
Privacy Policy

This privacy policy sets out how DNA Legal uses and protects any information that you give us when you use this website.

DNA Legal is committed to ensuring that your privacy is protected. Should we ask you to provide certain information by which you can be identified when using this website, then you can be assured that it will only be used in accordance with this privacy statement.

DNA Legal may change this policy from time to time by updating this page.


DNA Legal Statement 16 January 2019

 

Part A


Introduction

 

We are DNA Worldwide Group Limited. We provide testing services in our own name, and through our specialist division, DNA Legal. This statement applies to the activities of both businesses.

Very simply, our aim in this statement is to explain what personal information we hold when we carry out our testing services, why we hold it, what we do with it, and how we protect it. By personal information we mean information from which a living person can be identified.

We may also provide you with supplemental information about our use of your personal information in particular circumstances or in connection with specific services.

This statement does not include details of:

  • Information we hold about people who represent our business or non-individual customers (such as local authorities or solicitors), or about our marketing activities with our non-individual customers. By way of example, it does not set out what information we record when someone books a CPD training course through us. We will release separate information about this aspect of our activities.
  • Information which we collect purely through someone using our website.

We are entrusted with people’s sensitive personal information. We see ourselves as having a responsibility to respect and to take great care of all personal information that we hold for others, including our clients.

Regulatory background: GDPR

The EU General Data Protection Regulations (which are known as GDPR) apply to us when we collect or use personal information. The regulations were introduced to protect people's data. They apply where we process personal information. Processing includes collecting information, storing it, disclosing it, using it and destroying it.
The regulations say that information should only be processed in one or more specified circumstances, which are known as ‘lawful bases’. The lawful bases on which we may process your personal information include:

  • Where you have given your consent. We have shortened this to ‘consent’ in the statement.
  • Where necessary to carry out the terms of a contract, for example the contract for us to provide testing services. We have shortened this to ‘perform contract’.
  • Where necessary to comply with a legal obligation. We have shortened this to ‘comply with law’.
  • Where we or someone else has a legitimate interest, which is not overridden by your interests. We must always balance your interests and rights with our interests if we are to process your information on this basis. We have shortened this to ‘legitimate interest’.

In this statement we have grouped the types of personal information that we may hold into broad categories.

The categories are:

  • General information including contact information
  • Information obtained in order to provide a quote/arrange our testing services
  • Information obtained through the process of providing our testing services
  • Payment and transactional information
  • Marketing information

We also collect, use and share aggregated information such as statistical data. Aggregated information could be derived from personal data, including your test results but is not considered personal data in law as this data will not directly or indirectly reveal your identity. For example, we may aggregate information to report on our performance, particularly when tendering for business, to identify trends within our business, and to improve our services, and their accuracy.

Other examples of how we use aggregated data are for business management, planning and tracking purposes.

 

Part B

What personal information we hold, and how we use it

General contact information/communication records

This may include your name, address, phone number, email address, communications consent and other information that you may provide to us during routine communications such as when you ask us to respond to a query.

When we obtain this information

We collect some or all of this information, depending on the circumstances, when you (or someone such as your solicitor, or a local authority) ask us a query, whether by phone or email, using the contact form on our website, by letter or in person.

We retain copies of all communications, and so will have any personal information which is provided in communications with us. We may record telephone calls. If you or someone else provides us with your name, contact details and other personal information during a telephone call, these may be recorded.

| How we use this general information | Our lawful basis(s) | What is our legitimate interest? |
| --- | --- | --- |
| To communicate with you, and to investigate and respond to your queries | Legitimate interest / Perform contract (where an order has been placed for our services) | To provide information requested by or on behalf of our customers, and to respond to queries. |
| We record telephone calls with our customer services team for monitoring, training, supervision, and verification purposes. We may need to refer to these recordings if there is any dispute between us and may use them by way of evidence. | Legitimate interest / Perform contract (where an order has been placed for our services) / Comply with law | To maintain high standards on our calls, and to be able to evidence what occurred during a call. |
| Records of any consents that you give. | Comply with law / Legitimate interest | To maintain accurate records of what consents we have to perform our business activities. |
| To deliver a sampling kit for a DNA test, and to record that we have done so. | Perform contract | To improve our services. |
| To send you surveys and other requests for information in relation to our services. | Legitimate interest | |

Further Information We Obtain When We Provide a Quote for Our Services

When we provide a quote for our services, we require certain information. In this table we provide further information on what information we obtain, and why.

