Last updated on 08 Aug 2024

Privacy notice

Data protection laws

This Privacy Notice explains how the Human Tissue Authority (“HTA”) handles the personal data that it collects. This includes what we use it for and how you can exercise your rights under Data Protection laws (the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (“DPA”)). Together these Data Protection laws give you more rights as an individual and place greater obligations on those controlling and processing your personal data for any purpose.

Data protection principles

There are seven key principles at the heart of the DPA and these form the basis upon which we will process your personal data. The principles are:

  • Lawfulness, fairness and transparency
  • Purpose limitation
  • Data minimisation
  • Accuracy
  • Storage limitation
  • Integrity and confidentiality (security)
  • Accountability

You can read more about the data protection principles on the Information Commissioner’s Office (“ICO”) website.

Your rights

The data we are collecting under this privacy notice is your personal information and you have considerable say over what happens to it. As such, you have the right:

  • To see what data we hold about you (this is known as a ‘Subject Access Request’)
  • To ask us to stop using your data, but keep it on record
  • To have some or all of your data deleted
  • To have some of your data corrected
  • To lodge a complaint with the ICO if you think we are not handling your data fairly or in accordance with the law.

Reasons and purposes for processing information

We need to handle personal information about you so that we can perform our regulatory functions. The types of personal data we process about you will depend on the relationship you have with us and more details about that follow.

National Data Opt-Out Policy

The National Data Opt-Out policy allows individuals to opt-out of having their confidential patient information shared for purposes beyond their direct care. The HTA must consider national data opt-outs when processing data for purposes beyond individual care in line with the wider policy. The National Data Opt-Out policy does not apply for disclosure of information relating to living organ donation decisions and serious adverse events and reactions notifications.

Licence contacts

The HTA’s legal framework creates a requirement for four primary roles to exist at the establishments that we license. Those roles are:

  • Designated Individuals (DI)
  • Named Contacts (in the Organ Donation and Transplantation sector only)
  • Persons Designated (PD)
  • Licence Holders and Licence Applicants (either an individual or the person acting on behalf of a corporate body)

For the people in these roles we process information including:

  • Contact details
  • Job title
  • Name and address of the establishment where you work
  • Gender
  • Previous names

In the case of DIs and Licence Holders, we additionally process information supporting your suitability for those roles. This information includes:

  • Educational or professional qualifications
  • Membership of relevant professional bodies
  • Details of your other relevant experience
  • Your own assessment of your suitability for the role

For all of the above, our legal basis for processing this information is the exercise of our official authority laid down by our legal framework.

Organ Donation and Transplantation

The HTA regulates the donation of organs in the UK from living people by making the decision on whether the donation can go ahead, based on criteria set out in law.

The HTA’s role is to provide an independent check to help protect the interests of living organ donors. They ensure each individual donor has an opportunity to speak freely to someone not connected with the transplant unit in order to confirm that:

  • the donor has the capacity to make an informed decision;
  • there has been no reward sought or offered for the organ donation;
  • their wish to donate is free from any pressure to act against their will;
  • they understand the nature of the procedure and risks of the surgery.

An Independent Assessor (IA) trained and accredited by HTA will carry this out. IAs undertake interviews with donors and recipients to explore whether the conditions set out above have been met.  IAs do not determine the medical suitability of the donor or recipient.

The HTA uses the report of the IA, and any other information gathered as part of its consideration of the case, to make the decision on whether or not to approve the proposed donation.

In order for this decision-making process to work, we will process the personal data of a number of different types of people.

For the clinicians and other professionals working in transplant teams we process information including:

  • Contact details
  • Job title
  • Name and address of the establishment where you work
  • Gender
  • Previous names

For Independent Assessors we process information including:

  • Contact details
  • Name and address
  • Gender
  • Previous names
  • Referee contact details
  • Any references provided
  • DBS certificate number

We will also process personal and sensitive personal data about donors and recipients of organs, including those adults who lack capacity and children who do not have competency to consent to the procedure. The precise data will differ on a case-by-case basis but will include:

  • Name
  • Date of birth
  • Address
  • NHS Number
  • Information which may identify your gender
  • Medical history which may include diagnoses
  • Your medical and clinical suitability to donate

The HTA also has a role in considering information reported by clinicians where they suspect that an organ donation and transplant-related offence may have been committed, or if they are made aware that a patient has received an organ transplant outside the UK.

Based on the information that clinicians are required to report, we will receive and process data about the reporting clinician. This includes their name, contact details, position and place of work. We will also receive and process personal and sensitive data about donors, potential donors, recipients, intended recipients and other person(s) who may have been involved in commissioning an organ donation and transplant-related offence. The data may include:

  • Information about the individuals involved (including their name, date of birth, age, gender and countries of legal citizenship or residency)
  • Medical history
  • Medical and clinical suitability to donate or receive an organ

Where we consider an organ donation and transplant-related offence may have been committed, we refer the reported information to the police.

For all of the above, our legal basis for processing personal and sensitive data is that:

  • it is in the public interest or exercise of official authority, and
  • it aids the prevention or detection of an unlawful act (for example, where an organ donation and transplant-related offence may have been committed).

Bone Marrow and Peripheral Blood Stem Cell (PBSC) donations

The HTA is only responsible for giving approval for bone marrow and PBSC donations in cases where the donors are unable to consent for themselves.

In order for this decision-making process to work, we will process the personal data of a number of different types of people.

