CODE OF ETHICS AND BUSINESS CONDUCT
This Code of Ethics and Business Conduct (this “Code”) applies to all directors, officers and full-time, part-time, temporary/intermittent and contract employees (collectively, “Employee” or “Employees”) of Explorer Holdings, Inc., eResearchTechnology, Inc. and its subsidiaries (collectively, “ERT”). We require the highest standards of professional and ethical conduct. Our reputation for honesty and integrity among our customers, employees, vendors, and stockholders is key to the success of our business. This Code reflects our commitment to a culture of honesty, integrity and accountability and outlines the basic principles and policies with which all employees, officers and directors are expected to comply. Please read this Code carefully. Your cooperation is necessary to the continued success of our business and the cultivation and maintenance of our reputation as a good corporate citizen. Any questions or concerns regarding anything contained in or referenced by this Code should be directed to eResearchTechnology, Inc.’s Vice President, Human Resources (“VP-HR”) or your local office designee who is responsible for administering the Code. You may have an employment agreement with ERT, or have otherwise signed a confidentiality or other agreement with ERT (collectively, the “Agreements”). You have been provided an employee handbook, policies and standard operating procedures from ERT (collectively, the “Documents”). This Code does not replace the Agreements or Documents, and the Agreements and Documents remain in full force and effect. If anything contained in the Agreements or Documents conflicts with this Code, this Code shall govern.
ERT Statement – Compliance with applicable data privacy and security laws and regulations
This statement (“Statement”) gives an overview of how eResearch Technologies, Inc., on behalf of itself and each of its affiliates (collectively “ERT”), complies with data privacy laws and regulations to protect personal data processed and retained by it. ERT is a global company with offices located in, without limitation, the EU, USA, and Japan.
This Statement applies to data entered, maintained, retained and reported, using the ERT systems, for providing services to its clients. Such services are provided, in accordance with applicable data privacy laws and regulations, including without limitation: the guidelines of FDA (21 CFR Part 11) and DHHS (45 CFR Parts 160, 162 & 164 (HIPAA)) and the European General Data Protection Regulation (EU) 2016/679 (GDPR).
ERT acts as the Data Processor (as defined under GDPR) for its clients and contracted client projects. As such, any applicable data transfers required are for data processing purposes as a ‘data processor’ and are compliant with the requirements of European and international data protection laws for processing ‘sensitive personal data.’
Regarding ERT staff and staff data, ERT is a data controller registered with the Information Commissioner’s Office in the UK under the Data Protection Act 2018. ERT is independently audited for compliance with data protection legislation, with particular emphasis on administrative, physical, and technical security controls.
ERT maintains privacy policies in line with applicable data privacy laws and regulations, supported by the EU Privacy Shield and Swiss Privacy Shield Principles and associated FAQs, and is self-certified with the US Department of Commerce. This voluntary membership demonstrates ERT’s commitment to observing ‘best practices’ around data privacy protection requirements wherever ERT processes data on behalf of its clients.
ERT has a dedicated team comprising data privacy and protection specialists and legal experts (internal staff and consultants) who have worked to ensure ERT is compliant with applicable data privacy laws and regulations across its organization. This team has reviewed existing processes for each of its European sites and across the global business. Where a process was found not to be compliant, steps were taken to remediate the gaps identified. The process review included the following:
- Creation of new, or updates to existing, data and HR Policies and Standard Operating Procedures covering:
  - Breach notification and remediation;
  - Data request receipt, confirmation, and response;
  - Data portability request receipt, confirmation, and response;
  - Data retention confirmation and archiving; and
  - Data deletion request receipt, confirmation, and response.
- Established Contracting and Data Transfer Agreements / Corporate Registrations:
  - Contract Templates (Client, Vendor and Assessment);
  - Data Processing Agreement (DPA);
  - Transfer Agreements among ERT entities (ERT Ltd, GmbH, Inc); and
  - ICO Corporate Registration (ERT Inc., ERT Limited).
- Hiring of a full-time Data Privacy Officer (DPO) (N.B. ERT’s consulting DPO will be retained as an in-country presence in our Estenfeld, Germany office location).
- Employee Training:
  - Employee training was initially deployed for EU locations, followed by global distribution.
  - Expansion and training of the dedicated internal team.
The following steps were performed to ensure data privacy and security compliance:
All ERT staff are required to undergo compliance training, including GXP, HIPAA and Security training, prior to being granted access to the ERT services. Access to subject data is highly restricted on an “as-needed” basis. Additional GDPR training was generated and provided to all ERT staff and added to the onboarding training. Existing annual compliance training will be updated to include GDPR requirements.
Internally, the HIPAA Policy has been supplemented with a GDPR Policy; both are included in mandatory training for all staff.
2. Information Held
All data has been assessed to identify personal data held by ERT. This analysis identified the data held, where it is obtained, how it is used, and who has access to it.
3. Communicating Privacy Information
Existing privacy policies were reviewed and updated to ensure compliance with applicable data privacy laws and regulations. Updated privacy policies have been uploaded to the ERT corporate website along with this document.
4. Individual Rights
A review of the existing processes and procedures was completed to determine whether data subjects’ rights were covered. It was confirmed that ERT is in compliance with these requirements. However, the procedures have been expanded to apply these requirements to ERT globally.
5. Subject Access Requests
A review of the existing data subject access request processes and procedures was completed to determine whether this topic was covered. It was confirmed that ERT is in compliance with these requirements. However, the procedures have been expanded to apply these requirements to ERT globally.
6. Legal Basis for Processing Personal Data
The legal basis for the capture, processing and retention of personal data by ERT for and on behalf of its clients was reviewed and found to be compliant with the requirements of GDPR, HIPAA and Good Clinical Practices. All data processed and retained is for supporting clinical research, contact information and staff data required to run the business and meet legal requirements.
Guidance documentation to support this processing and retention will be generated and provided to clients, as appropriate.
A review of the existing data consent processes and procedures determined that these already covered subject consent. However, the procedures have been expanded to apply these requirements to ERT globally.
A review of the existing data consent processes determined that these already covered parental/guardian consent. However, the procedures have been expanded to apply these requirements to ERT globally.
9. Data Breaches
A review of the existing data breach processes and procedures was conducted, which determined that the processes are adequate. However, the procedures have been expanded to apply these requirements to ERT globally.
10. Data Protection by Design and Data Protection Impact Assessments
A review of the existing software programming processes and procedures was conducted, which determined that these processes were adequate, ensuring privacy and security data protection within the design.
Data protection impact assessments were performed where necessary. Existing client data protection was assessed as already compliant. However, the assessments indicated that changes were needed for internal staff personal data. The existing procedures have been expanded and new procedures generated to apply these requirements to ERT globally.
11. Data Protection Officer and Security Management
ERT’s Data Protection Officer (DPO) and security management team are responsible for data privacy maintenance, monitoring, and process improvement for ERT’s global privacy and security compliance.
12. International
A review of the data transfer processes and controls indicated that, except for two remote sites, all data transfers are already covered by existing corporate policies and Privacy Shield. For the two remote sites, Data Transfer Agreements have been generated and implemented.
ERT is registered with the ICO (UK) and is compliant with Privacy Shield (US).
Based on the foregoing initiatives, ERT’s processes and procedures are compliant with applicable data privacy laws and regulations.