@theathorn would you mind please reviewing the below "draft" privacy statement for LungMAP?
The HCA privacy statement has some "HCA" / "Human Cell Atlas Data Portal" specific wording that I have converted over to "LungMAP" and "LungMAP Data Portal" e.g. The Human Cell Atlas Data Portal is an unincorporated collaboration of the University of California, Santa Cruz and the Broad Institute without separate legal personality (the “HCA Data Portal”). This service is operated by the University of California, Santa Cruz and the Broad Institute..
I have adjusted the title to: Privacy Notice for LungMAP Data Portal Public Website to mirror the HCA privacy statement. The current LungMAP privacy title is Privacy Notice for LungMAP Data Browser Public Website <-- note the Data Browser reference. Please let me know if this is ok?
And lastly, what is the best contact email for LungMAP?
Many thanks, Fran.
Privacy Notice for LungMAP Data ~Portal~Browser Public Website
The LungMAP Data ~Portal~Browser is an unincorporated collaboration of the University of California, Santa Cruz and the Broad Institute without separate legal personality (the “LungMAP Data ~Portal~Browser”). This service is operated by the University of California, Santa Cruz and the Broad Institute.
This Privacy Notice explains what personal data is collected by the specific service you are requesting, for what purposes, how it is processed, and how we keep it secure. Note that this service collects personal data directly provided by the user, and also collects personal data from users that is provided by other organizations.
This statement is applicable to individuals using LungMAP Data ~Portal~Browser Services who are located in the European Economic Area (“EEA”).
1. Your Personal Data We Use
Information you provide directly: LungMAP Data ~Portal~Browser collects personal information about you called Personal Data. We collect the following data from users of the service, some of which may be personal data:
IP address
Client operating system
Browser version
Date and time of a visit to the service website
Statistics on web pages visited
Referrer header
If support (without logging in) is requested by users of the service we also collect:
Name
Email address
Organization
Organizational affiliation
Date and time when a support request is sent
If users login to the service we also collect:
Name
Email address
Organization
Organizational affiliation
Website avatar
Authorization refresh and access tokens
We also collect more sensitive information about you, with your explicit consent, where the processing is necessary to meet a legal or regulatory obligation, the processing is in connection with LungMAP establishing, exercising or defending legal claims, or is otherwise expressly permitted by GDPR. This sensitive information includes Aggregated transcriptomic and metadata, as well as individual-level transcriptomic and metadata [donor age, biological sex, disease, and sampled organ].
Log, Cookie and Device Data: We also collect log data, which is information collected whenever you visit a website. This log data includes your Internet Protocol address, device type, operating system, browser type and some settings, unique device identifiers, crash data, the date and time of your request, and information about how you used the Service.
Depending on how you are accessing the Services, we may also use “cookies” (small text files stored by your computer when you visit our website) or similar technologies. We use Google Analytics. Google Analytics uses cookies to help track the users visit to the site. In addition to log and cookie data, we also collect information about the device you’re using to access the Services, including what type of device it is, what operating system you are using, device settings, unique device identifiers and crash data.
Whether we collect some or all of this information often depends on what type of device you are using and its settings. For example, different types of information are available depending on whether you are using a Mac or a PC, or an iPhone or Android phone. To learn more about what information your device makes available to us, please also check the policies of your device manufacturer or software provider.
Information from Other Sources: We do not obtain information about you from other sources and we do not combine that information with information we collect from you directly.
We also obtain more sensitive information about you, with your explicit consent, where the processing is necessary to meet a legal or regulatory obligation, the processing is in connection with LungMAP establishing, exercising or defending legal claims, or is otherwise expressly permitted by GDPR.
2. How We Use Your Personal Data and the Lawful Basis for Such Processing
LungMAP Data ~Portal~Browser processes your Personal Data for the following purposes and bases:
To provide you with access to the service.
To develop, test and improve the service.
To communicate with you regarding support requests.
