At the National Institute for Biological Standards and Control (NIBSC) we are committed to protecting and respecting your privacy.
This privacy notice describes how we collect and use your personal data, in accordance with the Data Protection Act 2018 and the UK General Data Protection Regulation (UK GDPR) 2016/679.
This privacy notice applies to anyone (except staff) whose personal data we might process, for example, members of the public, manufacturers, wholesalers, and other authorities.
If you work at NIBSC, please refer to our intranet for details of how we process your personal data – ex-members of staff should contact: dataprotection@mhra.gov.uk.
NIBSC complies with the national data opt-out. For more information, please see: https://www.nhs.uk/your-nhs-data-matters/
NIBSC is one of the Medicines and Healthcare products Regulatory Agency’s (the Agency) three centres. The Agency is an executive agency of the Department of Health and Social Care (DHSC). DHSC and its executive agencies are a single legal entity (or controller) for data protection purposes.
You will find further information about DHSC, the Agency and its three centres on www.gov.uk and their related privacy notices are here: DHSC, the Agency, CPRD.
If you have queries about how the Agency or NIBSC protect and use your personal data, please contact dataprotection@mhra.gov.uk in the first instance. You may also contact the DHSC Data Protection Officer, at data_protection@dhsc.gov.uk. Alternatively, you can contact us in writing:
Data Protection Officer
Medicines and Healthcare products Regulatory Agency
10 South Colonnade
Canary Wharf
London
E14 4PU
DHSC
1st Floor North
39 Victoria Street
SW1H 0EU
Whenever we process personal data we will ensure that we comply with the data protection principles, so that your personal data is:
We will also:
We process personal information about:
We need your personal data to fulfil our regulatory functions in assuring the quality of biological medicines through developing standards and reference materials, product control testing, and carrying out applied research; to answer your queries and continue to monitor and improve our services.
We collect your personal data when you use the NIBSC website or contact us through other channels.
We may use your information to:
If you visit our premises, we capture your image on a visitor’s pass or on CCTV for crime prevention and detection purposes and to ensure the health and safety of our staff and visitors.
We also use Google Analytics which captures information about your use of our website. This enables us to tailor our communications accordingly and present information in the most effective way for you. For details of this please refer to our cookie information.
Personal data refers to any information relating to an identified, or identifiable, living individual.
We process the following categories of personal data:
We sometimes also process more sensitive types of personal information (also known as ‘special category data’):
Article 6 of the GDPR sets out the six legal bases for processing that might apply, depending on the context. These are:
We use the following lawful grounds for processing personal information to support our work:
When we carry out processing in pursuit of our statutory functions laid out in Section 57 of the Health and Social Care Act 2012, our lawful basis for processing your personal information falls under public task. This is where the processing is necessary for us to perform a task in the public interest and the task or function has a clear basis in law.
Our statutory functions relate to the standardisation and control of biological medicines to ensure their safety and efficacy. Depending upon the relationship you have with us, we have outlined the purposes for which we might process your personal data.
We rely on a contractual obligation to process your data when you purchase products or contact us with an enquiry. Without it we would be unable to respond appropriately.
We may rely on your consent for some communications such as direct marketing purposes. Where this is the case, you have the right to withdraw your consent, by contacting the Agency’s Data Protection Officer (see below).
Sometimes we have a legal obligation to disclose personal information to a third party, for example, to the police for crime prevention or detection purposes.
Data Protection law gives you certain rights when we process your personal data. Some of these are restricted – how they apply depends upon the Agency’s legal basis in processing your data, and the context. The rights are to:
If you would like to find out more about your rights, please contact our Data Protection Officer at dataprotection@mhra.gov.uk.
The UK GDPR gives you the right to obtain a copy of your personal data, as well as other supplementary information. This is known as a subject access request (SAR).
To find out if we hold your personal data, or to access it, please email: dataprotection@mhra.gov.uk.
We will need evidence of your identity before searching our records and will respond within one month of receiving this. If we need extra time, we will inform you within the month.
We sometimes need to share the personal data we control (and our data processors may also share information) with other organisations. Where this is necessary, we are required to comply with all aspects of data protection legislation. What follows is a description of the types of organisations we may need to share personal data we process for one or more reasons. Where necessary, required and within the law, we may share data with:
We keep your personal data for no longer than necessary to fulfil our purpose in processing it for business requirements, legal obligation, statutory or regulatory obligations and transactional purposes, in line with our Retention and Disposal Schedule.
We will update this privacy notice when applicable. If any change would result in us processing your personal data for a new purpose, we would inform you before we start using it in the new way.
For independent advice about data protection, privacy and data sharing issues you can contact the Information Commissioner’s Office at: https://ico.org.uk/global/contact-us/