Privacy Policy

This privacy policy sets out how DNA Legal uses and protects any information that you give us when you use this website.

DNA Legal is committed to ensuring that your privacy is protected. Should we ask you to provide certain information by which you can be identified when using this website, then you can be assured that it will only be used in accordance with this privacy statement.

DNA Legal may change this policy from time to time by updating this page.

DNA Legal Statement 16 January 2019
Part A
Introduction

We are DNA Worldwide Group Limited. We provide testing services in our own name, and through our specialist division, DNA Legal. This statement applies to the activities of both businesses.

Very simply, our aim in this statement is to explain what personal information we hold when we carry out our testing services, why we hold it, what we do with it, and how we protect it. By personal information we mean information from which a living person can be identified.

We may also provide you with supplemental information about our use of your personal information in particular circumstances or in connection with specific services.

This statement does not include details of:

●  Information we hold about who people represent our business or non-individual customers (such as local authorities or solicitors) /our marketing activities with our non-individual customers. By way of example, it does not set out what information we record when someone books a CPD training course through us. We will release separate information about this aspect of our activities.

●  Information which we collect purely through someone using our website.
We are entrusted with people’s sensitive personal information. We see ourselves as having a responsibility to respect and to take great care of all personal information that we hold for others, including our clients.

Regulatory background: GDPR

The EU General Data Protection Regulations (which are known as GDPR) apply to us when we collect or use personal information. The regulations were introduced to protect people's’ data. It applies where we process personal information​.​ ​​Processing includes collecting information, storing it, disclosing it, using it and destroying it.
The regulations say that information should only be processed in one or more specified circumstances, which are known as ‘lawful bases’. The lawful bases on which we may process your personal information include:

●  Where you have given your consent. We have shortened this to ‘​​consent​’ in the statement)

●  Where necessary to carry out the terms of a contract, for example the contract for us to provide testing services. We have shortened this to ‘​​​perform contract​’​.

●  Where necessary to comply with a legal obligation. We have shortened this to ​‘​comply with law​​’

●  Where we or someone else has a legitimate interest, which is not overridden by your interests.

We must always balance your interests and rights with our interests if we are to process your information on this basis. We have shortened this to ‘​legitimate​ ​interest​​’.
In this statement we have grouped the types of personal information that we may hold into broad categories.

The categories are:

General information including contact information

Information obtained in order to provide a quote/arrange our testing services

Information obtained through the process of providing our testing services

Payment and transactional information

Marketing information

We also collect, use and share aggregated information such as statistical data. Aggregated information could be derived from personal data, including your test results but is not considered personal data in law as this data will not directly or indirectly reveal your identity. For example, we may aggregate information to report on our performance, particularly when tendering for business, to identify trends within our business, and to improve our services, and their accuracy.

Other examples of how we use aggregated data are for business management, planning and tracking purposes.

Part B
What personal information we hold, and how we use it

General contact information/communication records
This may include your name, address, phone number, email address, communications consent and other information that you may provide to us during routine communications such as when you ask us to respond to a query.
When we obtain this information
We collect some or all of this information, depending on the circumstances, when you (or someone such as your solicitor, or a local authority) asks us a query, whether by phone, or email, using the contact from on our website, by letter or in person. We retain copies of all communications, and so will have any personal information which is provided in communications with us.
We may record telephone calls. If you or someone else provides us with your name, contact details and other personal information during a telephone call, these may be recorded.

We provide further information about what information we obtain, and why in this table:

How we use this general Our lawful What is our legitimate information basis(s) interest?

To communicate with you, and to investigate and respond to your queries

Legitimate interest

Perform contract (where an order has been placed for our services)

To provide information requested by or on behalf of our customers, and to respond to queries.

We record telephone calls with our customer services team for monitoring, training, supervision and for verification purposes. We may need to refer to these recordings if there is any dispute between us and may use them for by way of evidence.

Legitimate interest.

Perform contract (where an order has been placed for our services)

To maintain high standards on our calls, and to be able to evidence what occurred during a call.

Comply with law

Records of any consents that you give.

Comply with law Legitimate interest

To maintain accurate records of what consents we have to perform our business activities

To deliver a sampling kit for a DNA test, and to record that we have done so

Perform contract

To send you surveys and other requests for information in relation to our services

Legitimate interest

To improve our services

Further​ ​Information we obtain when we provide a quote for our services
When we provide a quote for our services, we require certain information. In this table we provide further information on what information we obtain, and why.

What Information How we use this Our lawful What is our legitimate information bases interest?

