Privacy Policy

Research Consultancy and Health Limited (t/a RCANDH) (“our”, “us” or “we”) provides PCR antigen testing for COVID-19 from nasal swabs and saliva samples with same day results for business (the “Services”). This policy (together with our Terms of Service (the “Agreement”) and any other documents referred to in it), sets out the basis on which we process personal data (also referred to as “personal information” or “information”).

This policy is addressed to our Clients’ and our prospective Clients’ employees, contractors, agents and any other authorised representatives (“you” or “your”).

Different sections of this policy apply depending on your circumstances.

I. If your employer has arranged for you to get tested for COVID-19 (core service offering)

If your employer has arranged for you to get tested for COVID-19 with us we would get that done for you on their behalf. In such circumstances we act as the data processor for your employer who acts as the data controller. We will handle all information we receive in relation to your test in accordance with: (i) your employer’s instructions; (ii) our Agreement with them; and (iii) our legal obligations. We do not use this information in relation to any other purposes. This information is generally comprised of your names, dates of birth, gender, post code, phone number, email address, ethnicity, information linked to the biological sample for testing and your test result.

Please note that our Agreement with your employer includes an obligation for us to provide your test results to them. In addition, we contractually guarantee to your employer that we shall:

  • Keep personal data secure and protect its confidentiality, integrity and availability;
  • Treat personal data as confidential information;
  • Seek their approval before we subcontract personal data processing to any third parties;
  • Assist them in fulfilling their own data protection obligations concerning data subject rights, security of processing, data breach notifications, data protection impact assessments, regulatory consultations and data protection audits.

At the end of our Agreement with your employer we undertake to return or destroy all information about you that we hold on their behalf and is capable of identifying you. The information about you that your employer receives from us during or after our engagement will be handled in accordance with their own privacy policy. You are entitled to see a copy of that policy, so please do ask for it.

Please note that our legal obligations include the obligation to notify Public Health England (“PHE”) of every positive COVID-19 test result, together with the following additional information about the affected individual: names, date of birth, gender, postcode, contact telephone number, email, ethnicity, and result date. Your information will be handled by PHE in accordance with their own notifiable diseases procedure and their own privacy policy.

If you have any questions regarding our data handling practices, please use the contact information at the end of this policy. If you wish to see our standard data processing agreement, please contact [email protected]

II. If you are using our web and app based services (supporting services)

We operate web based services that enable us to provide our core service offering in a structured, efficient and accessible manner. All of the above considerations apply when you use our web based services.

In addition to these considerations and subject to your consent or on the basis of our legitimate interests where possible, we may process certain additional technical information generated in our web based services. We do this to ensure these services are safe and reliable and in order to improve these services. In such circumstances we act as the data controller in respect of the information you generate whilst you use these supporting services. Such information is not sold or used for advertising or direct marketing purposes. It may include: username, profile preferences, purchase order history, feedback received, information about how you use our website, internet protocol (IP) address, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, device data such as the type of (mobile) device you use, a unique device identifier (for example, your device’s IMEI number, the MAC address of the device’s wireless network interface, or the mobile phone number used by the device), mobile network information, your mobile operating system, and other technology on the devices you use to access this website.

This information is generated with the help of “cookies” and other similar technologies. Please see the below table for additional information.

| Name of technology | Type of technology | Party serving the technology | Purpose of technology | Retention | Additional information |
| Google Analytics | Cookie | Google Inc | Functionality, analytics, advertising | Lifespan of the technology of users’ hardware session | https://policies.google.com/privacy |

III. If you are our Clients’ representative who is managing the commercial relationship with us

We offer Services to business only. In order to deliver, manage, improve and promote our Services, we need to process certain information about our Clients’ company representatives who are managing the commercial relationship with us. The rest of this privacy policy applies in these circumstances and in all other circumstances where we act as the data controller.

Information we need to deliver and manage our Services

We need some basic information so that we can set up Client accounts and so that we can let Clients use our Services. We will also ask for some contact information so that we can reach out to Clients if that is necessary in relation to our Services. This information includes personal data about our Clients’ representatives: usernames and passwords, name, (corporate) email address and phone number. We process such personal data as necessary for our legitimate interests that are to deliver our Services to our Clients.

Information we need to improve our Services

We need some information from our Clients in order to improve our Services. To that end we may ask Clients to give us feedback about our services. Such feedback may contain any information that the Client representative has decided to include. As such, the contents of such information which may include personal data are entirely determined by you. We process such personal data as necessary for our legitimate interests that are to improve our Services.

Information we need to promote and advertise our Services

We may approach Prospective Clients on social media, over email or over the phone to inquire whether they are interested in receiving our Services. We will use whatever public information we find to do that.

We would do this if we believe our Services or any promotional materials about our Services may be of interest to our Prospective Clients.

We will contact you if you fill in one of the web forms on our website. When we do that we will use the contact details you have decided to provide in the relevant form.

The information we need to promote and advertise our Services may include personal data. We process such data as necessary for our legitimate interests that are to grow our business.