| What Information | How we use this information | Our lawful bases | What is our legitimate interest? |
| --- | --- | --- | --- |
| Contact information (i.e., name, address, and email address of person requesting the quote, and other people who have a proper interest in the matter) | To identify the person requesting the quote in our records, including records of services ordered, delivered, and consents provided. | Perform contract / Comply with law (in certain instances) / Legitimate interest | We have a business interest in maintaining accurate records of the business that we conduct. |
| Contact information of people who have a proper interest in the case (e.g., solicitor acting for a party, or any party to whom results are to be provided) | To identify people who have a proper interest in the case. | Perform contract / Comply with law / Legitimate interest | We have a business interest in recording details of people who have a proper interest and are likely to have expectations of us regarding the testing. |
| Shipping address | To deliver our service in accordance with our Terms, including arranging for samples to be taken from persons being tested. | Perform contract | - |
| Billing address | For arranging payment for services. | Perform contract / Comply with law | - |
| Email address | For day-to-day communications, including sending invoices, receipts, and delivering test results. | Perform contract / Legitimate interest | We have a business interest in responding to communications. |
| Name of person being tested | For identification purposes. | Perform contract / Comply with law | - |
| Address of person being tested | For making arrangements for the sample to be taken. | Perform contract | - |
| Date of Birth of person being tested | To identify whether a sample is being taken from a minor and for identification purposes. | Comply with law / Perform contract / Legitimate interest | - |
| Relevant court orders (including interim care orders - final and draft) | We use these where appropriate to help ensure that we provide the correct services and supply information as legally directed. | Comply with law / Perform contract | - |
| Sex of person being tested | To assist with or as part of the quoting process. | Perform contract / Legitimate interest | We have a legitimate interest in making sure that our quotes are accurate and in maintaining records of information provided to us. |
| Familial relationships of the person being tested (for DNA tests only) | To advise on the type of test needed and perform the relevant test. | Perform contract | - |
| Name and contact details of the person with parental responsibility of a child to be tested | To obtain consent and liaise regarding the child being tested. | Comply with law / Perform contract | - |

Information we hold when we carry out a test

We will (depending on the specific test) collect and retain information in relation to the person being tested.

Because our results are used in court cases, or for other purposes which have significant importance for people involved, we follow strict ‘chain of custody protocols’. This enables those people who rely on our tests to be confident beyond reasonable doubt that the results are from the named individual. Because of this, we take careful steps to identify the person being tested, and to record how we have identified them. We are also required to have consent prior to taking biological samples, and hence need to identify the person who is providing the consent, and to keep records of their identity and the consent provided.

Depending on the test, we also collect information which helps with the accuracy and completeness of our results. The testing process will also produce personal information, such as the test results. We will also hold test results, and correspondence and communications related to the tests and results. Where an expert report is to be provided, we will hold correspondence with the expert, and a copy of the expert’s report.

Further information is set out in the table below:

| What Information | Why We Collect This Information / How We Use It | Our Lawful Bases | What is Our Legitimate Interest? |
| --- | --- | --- | --- |
| Name/other name(s) known by | To identify in our records the person being tested, to obtain consent to testing, and in communications with laboratories and experts. | Comply with law / Perform contract / Legitimate interest | Verifying the true identity of the person tested and maintaining accurate records. |
| Date of birth | Part of our formal identification processes. | Comply with law / Perform contract / Legitimate interest | As above. |
| Photograph of the person being tested | For formal identification processes and verification. | Comply with law / Perform contract / Legitimate interest | As above. |
| Sex | To help ensure the accuracy of the tests. | Perform contract | - |
| Copy of ID document & ID document number and information | For identification and verification that we have sighted ID. | Comply with law / Perform contract / Legitimate interest | As above. |
| Familial relationship information (DNA tests only) | To help provide accurate test results. | Perform contract | - |
| Medication use/history (for drug and alcohol testing only) | To help provide accurate test results. | Consent | - |
| History of drug/alcohol abuse (for drug and alcohol testing only) | To help provide accurate test results. | Consent | - |
| Details of the nail/hair sample with comments (for nail/hair testing only) | Used to improve accuracy of reports. | Perform contract / Consent | - |
| Consent form | To collect necessary information and obtain consent for testing. | Comply with law / Perform contract | - |
| Kit bar code | To identify the sample being tested, which links back to the person. | Perform contract / Legitimate interest | Effective identification and tracking of samples. |
| Court orders | To conduct tests related to court proceedings, which may include personal information. | Perform contract / Comply with law | - |
| Physical sample | This is the sample tested and linked back via barcode. | Perform contract / Consent | - |
| Test results and report (other than DNA tests) | To provide agreed-upon test results and reports. | Perform contract | - |
| Test results/reports, DNA sample, and genetic data (for DNA tests only) | Extraction of DNA and derivation of genetic data to produce agreed test results. | Consent | - |
| Expert reports | To deliver expert reporting services as agreed. | Perform contract | - |

