Privacy notice

The Human Tissue Authority (HTA) is the regulator of human tissues and organs. We are a non-departmental public body of the Department of Health and Social Care. The HTA regulate licensed establishments via an Independent Assessor (IA). 

The HTA is a ‘Data Controller’ under the Data Protection Act (DPA) 2018. This means the HTA is responsible and is held accountable for processing your personal data in line with data protection legislation. 

• We obtain your valid consent to disclose further
• If the information is required by law or ordered by a court
• There is an overriding public interest to disclose.

There are seven key principles at the heart of the Data Protection Act 2018 and these form the basis upon which we will process your personal data. The principles are:

• Lawfulness, fairness and transparency

• Purpose limitation

• Data minimisation

• Accuracy

• Storage limitation

• Integrity and confidentiality(security)

• Accountability

You can read more about the data protection principles on the Information Commissioner’s Office (ICO) website. A guide to the data protection principles | ICO

The legislation listed below along with the HTA’s Codes of Practice and standards forms the basis of our regulation: 

The Human Tissue Act 2004 and associated Regulations

The Human Tissue (Quality and Safety for Human Application) Regulations 2007 (as amended)

The Quality and Safety of Organs Intended for Transplantation Regulations 2012 (as amended)

Human Transplantation (Wales) Act 2013

Human Tissue (Scotland) Act 2006 In accordance with the powers in Section 54, under the Human Organ and Tissue Live Transplants (Scotland) Regulations 2006, the HTA make decisions on all living organ donation transplants taking place in Scotland on behalf of Scottish Ministers.

These laws ensure human tissue is used safely, ethically and with valid consent. Consent is a fundamental principle of the legislation. 

Paragraph 7 of Chapter 2, within Part 2, to the Data Protection Act 2018 says that, as a government body, the HTA may process personal data as necessary for the effective performance of a task carried out in the public interest.

We will always identify the lawful basis on which your personal information is processed as defined by Article 6 and 9 of the UK GDPR. Please see the individual sections for the purposes of processing personal data throughout this privacy notice which identity the legal basis for processing.

'The HTA's legal framework’ section provides the list of legislation and Codes of practice to which we comply. 

Under data protection legislation you have a number of rights regarding how your personal data is processed:

The right to be informed: With regards to the collection and use of your personal data you have the right to request what information the HTA holds about you.

The right of access: More commonly known as a Subject Access Request (SAR), you have the right to have access to your personal data and to request a copy including supplementary information.

The right to rectification: If the personal data we hold about you is inaccurate or incomplete you are entitled to have it rectified under reasonable circumstances.

The right to erasure: This is not an absolute right and only applies in certain circumstances.  

The right to restrict processing: We can continue to store your personal data but not process it any further. This will only apply in certain circumstances.

The right to data portability: This allows us to move, copy, transfer personal data easily in a safe and secure way and without hinderance. 

The right to object: Allows you to object to the processing of your personal data, exceptions and limitations apply.  

The right to withdraw consent: If you have provided consent for the HTA to process your personal data.

Rights in relation to automated decision making and profiling: The HTA does not use automated decision-making as standard practice. 

Under the DPA 2018 The HTA has a calendar month to respond to your request. If you wish to exercise your rights, please contact the HTA either by

Email: dataprotectionofficer@hta.gov.uk or

Post: Human Tissue Authority 
2nd floor, 2 Redman Place 
Stratford, London 
E20 1JQ

In addition to the above individual information rights, you also have the right to contact the Information Commissioners Office (ICO) if you feel your personal data has not been processed fairly or within the confines of data protection legislation. 

Wycliffe House 
Water Lane 
Wilmslow 
Cheshire 
SK9 5AF

Tel: 0303 123 1113

Website: www.ico.org.uk 

The National Data Opt-Out policy allows individuals to opt-out of having their confidential patient information shared for purposes beyond their direct care. The HTA must consider national data opt-outs when processing data for purposes beyond individual care in line with the wider policy. The National Data Opt-Out policy does not apply for disclosure of information relating to living organ donation decisions and serious adverse events and reactions notifications. For further information see National Data Opt-Out - NHS England Digital 

We need to process personal information about you so that we can perform our regulatory functions. 

