Privacy Policy

---

Data Privacy, Security & Clinical Governance Statement

At MultiOmics Intelligence Ltd, we are committed to protecting sensitive health, molecular, genetic, and clinical data. Our Integrated Multi-Omic Health Report Platform is designed to support healthcare partners by extracting structured findings from pseudonymised health and molecular reports, organising those findings into biological domains, and generating clinician-reviewable integrated reports.

Our approach is built around privacy, security, transparency, data minimisation, human oversight, and clinical governance. We process only the information required for the agreed reporting workflow, and we do not require direct patient identity information for report generation.

Our workflows are designed to support UK GDPR-aligned processing, subject to formal Data Processing Agreements, approved security controls, and partner-specific governance review before any live patient data processing begins.

MultiOmics Intelligence does not provide medical diagnosis, prognosis, treatment recommendations, prescribing advice, or emergency medical advice. Our platform supports the extraction, organisation, and biological interpretation of pseudonymised report findings for clinician review.

All outputs are intended to support, not replace, qualified clinical judgement. Final interpretation, patient communication, and any clinical decisions remain the responsibility of the healthcare partner and their designated clinicians.

When working with healthcare partners, MultiOmics Intelligence Ltd acts as a Data Processor. The healthcare organisation, clinic, hospital, laboratory, or health provider remains the Data Controller.

The Data Controller determines the purpose of processing, the lawful basis, the special category condition, patient communication, consent where applicable, and the handling of patient data rights.

MultiOmics Intelligence processes data only on documented instructions from the Data Controller and only for the agreed purpose of preparing clinician-reviewable integrated reports.

No live patient data is processed until a formal Data Processing Agreement has been reviewed and executed by both parties.

AreaResponsibilityData ControllerHealthcare partnerData ProcessorMultiOmics Intelligence LtdPurpose of processingDefined by healthcare partnerLawful basisDetermined by healthcare partnerSpecial category conditionDetermined by healthcare partnerPatient identity mappingRemains with healthcare partnerReport reviewDesignated clinician / healthcare partnerLive data processingOnly after DPA execution

The platform is designed to process pseudonymised case data rather than direct patient identity information.

Pseudonymised data may still constitute personal data under UK GDPR where it can be re-linked to an individual by the healthcare partner or another authorised party. Therefore, all pseudonymised health, genetic, molecular, and clinical data is handled as protected personal data.

The healthcare partner remains responsible for managing the identity-to-case mapping and ensuring that files are appropriately pseudonymised before submission.

Health, genetic, molecular, and clinical data may be considered special category data under UK GDPR.

The healthcare partner, as Data Controller, is responsible for identifying and documenting the appropriate UK GDPR Article 6 lawful basis and Article 9 special category condition for processing.

MultiOmics Intelligence processes such data only under documented controller instructions and within the scope of the agreed Data Processing Agreement.

MultiOmics Intelligence processes only the information required to generate integrated, clinician-reviewable health reports.

The platform is designed to work with pseudonymised molecular, clinical, laboratory, and health-related report data submitted by healthcare partners. The exact data categories depend on the reports provided and the agreed reporting workflow.

Not every case includes all categories. We process only the data contained in submitted reports and only the fields required for structured extraction, biological interpretation, quality review, and clinician sign-off.

Data CategoryExamplesHow It Is HandledPseudonymous case identifiersCase ID, internal report reference, non-identifying patient codeUsed to manage the case without storing direct patient identity. Identity mapping remains with the healthcare partner.Genetic and genomic findingsGene names, genetic variants, zygosity, variant classification, pharmacogenomic markersTreated as highly sensitive health/genetic data. High-risk findings require clinician review.Molecular biomarker findingsBlood biomarkers, inflammatory markers, metabolic markers, disease-associated biomarkersUsed for structured extraction, biological interpretation, and report generation. Not used as standalone diagnosis.Omics-derived report findingsGenomics, transcriptomics, proteomics, metabolomics, epigenomics, microbiome, or other molecular profiling outputsProcessed only where included in submitted reports and required for integrated interpretation.Clinical laboratory resultsBiomarker values, units, reference ranges, abnormal flags, laboratory interpretationsExtracted from source reports and organised into structured fields for review.Health risk and predictive scoresRisk categories, relative risk values, biological age outputs, prevention-related indicatorsUsed to support clinician-reviewed discussion points, not autonomous medical decisions.Lifestyle and questionnaire-derived informationSleep, diet, exercise, alcohol, smoking, stress, or other health-related informationProcessed only where provided in submitted reports and relevant to interpretation.Source report documentsOriginal PDFs or structured files submitted by the healthcare partnerStored securely and retained according to the Data Processing Agreement.Extracted structured dataKey findings extracted from source documentsUsed for report generation, quality review, and clinician sign-off.Audit and workflow logsTimestamps, user actions, case reference, review status, sign-off statusUsed for security, traceability, and governance. Clinical content is minimised in logs where possible.

