DNA Legal is committed to ensuring that your privacy is protected. Should we ask you to provide certain information by which you can be identified when using this website, then you can be assured that it will only be used in accordance with this privacy statement.
DNA Legal may change this policy from time to time by updating this page.
DNA Legal Statement 22nd August 2018
Part A: Introduction
We are DNA Worldwide Group Limited. We provide testing services in our own name, and through our specialist division, DNA Legal. This statement applies to the activities of both businesses.
Very simply, our aim in this statement is to explain what personal information we hold when we carry out our testing services , why we hold it, what we do with it, and how we protect it. By personal information we mean information from which a living person can be identified.
We may also provide you with supplemental information about our use of your personal information in particular circumstances or in connection with specific services.
This statement does not include details of:
- Information we hold about who people represent our business or non individual customers (such as local authorities or solicitors) /our marketing activities with our non individual customers. By way of example, it does not set out what information we record when someone books a CPD training course through us. We will release separate information about this aspect of our activities.
- Information which we collect purely through someone using our website.
We are entrusted with people’s sensitive personal information. We see ourselves as having a responsibility to respect and to take great care of all personal information that we hold for others, including our clients.
Regulatory background: GDPR
The EU General Data Protection Regulations (which are known as GDPR) apply to us when we collect or use personal information. The regulations were introduced to protect peoples’ data. It applies where we process personal information. Processing includes collecting information, storing it, disclosing it, using it and destroying it.
The regulations say that information should only be processed in one or more specified circumstances, which are known as ‘lawful bases’. The lawful bases on which we may process your personal information include:
- Where you have given your consent. We have shortened this to ‘consent’ in the statement)
- Where necessary to carry out the terms of a contract, for example the contract for us to provide testing services. We have shortened this to ‘perform contract’.
- Where necessary to comply with a legal obligation. We have shortened this to ‘comply with law’
- Where we or someone else has a legitimate interest which is not overridden by your interests. We must always balance your interests and rights with our interests if we are to process your information on this basis. We have shortened this to ‘legitimate interest’.
In this statement we have grouped the types of personal information that we may hold into broad categories. The categories are:
- General information including contact information
- Information obtained in order to provide a quote/arrange our testing services
- Information obtained through the process of providing our testing services
- Payment and transactional information
- Marketing information
We also collect, use and share aggregated information such as statistical data. Aggregated information could be derived from personal data, including your test results but is not considered personal data in law as this data will not directly or indirectly reveal your identity. For example, we may aggregate information to report on our performance, particularly when tendering for business, to identify trends within our business, and to improve our services, and their accuracy.
Other examples of how we use aggregated data are for business management, planning and tracking purposes.
Part B: What personal information we hold, and how we use it
General contact information/communication records
This may include your name, address, phone number, email address, communications consent and other information that you may provide to us during routine communications such as when you ask us to respond to a query.
1. When we obtain this information
We collect some or all of this information, depending on the circumstances, when you (or someone such as your solicitor, or a local authority) asks us a query, whether by phone, or email, using the contact from on our website, by letter or in person. We retain copies of all communications, and so will have any personal information which is provided in communications with us.
We may record telephone calls. If you or someone else provides us with your name, contact details and other personal information during a telephone call, these may be recorded.
We provide further information about what information we obtain, and why in this table:
When we provide a quote for our services, we require certain information. In this table we provide further information on what information we obtain, and why.2. Further Information we obtain when we provide a quote for our services
|What Information||How we use this information||Our lawful basis(s)||What is our legitimate interest?|
Contact information i.e. name, address and email address of person requesting the quote, and other people who have a proper interest in the matter
|We use this contact information:||
to identify the person requesting the quote in our records including records of services ordered, and delivered and consents provided
Comply with law (in certain instances)
We have a business interest in maintaining accurate records of the business that we conduct.
