Privacy Policy

Introduction/Purpose

Genuity Science™ collects, uses, Processes and stores Personal Data about healthcare providers, Data Subjects or research study participants, collaborators, customers, suppliers, clients and other individuals who come into contact with us. We handle Personal Data with due care and in accordance with applicable Data Protection Laws.

We take our data protection responsibilities seriously. We understand that Personal Data must be Processed in accordance with Data Protection Laws. In this regard, our employees, consultants and other individuals who handle Personal Data on our behalf are expected to comply with this Policy and applicable Data Protection Laws.

Last update 6/22/2020

Scope

This Privacy Policy applies to Personal Data processed by Genuity Science (“we”, “us” or “our”) in our roles as a Data Controller and/or as a Data Processor.

This Policy is not an exhaustive statement of all of our data protection practices. For example, we may apply specific policies within certain environments which, while consistent with this Policy, may contain certain variations. We might also include a particular privacy notice at the point of capturing Personal Data on a new service – any specific consents obtained, or information provided will apply to that service and will supplement this Privacy Policy. We may also introduce additional user choices on our platforms which will be clearly explained to users as required by applicable Data Protection Laws.

Definitions / Abbreviations

“Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed.

“Data Controller” means an entity that controls Personal Data by deciding why and how the Personal Data is Processed.

“Data Processor” means an entity that processes Personal Data on behalf of the Controller. A Data Processor may include service providers (for example, a payroll service provider).

“Data Protection Officer” means the individual(s) appointed pursuant to Articles 37-39 of the GDPR to ensure that Genuity Science processes Personal Data in compliance with applicable Data Protection Laws.

“Data Protection Laws” means for the purposes of this Policy the General Data Protection Regulation (EU2016/679), the Irish Data Protection Act (2018) and all European Union (with direct effect) laws and regulations relating to processing of personal data and privacy, along with applicable HIPAA regulations.

“Data Subject” means the living individual to whom the Personal Data relates.

“European Economic Area” or “EEA” means Austria, Belgium, Bulgaria, Croatia, Republic of Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, the UK, Iceland, Liechtenstein, and Norway.

“GDPR” or “General Data Protection Regulation” means the General Data Protection Regulation (EU2016/679) having direct effect within the EEA as of 25 May 2018.

“HIPAA” or “Health Insurance Portability and Accountability Act of 1996” means the legislation that contains data privacy and security provisions for safeguarding medical information in the United States.

“Personal Data” is any information relating to a living individual which allows the identification of that individual. Personal Data can include a name, an identification number, details about an individual’s location or any other detail(s) that is specific to that individual which is capable of directly or indirectly identifying that individual.

“Processing” includes collecting, using, recording, organizing, altering, disclosing, destroying or holding Personal Data in any way. Processing can be done either manually or by using automated systems such as information technology systems and “Process” and “Processing” shall be interpreted accordingly.

“Profiling” is the automated Processing of Personal Data for the purpose of assessing certain aspects relating to an individual so as to analyze or predict the individual’s performance, decisions or behavior.

“Special Categories of Personal Data” are types of Personal Data that reveal any of the following information relating to an individual: racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership. Special Categories of Personal Data also include the Processing of genetic data, biometric data (for example, fingerprints or facial images), health data, data concerning sex life or sexual orientation and any Personal Data relating to criminal offences or convictions.

Responsibility

The Company

  • Genuity Science is responsible for Processing of Personal Data.
  • Genuity Science has designed business practices to align with Data Protection Laws.
  • Genuity Science has established systems to respond to queries, requests and threats to the protection of the Personal Data that is processed by third parties on our behalf.
  • Genuity Science actively maintains, trains and audits its systems to ensure ongoing compliance with evolving laws and practices.
  • The nature of the Personal Data and the extent that a third party may be asked to Process Personal Data on our behalf will vary according to the responsibilities of that third party. Genuity Science will only share and receive Personal Data which is necessary to enable us and the relevant third party to perform our/their duties. In this context, information on current, past or prospective consultants, clients, or health care providers may be processed.