Payment information and financial records

When payments are made by card online, the payer’s details are processed by a third-party payment provider; we do not receive any details other than the last 4 numbers of the card used (in some cases) and the billing address (in some cases). If card payment is made by phone or in person, we will receive card information, but will process it through a third-party payment provider, and will retain only the information that we would receive if the payment were made online (see above).

Where possible we process refunds using the same method as the original payment; otherwise we make the refund by bank transfer. If we pay a refund by bank transfer, we receive the account name and payment details. This will be recorded on our bank statement.

We create and retain records of the transactions which customers enter into with us, including details of payments owing and made.

Other Use of Information

We may also use personal information which we hold to enforce our rights under our Terms and to handle any complaints or disputes that may arise, to defend any proceedings which may be brought against us or to participate in any proceedings to which we are joined, and to comply with law or any applicable regulations. Where we do so, our lawful basis will be that we have a legitimate interest or are complying with law.

Changes in why we use your information

We will only use personal information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If you wish to get an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact us.
If we need to use personal information for an unrelated purpose, we will notify you (where appropriate through your solicitor or other third party) and we will explain the legal basis which allows us to do so.

Please note that we may process personal information without your knowledge or consent, but only where this is in compliance with the above rules, where this is required or permitted by law.

 

Part C

How we collect your information

1. Direct interactions

You may give us your personal information by filling in forms or by corresponding with us by post, phone, email, or otherwise. This includes personal information you provide when you:

  • Order our services
  • Subscribe to one of our publications or mailing lists
  • Request marketing to be sent to you
  • Enter a competition, promotion or survey
  • Give us feedback or contact us

2. Through an intermediary or third party

Examples of where intermediaries provide personal information include:

  • A solicitor appointed to represent someone provides information on their behalf;
  • The lead party in a court case (meaning the party who provides instructions in relation to the testing of various parties involved in the case);
  • A local authority or governmental department who conduct and pay for testing;
  • Companies who ask us to carry out testing of their staff.

A third party may also request a quote for testing and provide information even where they are not acting on behalf of the person whose information they provide.

3. Automated technologies or interactions

We may automatically collect information about equipment, browsing actions and patterns of visitors to our website. Please see our Cookie Policy for further details.

4. Third parties or publicly available sources

We may receive personal information about you from various third parties and public sources including:

  • Analytics providers such as Google
  • Advertising networks
  • Search information providers
  • Providers of technical, payment, and delivery services.

 

Part D

Sharing your information

In this section we provide information on who we share your information with, and why.

Our policy on disclosing test results

For adults:

  • If an adult is tested, we will always provide the results to them.
  • If the person ordering the test wishes the results to be provided to people other than the person being tested, including to themselves, we will seek the consent of the person being tested before the sample is taken. If the person being tested does not consent to this, we will not take the sample.
  • We will only carry out a test which has been ordered by a court where the person being tested consents to the results being shared in accordance with the court order.

Children:

  • We will share test results with any person who can show that they have parental control in respect of a child being tested, even if they do not place the order.
  • The exception to this is where a court order forbids us from providing results to that person.

Service providers

We use a range of service providers and consultants in order to help run our businesses and to provide our services. We require all third-party service providers to respect the security of the personal information we hold and to treat it in accordance with the law. We do not allow our third-party service providers to use our clients’ personal information for their own purposes and only permit them to process it for specified purposes and in accordance with our instructions.

These service providers include:

Sample Collectors

We use the services of professional third parties to collect samples for testing. We will need to disclose personal information to the person collecting the sample in order for them to make arrangements for the sample to be collected, and also to ensure that the sample is collected correctly.

Telephone answering services

We use a third-party service provider to answer telephone calls when we are unable to do so ourselves, including when our help centre is closed.

Our laboratories & biological storage facilities

We use fully accredited professional laboratories to:

  • Receive samples.
  • Carry out testing.