Please see the individual sections within this privacy notice which provide the HTA’s purposes of processing personal data, the data processed and the legal basis which allows us to process this information. 

• Licence contacts
• Organ Donation and Transplantation
• The Duty to Report
• Bone Marrow and Peripheral Blood Stem Cell (PBSC) donations
• Job applicants
• Newsletter subscribers
• General enquiries

The HTA regulates the donation of organs in the UK from living people by making the decision on whether the donation can go ahead, based on criteria set out in law. 

The HTA’s role is to provide an independent check to help protect the interests of living organ donors. They ensure each individual donor has an opportunity to speak freely to someone not connected with the transplant unit in order to confirm that: 

a. If they have a reasonable suspicion that an organ donation and transplantation-related offence may have been committed or

b. If they are made aware that a patient has received an organ transplant outside the UK.

Based on the information that clinicians are required to report, we will receive and process data about the reporting clinician. This includes their name, contact details, position and place of work. We will also receive and process personal and sensitive data about donors, potential donors, recipients, intended recipients and other person(s) who may have been involved in commissioning an organ donation and transplant-related offence. The data may include:

• Information about the individuals involved (including their name, date of birth, age, gender and countries of legal citizenship or residency)

• Medical history

• Medical and clinical suitability to donate or receive an organ.  

Our legal basis for processing this personal information is: 

When you subscribe to our newsletter, you provide your consent to receive this form of communication under the Privacy and Electronic Communications Regulations. It is our legitimate interest to process the personal data you provide in the subscription process. This data will not be processed for any other purpose than to send you our newsletter and you can unsubscribe at any time using the unsubscribe link included in every newsletter. When you unsubscribe, your personal data will be automatically removed from the newsletter distribution system. 

We use MailChimp who are owned by Intuit, to provide this service and they process your personal data on our behalf. You can read the Intuit privacy notice here Global Privacy Statement | Intuit. 

Intuit operate in the United States, so your information is transferred to, stored and processed in the United States. Intuit participate in and certify their compliance with the UK Extension to the EU-US Data Privacy Framework and you can view their certification here: - Data Privacy Framework. 

The HTA has a statutory obligation to provide information to the public and professionals working in the sectors that we regulate. One of the ways we do this is by responding to enquiries. When you make an enquiry we will process your name, contact details and the nature of the enquiry. The nature of the enquiry may contain personal data and special category data if you provide that information to us. 

The HTA values the personal information entrusted to us and we make sure that we abide by the law when we process it. We also:

• Make sure that only those people who have a need to do so process personal data.

• Encrypt data using a number of encryption algorithms including: FIPS 140-2; Common Criteria EAL2+; and Intel Advanced Encryption Standard-New Instructions (AES-NI)

• Consider security and privacy at the outset of any new project where we are planning to hold or use personal information in new ways and continue to review existing systems to ensure they comply with new laws.

• Train our staff in how to handle personal information, maintain proper oversight of our information assets and respond appropriately if information is not used or protected properly. 

Outside of specific exemptions under data protection legislation, your personal data will only be retained for as long as is necessary to meet the purpose it was collected. We will not destroy records which may be relevant to ongoing inquiries.

All records are destroyed confidentially once their retention period has been met and the HTA has made the decision that the records are no longer required. To determine appropriate retention periods for different types of data, we consult relevant laws and best practice guidance (e.g. National Archives) 

A Data Protection Officer (DPO) is a role required by current data protection laws for public bodies. DPO’s are responsible for overseeing data protection strategy and implementation to ensure compliance with data protection obligations. 

For enquiries about data protection please email: dataprotectionofficer@hta.gov.uk