Contact information i.e. name, address and email address of person requesting the quote, and other people who have a proper interest in the matter

To identify the person requesting the quote in our records including records of services ordered, and delivered and consents provided

Perform contract

Comply with law (in certain instances)

Legitimate interest

We have a business interest in maintaining accurate records of the business that we conduct.

To identify people who have a proper interest in the case, including any solicitor acting for a party, or any party to whom results are to be provided

Perform contract

Comply with law

Legitimate interest

We have a business interest in recording details of people who have a proper interest in a matter, and who are likely to have expectations of us in connection with the testing.

To deliver our service in accordance with our Terms including arranging for samples to be taken from persons being tested

Perform contract

To exercise and if necessary, to enforce our rights under our Terms and to handle any complaints or disputes that may arise

Perform contract

Legitimate interest

To responsibly manage our business by enforcing our rights under our Terms, including defending any claims that may be brought against us.

Shipping address

Test results may be sent to this address

Perform contract

Billing address

For the purposes of arranging payment for services

Perform Contract

Comply with Law

Email address

We use this address for day to day communications including sending invoices and receipts, and for the purpose of delivering test results.

Perform contract

Legitimate interest

We have a business interest in responding to communications

Name of person being tested

We use this for identification purposes

Perform contract

Comply with law

Address of person being tested

We use this when making arrangements for the sample to be taken.

Perform contract

DOB of person being tested

We use this to identify whether a sample is being taken from a minor and for identification purposes

Comply with Law

Perform contract

Legitimate Interest

Relevant court orders, including interim care orders (final and draft) are sometimes provided to us when a quote is requested, or at a later date and these generally contain personal information in relation to the person being tested, and other parties.

We use these where appropriate to help ensure that we provide the correct services and supply information as legally directed.

Comply with law

Perform contract

Sex of person being tested

We sometimes receive or ask for the sex of the person being tested to assist with, or as part of the quoting process

Perform contract

Legitimate interest

We have a legitimate interest in making sure that our quotes are accurate, and in maintaining records of information that persons seeking quotes provide to us

Familial relationships of person being tested (for DNA tests only)

We identify and record the familial relationships between the persons being tested in order to advise on the type of test needed and person the relevant test.

Perform contract

Name and contact details of person with parental responsibility of a child to be tested

Where we test a child, we need the consent of the person who has parental responsibility, and to be able to liaise with that person as needed

Comply with law

Perform contract

Information we hold when we carry out a test

We will (depending on the specific test) collect and retain information in relation to the person being tested.

Because our results are used in court cases, or for other purposes which have significant importance for people involved, we follow strict ‘chain of custody protocols’. This enables those people who rely on our tests to be confident beyond reasonable doubt that the results are from the named individual. Because of this, we take careful steps to identify the person being tested, and to record how we have identified them.

We are also required to have consent prior to taking biological samples, and hence need to identify the person who is providing the consent, and to keep records of their identity and the consent provided.

Depending on the test, we also collect information which helps with the accuracy and completeness of our results. ensure the accuracy of our results. The testing process will also produce personal information, such as the test results.

We will also hold test results, and correspondence and communications related to the tests and results. Where an expert report is to be provided, we will hold correspondence with the expert, and a copy of the expert’s report.

Further information is set out in the table below:

What Why we collect this Our lawful bases Information information/ how we use it

What is our legitimate interest?

Name/other name(s) known by

We use this to identify in our records the person being tested or in respect of whom a report, to obtain consent to testing, and in our communications with laboratories who perform services for us and experts if an expert report is being provided.

Comply with law Perform contract Legitimate interest

We have a business interest in verifying the true identity of the person being tested, in maintaining accurate records of who we test, and being able to evidence that we have checked the participant’s identity.

Date of birth

We use this as part of our formal identification processes.

Comply with law Perform contract Legitimate interest

As above

A photograph of the person being tested

We use this as part of our formal identification processes, and to enable us to verify that we have taken the sample from the person whose ID we have verified

Comply with law Perform contract Legitimate interest

As above

Sex

We use this to help ensure the accuracy of the tests that we carry out

Perform contract

Copy ID document & ID document number and information from ID

We use this for identification purposes, and to verify that we have sighted ID

Comply with law Perform contract Legitimate interest

As above

Familial relationship information

For DNA tests only – used to help provide accurate test results

Perform contract

Medication use/history

For drug and alcohol testing only- used to help us provide accurate test results

Consent

History of drug/alcohol abuse

For drug and alcohol testing only- used to help us provide accurate test results

Consent

Details of the nail/hair sample (as appropriate) with comments/

For nail/hair testing only, we use information about the hair/nail and hair products used by the