Disclosure of your information

We treat personal data as confidential information and so do our vendors. We use various technological solutions providers in order to deliver our Services. They are prohibited from using your information for any purpose other than the delivery of their services to us. Nevertheless, depending on the type of vendor, they may have access to your information. These providers include our cloud storage providers, customer relationship management systems providers, email services providers, social media companies, analytics providers and others who assist us in promoting, delivering and improving our Services, our website and our app.

In addition, we may also disclose your personal information to third parties in the following circumstances:

  • If we sell or buy any business or assets, we may disclose personal data to the prospective seller or buyer of such business or assets (legitimate interests – to allow the prospective investors to properly evaluate our business).
  • If Research Consultancy and Health Limited or substantially all of its assets are acquired by a third party, personal data will be one of the transferred assets (legitimate interests – to allow the prospective buyers to provide you the Services).
  • If we are under a duty to disclose or share personal data in order to comply with any legal obligation or to protect the rights, property, or safety of Research Consultancy and Health Limited, our Clients, or others (legal obligation).
  • We may disclose personal data to third parties, the court service and/or regulators or law enforcement agencies in connection with proceedings or investigations anywhere in the world where compelled to do so. Where permitted, we will direct any such request to you or notify you before responding unless to do so would prejudice the prevention or detection of a crime (legal obligation or legitimate interests – to safeguard our business).

Security over the internet

No data transmission over the internet or website can be guaranteed to be completely secure from intrusion. However, we maintain commercially reasonable physical, electronic and procedural safeguards to protect personal data in accordance with data protection legislative requirements.

We use hosted servers (such as Hostinger) to deliver our Services. Our suppliers employ industry-leading standards in information security and contractually guarantee to keep personal data secure.

Where we have given you (or where you have chosen) a password which enables you to access certain parts of our Services, you are responsible for keeping this password confidential and for complying with any other security procedures that we notify you of. We ask you not to share your password with anyone.

Exports outside the EEA

We store personal data electronically on computer systems located in the United Kingdom and managed by our staff and our vendors. In certain circumstances personal data may be accessed by staff, or stored with or transferred by our vendors, in a destination outside the United Kingdom (UK) or the European Economic Area (EEA) in which data protection laws may be of a lower standard than in the UK or the EEA. In such circumstances we will impose data protection safeguards similar to those that we deploy inside the UK and the EEA. Where required by applicable law, we will transfer personal data subject to European Commission approved contractual clauses that impose equivalent data protection obligations directly on the recipient.

Please contact us if you would like further details of the specific safeguards applied to the export of your personal data.

How long we retain your personal data

We will hold personal data for as long as is necessary in order to conduct the processing detailed above, deal with any specific issues that may arise, or otherwise as is required by law or any relevant regulatory body. Once a Client account is terminated or deactivated, we shall delete the personal data relating to the account within 12 months. Some personal data may need to be retained for longer than this to ensure Research Consultancy and Health Limited can comply with applicable laws and internal compliance procedures. Such personal data may be retained for up to 6 years.

We restrict access to personal data to those persons who need to use it for the relevant purpose(s). Our retention periods are based on business needs and personal data that is no longer needed is either irreversibly anonymised (and the anonymised information may be retained) or securely destroyed. To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the personal risk or harm from unauthorised use or disclosure, the purpose for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

Your rights

Under the General Data Protection Regulation (EU) 2016/679, you have various rights in relation to your personal data. All of these rights can be exercised by contacting us at info@rcandh.com

You have the right:

  • to be informed;
  • to access (such information);
  • to rectification (of inaccurate information);
  • to erasure;
  • to restrict processing (in certain cases);
  • to object to profiling;
  • to data portability (in certain cases);
  • to complain to the Information Commissioner’s Office;
  • to withdraw consent (if we have collected your personal information on this basis).

 

Detailed information on the full content of your rights (and any conditions that may apply) is provided by the United Kingdom’s Information Commissioner’s Office and is available on their website: https://ico.org.uk/your-data-matters/.

Asking us to stop processing your personal data or deleting your personal data will likely mean that you are no longer able to use Research Consultancy and Health Limited’s Services, or at least those aspects of the Services which require the processing of the types of personal data you have asked us to delete, which may result in you no longer being able to use the Services.

While we will not sell your personal data (or any other data you provide us with) to third parties, we reserve the right to share any data which has been anonymised. You acknowledge and accept that we own all right, title and interest in and to any derived data or aggregated and/or anonymised data collected or created by us.

Changes to this policy

Any changes we make to our privacy policy in the future will be posted on this page. We therefore encourage you to review it from time to time to stay informed of how we are processing your information.

 

Contact

Questions, comments and requests regarding this privacy policy are welcome and should be addressed to [email protected]

For the purpose of the relevant data protection legislation, the controller is Research Consultancy and Health Limited (RCANDH), with registered address 17b Waldram Park Road, London, England, SE23 2PW.

 

Date of last amendment: 30 June 2021