|to identify people who have a proper interest in the case, including any solicitor acting for a party, or any party to whom results are to be provided||
Comply with law
|We have a business interest in recording details of people who have a proper interest in a matter, and who are likely to have expectations of us in connection with the testing.|
to deliver our service in accordance with our Terms including arranging for samples to be taken from persons being tested
|to exercise and if necessary to enforce our rights under our Terms and to handle any complaints or disputes that may arise||
|To responsibly manage our business by enforcing our rights under our Terms, including defending any claims that may be brought against us.|
|Shipping address||Test results may be sent to this address||Perform contract|
|Billing address||For the purposes of arranging payment for services||
|Email address||We use this address for day to day communications including sending sending invoices and receipts, and for the purpose of delivering test results.||
|We have a business interest in responding to communications|
|Name of person being tested||We use this for identification purposes||
Comply with law
|Address of person being tested||We use this when making arrangements for the sample to be taken.|
DOB of person being
|We use this to identify whether a sample is being taken from a minor and for identification purposes||
Comply with Law
|Relevant court orders, including interim care orders (final and draft) are sometimes provided to us when a quote is requested, or at a later date and these generally contain personal information in relation to the person being tested, and other parties.||We use these where appropriate to help ensure that we provide the correct services and supply information as legally directed.||
Comply with law
|Sex of person being tested||We sometimes receive or ask for the sex of the person being tested to assist with, or as part of the quoting process||
|We have a legitimate interest in making sure that our quotes are accurate, and in maintaining records of information that persons seeking quotes provide to us|
|Familial relationships of person being tested (for DNA tests only)||We identify and record the familial relationships between the persons being tested in order to advise on the type of test needed and person the relevant test.||Perform contract|
|Name and contact details of person with parental responsibility of a child to be tested||Where we test a child we need the consent of the person who has parental responsibility, and to be able to liaise with that person as needed|
3. Information we hold when we carry out a test
We will (depending on the specific test) collect and retain information in relation to the person being tested.
Because our results are used in court cases, or for other purposes which have significant importance for people involved, we follow strict ‘chain of custody protocols’. This enables those people who rely on our tests to be confident beyond reasonable doubt that the results are from the named individual. Because of this, we take careful steps to identify the person being tested, and to record how we have identified them.
We are also required to have consent prior to taking biological samples, and hence need to identify the person who is providing the consent, and to keep records of their identity and the consent provided.
Depending on the test, we also collect information which helps with the accuracy and completeness of our results. ensure the accuracy of our results.
The testing process will also produce personal information, such as the test results.
We will also hold test results, and correspondence and communications related to the tests and results. Where an expert report is to be provided we will hold correspondence with the expert, and a copy of the expert’s report.
Further information is set out in the table below:
|How we use this information||Our lawful basis(s)||What is our legitimate interest?|
|Name/other name(s) known by||We use this to identify in our records the person being tested or in respect of whom a report, to obtain consent to testing, and in our communications with laboratories who perform services for us and experts if an expert report is being provided.||
Comply with law
|We have a business interest in verifying the true identity of the person being tested, in maintaining accurate records of who we test, and being able to evidence that we have checked the participant’s identity.|
|Date of birth||We use this as part of our formal identification processes.||
Comply with law
|A photograph of the person being tested||We use this as part of our formal identification processes, and to enable us to verify that we have taken the sample from the person whose ID we have verified||
Comply with law
|Sex||We use this to help ensure the accuracy of the tests that we carry out||Perform contract|
|Copy ID document & ID document number and information from ID||We use this for identification purposes, and to verify that we have sighted ID||
Comply with law
|Familial relationship information||For DNA tests only – used to help provide accurate test results||Perform contract|
|Medication use/history||For drug and alcohol testing only- used to help us provide accurate test results||Consent|
|History of drug/alcohol abuse||For drug and alcohol testing only- used to help us provide accurate test results||Consent|
|Details of the nail/hair sample (as appropriate) with comments/ details of hair products and treatments used on hair to be tested||
For nail/hair testing only,
we use information about the hair/nail and hair products used by the participant to improve the accuracy of our reports
|Consent form||We use this form to collect information we need to conduct the test, and to obtain consent for testing||
Comply with law
|Kit bar code||We use a barcode to identify the sample being tested, which in turn can identify a person in our records||
|We have a business interest in having effective means of identifying and tracking samples and within our systems and in our labs|
|Court orders||Where a test is being carried out in relation to court proceedings, we may be provided with relevant court order which contain personal information about the person being tested and other parties.||
Comply with law
|Physical sample||This is the sample that is being tested. We use a barcode to identify the sample, and to link that sample back to the person who provided it.||
|Test results and report (other than DNA tests)||We provide test results/reports as agreed at the time the order is placed||Perform contract|
|Test results/reports/ DNA sample, and genetic data ( for DNA tests only)||Our testing process involves extracting a person’s DNA sample and deriving their genetic data. This is used to genetic produce test results/reports agreed at the time the order was placed.||Consent|
4. Payment information and financial records
When payments are made by card online, the payer’s details are processed by a third party payment provider; we do not receive any details other than the last 4 numbers of the card used (in some cases) and the billing address (in some cases) .