Perform contract

details of hair products and treatments used on hair to be tested

participant to improve the accuracy of our reports

Consent form

We use this form to collect information we need to conduct the test, and to obtain consent for testing

Comply with law Perform contract

Kit bar code

We use a ​​barcode​​ to identify the sample being tested, which in turn can identify a person in our records

Perform contract Legitimate interest

We have a business interest in having effective means of identifying and tracking samples and within our systems and in our labs

Court orders

Where a test is being carried out in relation to court proceedings, we may be provided with relevant court order which contain personal information about the person being tested and other parties.

Perform contract Comply with law

Physical sample

This is the sample that is being tested. We use a barcode to identify the sample, and to link that sample back to the person who provided it.

Perform contract Consent

Test results and report (other than DNA tests)

We provide test results/reports as agreed at the time the order is placed.

Perform contract

Test results/reports/ DNA sample,

Our testing process involves extracting a person’s DNA sample

Consent

and genetic data (for DNA tests only)

and deriving their genetic data. This is used to genetic produce test results/reports agreed at the time the order was placed.

Expert reports

Perform contract

Payment information and financial records

When payments are made by card online, the payer’s details are processed by a third-party payment provider; we do not receive any details other than the last 4 numbers of the card used (in some cases) and the billing address (in some cases).

If card payment is made by phone or in person, we will receive card information, but will process it through a third-party payment provider, and will retain only the information that we would receive if the payment were made online (see above).

Where possible we process refunds in the same manner as payments, otherwise we make the payment by bank transfer.

We generally pay refunds using the same method as payment. If paying a refund by bank transfer, we receive account name, and payment details. This will be recorded on our bank statement.

We create and retain records of the transactions which customers enter into with us, including details of payments owing and made.

How we use this information Our lawful bases What is our legitimate interest

We use the paying party’s name and address for financial record keeping purposes

Comply with law

To maintain accurate financial records

We use payment information to process payments and refunds

Perform contract Comply with law

To maintain accurate financial records

We record details of our financial transactions which will include the paying party’s

Legitimate interest

To maintain accurate financial records

name, email, address and payments made or owing

Comply with law

Other Use of Information

We may also use personal information which we hold to enforce our rights under our Terms and to handle any complaints or disputes that may arise, to defend any proceedings which may be brought against us or to participate in any proceedings to which we are joined, and to comply with law or any applicable regulations. Where we do so, our lawful basis will be that we have a legitimate interest or are complying with law.
Changes in why we use your information
We will only use personal information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If you wish to get an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact us.
If we need to use personal information for an unrelated purpose, we will notify you (where appropriate through your solicitor or other third party) and we will explain the legal basis which allows us to do so.

Please note that we may process personal information without your knowledge or consent, but only where this in compliance with the above rules, where this is required or permitted by law.

Part C
How we collect your information

We use different methods to collect personal information including:

●  Direct interactions. You may give us your personal information by filling in forms or by corresponding with us by post, phone, email, or otherwise. This includes personal information you provide when you

●  order our services;

●  subscribe to one of our publications or mailing lists;

●  request marketing to be sent to you;

●  enter a competition, promotion or survey; or

●  give us feedback or contact us.

●  Through an intermediary or third party. Examples of where intermediaries provide personal

information include where a solicitor appointed to represent someone provides information on their behalf, the lead party in a court case (meaning the party who provides instructions in relation to the testing of various parties involved in the case), or a local authority or governmental department who conduct and pay for testing, and companies who ask us to carry out testing of their staff. A third party may also request a quote for testing and provide information even where they are not acting on behalf of the person whose information they provide.

●  Automated technologies or interactions. We may automatically collect information about equipment, browsing actions and patterns of visitors to our website. Please see our ​Cookie Policy​ for further details.

●  Third parties or publicly available sources. We may receive personal information about you from various third parties and public sources including:

● Information from: analytics providers such as Google

advertising networks; and

search information providers

●  providers of technical, payment and delivery services

Part D
Sharing your information
In this section we provide information on who we share your information with, and why.

Our policy on disclosing test results

For adults:

●  If an adult is tested, we will always provide the results to them.

●  If the person ordering the test wishes the results to be provided to people other than the

person being tested, including to themselves, we will seek the consent of the person being tested before the sample is taken. If the person being tested does not consent to this, we will not take the sample.