Expert Reports / Expert Witness Services

Where we are retained to provide an expert report or expert witness services:

  • We may use the service of expert third parties.
  • Where we do, we will share personal information with the expert third parties as necessary to enable them to perform their services.

‘Cloud’ based service providers

We use ‘cloud’ based storage providers to securely maintain the information held within our databases, including sensitive personal information.
(Please see the section ‘Security of your information’ below for further information on the security aspects of our cloud storage arrangements.)

We also use service providers who assist us with:

  • Our ‘cloud’ based infrastructure.
  • ‘Cloud’ client support tools.

Professional advisers

We may share information with our professional advisers including lawyers, accountants and insurance advisers. We do not routinely share genetic, health, drug or alcohol related information with our professional advisers, but it is possible that this could happen, for example if court proceedings relating to our test results were to be brought against us.

Other specialist consultants and service providers

These include IT consultants and service providers, and service providers that assist us with marketing, analytics, and cyber security/fraud prevention. 

We may also in limited circumstances share personal information with our insurer.

Payment service providers

We use the services of payment processing companies to facilitate you making payment. These providers will use contact and billing information including credit card details to process payments. When payment is made online, banking details are provided to that payment processing company, and not to us.

The Legal Process

There are circumstances in which we may be legally required to disclose information. Examples of this include where we are subject to:

  • A binding court order
  • A subpoena
  • A legally binding direction by a regulator
  • A requirement to share information with HM Revenue and Customs

We reserve the right to share personal information where we reasonably believe that we are legally required to do so. We may also share information where this is necessary for us to exercise or enforce our rights under our Terms or otherwise at law, or where we reasonably and in good faith consider that it is necessary or appropriate to do so in order to protect the security of our site, customers or employees.

Change in Control

We may share information with third parties to whom we may sell, transfer or merge parts of our business or our assets, or alternatively where we buy or merge with other businesses. If a change happens to our business, then the new owners may only use your personal information in the same way as set out in this privacy statement.

 

Part E

How long we keep your personal data

In this section we provide guidance on how long we are likely to retain your personal information. This generally depends on how and why the information is collected. Please also be aware that it takes up to a further 6 months from the dates specified in this section for information that is no longer required to be fully removed from our systems because we retain backup and archive files.

We may also retain limited personal information for a longer period than specified including in the event of a complaint or if we reasonably believe there is a prospect of litigation relating to our relationship with you, or that the information may be needed to exercise or enforce our rights under our terms, or to perform contractual obligations. We may also retain information for a longer period where we are legally required to do so, and for audit and compliance purposes or where the information we hold is required in connection with a legal process. Additionally, our laboratories may also need to retain information that they hold on our behalf for longer periods to comply with legal or regulatory requirements. We may also retain sufficient information to be able to evidence your account deletion request.

We retain information for the periods below:

General information including contact information and communications

  • Call recordings: 
    Up to 6 months from the end of the month in which the call happened.
  • General contact information provided when we are asked to provide a quote, our quotes and related communications, and communications with us including notes taken during telephone calls:
    • 12 months, unless the quote is accepted
    • If a quote is accepted, we retain all information relating to the quote and the test for 7 years after the date on which the results are provided.

Payment Information and financial records

By law we have to retain financial records. We retain the name and contact details of each person who pays for a test, any payment details we have, and transactional information for up to seven years after we receive payment for our services.

Information relating to services:

We retain samples for 7 years unless we are requested to delete the sample by or on behalf of the person whose sample it is. We may retain the sample for a longer period of time where lawfully required to do so. We retain our internal records in connection with our services, test results and our expert reports for 7 years from the date on which we provide our results/reports, or for so long as we are aware that legal proceedings to which the test/report relates are ongoing.

 

Part F

Security

We are committed to being a secure and trusted partner for your personal information, including sensitive information such as test results.

How do we do this?

At the heart of how we protect your information is our commitment to International Standards set by ISO.

We are certified to:

  • ISO:9001 for quality controls
  • ISO:27001 for information security

As part of our ISO accreditation, audits and reviews are conducted of all relevant third-party service providers to check that they meet our strict requirements.

We use a combination of technical, physical and organisational measures to protect the security of your information.

Physical and organisational measures

Physical and organisational measures help protect against social engineering attacks whereby an unauthorised person gains access to restricted information or a physical location through psychological manipulation of authorised individuals.

These measures include:

  • Security clearances
  • Extensive training
  • Physical security measures

All of these are subjected to rigorous external audits throughout the year.