If card payment is made by phone or in person, we will receive card information, but will process it through a third party payment provider, and will retain only the information that we would receive if the payment were made online (see above).
Where possible we process refunds in the same manner as payments, otherwise we make the payment by bank transfer.
We generally pay refunds using the same method as payment. If paying a refund by bank transfer, we receive account name, and payment details. This will be recorded on our bank statement.
We create and retain records of the transactions which customers enter into with us, including details of payments owing and made.
How we use this information
|Our lawful basis(s)||What is our legitimate interest?|
|We use the paying party’s name and address for financial record keeping purposes||Comply with law|
|We use payment information to process payments and refunds||
Comply with law
|We record details of our financial transactions which will include the paying party’s name, email, address and payments made or owing||
Comply with law
|To maintain accurate financial records|
Other Use of Information
We may also use personal information which we hold to enforce our rights under our Terms and to handle any complaints or disputes that may arise, to defend any proceedings which may be brought against us or to participate in any proceedings to which we are joined, and to comply with law or any applicable regulations. Where we do so, our lawful basis will be that we have a legitimate interest, or are complying with law.
Changes in why we use your information
We will only use personal information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If you wish to get an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact us.
If we need to use personal information for an unrelated purpose, we will notify you (where appropriate through your solicitor or other third party) and we will explain the legal basis which allows us to do so.
Please note that we may process personal information without your knowledge or consent, but only where this in compliance with the above rules, where this is required or permitted by law.
Part C: How we collect your information
We use different methods to collect personal information including:
- Direct interactions. You may give us your personal information by filling in forms or by corresponding with us by post, phone, email, or otherwise. This includes personal information you provide when you
- order our services;
- subscribe to one of our publications or mailing lists;
- request marketing to be sent to you;
- enter a competition, promotion or survey; or
- give us feedback or contact us
- Through an intermediary or third party. Examples of where intermediaries provide personal information include where a solicitor appointed to represent someone provides information on their behalf, the lead party in a court case (meaning the party who provides instructions in relation to the testing of various parties involved in the case), or a local authority or governmental department who conduct and pay for testing, and companies who ask us to carry out testing of their staff. A third party may also request a quote for testing, and provide information even where they are not acting on behalf of the person whose information they provide.
- Third parties or publicly available sources. We may receive personal information about you from various third parties and public sources including:
- Information from:
- analytics providers such as Google
- advertising networks
- search information providers
- providers of technical, payment and delivery services
Part D: Sharing your information
In this section we provide information on who we share your information with, and why.
Our policy on disclosing test results
- If an adult is tested, we will always provide the results to them.
- If the person ordering the test wishes the results to be provided to people other than the person being tested, including to themselves, we will seek the consent of the person being tested before the sample is taken. If the person being tested does not consent to this, we will not take the sample.
- We will only carry out a test which has been ordered by a court where the person being tested consents to the results being shared in accordance with the court order.
- We will share test results with any person who can show that they have parental control in respect of a child being tested, even if they do not place the order. The exception to this is where a court order forbids us from providing results to that person.
