Updated 8 December 2020
- Personal data is any information relating to an identifiable person who can be directly or indirectly identified such as name, etc.
- Sensitive personal data: also called ‘special category data’ such as ethnic origin, biometric data, and religious beliefs.
2. What information do we collect?
There are two main routes by which we will receive personal information about you.
2.1 Through our regulation of licenced UK fertility clinics, we have a legal duty to keep a register of information relating to treatment provided by fertility clinics and the people who receive that treatment. We therefore require clinics to report prescribed information to us; it is a legal requirement under the Human Fertilisation and Embryology Act 1990 (as amended) (‘the HFE Act’) that clinics report this information to us. The information that we receive includes details such as your name, date of birth, address, NHS number, and details of your treatment and outcome e.g. whether you had a birth. The full list of information we receive from clinics is listed in our Data Dictionary.
We may also collect some personal information for the purposes of fulfilling other functions and legal duties that we have under the HFE Act for example, during inspections of clinics, when investigating incidents that have occurred at clinics or when we are investigating complaints about a clinic.
2.2 When you contact us directly, such as with a complaint about the HFEA, freedom of information request, or when submitting an enquiry.
3. Do we have a legal basis to process your information?
We will only collect, use and keep your personal information according to the law and will not collect more information that we need to fulfil our stated purposes and will not retain it for longer than is necessary or required by law.
The HFEA has a statutory duty to keep personal information about people who have had treatment at a licenced UK fertility clinic on our Register. Section 31 of the Human Fertilisation and Embryology Act 1990 (‘the HFE Act’) requires the HFEA to keep a register and defines some of the personal information which must be collected and kept on the register. In line with this statutory duty, we collect, process and keep personal information about patients, their partners, donors and children born from fertility treatment.
We may also process your personal information for other purposes including when:
- we have your explicit consent (consent)
- if we have a legal obligation under other legislation such as the Freedom of Information (‘FOI’) Act 2000 (legal obligation)
- it is necessary for the performance of a public task for example, assisting the police in an investigation
- if it is necessary to protect someone’s life (vital interests)
- if it is necessary to fulfil our contractual obligations to you (contract)
- if we have a legitimate interest in using your personal data. This is where we use your personal information in a way you would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing. This includes when responding to an email or telephone enquiry, FOI or subject access request.
4. How do we maintain the security of your information?
We take our duty to protect your personal information very seriously and we are committed to ensuring that we maintain your confidentiality. Any unauthorised disclosure, even inadvertent or indirect, of an individual’s information that’s contained on our Register is a criminal offence.
We process personal data securely by means of ‘appropriate technical and organisational measures’, which include:
- We undertake an analysis of the risks presented by our processing and use this to assess the appropriate level of security we need to put in place. We do this using Data Protection Impact Assessments, our Information Auditing process, and regular organisational review meetings via our strategic risk register.
- Clinics use a fully encrypted electronic data submission system to send personal information to us. We activate local encryption such that all information stored on the HFEA system is encrypted at all times. In addition, the system sits behind local firewalls and local username and password controls.
- We make sure that we regularly review our information security policies and measures and, where necessary, improve them.
- We have put in place basic technical controls such as those specified by established frameworks like ISO27001.
- We understand that we may also need to put other technical measures in place depending on our circumstances and the type of personal data we process.
- We use encryption where it is appropriate to do so.
- We understand the requirements of confidentiality, integrity and availability for the personal data we process, and have appointed both a Senior Information Risk Owner (SIRO), Caldicott Guardian and Data Protection Officer (DPO).
- We make sure that we can restore access to personal data in the event of any incidents, such as by establishing an appropriate backup process.
- We conduct regular testing and reviews of our measures to ensure they remain effective, and act on the results of those tests where they highlight areas for improvement.
- We ensure that any data processor we use also implements appropriate technical and organisational measures, setting these out in data processing contracts, information sharing agreements and contractual terms.