Processing and dealing with any complaints or inquiries made by you or legally on your behalf. We do this because it is in our legitimate interest as part of the services offered to you.
We may also be required to disclose your Personal Data to authorities who can request this information by applicable law.
In certain instances, we may be required to obtain your consent to collect and process your Personal Data for a specific purpose. This depends on the specific category of data collected and the intended use of the data. In these instances, the LungMAP Data ~Portal~Browser will inform you of the specific category of Personal Data that will be collected and the intended purpose of the collection, and will request that you affirmatively indicate that you consent to the intended collection of your Personal Data for that purpose, prior to collecting the data.
In these instances, if you do not consent to the collection and intended processing purpose, we will refrain from collecting and processing your Personal Data.
3. Recipients of Your Personal Data
LungMAP Data ~Portal~Browser may share your Personal Data with the following recipients:
Service Providers: Vendors that need access to your Personal Data in order to provide LungMAP Data ~Portal~Browser Services. AWS CloudWatch may collect Personal data for the purposes of logging and monitoring.
LungMAP Data ~Portal~Browser Partners and Collaborators: When permitted by law, LungMAP Data ~Portal~Browser may share Personal Data with ~EMBL-EBI~Cincinnati Children's Hospital Medical Center (CCHMC) in order to support the operation of the LungMAP Data ~Portal~Browser.
Public and Governmental Authorities: Entities that regulate or have jurisdiction over LungMAP Data ~Portal~Browser such as regulatory authorities, law enforcement, public bodies, and judicial bodies.
If your Personal Data is shared with a third party, we will require that the third party use appropriate measures to protect the confidentiality and security of your Personal Data.
We may also need to share your Personal Data as required to respond to lawful requests and legal process; to protect our rights and property and those of our agents, customers and others, including to enforce our agreements and policies; and in an emergency, to protect our institutions and the safety of our students, faculty and staff or any third party.
4. Security
The LungMAP Data ~Portal~Browser takes appropriate physical, administrative, and technical measures to protect Personal Data that are consistent with applicable privacy and data security laws and regulations.
5. Retaining and Deleting Your Personal Data
The LungMAP Data ~Portal~Browser will only retain your Personal Data for the duration necessary for the data collection purposes identified above unless there is a legal requirement to maintain it for a longer period. Logs are Retained at a minimum for a year to support on-demand audit review, reporting requirements, and after-the-fact security investigation.
6. International Transfer of Your Personal Data
In order to fulfill the intended processing purposes described above, your Personal Data will be transferred outside of the European Economic Area (EEA), specifically to the United States, which does not protect Personal Data in the same way that it is protected in the EEA. Your Personal Data will also be transferred to the ~EMBL-EBI, United Kingdom~Cincinnati Children's Hospital Medical Center (CCHMC).
We will undertake appropriate measures to ensure adequate protection of Personal Data, including utilizing appropriate physical, administrative, and technical safeguards to protect Personal Data, as well as executing standard contractual clauses approved by the European Commission or a supervisory authority under GDPR, or obtaining your consent, where appropriate.
7. Your Rights
As required by the General Data Protection Regulation and applicable EU Member State and EEA state law, if you are located in the European Economic Area, you have a right to:
Access your Personal Data, as well as information relating to the recipients of your Personal Data, the purposes of processing your Personal Data, the duration for which the Personal Data will be stored, and the source of Personal Data that has not been provided by you;
Rectify or correct inaccurate or incomplete Personal Data concerning you, taking into account the purposes of the processing, and the right to have incomplete Personal Data completed;
Move your Personal Data to another controller or processor. The LungMAP Data ~Portal~Browser will facilitate the lawful transfer of your data to the extent possible;
Have your Personal Data erased in certain circumstances;
Restrict the processing of your Personal Data in certain circumstances;
Object to the processing of Personal Data in certain circumstances;
Withdraw your consent to the processing of your Personal Data, should we ask for your consent for the processing of your Personal Data. The withdrawal does not affect the lawfulness of processing based on your consent before its withdrawal.
