UK GDPR Data Protection and Privacy Policy

Policy No. 1

Introduction

The MPS Society supports children and adults with MPS, Fabry and related conditions. MPS Commercial (trading as Rare Disease Research Partners - RDRP) is a wholly owned, not for profit subsidiary of the MPS Society. RDRP’s social objectives are to reinvest any surplus to support the mission of the MPS Society to transform the lives of patients through specialist knowledge, support, advocacy and research.

Our success is dependent on the quality of our reputation and the trust that all those involved with or working for the MPS Society and RDRP have in the way we conduct ourselves. We are committed to doing our very best to ensure the security of our respective websites and the confidentiality of all the personal records we hold.

The MPS Society and RDRP appreciate the importance of demonstrating our adherence to the Data Protection Legislation. We aim to meet the expectations about the use and security of the personal information of all those on whom we hold such data. This includes, but is not restricted to, members, patients, supporters, beneficiaries, their respective families, clinicians, volunteers and staff.

Our respective websites will recognise the IP address of the individual at each visit to the website. All other personal information, including email addresses will only be collected and recognised where the individual has voluntarily provided the information, such as by completing an online form.

The MPS Society and RDRP are joint data controllers for the processing of any personal information. This policy is applicable to both organisations. The MPS Society and RDRP store such data on separate servers with access restricted to key personnel. Personal information may be shared between these organisations on the basis of legitimate interest. Any transfer of data will be made through encrypted email or password protected documents.

The MPS Society obtains consent from its members to share personal information with RDRP through its online membership form. This consent to share personal information in this way may be withdrawn at any time by the individual.

Where appropriate, RDRP has restricted access to membership data held by the MPS Society. RDRP may contact these members to ask if they would like to take part in projects that may be of interest to the community. Those wanting to take part in any such projects are asked to complete a separate project specific consent form. This explains how their personal information will be used.

Any information gained directly by RDRP from, or about research patients/respondents will not be transferred to the MPS Society but will remain under RDRP’s direct control.

1) What is personal data

2) Our commitment to each of the data protection principles is as follows:

a) We will process personal data in a lawful and fair way, so that those whose personal information is collected will have it used in a transparent way, with a clear explanation available for its use.

b) Our Annual Notification to the Information Commissioner’s Office (ICO) will be checked to ensure that it represents the current use of personal information by the MPS Society and RDRP. An audit will be carried out each year to achieve this. No data will be used for purposes other than those notified to the ICO. In the event that there is a requirement to change the usage of the data, all those about whom the data is held will be informed and given the opportunity to consent to this amendment.

c) Personal information will be adequate, relevant and not excessive for the purpose for which it is processed. Sufficient data will be obtained for clarity of recognition and to undertake the required administration of personal records. We will only hold the minimum of personal details required to achieve this.

d) Every effort will be made to keep records accurate and where necessary updated. Updates of personal records will be made within 28 days of change notification.

e) All personal information records will be retained as detailed in our Data Retention and Disposal Policy, available on request from the Data Protection Officer.

f) The MPS Society and RDRP give data security the highest priority. Appropriate measures are in place against unauthorised or unlawful processing and against accidental loss, destruction or damage.

3) Good practice

a) Personal information will only be processed when absolutely necessary.

b) Individuals about whom information is obtained will be informed of the purpose for which their data is held.

c) Records will be kept of the categories of personal and sensitive data processed.

d) Personal sensitive data, such as contact records, safeguarding records etc., is only accessible to those who have permission to view it.

e) Rules around the processing of special category and criminal offence data as set by the ICO are detailed in our Policy on Processing Special Category and Criminal Offence Data (1N) available on request from the Data Protection Officer.

f) Individuals about whom data is held have the right of ‘Subject Access’ to see and/or amend any relevant errors or omissions.

4) Notification

The MPS Society and RDRP have registered with the ICO as Joint Data Controllers.