5. How is your information used by the HFEA?
Your personal information is used by the HFEA to respond to your questions or concerns, develop our regulatory policy and effectively regulate licenced clinics in the UK to ensure that patients continue to receive high quality care and that improvements in scientific and public health research continue in line with approved ethical and legislative requirements.
We process information for reasons specified at the point of collection, which can include:
- Maintaining our Register
- Fulfilling requests for information which are made under the HFE Act e.g. providing information to people who have a statutory right to request information about their donor, genetically related siblings or someone they intend to marry and with whom they have an intimate relationship.
- Organisational information assurance e.g. auditing our records
- Information sharing for research, where strict legal and ethical criteria have been met
- Ensuring clinics are licensed and regulated effectively
- Maintaining and developing policy, regulatory tools (e.g. the Code of Practice) and guidance to improve the standard of care in clinics
- Investigating and responding to complaints about clinics and the HFEA
- Subject access requests (SARs) or other data subject requests
- Investigating incidents that have occurred at clinics and taking appropriate regulatory action in response to such incidents
- Carrying out surveys of patients, licensed clinics and the public
6. With who, and when, will we share your information?
6.1 Sharing personal information without your consent.
Ordinarily, we will not disclose your personal information without your consent. However, there are circumstances in which we will need to share your personal information with other organisations, and we will do so without seeking your consent. These circumstances are limited to when we have a legal obligation, legitimate interest or if the disclosure is necessary to protect the vital interests of the person.
Organisations we may share personal information include:
- Licenced clinics
- Police, regulators and other public bodies
- Organisations working for us or on our behalf for example our lawyers or IT contractors working on our systems
- Department of Health and Social Care and other central or local government departments
- Research establishments
- The National Health Service
6.2. Sharing information with your consent for research purposes.
We may share your personal information if you have given consent for your information to be used in research. Researchers are allowed to request identifying information from us. They can only use information that would identify you with your consent. Research using your data is incredibly valuable and could, for example, be used to investigate the safety and efficacy of fertility treatments, develop new treatment and storage techniques and study the effect of national policies, such as the HFEA multiple births policy. It can also be used to link fertility treatment data with other healthcare records for example, to see whether IVF affects the health of women or their children.
Your personal information will only be made available to researchers linked to a recognised UK research institution and any research project also need to have received approval from a research ethics committee. We only allow researchers to use identifying information in cases where their research couldn’t be conducted without it. Where researchers publish their research findings it won’t be possible to identify you.
Prior to October 2009, consent to research was not collected for patients who were undergoing treatment at a licensed fertility clinic. Since 1 October 2009, under new legislation the Human Fertilisation and Embryology (Disclosure of Information for Research Purposes) Regulations 2010, researchers have been able to apply to access identifying information for patients involved in treatment between August 1991 and September 2009 (and any children born as a result of treatment) without getting their consent. If you’ve had treatment during this time and you’d prefer that your information was not shared, please contact us (see section 10). There are certain circumstances or criteria that means information cannot be legally disclosed. This will be judged on a need to know and case by case basis.
When we authorise a research study to use our data, we put in place strict security requirements and retention and deletion schedules that must be followed. Any unauthorised disclosure, even inadvertent or indirect, of an individual’s information that’s contained on our Register is a criminal offence.
6.3. Sharing information with a third-party processor.
Occasionally we may rely on another organisation (a third-party processor) to carry out processing of your personal information on our behalf e.g. NHS Digital who may help us link your data for research purposes. Where that is the case, we are committed to looking after your personal information in a secure and responsible way and ensuring that the third-party processor does too. Therefore, any Data Processor we engage will have signed a Data Processing Contract, which sets out their legal obligations and responsibilities regarding your personal information. These are legally binding agreements for limited periods only and considered on a case by case basis.
7. How long do we store your information?
Personal information which is held on the HFEA Register will be held in perpetuity i.e. for ever, in order to ensure that the HFEA is able to continue fulfilling its statutory duties for which the Register data is necessary.
