African Biosciences Ltd sets out this policy on how we protect your information provided when you use this website and take tests through our company.
Part A: Introduction
African Biosciences Ltd provides molecular diagnostics and DNA testing services. This policy relates to personal information in the course of caring out testing services, why we collect and hold it, and how we protect it. By personal information we mean information from which a living person can be identified. We may also provide you with supplemental information about our use of your personal information in specific circumstances or in connection with specific services.
Regulatory background: GDPR
The voluntarily adapt the EU General Data Protection Regulations (which are known as GDPR) regarding when we collect or use personal information. The regulations were introduced to protect peoples’ data. It applies where we process personal information. Processing includes collecting information, storing it, disclosing it, using it and destroying it. The regulations say that information should only be processed in one or more specified circumstances, which are known as ‘lawful bases’. The lawful bases on which we may process your personal information include:
- Where you have given your consent. We have shortened this to ‘consent’ in the statement).
- Where necessary to carry out the terms of a contract, for example the contract for us to provide testing services. We have shortened this to ‘perform contract’.
- Where necessary to comply with a legal obligation. We have shortened this to ‘comply with law’.
- Where we or someone else has a legitimate interest, which is not overridden by your interests. We must always balance your interests and rights with our interests if we are to process your information on this basis. We have shortened this to ‘legitimate interest’.
In this statement we have grouped the types of personal information that we may hold into broad categories. The categories are:
- General information including contact information
- Information obtained in order to provide a quote/arrange our testing services
- Information obtained through the process of providing our testing services
- Payment and transactional information
- Marketing information
We also collect, use and share aggregated information such as statistical data. Aggregated information could be derived from personal data, including your test results but is not considered personal data in law as this data will not directly or indirectly reveal your identity. For example, we may aggregate information to report on our performance, particularly when tendering for business, to identify trends within our business, and to improve our services, and their accuracy. Other examples of how we use aggregated data are for business management, planning and tracking purposes.
Part B: What personal information we hold, and how we use it
General contact information/communication records
This may include your name, address, phone number, email address, communications consent and other information that you may provide to us during routine communications such as when you ask us to respond to a query.
Other Use of Information
We may also use personal information which we hold to enforce our rights under our terms and to handle any complaints or disputes that may arise, to defend any proceedings which may be brought against us or to participate in any proceedings to which we are joined, and to comply with law or any applicable regulations. Where we do so, our lawful basis will be that we have a legitimate interest or are complying with law.
Changes in why we use your information
We will only use personal information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If you wish to get an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact us.
If we need to use personal information for an unrelated purpose, we will notify you (where appropriate through your solicitor or other third party) and we will explain the legal basis which allows us to do so.
Please note that we may process personal information without your knowledge or consent, but only where this in compliance with the above rules, where this is required or permitted by law.
Part C: How we collect your information
We use different methods to collect personal information including:
Direct interactions. You may give us your personal information by filling in forms or by corresponding with us by post, phone, email, or otherwise. This includes personal information you provide when you
- order our services;
- subscribe to one of our publications or mailing lists;
- request marketing to be sent to you;
- enter a competition, promotion or survey; or
- give us feedback or contact us
Through an intermediary or third party. Examples of where intermediaries provide personal information include where a solicitor appointed to represent someone provides information on their behalf, the lead party in a court case (meaning the party who provides instructions in relation to the testing of various parties involved in the case), or a local authority or governmental department who conduct and pay for testing, and companies who ask us to carry out testing of their staff. A third party may also request a quote for testing and provide information even where they are not acting on behalf of the person whose information they provide.
- Automated technologies or interactions. We may automatically collect information about equipment, browsing actions and patterns of visitors to our website.
- Third parties or publicly available sources. We may receive personal information about you from various third parties and public sources including:
- Information from:
- analytics providers such as Google
- advertising networks
- search information providers
- providers of technical, payment and delivery services
Part D: Sharing your information
In this section we provide information on who we share your information with, and why. Our policy on disclosing test results.
- If an adult is tested, we will always provide the results to them.
- If the person ordering the test wishes the results to be provided to people other than the person being tested, including to themselves, we will seek the consent of the person being tested before the sample is taken. If the person being tested does not consent to this, we will not take the sample.
