Privacy Policy
CF AMR Syndicate – Privacy Notice
1. Scope
This notice (“Notice”) relates to all individuals whose personal data is processed in line with the requirements of the Regulation (EU) of 27 April 2016 (the General Data Protection Regulation), “GDPR”,) the retained version of the GDPR as it applies in the UK from time to time “UK GDPR” and the UK Data Protection Act 2018. For purposes of this Notice, such individuals are called “Data Subjects”. Under the GDPR personal data is defined as:
“any information relating to an identified or identifiable natural person (the ‘Data Subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.
2. Who we are
The CF AMR Syndicate (“Syndicate”) is a partnership between Medicines Discovery Catapult (“MDC”), LifeArc and the Cystic Fibrosis Trust (“the Trust”) that brings industry leaders and people affected by CF together with academics with expertise in CF and pulmonary infection. The collective, cross-sector expertise of the CF AMR Syndicate enables new efforts in the discovery of CF antimicrobials and diagnostics, to accelerate translation to the clinic and to ultimately bring better treatment options to people affected by CF, faster.
To facilitate collaboration and knowledge exchange, we have launched the CF AMR Network (“Network”), which will consist of a regular newsletter to its members, as well as a signposting role in which individuals or organisations (“Third Parties”) will approach the Syndicate to be connected with Network members to engage on collaboration opportunities leading to access to and exchange of knowledge and expertise on collaborative projects.
In addition, we have launched the UK CF Infection Biorepository (“Biorepository”), which brings together a group of university, hospital and public health laboratories (“Biorepository Partners”) from across the UK with clinical samples, data and expert knowledge needed by medicines developers. MDC as the coordinating centre will manage enquiries to the Biorepository by conducting initial requirements gathering from Third Parties that approach the Biorepository and then sharing these details with Biorepository Partners to identify the most appropriate connection to make.
Finally, the Syndicate seeks to support innovative research projects which aim to develop novel CF antimicrobials and diagnostics. The Syndicate will work collaboratively with the successful applicant/s to develop and deliver the projects in a timely manner. This will be achieved by providing access to drugdiscovery expertise and capabilities, project management resources and project funding.
2.1. MDC, LifeArc and the Trust are bound to specific obligations in relation to data protection under a 2022 collaboration agreement, for the duration of the relevant data processing as joint data controllers.
2.2. MDC, the Trust and the UK CF Infection Biorepository Partners have entered into a Data Sharing Agreement.
2.3. MDC, LifeArc and the Trust work to high standards when it comes to processing personal data. MDC, LifeArc and the Trust will comply with applicable legislation, including the GDPR, the UK GDPR and the UK Data Protection Act 2018. You can contact the MDC, LifeArc and CF Trust’s Data Protection Representative via phone, email, and post:
MDC Data Protection Representative
Phone number: 01625 238734
Compliance email address: compliance@md.catapult.org.uk
Postal address: Medicines Discovery Catapult, Block 35, Mereside, Alderley Park, Alderley Edge, SK10 4ZF
CFT Trust Data Protection Officer
Phone number: 0203 795 1518
Email Address: dataprotectionofficer@cysticfibrosis.org.uk
Postal address: Data Protection Officer, Cystic Fibrosis Trust, One Aldgate, Second Floor, London, EC3N 1RE
LifeArc Data Privacy Manager: General Counsel & Company Secretary
Email address: dataprivacy@lifearc.org
Postal address: LifeArc, Lynton House, 7-12 Tavistock Square, London, WC1H 9LT
ICO registration number: Z6907935
Telephone number: +44 (0) 2073912700
2.4. Please note that for the purpose of maintaining this Notice, the MDC Data Protection Representative is the owner of this document.
3. What we do with your data
This Notice tells you how we, MDC, LifeArc and the Trust, will collect and use your personal data for the purpose of introductions to Third Parties, Network members or Biorepository Partners, and supporting the project management for collaborative projects initiated through the Syndicate.
3.1. In order for us to provide this service we need to collect personal data for correspondence purposes, understanding the scope of a project to make relevant introductions, for the purpose of funding and application assessments and reviews and other related administrative tasks. In any event, we are committed to ensuring that the information we collect, and use is appropriate for this purpose and does not constitute an invasion of your privacy.
3.2. Only anonymised information will be shared with Network members. If a Network member wishes to engage with the Third Party, MDC, LifeArc and the Trust will let the Third Party know and facilitate an introduction between the Third Party and the relevant Network member(s).
3.3. If you have submitted a Biorepository sample request, your personal data will be shared with the Biorepository Partners.
3.4. Our aim is not to be intrusive, and we undertake not to ask irrelevant or unnecessary questions. Moreover, the information you provide will be subject to rigorous measures and procedures to minimise the risk of unauthorised processing, retention, access or disclosure.
3.5. Marketing. In terms of being contacted for marketing purposes, other than advising you of the Syndicate’s funding calls, workshops and events, where we do not already have a legitimate reason to do so, we would ensure we contact you appropriately for additional consent to do this.