Technical Measures

Technical measures implemented to protect your information include:

  • Security by design
  • Encryption
  • Separation of Concerns & Pseudonymization
  • Monitoring and Alerting
  • Proactive Vulnerability and Penetration Testing

What is security by design?

Software has been designed and implemented with a security first process with the expectation that malicious third parties will attempt to exploit the system. This includes minimising permissions and access to data for internal secure systems.

What is encryption?

Data is scrambled so it is unreadable by humans or computers without a unique decryption key which is kept separate and secure. Data is encrypted as it flows through our system to you (HTTPS) and while it is stored by us (encryption at rest). This significantly increases the difficulty of accessing data in the event of unauthorised access to our systems.

What is monitoring and alerting?

We actively monitor our systems and all communication with the outside world, collecting and analysing the available data for indicators of potential threats and breaches. These are automatically triaged and alerted to our security team for appropriate action.

What is proactive vulnerability and penetration testing?

We periodically employ the services of third-party specialists to act as malicious parties and attempt to breach our security in a controlled and safe way. This enables us to identify and assess potential attack vectors before they are identified by monitoring and alerting tools and to address and harden appropriately.

 

Part G: General

Your rights

If we hold your personal information, in certain circumstances, you have rights under data protection laws. Please click on the links below to find out more about these rights:

  • Request access to your personal data.
  • Request correction of your personal data.
  • Request erasure of your personal data.
  • Object to processing of your personal data.
  • Request restriction of processing your personal data.
  • Request transfer of your personal data.
  • Right to withdraw consent.

If you wish to exercise any of the rights above, please contact us.

No fee

You will not have to pay a fee to access your personal data or to exercise any of the rights. However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we could refuse to comply with your request in these circumstances.

What we may need from you

We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. 

We may also contact you to ask you for further information in relation to your request to speed up our response.

Time limit to respond.

We try to respond to all legitimate requests within one month. Occasionally it could take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated. 

Contact Details

We are DNA Legal Limited, of
K10 The Courtyard, Jenson Avenue, Commerce Park, Frome, Somerset, United Kingdom, BA11 2FG.

If you have any queries about the privacy of your information, or about the information in this statement, or if you think the information is in any way incomplete, please contact us at:

We also have a Data Protection Manager who can be contacted at:

 

Complaints

You have the right to make a complaint at any time to the Information Commissioner's Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us in the first instance.

Changes to this statement, and your duty to tell us of changes

We keep this statement under regular review. This version was last published on 16 January 2019. Historic versions can be obtained by contacting us. It is important that the personal information we hold about you is accurate and current. 

Please let us know if your personal data changes during your relationship with us.

Appendix

You have the right to:

Request Access

Request access to your personal information (commonly known as a "data subject access request"). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it.

Request Correction

Request correction of the personal information that we hold about you.
This enables you to have any incomplete or inaccurate information we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.

Request Erasure

Request erasure of your personal information.
This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it.
You also have the right to ask us to delete or remove your personal information where you have:

  • Successfully exercised your right to object to processing (see below)
  • Where we may have processed your information unlawfully
  • Where we are required to erase your personal information to comply with local law

Note: We may not always be able to comply with your request for erasure for specific legal reasons. These will be notified to you, if applicable, at the time of your request.

Object to Processing

Object to processing of your personal information where:

  • We are relying on a legitimate interest (or those of a third party)
  • There is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts your fundamental rights and freedoms

You also have the right to object where we are processing your personal information for direct marketing purposes.

Note: In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms.

Request Restriction of Processing

Request restriction of processing of your personal information.
This enables you to ask us to suspend the processing of your personal information in the following scenarios:

  • If you want us to establish the accuracy of the information.
  • Where our use of the information is unlawful, but you do not want us to erase it.
  • Where you need us to hold the information even if we no longer require it, as you need it to establish, exercise, or defend legal claims.
  • You have objected to our use of your information, but we need to verify whether we have overriding legitimate grounds to use it.

Request the Transfer

Request the transfer of your personal information to you or to a third party.
We will provide to you, or a third party you have chosen, your personal information in a structured, commonly used, machine-readable format.

Note: This right only applies to automated information which you initially provided consent for us to use, or where we used the information to perform a contract with you.

Withdraw Consent

Withdraw consent at any time where we are relying on consent to process your personal information. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain services to you. We will advise you if this is the case at the time you withdraw your consent.