●  We will only carry out a test which has been ordered by a court where the person being tested consents to the results being shared in accordance with the court order.
Children

●  We will share test results with any person who can show that they have parental control in respect of a child being tested, even if they do not place the order. The exception to this is where a court order forbids us from providing results to that person.
Service providers

We use a range of service providers and consultants in order to help run our businesses and to provide our services. We require all third-party service providers to respect the security of the personal information we hold and to treat it in accordance with the law. We do not allow our third-party service providers to use our client’s personal information for their own purposes and only permit them to process it for specified purposes and in accordance with our instructions.

These service providers include:

Sample Collectors

We use the services of professional third parties to collect samples for testing. We will need to disclose personal information to the person collecting the sample in order for them to make arrangements for the sample to be collected, and also to ensure that the sample is collected correctly.

Telephone answering services

We use a third-party service provider to answer telephone calls when we are unable to do so ourselves, including when our help centre is closed.
Our laboratories & biological storage facilities
We use fully accredited professional laboratories to receive samples and to carry out testing. Expert Reports/ Expert Witness Services

Where we are retained to provide an expert report, or expert witness services we may use the service of expert third parties, and where we do, we will share personal information with the expert third parties as necessary to enable them to perform their services.
‘Cloud’ based service providers

We use ‘cloud’ based storage providers to securely maintain the information held within our databases, and this will include sensitive personal information.
Please see ‘Security of your information’ below for further information on security aspects of our cloud storage arrangements.

We also use service providers who assist us with our ‘cloud’ based infrastructure, and ‘cloud’ client support tools.

Professional advisers

We may share information with our professional advisers including lawyers, accountants and insurance advisers. We do not routinely share genetic, or health or drug or alcohol related information with our professional advisers, but it would be possible that this could happen, for example if court proceedings relating to our test results were to be brought against us.

Other specialist consultants and service providers

These include IT consultants and service providers, and service providers that assist us with marketing, analytics, and cyber security/fraud prevention. We may also in limited circumstances share personal information with our insurer.
Payment service providers

We use the services of payment processing companies to facilitate you making payment. These providers will use contact and billing information including credit card details to process payments. When payment is made on line, banking details are provided to that payment processing company, and not to us.

The Legal Process

There are circumstances in which we may be legally required to disclose information. Examples of this include where a we are subject to a binding court order, subpoena, or a legally binding direction by a regulator, and where we are required to share information with HM Revenue and Customs. We reserve the right to share personal information where we reasonably believe that we are legally required to do so. We may also share information where this is necessary for us to exercise or enforce our rights under our Terms or otherwise at law, or where we reasonably and in good faith consider that it necessary or appropriate to do so in order to protect the security of our site, customers or employees.
Change in Control
We may share information with third parties to whom we may to sell, transfer or merge parts of our business or our assets or alternatively where we, buy or merge with other businesses. If a change happens to our business, then the new owners may only use your personal information in the same way as set out in this privacy statement.

Part E
How long we keep your personal data

In this section we provide guidance on how long we are likely to retain your personal information. This generally depends on how and why the information is collected. Please also be aware that it takes up to a further 6 months from the dates specified in this section for information that is no longer required to be fully removed from our systems because we retain backup and archive files.

We may also retain limited personal information for a longer period than specified including in the event of a complaint or if we reasonably believe there is a prospect of litigation relating to our relationship with you, or that the information may be needed to exercise or enforce our rights under our terms, or to perform contractual obligations. We may also retain information for a longer period where we are legally required to do so, and for audit and compliance purposes or where the information we hold is required in connection with a legal process. Additionally, our laboratories may also need to retain information that they hold on our behalf for longer periods to comply with legal or regulatory requirements. We may also retain sufficient information to be able to evidence your account deletion request.

We retain information for the periods below:

●  General information including contact information and communications

●  Call recordings: up to 6 months from the end of the month in which the call happened.

●  General contact information provided when we are asked to provide a quote, and our quotes and related communications, and communications with us including notes taken during from telephone calls: 12 months, unless the quote is accepted. If a quote is accepted, we retain all information relating to the quote and the test for 7 years after the date on which the results are provided.

Payment Information and financial records​:
By law we have to retain financial records. We retain the name and contact details of each person who pays for a test, any payment details we have, and transactional information for up to seven years after we receive payment for our services.