Role of the Data Protection Officer

In relation to data protection compliance the DPO’s responsibilities include, but are not limited to:

  • answering questions about the Processing of Personal Data as described in this Policy;
  • supervising requests by Data Subjects with regard to their Personal Data;
  • handling complaints by Data Subjects;
  • giving permission to Process Personal Data for purposes other than that for which they were collected, and, if necessary, determining additional conditions to be applied to such Processing;
  • giving permission for Processing Special Categories of Personal Data pursuant to a foreign legal obligation;
  • acting as our point of contact with data protection regulators and reporting to regulators as required;
  • giving instructions for audits, if any, to external auditors with regard to compliance with this Policy;
  • supervising the recording and reporting of Data Breaches (in accordance with the Data Breach Reporting Procedure); and
  • supporting our compliance with this Policy.

Data Protection Principles

When Processing Personal Data, we comply with the following data protection principles:

  • We obtain and Process Personal Data fairly;
  • We keep Personal Data only for one or more specified, explicit and lawful purposes;
  • We Process and disclose Personal Data only in ways which are compatible with these purposes;
  • We keep Personal Data safe and secure;
  • We keep Personal Data accurate, complete and, where appropriate, up-to-date;
  • We ensure that Personal Data is adequate, relevant and not excessive; and
  • We retain Personal Data for no longer than is necessary for the purposes for which we Process it.

Uses of Personal Data

Genuity Science processes the following personal data:

Genuity Science’s Website:

  • Email addresses for replies to general information queries received through our website.
  • If an individual would like to register their interest in one of Genuity Science’s studies in Ireland, with the individual’s consent, Genuity Science processes names and email addresses. This Personal Data is processed to notify Data Subjects if a Genuity Science study site opens in either the hospital and/or the GP practice they have indicated.
  • With the consent of the Data Subject, the Data Subject provides their medical consultant or GP’s name or practice information. This data is processed to build metrics to help Genuity Science better understand geographic demand for new study locations.

Genuity Science’s Research Studies:

  • As part of Genuity Science research studies, on the basis of the Data Subject’s consent and the legitimate interest of Genuity Science, Genuity Science processes medical, health, lifestyle and data derived from DNA (genomic data). This data is processed in pursuit of the company’s scientific research to uncover any correlations between an individual’s biological make up/health and disease.

Suppliers, Collaborators and Customers:

Personal details: name, title, position, work identification numbers, department, business unit, and contact details: address and phone number(s), work location.

Where Genuity Science provides sequencing services to customers or collaborators as a data processor only, all relevant data is processed strictly on a fully pseudonymized basis.

Purposes of Processing Personal Data

Genuity Science only uses Personal Data for the purpose(s) for which the Personal Data has been obtained.

The Processing purposes are clearly specified, and the Data Subject(s) will be informed about these at the time of Personal Data collection or as soon as reasonably possible thereafter, and to the extent reasonably possible.

Some examples of the reasons for which Genuity Science Processes the above information include, without limitation:

  • relationship management;
  • marketing, PR, promotional activities and information provision concerning us and/or our services and products;
  • the improvement of our websites, services and products;
  • management information;
  • determining business strategy;
  • carrying out internal audits or investigations and the implementation of audit measures for internal management;
  • preventing and detecting unlawful and/or criminal behavior directed towards us or our customers and employees, and preventing theft and/or fraud;
  • scientific research into the correlation between health and disease;
  • providing services to customers and collaborators; and
  • fulfilling legal obligations.

Legal Bases for Processing Personal Data

Genuity Science only Processes Personal Data if one or more of the legitimate grounds set out below, which allow for compliant Processing of such Personal Data, apply:

Consent

Personal Data can be processed if the Data Subject has given his or her consent (preferably in writing or via e-mail). The consent relates to the specific purpose for which the Personal Data is required.

Genuity Science ensures that Data Subjects are adequately informed about the Processing purposes before consent is requested. If there are multiple Processing purposes, separate consents may be required for each Processing type. The consent(s) provided are held on file as evidence of the consent(s) given.