The platform does not require direct patient identifiers for report generation.

We do not intend to process:

patient names
home addresses
national identification numbers
phone numbers
personal email addresses
financial details
photographs

The intended workflow uses pseudonymised case identifiers. The healthcare partner remains responsible for managing the identity-to-case mapping and for submitting appropriately pseudonymised files.

MultiOmics Intelligence may perform intake checks to identify obvious residual identifiers in filenames, metadata, or visible document headers before processing continues.

Our workflow is designed to support structured, traceable, and clinician-reviewed report preparation.

The healthcare partner submits pseudonymised source reports through an agreed secure method.

Files are checked for format, case reference, and obvious residual identifiers.

Relevant findings are extracted from source reports into structured fields.

The AI-assisted processing environment supports organisation, summarisation, and cross-report biological interpretation.

Extracted findings are checked for completeness, consistency, and traceability.

A qualified clinician reviews the draft report, findings, priorities, and interpretation.

The report is approved before patient-facing use or delivery.

The final report is delivered through an agreed secure method.

Data is retained, returned, or securely deleted according to the Data Processing Agreement.

MultiOmics Intelligence uses an AI-assisted processing environment to support structured extraction, organisation, and cross-report biological interpretation of pseudonymised report findings.

The AI layer supports workflow efficiency, consistency, and report preparation. It does not make autonomous diagnoses, determine treatment, prescribe medication, or replace clinical judgement.

Final reports require human review and clinician sign-off before delivery or patient discussion.

PrincipleMeaningHuman oversightAI-assisted outputs are reviewed before report delivery.No autonomous diagnosisThe system does not diagnose disease or prescribe treatment.Pseudonymised processingDirect patient identity is not required for AI-assisted processing.Traceable outputsFindings are linked back to source reports where possible.Clinical responsibilityFinal interpretation remains with qualified healthcare professionals.

Our platform is designed with technical and organisational measures to protect sensitive health and molecular report data.

Security ControlDescriptionPseudonymisationCases are processed using pseudonymous identifiers rather than direct patient identity.Encryption in transitSecure encrypted transfer methods are used for patient-related files.Encryption at restStored files and structured data are protected using encrypted storage.Role-based accessAccess is limited according to role and need-to-know basis.Multi-factor authenticationMFA is required for users accessing patient-related workflows.Audit loggingKey user actions, timestamps, review steps, and sign-off events are logged.Data minimisationOnly information needed for the agreed reporting workflow is processed.Secure deletionData is deleted, returned, or retained according to the Data Processing Agreement.Human review gatesDraft outputs require review before final delivery.Partner-controlled identity mappingThe healthcare partner retains the link between case ID and patient identity.

Before live patient data processing begins, the healthcare partner may be required to complete a Data Protection Impact Assessment.

MultiOmics Intelligence can support this process by providing information about data flows, security controls, sub-processors, AI-assisted processing, retention, deletion, human review safeguards, and clinical governance measures.

Where required, live processing will not begin until appropriate risk assessment and governance review steps have been completed.

Where approved sub-processors are used, they will be disclosed to the healthcare partner before live processing.

Any sub-processor access will be governed by appropriate contractual, security, confidentiality, and data protection obligations.

Where any data transfer outside the United Kingdom occurs, appropriate UK GDPR transfer safeguards will be assessed and documented before processing begins.

The Integrated Multi-Omic Health Report Platform is designed to support healthcare professionals, not replace them.

AI-assisted processing helps organise and interpret information from multiple source reports, but all final report outputs should be reviewed by a qualified clinician before being used in patient consultation or clinical decision-making.

Potentially significant findings, such as pathogenic or likely pathogenic genetic variants, are highlighted for clinician attention.

The clinician reviews extracted findings, integrated interpretation, and proposed priority areas.

No report should be delivered for patient-facing use until it has been reviewed and approved.

