Why this notice is important
Please read this notice carefully. It sets out how we use your personal data and your rights as a data subject.
Please read this Privacy Notice together with any other privacy notice we may provide for specific circumstances when we process your personal data.
This Privacy Notice supplements those other notices; it does not replace them.
This notice applies to visitors to our website https://bmjsept2021.qcovid.org/.
Personal data is information about an identifiable individual; anonymous or anonymised data about an individual is not personal data.
This Privacy Notice applies when we control the purposes for which your personal data is collected and used; it does not apply when we process personal data on behalf of someone else who controls how your personal data is used.
Data Protection law obliges us to:
- Use your personal data lawfully, fairly and in a transparent way;
- Collect your personal data only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes;
- Collect and hold personal data which is relevant to the purposes we have told you about and limited only to those purposes;
- Keep your personal data accurate and up to date;
- Keep your personal data only for as long as is necessary for the purposes we have told you about; and
- Keep your personal data securely.
https://bmjsept2021.qcovid.org/ is a website managed by Oxford University Innovation Limited.
Oxford University Innovation Limited is a company registered in England with company number 02199542. Our registered office is at University Offices, Wellington Square, Oxford, OX1 2JD. We are registered with the UK Information Commissioner's Office under registration number Z6557298.
The types of personal data we collect, how we use them and the legal basis for that use
We collect your IP address and information about your browsing patterns when you use our website.
We use your IP address and information about your browsing patterns in order to monitor site performance and improve the user experience. The legal basis for our doing this are our legitimate interests in managing our website.
If you contact us with an enquiry, complaint or to exercise your rights as a data subject, we collect any personal data you provide to us and use it only to deal with your enquiry, complaint or request to exercise your rights. The legal bases for our doing that are our legitimate interests in managing our website and making the QCovidRisk Calculator available and to comply with our legal obligations.
QCovid Risk Calculator: The QCovid calculator web form () captures information on personal and clinical risk factors for catching and going to hospital or catching and dying of Covid-19. It does this for the purpose of calculating the risk score for a hypothetical individual with the details you insert into the calculator.
When you use the qcovid risk calculator you must not input any information or parameters relating to an identified or identifiable individual, i.e. any personal data.
Users are reminded that the risk calculator may be used only for academic research and peer review, and it must not be used to inform clinical decisions. Full terms and conditions can be found here (https://bmjsept2021.qcovid.org/Home/Licence).
Change of purpose
We will use your personal data only for the purposes for which we collected it, unless:
- We reasonably consider that we need to use it for another purpose and that purpose is compatible with the original purpose; or
- We anonymise your personal data and use it for research or statistical purposes.
For an explanation as to how use of your personal data for a new purpose is compatible with the original purpose, please email us at email@example.com with 'Personal Data Enquiry' in the subject line of your email.
If we intend to use your personal data for an unrelated purpose, we will contact you to explain the legal basis which allows us to use your personal data for that unrelated purpose.
If we use we use your personal data for archiving purposes in the public interest, for scientific or historical research purposes or statistical purposes and we impose the safeguards required by the law, those purposes are treated as being compatible with the original purpose.
We do not use your personal data collected through this website or which you provide to us when you contact us with an enquiry, compliant or to exercise your rights for marketing.
Automated decision making
We do not use information about you for the purposes of automated decision making.
Sharing your personal data
We may share your personal data with:
- A purchaser of OUI or of our business or any business assets – we may disclose your personal data to the prospective buyer(s) and its or their professional advisers and, if our business assets are sold, personal data will be one of the assets transferred;
- Any business with which we merge or merge part of our business;
- Any company or business which we acquire;
- Anyone we engage to process personal data for us, such as the provider of our IT systems. That person will be obliged to use your personal data only for our purposes, to process it only in accordance with our instructions and to have appropriate security measures in place to protect your personal data;
- If necessary to obtain advice, to our professional advisers who owe an obligation of confidence to us;
- To law enforcement agencies, if we know of think that you or your employer are/is engaged in any illegal activity;
- Anyone, if necessary to comply with any law or regulation; and
- Anyone, if necessary to enforce our rights or to protect our property or to protect the rights or property of anyone else.
Transfers of your personal data outside the UK and the EU
We may transfer your personal data outside United Kingdom but we will not do so unless:
- We transfer it to a member state of the European Union;
- We transfer it to a country which the European Commission or any competent supervisory authority competent supervisory authority has decided ensures an adequate level of protection for personal data or if the recipient has entered into the Standard Contractual Clauses published by the European Commission or any competent supervisory authority. If you wish to see a copy of the Standard Contractual Clauses we use, please email us at firstname.lastname@example.org with 'Personal Data Transfer' in the subject line of your email;
- You have given your explicit consent to the transfer of your personal data outside the UK and the EU. (If you have given that consent you may withdraw it at any time by emailing us at email@example.com with 'Data Consent' in the subject line of your email.
