Ellison Oxford Limited Privacy Notice for users of the Pathogena Web Portal

This privacy notice is intended for academics and other professionals who access our Pathogena web portal to upload and analyse data as part of our programme to automate and accelerate processing, analysing, sharing and comparison of genomic sequencing worldwide. Use of the Pathogena Web Portal is subject to the terms of an https://www.eit-pathogena.com/end-user-license-agreement
We are committed to high standards of data management as part of our research, which includes our commitment to the privacy of user data and respecting individual rights under the data protection laws. We have a separate commitment in relation to any subjects whose personal data is analysed through our Pathogena web portal https://www.eit-pathogena.com/privacy-notice-research

Purpose of the privacy notice

This privacy notice explains our general practices and governance in our UK operations to look after personal data for users of the Pathogena web portal– where local laws or regulations require different processing (or contain restrictions) we will comply with the applicable local requirements.

If you have any questions, please contact us at pathogena.support@eit.org

Controller 

“We” refers to Ellison Oxford Limited, Company Number 1377507, whose registered office is at Three, Bunhill Row, London EC1Y 8YZ, who is the controller and responsible for personal data governed by this privacy notice.

Our Director, Legal is responsible for overseeing questions in relation to the privacy notice. If you have any questions about the privacy notice, please contact Director, Legal at Three, Bunhill Row, London, England, EC1Y 8YZ.

What personal data we collect and why 

We collect and/or use the following personal data when you access and use our Pathogena web portal:

  • Names and contact details of individual users (including gender, location, professional biographic details).

  • Account information including your employer or academic institute you work with (payment details where applicable).

  • Information relation to product and credit usage.

  • Log-in data including log-in credentials, passwords and log-in history for the Pathogena web portal.

  • Data upload history for access to the Pathogena web portal.

  • Information about your device, network or browser including IP address and operating system for data analysis together with user journey information around the Pathogena web portal.

  • Information connected with any compliments, complaints or investigations connected with your use of the Pathogena web portal.

We use this personal data for the following purposes

To provide and operate the services available via the Pathogena web portal, manage your user account with us, and to review and update the services that we offer.

To provide service updates, communicate regarding data upload issues or other activities, including informing you about related programmes which may be of interest

To deal with and respond to queries, compliments, complaints and investigations.

To communicate to provide product update information

To report potential outbreaks and enable appropriate monitoring or reporting of such outbreaks in accordance with international reporting protocols.

To comply with our legal obligations, to prevent fraud, and to deal with requests from authorities.

For our own legitimate interests, including to enforce our terms and conditions, to defend our rights and property, and to analyse and improve our performance and security.

To sell, assign or transfer the operations of the Pathogena web portal.

The Pathogena web portal uses cookies and similar technologies to its function and operations. This information is used to support the analysis and operation of the Pathogena web portal to ensure that it is working efficiently and effectively, and to enable us to make improvements. Details of the cookies and other relevant technologies used in the platform are available.

Our cookie policy

Our website uses cookies to distinguish you from other users of our website. This helps us to provide you with a good experience when you browse our website and also allows us to improve our site.

A cookie is a small file of letters and numbers that we store on your browser or the hard drive of your computer if you agree. Cookies contain information that is transferred to your computer’s hard drive.

We use the following cookies:

  • Strictly necessary cookies.

    These are cookies that are required for the operation of our website (essential cookies). They include, for example, cookies that enable you to log into secure areas of our website.

  • Analytical or performance cookies.

    These allow us to recognise and count the number of visitors and to see how visitors move around our website when they are using it. This helps us to improve the way our website works, for example, by ensuring that users are finding what they are looking for easily.

You can find more information about the individual cookies we use and the purposes for which we use them in the table below:

Cookie Name

Source

Purpose

Expiration

__Host-authjs.csrf-token

app.eit-pathogena.com

This helps prevent Cross-Site Request Forgery attacks.

End of browser session

__Secure-authjs.callback-url

app.eit-pathogena.com

This is used to store the URL to redirect to after authentication flows.

End of browser session

__Secure-authjs.session-token

app.eit-pathogena.com

This cookie stores an encrypted reference to the user's session.

30 days

session

portal.eit-pethogena.com

This cookie stores an encrypted reference to the user's session.

14 days

We do not share the information collected by the cookies with any third parties.

You can choose which cookies we can set by editing your browser settings to block cookies, however you may not be able to access all or parts of our website.

Except for essential cookies, all cookies will expire after 2 years.

Lawful basis for collecting and processing your personal data 

Our use of your personal data is for one or more of the following purposes:

  • We have a lawful basis to collect and process your personal data in connection with our contract with you to, to take steps to enter or perform the contract on the terms of our End User Licence Agreement and provide you with access to the Pathogena web portal and its related services.

  • We will use data where we have a legal obligation to do so, or to protect or defend our legal rights.

  • We have a lawful basis to rely on our legitimate interest to use data to manage, monitor, maintain and improve our services, provide service updates, support the development and opportunities to analyse data within the platform, liaise with authorities in connection with information of interest or concern connected with suspected pathogen outbreaks, for anti-corruption or transparency obligations, training or quality control. Where we rely on our legitimate interests we take reasonable steps to balance the rights of individuals and ensure that our use is reasonable and proportional.