Data Subjects may withdraw their consent to these types of Processing activities at any time (Please also see 6.4.3) by contacting our Data Protection Officer.

Contractual Necessity

This applies, for example, in relation to Processing of Personal Data necessary for the purposes of:

  • accounts payable/accounts receivable, including any debt-collection process;
  • relationship management;
  • marketing, PR, promotional activities; and
  • supply of contractual deliverables to customers and other parties.

Legitimate Interests

Examples of our or a third party’s legitimate interest for Processing include, without limitation, carrying out regular business activities including:
  • where a research participant withdraws their consent to processing, pseudonymized Personal Data gathered as part of Genuity Science’s research studies can be processed for Genuity Science’s legitimate interests (and its commercial partners) in the pursuit of scientific research, provided that:
    • Genuity Science destroys the identifying link between the Personal Data and the participant;
    • destroys the participant’s bio-sample;
    • Genuity Science is satisfied that to destroy the Personal Data or to cease processing in respect of it would seriously impair the success of the scientific research, such that it has compelling legitimate grounds for engaging in continued processing which override the interests, rights and freedoms of individual participants; and
    • the legitimate interest relates to the specific purpose for which the Personal Data is required.
  • the improvement of, and communication about, our websites, services and products;
  • determining business strategy;
  • carrying out internal audits or investigations and the implementation of audit measures for internal management;
  • preventing and investigating theft or fraud and/or breach of Genuity Science’s codes and policies, including possible legal offences, whether actual or suspected; and/or
  • guaranteeing rights, liberties, and/or the health or safety of our employees, contractors or third parties.

Legal obligation:

Such Processing may include, for example, the disclosure of Personal Data if demanded by the judiciary or a tax authority. Such Processing may also include Processing of Personal Data for anti-money laundering purposes.

Data Subject Rights:

Data Subjects have certain rights under applicable Data Protection Laws, as explained below. The procedures below explain how Data Subjects’ rights are given effect, upon receipt by our Data Protection Officer of a written request or objection relating to the processing of their Personal Data by us when we are acting as a Data Controller:

Request for inspection and access:

Every Data Subject is entitled to apply to us requesting a summary and a copy of his/her Personal Data processed by us or on our behalf.

Request for correction/addition/removal:

If Personal Data processed by us is believed to be inaccurate or incomplete, the Data Subject is entitled to request that Genuity Science take measures to have such Personal Data corrected, added to, protected or deleted.

Objection by the Data Subject:

Every Data Subject is entitled to object to the Processing of his/her Personal Data based on the legitimate interests of the Controller.

Request for transfer of Personal Data:

Every Data Subject can request that Genuity Science provides his/her Personal Data in a structured and electronic form to the Data Subject or, if technically consistent with our information technology systems, to transfer the Personal Data in an electronic form directly to a third party identified (in writing) by the Data Subject.

Restriction of Processing:

The Data Subject can request that Genuity Science restricts the Processing of his/her Personal Data where the accuracy of the Personal Data is contested, the Processing by us is unlawful, or Genuity Science no longer needs the Personal Data.

Right to object to automated decision making:

The Data Subject has a right to object to any automated decision making, including Profiling, which produces legal effects concerning him or her or similarly significantly affects him/her.

Security:

Security of Personal Data

Through our policies, Genuity Science has implemented a range of technical and organizational security measures to protect Personal Data from unlawful or unauthorized destruction, loss, change, disclosure, acquisition or access.

Genuity Science operates and encourages a culture of data privacy and security awareness supported by regular employee training, both at induction and throughout their employment.

Genuity Science ensures that all Personal Data controlled by us is held securely using appropriate security measures.

Data Breach / Security Breach

In the event of a Data Breach, Genuity Science will comply with applicable Data Protection Laws governing the reporting of such breaches and manage the Data Breach in accordance with our Security Incident Management protocols.

Our Security Incident Management protocols are followed as soon as it is identified that a possible Data Breach has occurred.