In this respect, data subjects will be told of the data controllers’ identity and contact details. They will also be told why and how the data is being processed, and the legal basis for doing so, for example ‘consent’. In the case of legitimate interests, these will be specified.

Any breaches of this Policy will be dealt with according to the MPS Society/RDRP Employee Handbook, and may also be referred to the ICO for investigation.

5) UK GDPR definitions

Child means anyone under the age of 16, for which the consent of a parent/guardian is required. For RDRP the definition of a ‘Child’ may be determined as required by other jurisdictions, depending on where patients/participants are sourced for particular projects.

Data Subject refers to a living person whose personal data is processed. A person may be identified by name, ID, address or online identifier, or by factors such as physical, psychological, genetic, economic or social characteristics.

Data Subject Consent may be given by a written or oral statement, or by electronic means such as clicking a button. The data subject will be properly informed in a way which is clear, specific and explicit. They will be informed of how and where their personal data will be stored and of their rights as a data subject. Consent will be freely given. For RDRP this will also clarify the purpose of any research project.

Data Breach refers to unauthorised disclosure, alteration, destruction or loss of personal data. Breaches will be reported to the MPS Society’s/RDRP’s Data Protection Officer, who will assess whether the matter should be reported to the ICO. If this is the case, the ICO must be informed within 72 hours of the breach having been discovered. Whether this is required will be assessed on the basis of the likelihood and severity of the risk to the rights and freedoms of those affected. Similarly, an internal decision will be taken on whether or not to inform the data subjects of the breach.

Special Data Categories (previously known as sensitive data) refers to matters such as race, ethnic origin, beliefs, political opinions, trade union membership, genetics, biometric identification, health, sexual orientation and sex life.

The Data Protection Officer takes over-arching management of this area, whilst all employees, temporary staff, volunteers and sub-contractors take individual responsibility for the personal information in their care.

They report to the MPS Society’s Board of Trustees, and where appropriate to RDRP’s Board in respect of the development and implementation of the Customer Relationship Management System (CRMS). The day-to-day compliance of the Data Protection Policy is the responsibility of this Officer.

The Data Protection Officer will ensure that appropriate controls are in place to ensure that risk is kept to an acceptable level. They will carry out regular risk assessments to ensure on-going compliance and to identify areas where improvement is required. They will also oversee the requirement that data collected for one purpose is not subsequently used for another without appropriate consent being obtained.

Should any new technologies be incorporated, or any new data processing events be planned, then the Data Protection Officer or relevant Head of Department will review whether a Privacy Impact Assessment (referred to under the UK GDPR as a Data Protection Impact Assessment, DPIA) is required. The ICO may be contacted for advice in this instance.

The Data Protection Officer or their delegated Head of Department will approve all collection forms. They will also manage arrangements for the deletion/destruction of personal data in accordance with the MPS Society’s/RDRP’s Data Retention and Disposal Policy.

All staff and appropriate volunteers/consultants receive GDPR training at induction and every year following, as determined by the Data Protection Officer.

The Data Protection Officer is the first point of contact for all such employees who need guidance and must be informed immediately if there is any suspicion of a data breach.

6) Legitimate interests

We rely on legitimate interests as the lawful basis for some of the personal data we process in order to conduct and manage our organisation effectively and responsibly. We may process your data where the processing is necessary for our legitimate interests or the legitimate interests of a third party.

What our legitimate interests are

We have a legitimate interest in processing personal data for purposes including (but not limited to):

  • operating, improving and developing our services

  • communicating with you about our services and updates

  • ensuring IT and information security

  • preventing fraud, misuse and other unlawful activity

  • internal analytics and business planning

  • protecting our legal rights and interests

These interests are balanced against your rights and expectations as an individual and do not override your interests, rights or freedoms.

7) Third party

Every effort will be made to ensure that third parties are required to comply with this policy. Where applicable a data confidentiality agreement will be in place.

The MPS Society/RDRP may audit information held in respect of this.

8) Data subject awareness

Data subjects will be informed about how their information will be processed and this will be given at the time of data collection. As described above, this information will detail the Controllers’ identity, retention period and individual rights.

