Data Protection and Privacy Policy

Learn more about CEPI's overarching policy for data protection and privacy.

1. Introduction

1.1 This policy is the overarching policy for data protection and privacy for The Coalition for Epidemic Preparedness Innovations (“CEPI”).

2.    Objective

2.1.    This policy sets out how CEPI:
a)    complies with its data protection obligations under the General Data Protection Regulation (2016) and all other applicable national legislation; and
b)    seeks to protect the personal data of individuals.
2.2.    This policy is intended to ensure that staff understand and comply with the rules governing the collection, use, retention, and deletion of any personal data to which they may have access during their work.

3.     Scope

3.1.    This policy covers all personal data that CEPI might process during the course of its activities, whether in hard copy or digital form, including special categories of data.
3.2.    This policy applies to all employees, consultants, and other persons who process personal data on behalf of CEPI.
3.2.1.    Any individual or entity who processes personal data on behalf of CEPI must follow this policy in accordance with the relevant provisions of their contract of engagement.
3.3.    Individuals should refer to CEPI’s privacy notices and other relevant policies for specific information and guidance regarding the protection of personal information in specific contexts, such as:
a)    Data retention
b)    Employment
c)    Information security
d)    International data transfers
e)    Monitoring
f)    Special category data
g)    Use of the Internet, electronic communications, and social media


4.    Definitions

4.1.    For the purposes of this policy:
4.1.1.    CEPI means the Coalition for Epidemic Preparedness Innovations, the Coalition for Epidemic Preparedness Innovations UK Limited, and the Coalition for Epidemic Preparedness Innovations U.S.
4.1.2.    Data means information in many forms. Examples include, but are not limited to, paper documents, electronic documents (databases, emails, presentations, spreadsheets), or information contained in spoken conversations.
4.1.3.    Data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
4.1.4.    Data subject means the identifiable natural person to whom specific personal information relates.
4.1.5.    Employee means any individual directly employed by CEPI or engaged on a consultancy basis; this includes individuals employed via Professional Employer Organisations.
4.1.6.    GDPR means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, or the “General Data Protection Regulation”.
4.1.7.    Identifiable natural person is a living individual who can be identified, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
4.1.8.    Personal data means any information that relates to an identified or identifiable natural person.
4.1.9.    Processing data means obtaining, recording, organising, storing, amending, retrieving, disclosing and/or destroying information, or using or doing anything with it.
4.1.10.    Special category data means sensitive personal data, as defined in Article 9 of the GDPR and includes personal data relating to an individual’s racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.

5.    Policy statement

5.1.    CEPI statement of principles

5.1.1.    The overall purpose of data privacy regulations and policies is to protect the rights and freedoms of individuals and in particular the right to the protection of their personal data. As such: 
a)    CEPI, as a publicly funded organization that operates globally, considers the privacy of individuals and the protection of their personal information to be of the utmost importance. 
b)    CEPI will always process personal data in a way that ensures that the individual’s rights are safeguarded.
c)    CEPI is committed to processing personal data in accordance with the principles of the GDPR and all applicable national legislation.

5.2.    Data protection principles

5.2.1.    In practice, the statement in paragraph 5.1.1 means that CEPI will process personal data in accordance with the following principles regardless of what jurisdiction it is operating in:
a)    CEPI will process personal data lawfully, fairly, and in a transparent manner.
b)    CEPI will collect personal data for specified, explicit, and legitimate purposes only; and will not process it in a way that is incompatible with those legitimate purposes.
c)    CEPI will only process personal data that is adequate, relevant, and necessary for the relevant purposes.
d)    CEPI will keep accurate and up to date records and take reasonable steps to ensure that inaccurate personal data is corrected or deleted without undue delay. 
e)    CEPI will keep personal data for no longer than is necessary for the purposes for which the information was gathered and is processed.
f)    CEPI will take appropriate technical and organisational measures to ensure that personal data is kept secure and protected against unauthorised or unlawful processing, and against accidental loss, destruction, or damage.
g)    CEPI will ensure that any third parties with whom it shares personal data will operate in a manner that is consistent with applicable data protection laws and regulations, as set out in CEPI’s Third Party Code of Conduct.