- We will only carry out a test which has been ordered by a court where the person being tested consents to the results being shared in accordance with the court order.
- We will share test results with any person who can show that they have parental control in respect of a child being tested, even if they do not place the order. The exception to this is where a court order forbids us from providing results to that person.
For Service Providers
- We use a range of service providers and consultants in order to help run our businesses and to provide our services. We require all third-party service providers to respect the security of the personal information we hold and to treat it in accordance with the law.
- We do not allow our third-party service providers to use our client’s personal information for their own purposes and only permit them to process it for specified purposes and in accordance with our instructions.
These service providers include:
We sometimes use the services of professional third parties to collect samples for DNA testing. We will need to disclose personal information for collecting the sample in order to plan for sample collection, and also to ensure that sample are collected correctly.
Telephone Answering Services
We may use a third party service provider to answer telephone calls when we are unable to do so ourselves, including when our Help Centre is closed.
Laboratories & Biological Storage Facilities
We use fully accredited professional laboratories to receive samples and to carry out testing.
Expert Reports/ Expert Witness Services
Where we are retained to provide expert report or expert witness services, we may use the service of expert third parties, and where we do, we will share personal information with the expert third parties as necessary to enable them to perform their services.
Cloud-Based Service Providers
We use cloud-based storage providers to securely maintain the information held within our databases, and this will include sensitive personal information.
Please see ‘Security of your information’ below [ link] for further information on security aspects of our cloud storage arrangements.
We also use service providers who assist us with our ‘cloud’ based infrastructure, and ‘cloud’ client support tools.
We may share information with our professional advisers including lawyers, accountants and insurance advisers. We do not routinely share molecular diagnostics and DNA testing information with our professional advisers, but it would be possible that this could happen, for example if court proceedings relating to our test results were to be brought against us.
Other Specialist Consultants and Service Providers
These include IT consultants and service providers, and service providers that assist us with marketing, analytics, and cyber security/fraud prevention. We may also in limited circumstances share personal information with our insurer.
Payment Service Providers
We use the services of payment processing companies to facilitate customer payments. These providers will use contact and billing information including debit/credit card and bank information details to process payments. When payment is made online, financial details are provided to that payment processing company, and not to us.
The Legal Process
There are circumstances in which we may be legally required to disclose information. Examples of this include when we are subject to a binding court order, subpoena, or a legally binding direction by a regulator, and where we are required to share information with the Government. We reserve the right to share personal information where we reasonably believe that we are legally required to do so. We may also share information where this is necessary for us to exercise or enforce our rights under our terms or otherwise at law, or where we reasonably and in good faith consider that it necessary or appropriate to do so in order to protect the security of our site, customers or employees.
Change in Control
Part E: How long we keep your personal data
In this section we provide guidance on how long we are likely to retain your personal information. This generally depends on how and why the information is collected. Please also be aware that it takes up to a further 6 months from the dates specified in this section for information that is no longer required to be fully removed from our systems because we retain backup and archive files.
We may also retain limited personal information for a longer period than specified including in the event of a complaint or if we reasonably believe there is a prospect of litigation relating to our relationship with you, or that the information may be needed to exercise or enforce our rights under our terms, or to perform contractual obligations. We may also retain information for a longer period where we are legally required to do so, and for audit and compliance purposes or where the information we hold is required in connection with a legal process. Additionally, our laboratories may also need to retain information that they hold on our behalf for longer periods to comply with legal or regulatory requirements. We may also retain enough information to be able to evidence your account deletion request.
We retain information for the periods below:
- General Information including contact information and communications:
- Call recordings: up to 6 months from the end of the month in which the call happened.
- General contact information provided when we are asked to provide a quote, and our quotes and related communications, and communications with us including notes taken during from telephone calls: 12 months, unless the quote is accepted. If a quote is accepted, we retain all information relating to the quote and the test for 7 years after the date on which the results are provided.
- Payment Information and financial records:
By law we must retain financial records. We retain the name and contact details of each person who pays for a test, any payment details we have, and transactional information for up to seven years after we receive payment for our services.