3.6. Processing. The personal data we will collect from/process on you are:
|
Personal data type |
Source (where MDC, LifeArc and/or The Trust obtained the personal data from if it has not been collected directly from you, the Data Subject. Note: this |
|
may include personal data accessed from publicly accessible sources, such as published research, social media, or Companies House) |
|
|
Name (first name, surname) of representatives/employees of Third Parties engaging with the Syndicate including name of co-applicants or key project personnel listed or identified in project correspondence or contact at the host institution Technology transfer office |
Syndicate enquiry/Network sign up form, email signature or footer, industry body or public directory listings, published research, programme-related reports and other documentation, patent databases, university published directories or website listings, institution contact pages, Companies House |
|
Business address of representatives/employees of Third Parties engaging with the Syndicate including addresses of co-applicants or key project personnel listed or identified in project correspondence or contact at the host institution Technology transfer office |
Syndicate enquiry/Network sign up form, email signature or footer, industry body or public directory listings, published research, patent databases |
|
Qualifications, educational training details and status, membership of societies or organisations related to field of work or study, skills, professional expertise, career history, academic records, |
Syndicate enquiry/Network sign-up form, email signature or footer, industry body or public directory listings, published research, patent databases, university website |
|
Email address |
Syndicate enquiry/Network sign-up form, direct email correspondence, social media or industry body directory listings, published research |
|
Contact details (personal or business landline or mobile phone number or email addresses) for representatives/employees of Third Parties engaging with the Syndicate including contact details for co-applicants or key project personnel listed or identified in project correspondence or contact at the host institution Technology transfer office. |
Syndicate enquiry/Network sign-up form, direct email correspondence, social media or industry body directory listings, published research, programme-related reports and other documentation, patent databases, university published directories or website listings, institution contact pages, Companies House |
|
Special Category data: whether Third Parties have lived experience of Cystic Fibrosis |
Syndicate Network sign-up |
4. Types of processing and lawful bases
The personal data we collect will be used for the following purposes:
- to review enquiries from Third Parties and determine whether an enquiry is in scope for further engagement with the Network members or Biorepository Partners;
- to inform the Network Members or Biorepository Partners of an enquiry that may be of interest;
- to fulfil our obligations, as Managing Partners, around assessing enquiries and facilitating introductions with Network members and Biorepository Partners, in accordance with the aims of the Syndicate;
- to fulfil our obligations around assessing application and engaging reviewers, in accordance with relevant terms and conditions;
- to communicate with all relevant parties involved within a funded project under the wider programme in all available formats;
- to fulfil legal, financial, tax and regulatory reporting and record keeping requirements and obligations that apply to MDC, LifeArc and The Trust;
- to inform SMT regarding all funding applications, and support decision making processes, provide project collaboration and support and fulfil Syndicate role as the liaison hub;
Our legal basis for processing for processing some or all of the personal data is:
- Contract: processing is necessary for the performance of a contract to which the data subject(s) will be party, or in order to take steps at the request of the data subject prior to entering into a contract;
- Legitimate Interests: processing may be necessary for the purpose of the legitimate interests pursued by MDC, the Trust or Syndicate, or by a relevant third party, and with the assurance that such interests will not override the fundamental rights and freedoms of the data subject(s) concerned;
4.1. Data Protection Law recognises that certain categories of personal information are more sensitive. This is known as ‘special category data’ and covers health information. When third parties request to join the network we will ask whether you have lived experience of cystic fibrosis. You do not have to provide this information if you do not wish to do so. We hold this information on our database so that we can evaluate how we are engaging with the different elements of our community, to help connect network members with news, events and collaboration opportunities that may be relevant to you. We would only collect this information with your specific consent.
5. Data sharing and disclosure
5.1. We will pass your personal data on to LifeArc and the Trust, in the course of dealing with you for your enquiry.
5.2. We will only pass your personal data on to the relevant Network member(s), in the course of dealing with you for your enquiry, if you give us permission to do so.
