RANDOX GROUP – COVID-19 TESTING PRIVACY POLICY

As updated April 2020.

Any references to we, us, our and Randox within this privacy policy are used as collective terms to include all companies within the “Randox” groups of companies, including Randox Laboratories Limited and Randox Health Checks (NI) Ltd, and their subsidiary and holding companies. Randox Laboratories Limited (Randox Labs) is a company registered in Northern Ireland (registered number NI015738). Randox Health Checks (NI) Ltd (Randox Health) is a company registered in Northern Ireland (registered number NI610940).

Who We Are

Randox Labs is registered with the Information Commissioner’s Office (ICO) under registration number Z7894954 and Randox Health is registered with the ICO under registration number ZA056454.

As a user of Randox’s services, we will collect what is known as personal data about you. Personal data is information from which you, as an individual, can be identified. This policy outlines how the relevant Randox company you interact with will use, store and protect any personal data that you provide or that we otherwise hold about you when using Randox’s COVID-19 testing services.

A separate privacy policy applies in respect of other personal data which Randox Health may collect or otherwise hold about you in connection with other goods and services we provide or receive, and where you are a Randox Health customer for anything other than COVID-19 testing, which is available here: https://www.randoxhealth.com/privacy-policy/.

Where you are an NHS worker, or have otherwise obtained your COVID-19 test through the NHS, the relevant Randox company collecting your personal data and providing the testing services is Randox Labs. Randox Labs acts as what is called a processor of personal data on behalf of the UK Department of Health and Social Care (the DOH). This means that the DOH is the organisation that decides the purposes for which your personal data is used and the way in which it is processed, and Randox Labs acts on its behalf, and in accordance with its instructions, as a service provider. The relevant DOH privacy policy is available here: https://www.gov.uk/government/organisations/department-of-health-and-social-care/about/personal-information-charter.

Where you have obtained your COVID-19 test privately, then the relevant controller of personal data (i.e. the organisation that decides the purposes for which and the way in which your personal data is dealt with) will be Randox Health.

Unless indicated otherwise, this policy sets out how Randox will use, store and protect any personal data we collect or generate about you for both private tests and public tests.

Version two of this policy was last updated on 3 April 2020. Historic versions of this policy can be obtained by contacting us.

What Personal Data Do We Collect or Hold About You

We will collect personal data as part of our online testing kit registration process. Registration is essential for all testing and reporting of results to proceed, and it is essential that you complete these details, and confirm your acceptance of this policy, personally.

The information we collect during registration includes:

  • The unique registration number (URN) on your test kit (it is very important that this is recorded correctly to ensure that your sample is correctly matched to your online registration);
  • Your name;
  • Your date of birth;
  • Your gender;
  • Your email address (it is very important that this is recorded correctly so that your results are sent to the right email address);
  • Your country / nationality;
  • Your telephone number;
  • The date your sample was collected;
  • Your full home address (including postcode);
  • Your national insurance number (optional); and
  • Your NHS / employee number (if applicable).

We will not collect any information which we, or relevant third parties, do not need.

Once your swab sample has been returned to us, and it has been tested for COVID-19, our systems will automatically generate a report which shows our findings (the Report). This Report will include some of the personal details that you have provided to us about yourself. We will also hold this information in a centralised database.

Please note that there are limitations inherent in the sample collection and testing process, which are explained in our terms and conditions here: https://www.randoxhealth.com/screening-request-terms-and-conditions/, and in the test instructions that were provided to you when you received your test kit.

It is important that the personal data we hold about you is accurate and current, and we cannot be held responsible for incorrect data that is provided by you. Please keep us informed if your personal data changes during your relationship with us.

If you fail to properly provide all requested data or provide incorrect data we may be unable to provide the testing services or notify you of your results. There is also a risk that third parties could be inadvertently provided with your data if, for example, you have not correctly entered your email address, or your email servers are compromised.

 

How Do We Use That Information?

We will only use your personal data when the law allows us to. Most commonly, we will use your personal data on one or more of the following grounds:

  • Where we need to perform the contract for testing services that we have entered into with you (in the case of Randox Health in respect of private tests).
  • Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.
  • Where we need to comply with a legal obligation (including the terms of our contract with the DOH, in the case of Randox Labs in respect of NHS tests).

We do not rely on consent as a basis for processing your personal data, unless you have requested a private COVID-19 test from Randox Health, in which case you may withdraw your consent to processing at any time by contacting us using the details below. Any payments made for testing services are non-refundable, as explained in our terms and conditions here: https://www.randoxhealth.com/screening-request-terms-and-conditions/.

Where we are using your personal data that identifies your health data, we are doing that either on the basis of your explicit consent, your vital interests, for public interest, medical diagnostic reasons or preventative or occupational health reasons.

Generally, Randox will use the data you provide to test your swab samples for COVID-19 and notify the results to you as the registered user of the kit via the Report. A copy of the Report will be sent by email to the email address you provided to us when you signed up through our registration portal.