Data Transfers Outside the EEA

Research study Participants’ Data:

Genuity Science collates pseudonymized personal data collected from volunteer Data Subjects for the scientific research studies, in collaboration with its academic and/or commercial partners, in a database.

The database that contains participants’ pseudonymized Personal Data (including health, lifestyle and genomic data) is stored in the EU and all decisions about the Processing of Irish Data Subjects’ Personal Data are made in Ireland.

Access to EU citizens’ pseudonymized Personal Data may need to be provided to individuals or entities located outside the EEA, either internally within the Genuity Science organization, or externally to third party academic and/or commercial researchers on a strictly controlled and monitored basis. This restricted access is deemed to be a data transfer for the purposes of Data Protection Laws. Therefore, any such data transfer occurs in accordance with the consent of the Data Subject and applicable Data Protection Laws, utilizing an appropriate EU approved data transfer mechanism, such as Standard Contractual Clauses.

Genuity Science takes all reasonable and proportionate steps to ensure that this pseudonymized Personal Data is treated securely and in accordance with this Policy at all times.

Contact Data:

Genuity Science may receive Personal Data, such as contact information, from an individual through use of Genuity Science’s online contact forms or other communication channels. Genuity Science transfers this Personal Data across its office and laboratory locations and has appropriate, EU Commission approved data transfer mechanisms in place to ensure the compliant transfer of such Personal Data.

Customer Data:

In the course of providing services to customers and other parties, Genuity Science may receive Personal Data of EU citizens in its role as a Data Processor of such Personal Data. Genuity Science will only transfer such Personal Data outside of the EEA on the explicit direction of the customer in its capacity as a Data Controller and subject to the implementation of the appropriate EU Commission approved data transfer mechanisms, such as Standard Contractual Clauses.

Disclosing Personal Data to Third Parties:

From time-to-time, Genuity Science may disclose Personal Data to third parties or allow third parties to access Personal Data processed by us.

Where we share such Personal Data with third parties in our capacity as a Data Controller, notwithstanding the Processing of the Personal Data by the third party, Genuity Science remains a Controller of the Personal Data.

Where we share such Personal Data with third parties in our capacity as a Data Processor, notwithstanding the sub-processing of the Personal Data by the third party, Genuity Science remains a Controller of the Personal Data and responsible for such third-party sub-processing activities.

Links and Third-Party Applications:

The Genuity Science website contains hyperlinks to external social platforms. Clicking on any of these links will direct you to an independent, third-party website with its own privacy policy, and which may place its own third-party cookies on your device. Genuity Science has no control over, and no responsibility or liability for, third-party websites that you may access via our website, or their collection, use and disclosure of your personal information through advertisement cookies or other technologies that you may encounter in connection with your use of such websites or third-party applications.

Data Retention:

Genuity Science keeps Personal Data of Data Subjects only as long as the Personal Data is adequate, relevant and limited to what is necessary in relation to the purposes for which that Personal Data has been collected.

DATA PROTECTION QUERIES OR COMPLAINTS:

Genuity Science is committed to protecting Personal Data and Processing Personal Data in compliance with Data Protection Laws. If Data Subjects wish, they can raise a query or make a complaint about compliance with this Policy, Data Protection Laws and/or regulations by sending their complaint or query to our Data Protection Officer. The Data Protection Officer is responsible for handling complaints arising from, or made in accordance with, this Policy.

Should you wish to raise a query or make a complaint about compliance with our personal data processing practices, please contact the Genuity Science Data Protection Officer (DPO) regarding any questions or concerns relating to Genuity Science’s approach to data protection.

Please write to the DPO using the email address: dataprivacy@genuitysci.com or by post to:

The Data Protection Officer
Genuity Science (Ireland) Limited
Cherrywood Business Park, Building 4,
Co. Dublin,
Ireland.


The Health Insurance Portability and Accountability Act of 1996 (HIPAA) Policy

GENUITY SCIENCE
NOTICE OF PRIVACY PRACTICES

THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION.