We use a range of service providers and consultants in order to help run our businesses and to provide our services. We require all third-party service providers to respect the security of the personal information we hold and to treat it in accordance with the law. We do not allow our third-party service providers to use our client’s personal information for their own purposes and only permit them to process it for specified purposes and in accordance with our instructions.
These service providers include:
We use the services of professional third parties to collect samples for testing. We will need to disclose personal information to the person collecting the sample in order for them to make arrangements for the sample to be collected, and also to ensure that the sample is collected correctly.
Telephone answering services
We use a third party service provider to answer telephone calls when we are unable to do so ourselves, including when our help centre is closed.
Our laboratories & biological storage facilities
We use fully accredited professional laboratories to receive samples and to carry out testing.
Expert Reports/ Expert Witness Services
Where we are retained to provide an expert report, or expert witness services we may use the service of expert third parties, and where we do, we will share personal information with the expert third parties as necessary to enable them to perform their services.
‘Cloud’ based service providers
We use ‘cloud’ based storage providers to securely maintain the information held within our databases, and this will include sensitive personal information.
Please see ‘Security of your information’ below [ link] for further information on security aspects of our cloud storage arrangements.
We also use service providers who assist us with our ‘cloud’ based infrastructure, and ‘cloud’ client support tools.
We may share information with our professional advisers including lawyers, accountants and insurance advisers. We do not routinely genetic, or health or drug or alcohol related information with our professional advisers, but it would be possible that this could happen, for example if court proceedings relating to our test results were to be brought against us.
Other specialist consultants and service providers
These include IT consultants and service providers, and service providers that assist us with marketing, analytics, and cyber security/fraud prevention. We may also in limited circumstances share personal information with our insurer.
Payment service providers
We use the services of payment processing companies to facilitate you making payment. These providers will use contact and billing information including credit card details to process payments. When payment is made on line, banking details are provided to that payment processing company, and not to us.
The Legal Process
There are circumstances in which we may be legally required to disclose information. Examples of this include where a we are subject to a binding court order, subpoena, or a legally binding direction by a regulator, and where we are required to share information with HM Revenue and Customs. We reserve the right to share personal information where we reasonably believe that we are legally required to do so. We may also share information where this is necessary for us to exercise or enforce our rights under our Terms or otherwise at law, or where we reasonably and in good faith consider that it necessary or appropriate to do so in order to protect the security of our site, customers or employees.
Change in Control
We may share information with third parties to whom we may to sell, transfer or merge parts of our business or our assets or alternatively where we, buy or merge with other businesses. If a change happens to our business, then the new owners may only use your personal information in the same way as set out in this privacy statement.
Part E: How long we keep your personal data
In this section we provide guidance on how long we are likely to retain your personal information. This generally depends on how and why the information is collected. Please also be aware that it takes up to a further 6 months from the dates specified in this section for information that is no longer required to be fully removed from our systems because we retain backup and archive files.
We may also retain limited personal information for a longer period than specified including to in the event of a complaint or if we reasonably believe there is a prospect of litigation relating to our relationship with you, or that the information may be needed to exercise or enforce our rights under our terms, or to perform contractual obligations. We may also retain information for a longer period where we are legally required to do so, and for audit and compliance purposes or where the information we hold is required in connection with a legal process. Additionally, our laboratories may also need to retain information that they hold on our behalf for longer periods to comply with legal or regulatory requirements. We may also retain sufficient information to be able to evidence your account deletion request.
We retain information for the periods below:
1. General Information including contact information and communications:
- Call recordings: up to 6 months from the end of the month in which the call happened.
- General contact information provided when we are asked to provide a quote, and our quotes and related communications, and communications with us including notes taken during from telephone calls: 12 months, unless the quote is accepted. If a quote is accepted we retain all information relating to the quote and the test for 7 years after the date on which the results are provided.
2. Payment Information and financial records:
By law we have to retain financial records. We retain the name and contact details of each person who pays for a test, any payment details we have, and transactional information for up to seven years after we receive payment for our services.
3. Information relating to services:
We retain samples for 7 years unless we are requested to delete the sample by or on behalf of the person whose sample it is. We may retain the sample for a longer period of time were lawfully required to do so.