AI assists with extraction, organisation, and draft interpretation of report findings. A qualified clinician remains responsible for reviewing, modifying where necessary, and approving any report before it is delivered for patient discussion.

MultiOmics Intelligence does not replace emergency, diagnostic, prescribing, or treatment decision-making by qualified healthcare professionals.

Retention and deletion schedules are agreed with each healthcare partner through the Data Processing Agreement.

As a principle, MultiOmics Intelligence retains data only for as long as required to provide the agreed service, support quality review, maintain auditability, and meet contractual or legal obligations.

Data TypeRetention ApproachSource reportsRetained according to the DPA or securely deleted after the agreed period.Extracted structured dataRetained only for the agreed reporting and governance period.Final reportsRetained according to agreed clinical audit and service requirements.Audit logsRetained for security, traceability, and governance.End of partnershipData is returned or securely deleted according to the DPA.Deletion requestProcessed following verified instruction from the Data Controller.

The healthcare partner remains responsible for managing patient data subject rights as the Data Controller.

MultiOmics Intelligence supports the Data Controller by helping locate, correct, export, restrict, or delete case-level data held within the agreed processing environment, subject to the terms of the Data Processing Agreement and applicable legal requirements.

Right or ObligationOur SupportAccessProvide case-level data held by MultiOmics Intelligence where requested by the Controller.RectificationCorrect inaccurate extracted data following verified instruction.ErasureDelete relevant case-level data according to the DPA and legal requirements.RestrictionSupport restriction of processing where required.Audit supportProvide relevant evidence of security and governance controls.Breach supportNotify and assist the Controller according to agreed contractual terms.

Before any live patient data is processed, a formal Data Processing Agreement must be reviewed and executed by both parties.

The Data Processing Agreement will include UK GDPR Article 28 processor terms, including documented processing instructions, confidentiality, security measures, sub-processor controls, assistance with data subject rights, breach support, deletion or return of data, audit support, and processing only for the agreed purpose.

MultiOmics Intelligence Ltd is reviewing and completing its ICO data protection fee registration requirements before any live patient data processing begins.

Once completed, this page will be updated to confirm the company’s ICO registration status as a UK data protection fee payer, where applicable.

Before any live patient data is processed, key governance, security, and operational steps must be agreed between MultiOmics Intelligence and the healthcare partner.

RequirementDescriptionData Processing AgreementA formal DPA must be reviewed and executed by both parties.Processing purposeThe healthcare partner confirms the purpose and scope of processing.Lawful basisThe healthcare partner confirms the applicable lawful basis.Special category conditionThe healthcare partner confirms the applicable special category condition.Pseudonymisation processThe partner confirms how case IDs are generated and identity mapping is managed.Secure submission methodBoth parties agree the secure transfer method.Infrastructure confirmationHosting, access, and security arrangements are confirmed.Sub-processor disclosureAny relevant third-party infrastructure or processing providers are disclosed where required.International transfer reviewAny transfer outside the UK is assessed and documented where applicable.DPIA supportDPIA information is provided where required by the healthcare partner.Clinician reviewer onboardingThe partner identifies the clinician or team responsible for review and sign-off.Dry-run testingA test workflow may be completed using dummy, synthetic, or consented test data.Retention scheduleRetention, deletion, and audit requirements are agreed in the DPA.ICO data protection fee registrationRegistration status will be confirmed before live patient data processing begins, where applicable.

Healthcare partners may request additional documentation to support internal due diligence, compliance review, and onboarding.

Available or planned documents may include:

Data Privacy & Security Summary
Draft Data Processing Agreement
Security questionnaire responses
Data flow summary
Technical workflow summary
Clinical governance summary
Retention and deletion schedule
Sub-processor schedule
AI-assisted processing summary
DPIA support information

For healthcare partner due diligence, DPA requests, or technical security questions, please contact:

info@multiomicsintelligence.co.uk

Subject line: Partner Data Security Review

For data privacy, security, DPA, or healthcare partnership enquiries, please contact:

MultiOmics Intelligence Ltd
Website: www.multiomicsintelligence.co.uk
Email: info@multiomicsintelligence.co.uk
Location: London, United Kingdom

This statement describes the intended privacy, security, and clinical governance approach for MultiOmics Intelligence Ltd healthcare partner workflows. It does not replace a formal Data Processing Agreement, partner-specific due diligence, legal review, clinical governance review, or regulatory assessment.