Know whether your Personal Data is being used for automated decision-making, including profiling. In those cases, we will give you meaningful information about the logic involved, the significance and the envisaged consequences of such processing for your data, and the right to request human intervention; and
Lodge a complaint with a supervisory authority.
We may be obligated to retain your Personal Data as required by U.S. federal or state law.
If you wish to exercise your rights, you can contact the LungMAP Data ~Portal~Browser contact identified below.
You may choose not to visit or use or participate in LungMAP Data ~Portal~Browser Services. If you choose not to share your Personal Data with us or LungMAP Data ~Portal~Browser third parties for LungMAP Data ~Portal~Browser Services your site usage will not be tracked and you will not be able to login to view controlled-access data. You will still be able to view and access open-access data. You may choose to set your web browser to refuse cookies or to alert you when cookies are being sent. If cookies are turned off the portal and browser will continue to function; however Google Analytics tracking will not function.
8. Questions and Complaints
If you have questions or complaints about our treatment of your Personal Data, or have a request to delete your data, please feel free to contact privacy@ucsc.edu.
Effective Date: This statement is effective as of June 13, 2022.
@theathorn would you mind please reviewing the below "draft" privacy statement for LungMAP?
The HCA privacy statement has some "HCA" / "Human Cell Atlas Data Portal" specific wording that I have converted over to "LungMAP" and "LungMAP Data Portal" e.g.
The Human Cell Atlas Data Portal is an unincorporated collaboration of the University of California, Santa Cruz and the Broad Institute without separate legal personality (the “HCA Data Portal”). This service is operated by the University of California, Santa Cruz and the Broad Institute..I have adjusted the title to:
Privacy Notice for LungMAP Data Portal Public Websiteto mirror the HCA privacy statement. The current LungMAP privacy title isPrivacy Notice for LungMAP Data Browser Public Website<-- note theData Browserreference. Please let me know if this is ok?And lastly, what is the best contact email for LungMAP?
Many thanks, Fran.
Privacy Notice for LungMAP Data ~Portal~Browser Public Website
The LungMAP Data ~Portal~Browser is an unincorporated collaboration of the University of California, Santa Cruz and the Broad Institute without separate legal personality (the “LungMAP Data ~Portal~Browser”). This service is operated by the University of California, Santa Cruz and the Broad Institute.
This Privacy Notice explains what personal data is collected by the specific service you are requesting, for what purposes, how it is processed, and how we keep it secure. Note that this service collects personal data directly provided by the user, and also collects personal data from users that is provided by other organizations.
This statement is applicable to individuals using LungMAP Data ~Portal~Browser Services who are located in the European Economic Area (“EEA”).
1. Your Personal Data We Use
Information you provide directly: LungMAP Data ~Portal~Browser collects personal information about you called Personal Data. We collect the following data from users of the service, some of which may be personal data:
If support (without logging in) is requested by users of the service we also collect:
If users login to the service we also collect:
We also collect more sensitive information about you, with your explicit consent, where the processing is necessary to meet a legal or regulatory obligation, the processing is in connection with LungMAP establishing, exercising or defending legal claims, or is otherwise expressly permitted by GDPR. This sensitive information includes Aggregated transcriptomic and metadata, as well as individual-level transcriptomic and metadata [donor age, biological sex, disease, and sampled organ].
Log, Cookie and Device Data: We also collect log data, which is information collected whenever you visit a website. This log data includes your Internet Protocol address, device type, operating system, browser type and some settings, unique device identifiers, crash data, the date and time of your request, and information about how you used the Service. Depending on how you are accessing the Services, we may also use “cookies” (small text files stored by your computer when you visit our website) or similar technologies. We use Google Analytics. Google Analytics uses cookies to help track the users visit to the site. In addition to log and cookie data, we also collect information about the device you’re using to access the Services, including what type of device it is, what operating system you are using, device settings, unique device identifiers and crash data.