After your sample has been posted to us, please make sure to regularly check your emails (including any junk or spam folder) for any email attaching the Report. Please note that we are not responsible for the security of any domains in respect of email addresses you have given us. If you believe you have received a Report in error, please contact us at covid19@randoxhealth.com immediately.

Additional information, including home address, is necessary for notifying the relevant public health or other Government authorities of the results of your test, if we are requested to do so.

Personal data required for COVID-19 testing (including test results) is held on controlled computer systems. Currently, our registration portal is securely maintained on Microsoft Azure via Microsoft’s UK-based servers in accordance with their standard terms and privacy policy, which are available at: https://www.microsoft.com/en-ie/trust-center/product-overview.

As a controller or processor of personal data, Randox and its affiliated companies must process your information fairly and lawfully. We will also process your data in accordance with the instructions of the DOH and the terms of our contract, in the case of Randox Labs.

We also collect, use and share Aggregated Data for any purpose. Aggregated Data could be derived from your data but is not considered personal data as it will not directly or indirectly reveal your identity.

We will not use any personal data that we collect for marketing purposes unless you have separately signed up to receive marketing communications from us.

Who Do We Share It With?

Randox will not generally share personal data about you with other organisations or people, unless permitted or required by law, you have provided consent, or a third party is required to provide our testing services to you (in such circumstances, the third party will be bound by similar data protection requirements). Nor do we transfer your personal data outside of the UK.

That said, please note that your data (including your test results) may be available to other companies within the Randox groups of companies, to Microsoft (who host our registration platform, as noted above) and to relevant health or other governmental authorities for the purposes of, among other things, contact tracing and infection control.

We may also share your data with third parties to whom we may choose to sell, transfer or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners may use your personal data in the same way as set out in this privacy policy.

Where possible, we require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and we only permit them to process your personal data for specified purposes and in accordance with our instructions.

In respect of NHS testing results, please note Randox Labs acts as a processor on behalf of the DOH, so has no control over what the DOH chooses to do with your personal data or who it is shared with by DOH.

How Long Do We Keep Personal Data?

We must keep all personal data safe and hold it for no longer than is necessary in line with our legal obligations.

We will only retain your personal data for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain your personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you.

Where your test was provided through the NHS, Randox Labs will hold your information for the duration of its contract with the DOH, and for a period of three months thereafter (unless otherwise instructed by the DOH).

Where you are a private patient, Randox Health will hold your data for a minimum of six years for liability purposes. We review the personal data we hold on a regular basis.

Your Rights

We have set out an explanation of your rights regarding the data we hold below. Please note that these only apply where you have paid Randox Health for your test.

Where you are an NHS key worker, or have otherwise obtained your test through the NHS, you must contact the DOH to exercise any of your rights. Your rights will be different in this context, and are explained in the relevant DOH privacy documentation.

  • Access & Portability: You have the right to ask us for copies of your personal data to be sent to you and for personal data to be sent to a third party. There are some exemptions, which means you may not always receive all the information we process. For information to be shared to someone on your behalf, usually consent must be provided by you.
  • Rectification: You have the right to ask us to rectify information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete. If at any point your personal data changes, it is up to you to update us.
  • Erasure: You have the right to ask us to erase your personal data in certain circumstances, which means your personal data being removed from our databases.
  • Restriction of Processing: You have the right to ask us to restrict the processing of your personal data in certain circumstances, for example, whilst a complaint about its accuracy is being resolved.
  • Object to Processing: You have the right to object to processing if we are able to process your information because the process forms part of our public tasks, or is in our legitimate interests, although Randox can override this objection where we have legal grounds to do so.

You should be aware that taking some of the above steps will impact on the ability of Randox to complete the service you have agreed. Failure to register key personal details and (if relevant) provide consent will prohibit Randox from testing your sample and no results will be provided to you. As noted above, no refunds will be made where you have paid Randox Health for private testing in such circumstances.

Contacting Randox about your COVID-19 Personal Data

We have appointed a data protection officer (DPO) who is responsible for overseeing questions in relation to this policy. Please contact DPO@Randoxhealth.com in the first instance, if you wish to:

  • Withdraw your consent to processing;
  • See your personal data or to exercise any of the rights mentioned above; or
  • Make a complaint about how we have handled your personal data.

Please contact the DOH if you have a query regarding processing by the DOH, where you are an NHS worker or have received your test through the NHS.

 

Contacting the ICO

If you are not satisfied with our response to any query you raise with us, or you believe we are processing your personal data in a way which is inconsistent with the law, you can complain to the ICO office helpline: 0303 123 1113. We would appreciate the chance to deal with your concerns before you approach the ICO so please contact us in the first instance.

Please do not contact the ICO regarding processing by Randox if your complaint relates to the processing of your data by the DOH (in respect of NHS tests).