  • Where possible we will collect personal data directly from yourself, or automatically when you log into the Pathogena web portal. Occasionally we will be provided with information about you via your academic institution or we may use publicly available information on academic websites or other material you have publicly posted.

How we protect your personal data 

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed; these measures include encryption, firewalls, access control, and backup systems. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.

We work with leading third party suppliers of IT systems to support those technical measures, but they are not able to use this data for their own business purposes.

However, no method of transmission or storage is completely secure, and we cannot guarantee the absolute security of your personal data. We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

You are responsible for ensuring the accuracy and completeness of information you submit into the Pathogena web portal and please report any concerns to us.

International Transfers 

Our connected entities and external third parties may be based outside the UK, so processing of personal data relating to users of the Pathogena web portal may involve transfers of data outside the UK. At present the data is hosted in the UK, but you may use the Pathogena web portal from anywhere around the world. Users of the Pathogena web portal who are based in other countries will be transferring data into the UK.

We may transfer data to countries that are deemed to provide adequate protection for personal data and ensure that we have specific contracts to give that protection, where appropriate in accordance with the law.

Data retention: how long do we use your personal data 

We keep your personal data for as long as necessary to fulfil the purposes for which we collected it, or as required by law. Account information will be retained for at least 6 years after you cease to be an active user of the Pathogena web portal – in case we need to contact you with regards to your use of the portal or any data you have imported into the database.

Pseudo-anonymised or anonymised records and any data which has been used to create aggregated data sets will be retained for longer periods, as they will be aggregated with other data for the purposes of our research or internal business purposes.

When we no longer need to identify personal data, we will delete it or anonymise it in accordance with our data retention policy. This will not apply to anonymised or aggregated data sets.

Who we share information with 

The Pathogena web portal is accessible from and collects data from sources around the world. We may transfer and use personal data within the portal outside the country where it is collected and where you are operating from. We have appropriate measures in place to protect information including personal data when it is transferred outside the country in which it was collected. We comply with our obligations under the UK Data Protection Act and UK GDPR.

The Pathogena web portal has functionality which enables data sharing between organisations to support research. This can be enabled by contacting pathogena.support@eit.org. We will not share your data with other organisations or users without this consent. This does not include personal data relating to the initial contributors (although we may identify which academic institution or geographical location sourced the contribution).

We will make information available to comply with international protocols for monitoring and reporting infectious diseases which may include anonymised, pseudo-anonymised data as well as some personal data about contributors.

Our partners who support us with the work that we are doing at Ellison Institute Oxford together with our professional advisors.

Local and overseas regulators, courts and agencies where necessary, or where appropriate to comply with our legal obligations or protect or defend our rights.

With those third party data processors who support us to provide the services, including but not limited to:

  • Oracle Inc: They store our data and provide compute for analysis.

  • Auth0: They manage our log-in system, storing user names and passwords.

  • University of Oxford: They develop core parts of the analysis pipelines and on occasion may access data for development purposes.

  • Software Development Agencies: They help develop the product and platform, in limited circumstances they may provide third line support investigating bugs or problems.

  • Microsoft: Provide communications platforms for support emails with users.

  • SendGrid: Aid in the delivery of user sign up and password reset emails.

  • Sentry.IO: Supports the identification and resolution of issues to ensure a more reliable service.

  • Insightly: Securely holds user information.

What rights you have over your personal data 

You have the following rights over your personal data that we are processing in connection with the access to the Pathogena web portal, subject to applicable laws and conditions:

  • The right to access your personal data and to obtain a copy of it. This does not include the right to a copy of the data you have uploaded, as it is your responsibility to retain a copy of that data.

  • The right to rectify your personal data if it is inaccurate or incomplete.

  • The right to erase your personal data if you no longer want us to use it.

  • The right to restrict the processing of your personal data in certain circumstances, such as when you contest its accuracy or object to its use.

  • The right to object to the processing of your personal data for direct marketing purposes or for other legitimate interests.

  • The right to withdraw your consent to the processing of your personal data at any time, where we ask you to give us your consent.

  • The right to data portability, which means to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit it to another controller.

  • The right to lodge a complaint with a supervisory authority if you are unhappy with how we handle your personal data.

How to contact us 

If you have any questions or requests about your personal data, or if you want to exercise your rights, please contact us at pathogena.support@eit.org.

If you are unhappy with the way that we have handled our personal data obligations, please contact us. If you remain unhappy with how we’ve used your data after raising a complaint with us, you can also complain to your supervisory authority. For UK users, the Supervisory Authority is the ICO – who can be contacted via: Helpline number: 0303 123 1113; or Website: https://www.ico.org.uk/make-a-complaint

How we update this notice 

We may update this notice from time to time to reflect changes in our practices, technologies, or legal requirements. We will notify you of any material changes by posting the updated notice on our website. The date of the last update is indicated below. We encourage you to review this notice regularly to stay informed about how we use your personal data.

August 2024.