5.3.    Rights of the Data Subject

5.3.1.    CEPI will always uphold the following rights of the data subject:
a)    The right to be informed
b)    The right of access
c)    The right to rectification
d)    The right to erasure
e)    The right to restrict processing
f)    The right to data portability
g)    The right to object
h)    Rights in relation to automated decision making and profiling.

5.4.    Organisational measures

5.4.1.    CEPI will establish and maintain policies and procedures to ensure compliance with the principles and protection of the rights mentioned above. 
5.4.2.    CEPI will establish a data protection and privacy procedure, which will detail how employees are to comply with this policy and the data protection principles in practice.
5.4.3.    Compliance with this policy will be monitored through the Internal Audit and Assurance group activities in accordance with the Annual Internal Audit and Assurance Plan, as agreed with CEPI Senior Management. Compliance by third parties engaged or funded by CEPI will be monitored through CEPI’s risk-based Partner Assurance programme.  
5.4.4.    CEPI will conduct periodic risk assessments and update its policies and procedures accordingly to ensure continued compliance with this policy and all other legal requirements. 
5.4.5.    CEPI employees, and other relevant individuals, shall receive appropriate training on this policy and associated procedures, as appropriate to their role.  

6.    Data protection principles

6.1.    Accuracy

6.1.1.    CEPI shall take all reasonable steps to ensure the personal data it processes are accurate. 
6.1.2.    Where it is necessary for the lawful basis upon which data are processed, steps shall be put in place to ensure that personal data are kept up to date.
6.2.    Adequate, relevant, and limited to what is necessary
6.2.1.    CEPI shall ensure that any personal data it processes are adequate, relevant, and limited to what is necessary for the purposes for which they are processed. 

6.3.    Breach reporting

6.3.1.    In the event of a data breach as defined in paragraph 4.1.3 above, CEPI shall, without undue delay:
a)    assess the risk to individuals’ rights and freedoms; 
b)    where appropriate, notify the relevant supervisory authority; and
c)    where appropriate, notify the data subject.

6.4.    International data transfers

6.4.1.    CEPI may transfer personal data to internal or third-party recipients located in another country.
6.4.2.    Subject to paragraph 6.4.3, CEPI will only transfer data to a country that is recognised as having an adequate level of legal protection for the rights and freedoms of the relevant data subjects.
6.4.3.    Where transfers need to be made to countries lacking an adequate level of legal protection (third countries not covered by an adequacy decision), they must be made in compliance with an approved transfer mechanism as detailed in the data protection and privacy procedure.

6.5.    Lawful, fair, and transparent processing 

6.5.1.    Individuals have the right to access their personal data, and any such requests shall be dealt with in a timely manner (see paragraph 8 below).
6.5.2.    To ensure that processing of personal data is lawful, fair, and transparent, CEPI will maintain a Record of Processing Activities and a Register of Systems.
6.5.3.    The Record of Processing Activities and the Register of Systems shall be reviewed regularly, and at least once annually.

6.6.    Lawful purposes

6.6.1.    All personal data will be processed by CEPI on one of the following legal bases:
a)    Consent
b)    Legal obligation
c)    Vital interests
d)    Public task
e)    Legitimate interest of CEPI
6.6.2.    CEPI shall log the appropriate basis for each category of personal data in the Record of Processing Activities. 
6.6.3.    Where consent is relied upon as a lawful basis for processing data, evidence of an individual’s opt-in consent shall be stored with the personal data. 
6.7.    Security
6.7.1.    CEPI shall ensure that personal data are stored securely and shall implement technical and organisational measures to ensure a level of security that is appropriate to the risk of the processing.
6.7.2.    Access to personal data shall be limited to the personnel who need access and appropriate security measures shall be put in place to avoid the unauthorised sharing of personal data. 
6.7.3.    When personal data is deleted, this shall be done securely and in such a way that the data are irrecoverable. 
6.7.4.    CEPI shall ensure that appropriate back-up and disaster recovery solutions are in place.