Whether we collect some or all of this information often depends on what type of device you are using and its settings. For example, different types of information are available depending on whether you are using a Mac or a PC, or an iPhone or Android phone. To learn more about what information your device makes available to us, please also check the policies of your device manufacturer or software provider.
Information from Other Sources: We do not obtain information about you from other sources and we do not combine that information with information we collect from you directly. We also obtain more sensitive information about you, with your explicit consent, where the processing is necessary to meet a legal or regulatory obligation, the processing is in connection with LungMAP establishing, exercising or defending legal claims, or is otherwise expressly permitted by GDPR.
2. How We Use Your Personal Data and the Lawful Basis for Such Processing
LungMAP Data ~Portal~Browser processes your Personal Data for the following purposes and bases:
In certain instances, we may be required to obtain your consent to collect and process your Personal Data for a specific purpose. This depends on the specific category of data collected and the intended use of the data. In these instances, the LungMAP Data ~Portal~Browser will inform you of the specific category of Personal Data that will be collected and the intended purpose of the collection, and will request that you affirmatively indicate that you consent to the intended collection of your Personal Data for that purpose, prior to collecting the data.
In these instances, if you do not consent to the collection and intended processing purpose, we will refrain from collecting and processing your Personal Data.
3. Recipients of Your Personal Data
LungMAP Data ~Portal~Browser may share your Personal Data with the following recipients:
If your Personal Data is shared with a third party, we will require that the third party use appropriate measures to protect the confidentiality and security of your Personal Data.
We may also need to share your Personal Data as required to respond to lawful requests and legal process; to protect our rights and property and those of our agents, customers and others, including to enforce our agreements and policies; and in an emergency, to protect our institutions and the safety of our students, faculty and staff or any third party.
4. Security
The LungMAP Data ~Portal~Browser takes appropriate physical, administrative, and technical measures to protect Personal Data that are consistent with applicable privacy and data security laws and regulations.
5. Retaining and Deleting Your Personal Data
The LungMAP Data ~Portal~Browser will only retain your Personal Data for the duration necessary for the data collection purposes identified above unless there is a legal requirement to maintain it for a longer period. Logs are Retained at a minimum for a year to support on-demand audit review, reporting requirements, and after-the-fact security investigation.
6. International Transfer of Your Personal Data
In order to fulfill the intended processing purposes described above, your Personal Data will be transferred outside of the European Economic Area (EEA), specifically to the United States, which does not protect Personal Data in the same way that it is protected in the EEA. Your Personal Data will also be transferred to the ~EMBL-EBI, United Kingdom~Cincinnati Children's Hospital Medical Center (CCHMC).
We will undertake appropriate measures to ensure adequate protection of Personal Data, including utilizing appropriate physical, administrative, and technical safeguards to protect Personal Data, as well as executing standard contractual clauses approved by the European Commission or a supervisory authority under GDPR, or obtaining your consent, where appropriate.
7. Your Rights
As required by the General Data Protection Regulation and applicable EU Member State and EEA state law, if you are located in the European Economic Area, you have a right to:
We may be obligated to retain your Personal Data as required by U.S. federal or state law.
If you wish to exercise your rights, you can contact the LungMAP Data ~Portal~Browser contact identified below.
You may choose not to visit or use or participate in LungMAP Data ~Portal~Browser Services. If you choose not to share your Personal Data with us or LungMAP Data ~Portal~Browser third parties for LungMAP Data ~Portal~Browser Services your site usage will not be tracked and you will not be able to login to view controlled-access data. You will still be able to view and access open-access data. You may choose to set your web browser to refuse cookies or to alert you when cookies are being sent. If cookies are turned off the portal and browser will continue to function; however Google Analytics tracking will not function.
8. Questions and Complaints
If you have questions or complaints about our treatment of your Personal Data, or have a request to delete your data, please feel free to contact privacy@ucsc.edu. Effective Date: This statement is effective as of June 13, 2022.