- We cannot perform a contract with you without making that transfer;
- We cannot take steps you have requested us to take without making that transfer;
- We cannot enter into or perform a contract with someone else and which is in your interests without making that transfer;
- The transfer is necessary for important reasons of public interest; or
- The transfer is necessary for the establishment, exercise or defence of legal claims.
Your personal data may be accessed by our staff when they are outside the EU, but the same safeguards will apply as though our staff were accessing your personal data from within the EU.
We have appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed.
We limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will process your personal data on only on our instructions and they are subject to a duty of confidentiality.
We have procedures to deal with any suspected personal data breach and will tell the Information Commissioner's Office and you of a breach of security involving your personal data if the law obliges us to do so.
How long we keep your personal data
We will keep your personal data about you only for so long as is necessary to achieve the purpose for which we have collected that data, or as required by law, or as required for in order to meet any legal, accounting, or reporting requirements.
When deciding what is the appropriate retention period for your personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from any unauthorised use or disclosure of your personal data, the purposes for which we use your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
Details of retention periods for different aspects of your personal data are set out in our data retention policy. You can request a copy of that by emailing us at firstname.lastname@example.org with 'Privacy Notice Question' in the subject line of your email.
In some circumstances you can ask us to delete your personal data. Please see Your Rights.
If we anonymise your personal data, it will no longer be personal data and we may use it indefinitely.
In certain circumstances you have the right to:
Request access to your personal data: You have the right to receive confirmation of whether or not we are holding or using your personal data and, if we are, to obtain a copy of your personal data.
Request the correction of your personal data: You have the right to have any incomplete or inaccurate personal data we hold about you corrected. We may need to verify the accuracy of any new data you provide.
Request the erasure of your personal data (the right to be forgotten): You have the right to ask us to delete or remove personal data where we have no good reason to continue using it.
You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to our using it (see below), where we may have used your personal data unlawfully or where we are required to erase your personal data to comply with the law. We may not always be able to comply with your request for erasure for legal reasons which we will inform you about if you request erasure.
Request a restriction on the processing of your personal data: You have the right to ask us to suspend the processing of your personal data in the following circumstances:
- If you want us to establish the data's accuracy;
- Where our use of your personal data is unlawful but you do not want us to erase it;
- Where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or
- You have objected to our use of your personal data but we need to verify whether we have overriding legitimate grounds to use it.
Object to the processing of your personal data: You have the right to object, where we are relying on our legitimate interest (or that of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. In some cases, we may demonstrate that we have compelling legitimate grounds to process your personal data and that those grounds override your rights and freedoms.
Object to the use of your personal data for direct marketing purposes: You have the right to object where we are processing your personal data for direct marketing purposes.
Withdraw consent: Where you have given consent to our using your personal data for a specific purpose, you have the right to withdraw that consent at any time. Your withdrawal of consent will not affect the lawfulness of any use of your personal data based on your consent before you withdraw consent.
Request the transfer of your personal data (data portability): You have the right, where you provided your personal data to us, you gave consent to our using your personal data or we used that personal data to perform a contract with you and we have processed that data by automated means, to receive the personal data you have provided to us and to have us transmit that data to another person, if it is feasible to do so.
If you want to exercise any of the above rights please email us at email@example.com with 'Personal Data Request' in the subject line of your email.
We try to respond to all legitimate requests within a month. It may take us longer than a month if your request is complicated or you have made a number of requests. In this case, we will notify you and keep you updated.
Normally you will not have to pay a fee to access your personal data or to exercise any other right, but, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in those circumstances.
We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data or to exercise any other right. This is to ensure that personal data is not disclosed to a person who has no right to receive it. We may also contact you to ask you for further information in relation to your request.
You are not obliged to provide us with any personal data
You may decide not to give us any personal data, but
- If you do not provide data which is necessary for us to provide a service or to verify your identity we may not be able to provide and you may not be able to use that service; or
- We may not be able to comply with any request to exercise your rights if we are unsure about your identity.
Links to other websites
Our website may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control those third-party websites and we are not responsible for their privacy policies or statements.
This Privacy Notice does not apply to any website operated by a third party. If you visit a third party website, please read its Privacy Notice or privacy statement to find out how it uses your personal data.
Complaints and enquiries
We take any complaints we receive very seriously. Please bring it to our attention if you think that our collection or use of your personal data is unfair, misleading or inappropriate.
We also welcome any suggestions for improving our procedures.
This Privacy Notice was drafted with brevity and clarity in mind. It does not provide exhaustive details of our collection and use of personal data, but please feel free to contact us if you want any additional information or further explanation.
You have the right to make a complaint about the way we have used your personal data to the UK Information Commissioner's Office (the ICO) at The Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF or www.ico.org.uk, but please give us a chance to address your concerns before you contact the ICO.
How to contact us
If you want to ask us about this Privacy Notice, please email us at firstname.lastname@example.org with 'Privacy Notice Question' in the subject line of your email.
Changes to this privacy notice and your personal data
We keep this Privacy Notice under review. It was last updated on 21st October 2020.
It is important that your personal data is accurate and up to date. Please let us know if your personal data changes.