All other personal information will only be retained for as long as is necessary. All records are destroyed confidentially once their retention period has been met and the HFEA has made the decision that the records are no longer required. All records are destroyed in accordance with the HFEA Records Retention and Deletion (‘RRD’) Schedule, which sets out the appropriate length of time for which each record type is retained.
To determine appropriate retention periods for different types of data, we consult relevant laws and best practice guidance (e.g. National Archives).
8. What rights do you have?
Under current data protection laws, individuals have the following rights:
- The right to be informed about the collection and use of your personal information.
- The right to access a copy of your personal information and supplementary information and the right to be made aware of and verify the lawfulness of the processing of your personal information.
- The right to have inaccurate personal information rectified or completed if it is incomplete.
- The right to have your personal information erased. However, this right is not absolute and only applies in certain circumstances.
- The right to request the restriction or suppression of your personal information. However, this right is not absolute and only applies in certain circumstances.
- The right to data portability which allows you to obtain and reuse your personal information for your own purposes across different services.
- The right to object to processing based on legitimate interests or performance of a task in the public interest/exercise of official authority in certain circumstances; direct marketing; and scientific/historical research and statistics in certain circumstances.
- Rights in relation to automated decision making and profiling including the right to information about the automated processing, and the right to request human intervention or to challenge an automated decision.
9. How can you exercise your rights?
You can exercise your rights by contacting the HFEA by phone (telephone: 020 7291 8200) or in writing (email: email@example.com). If you would like to access a copy of your records, the request must be made in writing or via email.
When making a request about the way we use your data it is helpful, but not necessary, if you are able to state which of the rights listed in section 8 you want to exercise. Please provide as much detail as possible in your request.
We may need to get back in touch with you to clarify your request or to request additional information (such as your full name, address, date of birth, NHS number, etc.) if we need to verify your identity and locate your records.
We will always try to deal with your request within one month; however, we may need to extend the deadline by an additional two months if it is a complicated request.
Information will be provided free of charge except where requests are unfounded or excessive, such as repeated requests, in which case the HFEA may either charge a reasonable fee or refuse to act on the request. We will fulfil your request by sending your copy electronically, unless the request expressly specifies a different method.
If you need more information on how to exercise your rights, please contact the enquiries team at firstname.lastname@example.org.
10. Data Controller.
A data controller is a person, organisation or corporate body who (either alone, jointly or in common with other persons) determines the purposes and the manner in which any personal data are processed. The HFEA is the data controller for the personal information we hold about you. Our details are:
The Human Fertilisation and Embryology Authority
2nd floor, 2 Redman Place
Telephone No: 020 7291 8200
11. Who should you contact with any concerns?
If you have any concerns about how we handle your information you have a right to complain by following our complaints policy.
If you are not satisfied with how we have handled your complaint, you have a right to complain to the Information Commissioners Office (‘ICO’) about it.
The Information Commissioner can be contacted at:
Information Commissioner’s Office Wycliffe House,
Water Lane Wilmslow,
Telephone: 08456 306060
11.1. Senior Information Risk Owner
The Senior Information Risk Owner’s (SIRO) responsibilities are to lead a culture of good information management, own the overall information risk policy and procedures and advise the Accounting Officer on information risk.
Our SIRO contact:
General: 020 7291 8272
11.2. Data Protection Officer
A data protection officer (DPO) is a role required by current data protection laws for public bodies. Data protection officers are responsible for overseeing data protection strategy and implementation to ensure compliance with UK GDPR requirements.
Our DPO contact:
General: 020 7269 1900
11.3. Caldicott Guardian
A Caldicott Guardian is a senior person responsible for protecting the confidentiality of people’s health and care information and making sure it is used properly.
Our Caldicott Guardian contact:
General: 020 7291 8268
Publication date: 8 December 2020
Review date: 8 December 2022