Privacy Notice - OpenGWAS

The University of Bristol (“The University”, “We”) is committed to protecting your personal data and for keeping you informed about how information about you is used.

This notice outlines how we collect and process your personal data in relation to the OpenGWAS database, and how we adhere to the requirements of UK General Data Protection Regulation (UK GDPR) and the Data Protection Act (2018).

This notice should be read in conjunction with the University’s top level privacy notices.

OpenGWAS is a cloud-based data aggregation and delivery service that aggregates genome-wide association study datasets and makes these accessible through an application programming interface (API).

Types of personal data processed

The following is a non-exhaustive list of the types of personal data that we may process about you when you use the OpenGWAS database.

Name
Email address
Affiliation / organisation
Role in organisation

We do not need to process any special or sensitive categories.

How we collect your data and how we use it

The information we process about you is collected from the following sources including

Sign up form on the website
Information provided from authentication services such as Microsoft or GitHub as part of the account authentication process

The above information will be processed to create and authenticate users accounts to access the Open GWAS database and to provide appropriate support which includes contacting you about critical updates that may affect your work, or to manage your account in accordance with the end user licence agreement. This information will also be used to confirm the service is being used with a commercial license when used by or on behalf of a commercial organisation.

We will not use your personal information for marketing.

We will not use your personal data for automated decision making about you or for profiling purposes.

The lawful basis for us to process your personal data is Article 6(1)(b) processing is necessary to provide a service that the customer has contracted for.

Sharing your personal data

Your personal data will be collected and processed primarily by the University.

We may need to share your personal data with internal parties in aggregate form (i.e. non-identifiable information) to evidence usage of the platform which is important for the sustainability of the resource.

The OpenGWAS technical team within University of Bristol acts for this activity in its capacity as the service provider. They have full access to the personal data described above. The data will also be hosted on Oracle Cloud Services and collected using Microsoft (forms), both parties are processing data on behalf of the University under a contract. Where the University is using a third-party service, it will ensure appropriate contracts are in place to ensure this is handled securely and in accordance with our instructions.

For further information on how Oracle Cloud Services process personal data please see https://www.oracle.com/uk/legal/privacy/services-privacy-policy/.

Please note that we may need to share your personal information with a regulator or to otherwise comply with the law, and the list above is not necessarily exhaustive.

Storage and retention of personal data

The University has put in place appropriate technical and organisational security measures to prevent your personal data from being accidentally lost or used, accessed, altered or disclosed in any unauthorised way.

Access to your personal data is limited to those that have a lawful and legitimate need to access it.

We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. Inactive accounts will be deleted following 3 years of inactive use. Users can request deletion of their account user information through the website, and this will be deleted immediately. Due to the nature of how log files are managed it may take up to 6 months for all activity logs to be removed entirely however activity logs will only contain pseudonymised user ID’s.

Your rights

Under certain circumstances, you may have the following rights in relation to the data we process:

Right to request access to your personal data;
Right to request correction of your personal data;
Right to request erasure of your personal data;
Right to object to processing of your personal data;
Right to request restriction of the processing your personal data;
Right to request the transfer of your personal data;
Right to withdraw consent.

For more information on these rights please visit the University’s guidance here. To exercise any of the above rights please contact the Data Protection Officer via data-protection@bristol.ac.uk.

Questions, comments and complaints

If you have any questions or comments regarding this Privacy Notice, please contact: g.hemani@bristol.ac.uk.

You can also contact the University’s Data Protection Officer at: data-protection@bristol.ac.uk.