5.3. The following third parties will receive your personal data for the following purpose(s) as part of usual processing activities:
|
Organisation |
Safeguards that we will have in place to protect your personal data before data is shared |
Retrieve a copy of the assured safeguards that are in place here: |
|
MDC and Medicines Discovery Catapult Limited |
Collaboration Agreement |
Details outlined in this Privacy Notice, also in MDC’s corporate Privacy policy |
|
Cystic Fibrosis Trust |
Collaboration Agreement |
Cystic Fibrosis Trust Privacy Policy |
|
Queen’s University Belfast |
Collaboration Agreement |
Queen’s University Belfast |
|
University of Liverpool |
Collaboration Agreement |
University of Liverpool Privacy Policy. |
|
Public Health Wales NHS Trust |
Collaboration Agreement |
Public Health Wales NHS Trust Privacy Policy. |
|
Cardiff University |
Collaboration Agreement |
Cardiff University Privacy Policy |
|
University of Exeter |
Collaboration Agreement |
University of Exeter Privacy Policy |
|
Nottingham University Hospitals NHS Trust |
Collaboration Agreement |
Nottingham University Hospitals NHS Trust Privacy Policy |
|
University of Cambridge |
Collaboration Agreement |
University of Cambridge Privacy Policy |
|
Imperial College London |
Collaboration Agreement |
Imperial College London Privacy Policy |
|
Microsoft Inc. Office 365 software is used widely within the Consortium (e.g. Word, Excel, Outlook etc.) |
A Software licence agreement for the applications is in place |
Microsoft’s Trust Center webpage has details of their approach to Privacy and the GDPR |
|
The Syndicate uses FreshWorks CRM as a database to process applicant accounts, invoices and financial transactions |
A Software licence agreement for the applications is in place |
Freshworks webpage has details of their approach to Privacy and GDPR |
|
The Syndicate uses Submittable as a system to process applications for funding calls |
A Software licence agreement for the applications is in place |
Submittable’s webpage has details of their approach to Privacy and GDPR |
|
LifeArc |
Collaboration Agreement |
LifeArc’s privacy policy |
6. Retention period
6.1. MDC, LifeArc and the Trust will process personal data for as long as required for the purpose of our role and function of Managing Partners of the Syndicate.
6.2. We are required to retain some personal information in accordance with the law, such as information needed for tax and audit purposes. How long certain kinds of personal data should be kept may also be governed by specific business-sector requirements and agreed practices. Personal data will be held in addition to these periods depending on individual business needs and only where an appropriate lawful basis exists to do so.
6.3. Should you wish a copy of our ‘Retention Schedule’, please use the contact details in section 2.5 of this Privacy Notice. For the retention policies and schedules of the Syndicate Partners you should review their own individual privacy notices to understand how they will retain and delete your personal data.
7. Your rights as a Data Subject
7.1. At any point while we are in possession of, or processing, your personal data, you (the data subject) have the following rights:
- Right of access – you have the right to request a copy of the information that we hold about you (please see section 9 below for further details).
- Right of rectification – you have a right to correct data that we hold about you that is inaccurate or incomplete.
- Right to be forgotten – in certain circumstances you can ask for the data we hold about you to be erased from our records.
- Right to restriction of processing – where certain conditions apply to have a right to restrict the processing.
- Right of portability – in some circumstances you have the right to have the data we hold about you transferred to another organisation.
- Right to object – you have the right to object to certain types of processing such as direct marketing.
- Right to object to automated processing, including profiling – you also have the right to be subject to the legal effects of automated processing or profiling.
- Right to judicial review – in the event that MDC refuses your request under ‘right of access’, we will provide you with a reason why we have refused some or all of your request. You have the right to complain as outlined in clause 3.6 below.
7.2 Any or all of the above requests that we receive will be forwarded on to the Trust and LifeArc, if they are involved (as stated in 3.5 above) in the processing of your personal data.
8. Complaints
In the event that you wish to make a complaint about how your personal data is being processed by MDC, LifeArc and the Trust (or third parties as described in section 5 above), or how a complaint you have made to us in relation to this processing has been handled, you have the right to lodge a complaint directly with the supervisory authority and where applicable, MDC’s, LifeArc’s and the Trust’s Data Protection Representatives as outlined in 2.5 above.
The details for the relevant supervisory authority are:
Information Commissioner’s Office
Wycliffe House Water Lane
Wilmslow
Cheshire
SK9 5AF
Tel: 0303 123 1113 (local rate) or 01625 545 745 if you prefer to use a national rate number Fax: 01625 524 510
Website: ico.org.uk
9. Subject Access Requests
At your request, MDC, LifeArc and the Trust can confirm what information we hold about you and how it is processed. We treat our responsibilities for data privacy very seriously and will ensure we take all reasonable steps to correctly identify anyone submitting a subject access request to our business, per our Data Subject Access Request Procedure. Should you wish a copy of this Procedure please contact the Data Protection Representatives using the details in section 2.3 above.
10. Responsibilities
3.1 The Data Protection Representatives are responsible for ensuring that this Notice is made available to Data Subjects prior to MDC, LifeArc and the Trust collecting/processing their personal data.
3.2 All employees/staff of MDC, LifeArc and the Trust, acting as the managing partners of the Syndicate, who interact with Data Subjects are responsible for ensuring that this Notice is drawn to the Data Subject’s attention and, where applicable, their consent to the processing of their data is secured prior to any processing.
3.3 The Data Protection Representatives will ensure that all employees/staff of MDC, LifeArc and the Trust will receive adequate training to make them aware of appropriate data processing behaviours, to ensure compliance with the law and with this Notice.
3.4 MDC, LifeArc and the Trust expect any third parties engaging with the Syndicate to also abide by the law in regards to the personal data being shared in common across any projects initiated through the Syndicate.