The purpose for the data collection by the MPS Society will be stated at the earliest opportunity before any personal information is collected.

For RDRP, the purpose of data collection and usage will be determined in the Participant Information and Consent Form relating to the recruitment of individuals for each particular research project; and the RDRP Use of Data Form in relation to individuals and their carers providing personal information for clinical trial logistics.

9) The rights of data subjects

Data subjects are notified that:

a) they have the right to make subject access requests about their personal data which is held and to rectify any errors/omissions. A data subject will be entitled to the following:

  • A copy of their personal data

  • The purpose of the processing

  • Any organisations to whom the MPS Society/RDRP discloses the data

  • A copy of recorded opinions about them, unless given in confidence

b) Any such information will be available within one month of the original request being received. No charge will be made for this provision. The request must be made on the MPS Society’s/RDRP’s Request Form for a Copy of Personal Data (Subject Access). This is available on request from the Data Protection Officer and also at the end of this policy.

10) Consent

As described above, consent for the processing of personal information must be:

a) Informed

b) Clear

c) Specific

d) Explicit

e) Freely given

This can be provided in a written statement such as a Consent Form, or by affirmative action such as an online ‘tick box’ offering an opt-in facility.

Consent can be withdrawn at any time.

11) Data security

All employees and those with accredited access to the personal information held by the MPS Society and RDRP are personally responsible for keeping it secure.

Storing and accessing personal data

This must be stored as appropriate in:

a) a locked room

b) a locked cabinet or drawer

c) an encrypted/secure online environment

Personal information on computer screens and terminals must not be visible other than to the MPS Society’s/RDRP’s authorised staff. Passwords must be used for computer access and changed periodically as determined by the Data Protection Officer.

No manual records may be removed from the Office without the written authorisation of either the Data Protection Officer or another member of the MPS Society’s/RDRP’s Senior Leadership Team. The Manual Document(s) Removal Record will be completed at all stages.

12) Disclosure of data

Employees and others with authorised access to the MPS Society’s/RDRP’s personal information must take steps to ensure that no such data is ever disclosed to friends, family members or anyone outside these organisations. No disclosure to government bodies or the Police may take place without the Data Protection Officer’s agreement, having taken legal opinion and/or advice from the ICO.

Disclosure is permissible in certain circumstances, such as in the interest of:

a) safeguarding national security

b) crime prevention and detection

c) discharging regulatory functions such as health and safety

d) preventing serious harm to a third party

e) protecting the vital interests of the data subject (i.e. in a life and death situation).

13) Data retention and disposal

This is determined on the basis of necessity and as documented in the Data Retention and Disposal Policy.

Manual records must be shredded and disposed of as confidential waste. Any removable or portable computer media (USBs/hard drives) must be destroyed as per the Data Retention and Disposal Policy.

14) Future policy

Whilst we do not envisage any alterations to this Policy, should circumstances, legislation or technology change, the MPS Society and RDRP may need to update this. In such an event, any revisions will be posted on the respective websites. Staff will receive adequate briefing of any revisions.

15) Complaints

These should be addressed to:

The Data Protection Officer, The MPS Society / Rare Disease Research Partners, MPS House, Repton Place, White Lion Road, Amersham, Bucks HP7 9LP

In the event that a complaint is not dealt with satisfactorily, the matter can be raised with the ICO, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF

16) Document owner

The Data Protection Officer is the owner of this policy document and must ensure that it is periodically reviewed according to the review requirements herein.

The latest version of this policy document dated 15.01.2026 is available to all employees of the MPS Society/RDRP on the Company server.

This policy document was approved under the MPS Society’s policy approval process on a version-controlled basis.

Name of GCEO: Bob Stevens Date: 15.01.2026

Society for Mucopolysaccharide Diseases (The MPS Society) & Rare Disease Research Partners

REQUEST FORM FOR A COPY OF PERSONAL DATA

(Subject Access)