Project Screen by Prenetics is a COVID-19 testing initiative offering a WHO-recommended solution to get diagnosed for COVID-19 in the United Kingdom. Project Screen by Prenetics is provided by Prenetics EMEA Limited, with company registration No. 08834823 and registered office at Unit 2 Orpington Business Park, Faraday Way, Orpington, Kent, England, BR5 3QW together with Prenetics Group Companies (“Prenetics”, “we”, “us”, “our”).
This privacy notice applies to any individual (“you”, “yours”) who interacts with us about our products or services in any way, for example through our website or application (the “Website”), (together the “Services”). By clicking the “I have read and agree” box at a point of registration and each time you make a payment, submitting your personal information to us, and using the Website you are accepting the practices described in this privacy notice.
This notice provides you with the key information on how we process and manage your personal information when undergoing the COVID-19 (2019-nCoV) RT-PCR laboratory test (“RT-PCR test”) so that you feel you can trust us and have confidence in the way we handle your personal information. We are committed to treating your personal information with the importance it deserves by handling it responsibly and securely. We only process your personal information for the legitimate purposes disclosed below. All COVID-19 results and any personal information are maintained under a strict policy of confidentiality.
We will be transparent with what personal information we hold, collect and process, and, to the extent possible, we will also give you control of the personal information you provide us. We will collect your personal information through your contract with us whether written or by phone, email, through our Website or our applications.
Depending on the type of Services, Prenetics can be acting as a data controller or as a data processor. We will be acting on behalf of a third party who will themselves be the data controllers, for example companies such as your employers, or service providers or healthcare providers (“Company”). When acting as a data processor, Prenetics will be required to act on the instructions of the data controller. If you provide us with information about other people you must make sure that they have seen a copy of this privacy notice and are comfortable with you giving us their information.
When you create your Prenetics Account on the Website:
We will use your personal information to create and maintain your Prenetics Account record once you have registered;
to notify you about any changes to our Services and to send you service emails; when you make a purchase or attempt to make a purchase through the Website, we collect certain information from you and any other profile created against your account, including your name, gender, date of birth, email, phone number, ethnicity, passport / ID number, permanent address, delivery / self-isolation address (if applicable), and payment information (including credit card numbers).
When conducting On-site Testing (We receive your personal information from your Company if they have commissioned the testing or directly from you if you have purchased the test independently through our Services):
On arrival to confirm your booking for the test you will be required to provide your name identification for verification in order to register your test in our collection system.
If you have done the test independently Home-collection Testing:
Test-Kit through Self Collection: You will be required to provide your address for us to deliver the test kit for self-testing at home. You will complete a sample collection at home and return the sample to us by a Prenetics arranged courier collection or, by arrangement at one of our collection sites or by mail.
Test-Kit through Prenetics Collection: You will have to provide your address for our sample collection staff to arrive at your home to take your test.
To receive test results (depending on the Service you choose):
Tests done via your Company:
Your test results will be sent back to you via our secure online platform. Your account will be created by formal request of your Company’s designated administrator. The first time you log-in to the Application you will be asked to use your email address (as shared by your Company’s designated administrator) and set a password. Your initial log-in will require authentication via a one-time password (OTP) sent to your email.
If you are not using the online platform, you will receive results via email address or via your Company’s designated advisor.
Your results will be available to you via our secure online platform. You will log-in to your account and view all of the results available for your account and the linked profiles.
We have statutory duties of reporting notifiable diseases as per the Public Health (Control of Disease) Act 1984 and the Health Protection (Notification) Regulations 2010. The regulations state that all COVID-19 RT-PCR test positive, indeterminate, negative and void results from point of care testing (POCT) are mandated by law to be reported to Public Health England (PHE). In which case, we will also ask you for additional information required by the healthcare regulators for laboratory reporting purposes. To support the reporting of the required infectious diseases, PHE developed the Second-Generation Surveillance System (SGSS). This is the national surveillance system that holds all test results. To enable receipt of the reports, the following information about you will be required:
Your first name, surname, date of birth, gender, postcode, contact telephone number (preferably mobile), GP practice, contact email, ethnicity, your test result (such as COVID-19 +ve/-ve), test date and time.
Further, to manage our contractual relationship with you we will process the following categories of personal information about you:
Standard personal information: Your name; Your email address; Your mobile number; Your date of birth; Your contact details including address and postcode; Your photo (if you use the Health Passport).