- Information relating to services:
We retain samples for 6 months unless we are requested to delete the sample by or on behalf of the person whose sample it is. We may retain the sample for a longer period were lawfully required to do so. We retain our internal records in connection with our services, test results and our expert reports for 7 years from the date on which we provide our results/reports, or for so long as we are aware that legal proceedings to which the test/report relates is ongoing.
Part F: Security
We are committed to be a secure and trusted partner for your personal information, including sensitive information such as test results.
How do we do this?
At the heart of how we protect your information is our commitment to International Standards set by ISO. Our partners are certified to ISO:9001 for quality controls and ISO:27001 for information security. As part of the ISO accreditation, audits and reviews are conducted of all relevant third party service providers to check that they meet our strict requirements. We use a combination of technical, physical and organizational measures to protect the security of your information.
Physical and organizational measures help protect against social engineering attacks whereby an unauthorized person gains access to restricted information or physical location through psychological manipulation of authorized individuals. These measures include security clearances, extensive training and physical security measures and are subjected to rigorous external audits throughout the year.
Technical measures implemented to protect your information include:
- Security by design
- Separation of Concerns & Pseudonymization
- Monitoring and Alerting
- Proactive Vulnerability and Penetration Testing
What is security by design?
Software has been designed and implemented with a security first process with the expectation that malicious third parties will attempt to exploit the system. This includes minimizing permissions and access to data for internal secure systems.
What is encryption?
Data is scrambled so it is unreadable by humans or computers without a unique decryption key which is kept separate and secure. Encryption of data occurs as it flows through our system to yourselves (HTTPS) and while it is stored by ourselves (Encrypt at Rest). This significantly increases the difficulty of accessing data in the event of unauthorized access to our systems.
What is monitoring and alerting?
We actively monitor our systems and all communication with the outside world, collecting and analyzing the available data for indicators of potential threats and breaches. These are automatically triaged and alerted to our security team for appropriate action.
What is proactive vulnerability and penetration testing?
We periodically employ the services of third party specialists to act as malicious parties and attempt to breach our security in a controlled and safe way. This enables us to identify and assess potential attack vectors before they are identified by monitoring and alerting tools and to address and harden appropriately.
Part G: General
If we hold your personal information, in certain circumstances, you have rights under data protection laws. These rights include:
- Request access to your personal data.
- Request correction of your personal data.
- Request erasure of your personal data.
- Object to processing of your personal data.
- Request restriction of processing your personal data.
- Request transfer of your personal data.
- Right to withdraw consent.
If you wish to exercise any of the rights above, please contact us.
No fee: You will not have to pay a fee to access your personal data or to exercise any of the rights. However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we could refuse to comply with your request in these circumstances.
What we may need from you: We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
Time limit to respond: We try to respond to all legitimate requests within one month. Occasionally it could take us longer than a month if your request is particularly complex or you have made several requests. In this case, we will notify you and keep you updated.
African Biosciences Ltd
1A Akin Osiyemi Street
Off Allen Avenue
If you have any queries about the privacy of your information, or about the information in this statement, or if you think the information is in any way incomplete, please contact us at:
firstname.lastname@example.org or call our customer services team on 0700 DNA TEST (362 8378)
We keep this statement under regular review. It is important that the personal information we hold about you is accurate and current. Please let us your personal data changes during your relationship with us.
You have the right to:
- Request access to your personal information (commonly known as a “data subject access request”). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it.
- Request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.
- Request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal information to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.
- Object to processing of your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your personal information for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms.
- Request restriction of processing of your personal information. This enables you to ask us to suspend the processing of your personal information in the following scenarios:
- If you want us to establish the accuracy of the information.
- Where our use of the information is unlawful, but you do not want us to erase it.
- Where you need us to hold the information even if we no longer require it as you need it to establish, exercise or defend legal claims.
- You have objected to our use of your information, but we need to verify whether we have overriding legitimate grounds to use it.
- Request the transfer of your personal information to you or to a third party. We will provide to you, or a third party you have chosen, your personal information in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.
- Withdraw consent at any time where we are relying on consent to process your personal information. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain services to you. We will advise you if this is the case at the time you withdraw your consent.