For the clinicians and other professionals working in transplant teams we process information including:

  • Contact details
  • Job title
  • Name and address of the establishment where you work
  • Gender
  • Previous names

For Accredited Assessors we process information including:

  • Contact details
  • Job title
  • Name and address of the establishment where you work
  • Gender
  • Previous names

We will also process personal and sensitive personal data about donors and recipients of bone marrow or PBSC where they are an adult who lacks capacity or a child who does not have competency to consent to the procedure and the person consenting to the donation on the donor’s behalf. The precise data will differ on a case-by-case basis but will include:

  • Name
  • Date of birth
  • Address
  • NHS Number
  • Information which may identify your gender
  • Medical history which may include diagnoses
  • Your medical and clinical suitability to donate

For all of the above, our legal basis for processing this information is in the exercise of our official authority laid down by our legal framework.

Our legal basis for processing your sensitive personal data is that the processing is necessary for the provision of health care or treatment.

Job Applicants

Employee data is stored on an internal HR system and the HTA have a separate privacy notice for employees.

The HTA use multiple channels for recruitment purposes and we encourage you to read the privacy notices wherever you encounter an HTA job advertised.

The HTA will receive a copy of the personal data and sensitive personal data for job applicants, including unsuccessful applicants. This data will include:

  • CV and personal statements
  • Contact details
  • Qualifications, licences and professional memberships
  • Employment history
  • Ethnicity, diversity and inclusion information
  • Sexual Orientation
  • Criminal Convictions
  • Disability details

Our legal bases for processing this information are:

  • it is necessary for the performance of a contract to which you are a party - an employment contract
  • it is necessary in order to take steps at your request prior to entering into a contract for employment
  • it is necessary to comply with a legal obligation placed on us as the data controller - we are required to report on equality of opportunity; and onboarding processes have specific requirements

Our legal basis for processing your sensitive personal data is that we are required to do this by employment law relating to assessing your capacity to work, to monitor that equality law is being met through the recruitment process and to comply with any safeguarding laws relating to the role you are applying for.

Newsletter subscribers

When you subscribe to our newsletter, you provide your consent to receive this form of communication under the Privacy and Electronic Communications Regulations. It is our legitimate interest to process the personal data you provide in the subscription process. This data will not be processed for any other purpose than to send you our newsletter and you can unsubscribe at any time using the unsubscribe link included in every newsletter. When you unsubscribe your personal data will be automatically removed from the newsletter distribution system.

We use MailChimp to provide this service and they process your personal data on our behalf. You can read the MailChimp privacy notice here - https://mailchimp.com/legal/privacy/.

MailChimp operate in the United States, so your information is transferred to, stored and processed in the United States. MailChimp participate in and certify their compliance with the EU-US Privacy Shield framework and you can view their certification here - https://www.privacyshield.gov/participant?id=a2zt0000000TO6hAAG&status=Active

General enquiries

The HTA has a statutory obligation to provide information to the public and professionals working in the sectors that we regulate. One of the ways we do this is by responding to enquiries. When you make an enquiry we will process your name, contact details and the nature of the enquiry. The nature of the enquiry may contain personal data and sensitive personal data if you provide that information to us.

For all of the above, our legal basis for processing this information is in the exercise of our official authority laid down by our legal framework.

Our legal basis for processing your sensitive personal data is that the processing is necessary to meet our obligation to provide you with information.

How we look after your personal data

The HTA values the personal information entrusted to us and we make sure that we abide by the law when we process it. We also:

  • Make sure that only those people who have a need to do so process personal data;
  • Encrypt data using a number of encryption standards and technologies including: FIPS 140-2; Common Criteria EAL2+; and Intel Advanced Encryption Standard-New Instructions (AES-NI);
  • Consider security and privacy at the outset of any new project where we are planning to hold or use personal information in new ways, and continue to review existing systems to ensure they comply with new laws; and
  • Train our staff in how to handle personal information, maintain proper oversight of our information assets and respond appropriately if information is not used or protected properly.

Sharing your information with others

We sometimes need to share the personal data we control with other organisations. Where this is necessary, we are required to comply with all aspects of Data Protection legislation. What follows is a description of the types of organisations we may need to share personal information we process for one or more reasons. Where necessary, required and within the law, we may share information with:

  • Employment and recruitment agencies
  • Current, past and prospective employers
  • Other Government Departments
  • Suppliers and service providers
  • Small Claims Court for Debt collection
  • Financial organisations
  • Devolved Government departments
  • Health and care organisations
  • Trade, employer associations and professional bodies
  • Other statutory law enforcement agencies and investigative bodies
  • Health, social and welfare advisers or practitioners
  • Survey and research organisations
  • Police forces and other law enforcement organisations
  • The Government Internal Audit Agency and other auditors as required 
  • Regulators i.e. the ICO

Data retention

Outside of specific exemptions under the legislation, your personal data will only be retained for as long as is necessary.  All records are destroyed confidentially once their retention period has been met and the HTA has made the decision that the records are no longer required.  

To determine appropriate retention periods for different types of data, we consult relevant laws and best practice guidance (e.g. National Archives). 

Subject Access Requests

Data protection law allows you to find out the personal information we hold about you. We do not charge a fee for this service, although in some circumstances we are permitted to. This is long-standing legislation (although the timescales in which we should respond have been reduced to 1 month rather than the previous 40 days). In the event that we are unable to meet this timescale (for example due to a large volume of information to be assessed), we will keep you informed of progress towards fulfilling your request.

To request access to personal data we hold about you, please write to:

Human Tissue Authority
2nd floor, 2 Redman Place
Stratford, London
E20 1JQ

Contact details of our Data Protection Officer

A data protection officer (DPO) is a role required by current data protection laws for public bodies. Data protection officers are responsible for overseeing data protection strategy and implementation to ensure compliance with DPA requirements.

For enquiries about data protection please email dataprotectionofficer@hta.gov.uk

Contacting the Information Commissioner’s Office

For independent advice about data protection, privacy and data sharing issues you can contact the independent Information Commissioner’s Office at:

Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Tel: 0303 123 1113
Website: www.ico.org.uk