6.8.    Special category data

6.8.1.    If CEPI processes any sensitive personal data or criminal records data, it will keep written records of:
a)    the relevant purpose(s) for which the processing takes place, including (where required) why it is necessary for the purpose;
b)    the lawful basis for processing; and
c)    whether CEPI retains and erases the personal information in accordance with its retention policy and, if not, the reasons for not doing so.
6.8.2.    Employees shall follow the process laid out in the data protection and privacy procedure when handling special category or criminal records data. 

6.9.    Storage/deletion

6.9.1.    To ensure that personal data are kept for no longer than is necessary, CEPI shall put in place a storage and retention policy and this process shall be reviewed annually. 
6.9.2.    The storage and retention policy shall consider what data should be retained, for how long, and why.


7.    Data protection by design and by default 

7.1.    CEPI will ensure appropriate technical and organisational measures are in place to effectively uphold the principles outlined in paragraph 5.2.1 and safeguard the individual rights outlined in paragraph 5.3.1. This will include:
a)    integrating the necessary safeguards into any new data processing activity to meet regulatory requirements and to protect individuals’ rights;
b)    considering the nature, scope, purpose, and contents of any processing; and
c)    considering the risks to the rights and freedoms of individuals posed by the processing.
7.2.    CEPI shall uphold the principles of data protection by design and by default from the beginning of any new data processing activity, including in the planning and implementation of any new data process.
7.2.1.    This will include, where appropriate, carrying out a data protection impact assessment. 
7.3.    All existing data processing shall be recorded in CEPI’s Record of Processing Activities.
7.4.    By adhering to the principles in paragraph 5.2.1 as its default position, CEPI ensures that individuals are protected against privacy risks.

8.    Rights of the data subject

8.1.    The data subject will, among other rights, always have the right to be informed of the following in relation to their personal data:
a)    The purposes of the processing.
b)    The categories of personal data concerned.
c)    The recipients or categories of recipient to whom the personal data have been, or will be, disclosed, particularly recipients in third countries or international organisations.
d)    Where possible, the expected period for which the personal data will be stored, or, if not possible, the criteria used to determine that period.
e)    The existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing.
f)    The right to lodge a complaint with a relevant supervisory authority.
g)    Where the personal data are not collected from the data subject, any available information as to their source.
h)    The existence of automated decision-making, including profiling, and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
8.2.    Any inquiries regarding the rights of an individual data subject, including the wish to exercise such rights, should be sent to [email protected].

9.    Responsibilities

9.1.    The Director of Governance, Risk and Compliance is responsible for the overall data protection framework. 
9.1.1.    CEPI has appointed a Senior Data Protection Manager, who is responsible for the day-to-day management of data protection activities within CEPI and ensuring that these activities comply with this policy.
9.2.    Individuals are responsible for helping CEPI keep the personal data it holds up to date. 
9.2.1.    Employees and other individuals engaged by CEPI should let HR know if the information they have provided to the organisation changes, for example through moving house or changing name. 
9.2.2.    In the case of employees, this information can be updated on a secure basis using the My HR platform within Salesforce.
9.3.    Employees might have access to the personal data of other members of staff, consultants, suppliers, and other third parties in the course of their employment or engagement. 
9.3.1.    If so, CEPI expects employees to assist in meeting its data protection obligations in relation to those individuals. 
9.3.2.    Further details on what is expected of employees and how they are to comply with this policy in practice can be found in CEPI’s data protection and privacy procedure.

10.    Failure to comply

10.1.    CEPI takes compliance with this policy seriously. Failure to comply with this policy and associated procedures:
a)    puts data subjects at risk;
b)    carries the risk of substantial civil and criminal sanctions for the individual and CEPI; and
c)    may, in certain circumstances, amount to a criminal offence by the individual. 
10.2.    Due to the importance of this policy and the severity of the potential consequences of any breach, an employee’s failure to comply with any requirement of this policy may lead to disciplinary action under CEPI’s procedures. Such action may lead to dismissal for gross misconduct, or to termination of the individual’s contract.