Information relating to services​:
We retain samples for 7 years unless we are requested to delete the sample by or on behalf of the person whose sample it is. We may retain the sample for a longer period of time were lawfully required to do so.
We retain our internal records in connection with our services, test results and our expert reports for 7 years from the date on which we provide our results/reports, or for so long as we are aware that legal proceedings to which the test/report relates is ongoing.

Part F
Security

We are committed to being a secure and trusted partner for your personal information, including sensitive information such as test results.

How do we do this?

At the heart of how we protect your information is our commitment to International Standards set by ISO. We are certified to ISO:9001 for quality controls and ISO:27001 for information security. As part of our ISO accreditation, audits and reviews are conducted of all relevant third-party service providers to check that they meet our strict requirements.

We use a combination of technical, physical and organisational measures to protect the security of your information.

Physical and organisational measures help protect against social engineering attacks whereby an unauthorized person gains access to restricted information or physical location through psychological manipulation of authorised individuals. These measures include security clearances, extensive training and physical security measures and are subjected to rigorous external audits throughout the year.

Technical measures implemented to protect your information include:

●  Security by design

●  Encryption

●  Separation of Concerns & Pseudonymization

●  Monitoring and Alerting

●  Proactive Vulnerability and Penetration testing

What is security by design?

Software has been designed and implemented with a security first process with the expectation that malicious third parties will attempt to exploit the system. This includes minimising permissions and access to data for internal secure systems.

What is encryption?
Data is scrambled so it is unreadable by humans or computers without a unique decryption key which is kept separate and secure. Encryption of data occurs as it flows through our system to yourselves (HTTPS) and while it is stored by ourselves (Encrypt at Rest). This significantly increases the difficulty of accessing data in the event of unauthorised access to our systems. What is monitoring and alerting?

We actively monitor our systems and all communication with the outside world, collecting and analysing the available data for indicators of potential threats and breaches. These are automatically triaged and alerted to our security team for appropriate action.
What is proactive vulnerability and penetration testing?

We periodically employ the services of third-party specialists to act as malicious parties and attempt to breach our security in a controlled and safe way. This enables us to identify and assess potential attack vectors before they are identified by monitoring and alerting tools and to address and harden appropriately.

Part G: General
Your rights
If we hold your personal information, in certain circumstances, you have rights under data protection laws. Please click on the links below to find out more about these rights:

●  Request access to your personal data.

●  Request correction of your personal data.

●  Request erasure of your personal data.

●  Object to processing of your personal data.

●  Request restriction of processing your personal data.

●  Request transfer of your personal data.

●  Right to withdraw consent.

If you wish to exercise any of the rights above, please contact us.

No fee: You will not have to pay a fee to access your personal data or to exercise any of the rights. However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we could refuse to comply with your request in these circumstances.

What we may need from you​:​ We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

Time limit to respond​:​ We try to respond to all legitimate requests within one month. Occasionally it could take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated. Contact Details
We are DNA Legal Limited, of K10 The Courtyard Jenson Avenue, Commerce Park, Frome, Somerset, United Kingdom, BA11 2FG.

If you have any queries about the privacy of your information, or about the information in this statement, or if you think the information is in any way incomplete, please contact us at: info@dnalegal.com
or call our customer services team on +44 203 424 3470

We also have a Data Protection Manager who can be contacted at: ​privacy@dnalegal.com

You have the right to make a complaint at any time to the Information Commissioner's Office (ICO), the UK supervisory authority for data protection issues (​www.ico.org.uk​). We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us in the first instance.

Changes to this statement, and your duty to tell us of changes

We keep this statement under regular review. This version was last published on 16 January 2019. Historic versions can be obtained by contacting us.

It is important that the personal information we hold about you is accurate and current. Please let us your personal data changes during your relationship with us.

Appendix

You have the right to:

Request access​ to your personal information (commonly known as a "data subject access request"). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it.
Request correction​ of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.

Request erasure​ of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal information to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.

Object to processing​ of your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your personal information for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms.
Request restriction​ of processing of your personal information.

This enables you to ask us to suspend the processing of your personal information in the following scenarios:

●  If you want us to establish the accuracy of the information.

●  Where our use of the information is unlawful, but you do not want us to erase it.

●  Where you need us to hold the information even if we no longer require it as you need it to establish, exercise or defend legal claims.

●  You have objected to our use of your information, but we need to verify whether we have overriding legitimate grounds to use it.

Request the transfer​ of your personal information to you or to a third party. We will provide to you, or a third party you have chosen, your personal information in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.
Withdraw consent​ at any time where we are relying on consent to process your personal information. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain services to you. We will advise you if this is the case at the time you withdraw your consent.