PLEASE REVIEW IT CAREFULLY.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) requires certain health care entities to develop policies and procedures to ensure the privacy and security of, and safeguard access to and disclosure of, health information, also known as “protected health information” (PHI).  The federal government has privacy rules which require GENUITY to provide you with information on how Genuity Science might use or disclose your PHI.

HIPAA requires Genuity Science to maintain the privacy of your PHI.  This Notice is intended to inform you of Genuity Science’s legal obligations under HIPAA and related regulation to:

  • Protect the privacy of your PHI it may hold;
  • Provide you with this Notice explaining our duties and practices regarding your PHI;
  • Comply with the terms of this Notice.

This Notice informs you about how Genuity Science uses and discloses any PHI it may hold and explains the rights that you have with regard to the PHI that Genuity Science maintains about you.

HOW GENUITY SCIENCE MAY USE OR DISCLOSE YOUR PHI WITHOUT AUTHORIZATION

Genuity Science is only permitted to use or disclose your PHI without your authorization if it falls within one of the categories below. If your PHI contains information regarding your mental health or certain diseases (including HIV/AIDS tests or results), we may be required by state and federal confidentiality laws to obtain your consent prior to certain disclosures.

The following categories describe different ways that we may use and disclose your PHI. For each category of uses or disclosures, we try to explain what we mean and provide some examples.

Categories for Uses and Disclosures

We will use your PHI for Treatment:  your PHI may be used to assist with medical treatment or services and may be disclosed to authorized healthcare professionals involved in your care.

We will use your PHI for Payment:  your PHI may be used or disclosed in order to obtain payment for the services provided. For example, your PHI may be disclosed to bill you or your health insurer for your tests.

We will use your PHI for Health Care Operations:  your PHI may be used or disclosed for activities necessary to support our healthcare operations, for example, for quality verification or internal audits, and other activities that may improve the quality of care given to patients. Your PHI may be used and disclosed to other companies (“business associates”) to support administrative functions.

We are likely to use or disclose your PHI for the following purposes:

HIPAA authorizes Genuity Science, and its business associates, to use and/or disclose your PHI without your authorization in the following instances and for the following purposes.

When Required By Law.  We may disclose your PHI when required to do so by federal, state or local law.

For Health and Safety Purposes.  We may disclose your PHI where necessary to prevent a serious threat to your health and safety or that of another person.

Special Situations – We are permitted to use or disclose your PHI for the following purposes:

Your PHI may be used and disclosed without your authorization in the following special circumstances:

For Active Members of the Military and Veterans to comply with the laws and regulations governing military services and veterans’ affairs.

For Workers’ Compensation to comply with the laws which provide benefits for work-related illnesses or injuries.

In Emergency Situations to provide for a family member or close personal friend involved in your care in the event of an emergency or to a disaster relief entity in the event of a disaster. Your PHI may be disclosed to other persons involved in your care in more limited circumstances.

Research: We may disclose your PHI to researchers when their research has been approved by an institutional review board or privacy board that has reviewed the research proposal and established protocols to ensure the privacy of your information.

For Organ, Eye and Tissue Donation, if you are an organ donor, to an organ or procurement organization to facilitate an organ, eye, or tissue donation and transplantation.

Regarding Deceased Individuals to coroners, medical examiners, and funeral directors so those professionals may perform their duties.

To Correctional Facilities, if you are an inmate in a correctional facility, for certain purposes, such as providing health care to you or protecting your health and safety or that of others.

In other cases, such as marketing, the sale of PHI, the use or disclosure of psychotherapy notes or other uses or disclosures not set out in this notice, we may use or disclose your PHI with your written authorization.  You may revoke your authorization, in writing, at any time. If you revoke your authorization, we will no longer use or disclose PHI except as described above (or as permitted by any other authorizations that have not been revoked). However, please understand that we cannot retrieve any PHI disclosed to a third party in reliance on your prior authorization.  Once your PHI has been disclosed pursuant to your authorization, the protections HIPAA provides may no longer apply to the disclosed PHI, and the information may be re-disclosed by the recipient without your knowledge or authorization.