Special Category Data to provide you with test results: Your test sample; Your COVID-19 test results; Your information from the Health Survey (only required for Health Survey users).
To process your personal information lawfully we need to rely on one or more valid legal grounds. All processing must be carried out in accordance with the Data Protection Act 2018, the GDPR and any associated codes of practice issued by the Information Commissioner's Office.
The grounds we may rely upon for the processing of your personal information include:
In order for us to provide our Services to you, we will share your personal information within the Prenetics Group companies that are based in and outside of the UK and the EEA. We will take appropriate steps to ensure that transfers of personal information are in accordance with applicable law, are carefully managed to protect your privacy rights and interests and limited to countries which are recognized as providing an adequate level of legal protection or where alternative adequate arrangements are in place to protect your privacy rights.
We will share your personal information with your Company; relevant health regulatory authorities such as Public Health England and Department for Health; our laboratories for analysing your test (when we send your sample to our laboratory, who adhere to strict clinical and industry standards for the analysis and processing of your results); healthcare practitioners;
We will also engage service providers such as logistics providers for the transporting of your sample to our laboratory and our database storage provider to securely store your information. Any Processors or other third-party service providers will be required to contractually comply with the principles and objectives of any Prenetics policies, information security, data protection and regulatory requirements to confirm that information will not be collected, used, shared, stored or otherwise for any purpose other than those instructed by Prenetics.
Prenetics is certified to ISO/IEC 27001:2013 Information Security Management System Standard and frequently reviews and implements physical, technical, and administrative measures to prevent information security incidents and to maintain the confidentiality, integrity and availability of information;
All Prenetics group entities are subject to a high standard of security and data protection protocols aligned to ISO 27001;
Network traffic to our application servers is TLS encrypted and access is controlled, restricted and password protected;
Samples will be securely transferred to our laboratory, which adheres to approved clinical and industry standards: ISO 15189 and ISO 27001 where it will undergo the relevant processing. A number of steps and protocols are administered to ensure that your sample is processed accurately, remains safe and as soon as your analysis is complete, is securely destroyed;
The data store is segregated and encrypted in transit and at rest;
People with access to your information will only see those parts relevant to their purpose;
Access to the web platform for test results and Health Passport status are secured by unique login, strong password and one-time password;
Your information will not be shared with anyone other than the intended recipient;
Anyone that processes information on our behalf will always be required by agreement to follow strict security protocols and maintain confidentiality and integrity.
When you place an order through the Website, we will maintain your personal information for our records unless and until you ask us to delete this information. Your information is held and securely stored on our database provided on the Amazon Web Services platform within the EU and Singapore.
We will retain your information for no longer than required in order to fulfil our contractual and legal obligations.
You may have the following rights in respect of your personal information being processed, however we note these rights may not be absolute:
The right to be informed: You have the right to be provided with clear and easy-to-understand information about how we use your personal information. This is why we are providing you this Notice and we may provide other forms of notice, as appropriate or required by law, in the Services.
The right of access: You have the right to access and receive a copy of personal information we hold about you.
The right to rectification: You have the right to correct or update your personal information if it is outdated, incorrect or incomplete.
The right to erasure: You can ask for the data we hold about you to be erased from our records.
The right to restrict processing: You can ask for us to restrict the way we process your data.
The right to data portability: You have the right to have the data we hold about you transferred to another organisation.
The right to object to processing: You may object to processing of personal information that is based on legitimate interest. You may withdraw consent for processing that is based on consent (this includes the right to opt out of direct marketing).
The rights in relation to automated decision making and profiling.
To exercise any of these rights, or to ask a question about these rights or any other provision of this statement, or about our processing of your personal information, please contact firstname.lastname@example.org.
If you would like to lodge a complaint about our service, please contact email@example.com.
You have the right to lodge a complaint about how we handle your Information with your relevant regulatory authority in terms of the applicable law that applies to you.
The European Commission
Online complaint procedure: https://ec.europa.eu/info/about-european-commission/contact/problems-and-complaints
Address: European Commission, Secretary-General
B-1049 Brussels, BELGIUM
The independent Data Protection Authority per member state
Website listing all DPA's per member state: http://ec.europa.eu/justice/article-29/structure/data-protection-authorities/index_en.htm
The Information Commissioner's Office
Tel: 0303 123 1113
We may update this notice from time to time. You should check this page occasionally to ensure you are happy with any changes to this notice. We may notify you of significant changes to this notice by email or through the relevant notification platform.