We retain our internal records in connection with our services, test results and our expert reports for 7 years from the date on which we provide our results/reports, or for so long as we are aware that legal proceedings to which the test/report relates is ongoing.
Part F: Security
We are committed to being a secure and trusted partner for your personal information, including sensitive information such as test results.
How do we do this?
At the heart of how we protect your information is our commitment to International Standards set by ISO. We are certified to ISO:9001 for quality controls and ISO:27001 for information security. As part of our ISO accreditation, audits and reviews are conducted of all relevant third party service providers to check that they meet our strict requirements. We use a combination of technical, physical and organisational measures to protect the security of your information.
Physical and organisational measures help protect against social engineering attacks whereby an unauthorized person gains access to restricted information or physical location through psychological manipulation of authorised individuals. These measures include security clearances, extensive training and physical security measures and are subjected to rigorous external audits throughout the year.
Technical measures implemented to protect your information include:
- Security by design
- Separation of Concerns & Pseudonymization
- Monitoring and Alerting
- Proactive Vulnerability and Penetration testing
What is security by design?
Software has been designed and implemented with a security first process with the expectation that malicious third parties will attempt to exploit the system. This includes minimising permissions and access to data for internal secure systems.
What is encryption?
Data is scrambled so it is unreadable by humans or computers without a unique decryption key which is kept separate and secure. Encryption of data occurs as it flows through our system to yourselves (HTTPS) and while it is stored by ourselves (Encrypt at Rest). This significantly increases the difficulty of accessing data in the event of unauthorised access to our systems.
What is monitoring and alerting?
We actively monitor our systems and all communication with the outside world, collecting and analysing the available data for indicators of potential threats and breaches. These are automatically triaged and alerted to our security team for appropriate action.
What is proactive vulnerability and penetration testing?
We periodically employ the services of third party specialists to act as malicious parties and attempt to breach our security in a controlled and safe way. This enables us to identify and assess potential attack vectors before they are identified by monitoring and alerting tools and to address and harden appropriately.
Part G: General
If we hold your personal information, in certain circumstances, you have rights under data protection laws.
Please click on the links below to find out more about these rights:
- Request access to your personal data.
- Request correction of your personal data.
- Request erasure of your personal data.
- Object to processing of your personal data.
- Request restriction of processing your personal data.
- Request transfer of your personal data.
- Right to withdraw consent.
If you wish to exercise any of the rights above, please contact us.
No fee: You will not have to pay a fee to access your personal data or to exercise any of the rights. However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we could refuse to comply with your request in these circumstances.
What we may need from you: We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
Time limit to respond: We try to respond to all legitimate requests within one month. Occasionally it could take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
We are DNA Legal Limited, of K10 The Courtyard Jenson Avenue, Commerce Park, Frome, Somerset, United Kingdom, BA11 2FG.
If you have any queries about the privacy of your information, or about the information in this statement, or if you think the information is in any way incomplete, please contact us at:
or call our customer services team on +44 203 424 3470
We also have a Data Protection Manager who can be contacted at: email@example.com
You have the right to make a complaint at any time to the Information Commissioner's Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us in the first instance.
Changes to this statement, and your duty to tell us of changes
We keep this statement under regular review. This version was last published on 22nd August 2018. Historic versions can be obtained by contacting us.
It is important that the personal information we hold about you is accurate and current. Please let us your personal data changes during your relationship with us.
You have the right to:
Request access to your personal information (commonly known as a "data subject access request"). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it.
Request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.
Request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal information to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.
Object to processing of your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your personal information for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms.
- If you want us to establish the accuracy of the information.
- Where our use of the information is unlawful but you do not want us to erase it.
- Where you need us to hold the information even if we no longer require it as you need it to establish, exercise or defend legal claims.
- You have objected to our use of your information but we need to verify whether we have overriding legitimate grounds to use it.
Request the transfer of your personal information to you or to a third party. We will provide to you, or a third party you have chosen, your personal information in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.
Withdraw consent at any time where we are relying on consent to process your personal information . However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain services to you. We will advise you if this is the case at the time you withdraw your consent.