YOUR RIGHTS REGARDING YOUR PROTECTED HEALTH INFORMATION

The procedures below explain how your rights are given effect, upon receipt by our Data Protection Officer of a written request.

Right to Request Restrictions: You have the right to request that Genuity Science not make uses or disclosures of your PHI for the purposes of treatment, payment, or healthcare operations. You may also ask that we limit the information we give to someone who is involved in your care, such as a family member or friend. Please note that we are not required to agree to your request unless, and except as otherwise required by law, the disclosure you want to restrict pertains solely to a healthcare item or service for which you have paid out of pocket in full. If we do or must agree, we will honor your limits unless it is an emergency situation. To request a restriction of your PHI, please submit your request in writing.

Right to Receive Confidential Communications or Communications by Alternative Means or at an Alternative Location: You have the right to ask that we communicate with you by another means or at a different address, for example, at home rather than at work. To request communications by another means or at an alternative location, please submit your request in writing to the Genuity Science Privacy Officer (dataprivacy@genuitysci.com) and you should state the alternative means by which, or location at which, you would like to receive your PHI.

Right to Inspect and Copy:  You have the right to inspect and receive a copy of your PHI that Genuity Science or its business associates maintain in a designated record set with certain exceptions.  We may ask you to make this request in writing to the Privacy Officer, and we may charge a reasonable fee for the cost of producing and mailing the copies. In certain situations, we may deny your request and will tell you why we are denying it. In some cases, you may have the right to ask for a review of our denial.

Right to Amend: If you believe that the PHI held by Genuity Science or its business associates in a designated record set is incomplete or incorrect, you have the right to request an amendment. Your request must be made in writing and submitted to the Genuity Science Privacy Officer identified below. You must provide a supporting reason for your request and include your contact information. Genuity Science may deny your request if it is not in writing or if it does not include a supporting reason. Genuity Science may also deny your request if you have asked to amend information that:

  • Was not created by or for Genuity Science, unless you provide Genuity Science with information that the person or entity that created the information is no longer available to make the amendment;
  • Is not part of the PHI maintained by or for Genuity Science in a designated record set;
  • Is not part of the health record information that you would be permitted to inspect and copy; or
  • Is accurate or complete.

Right to Receive an Accounting of Disclosures:  You have the right to request a list of certain disclosures of your PHI, known as an “accounting”. The accounting lists instances where Genuity Science or its business associates disclosed some portion of your PHI to others and to whom that disclosure was made.  The accounting does not include disclosures for treatment, payment, and health care operations; disclosures made to or authorized by you; and certain other disclosures.  You may request an accounting of the disclosures made up to six years before your request and you may request such a list by writing to the Genuity Science Privacy Officer. If you want an accounting that covers a time period of less than six years, please state that in your written request for the accounting.

Right to Request a Paper Copy of this Notice:  You have a right to receive a copy of this Notice at any time.  To obtain it, submit a written request to the Privacy Officer (dataprivacy@genuitysci.com).

Right to Complain:  You have the right to complain to Genuity Science and to the Department of Health and Human Services if you believe your privacy rights have been violated.  To file a complaint with Genuity Science, submit a written complaint to the Privacy Officer.  Genuity Science will not retaliate or discriminate against you or otherwise withhold services, payment, or privileges from you because you file a complaint with Genuity Science or with the Department of Health and Human Services.

Right to Receive A Notice of Certain Breaches:  You have the right to receive notice in the event that we or one of our business associates create, receive, maintain or transmit your PHI in an unsecured manner (such as in paper form or if the PHI is in electronic form but is not secured) and a breach of our safeguards occurs.

Policy Changes: Genuity Science reserves the right to revise this notice and to make the new notice effective for all PHI that it maintains. We will post a revised copy of the notice on our website.

Contact us. If you have any questions or concerns about this notice or Genuity Science’s privacy practices, please contact our privacy officer by email at dataprivacy@genuitysci.com.