contracts have been reviewed to ensure that processing carried out by our third-party processors meets the GDPR requirements.
Technology
We have appropriate measures to continually assess the security that we have in place to protect against disclosure, loss, misuse, unauthorized access or alteration of personal information. These measures include:
- using encryption to help to protect the transmission of personal information (if appropriate)
- protecting the security of sensitive data
- ensuring that our employees, contractors and agents comply with our IT security policies.
Our IT services are outsourced to Planet IT, who comply with ISO/IEC 27001. Data is held in our on-site server rooms and hosted in Microsoft cloud environments; access is strictly controlled with various levels of defence.
Information is replicated in real time between data centres over an encrypted channel and backups are regularly performed for business continuity purposes. All replicated/backup data are stored in an encrypted format and data are retained as per our retention policies.
We have several measures in place to protect systems and data. In addition to firewalls and backups, technologies such as anti-virus, anti-malware, encryption (at disk level) and automated patching are deployed. Our systems are scanned for vulnerabilities on a daily basis and compliance audits are performed regularly.
We hold Cyber Essentials Plus Certification.