CODE OF ETHICS AND BUSINESS CONDUCT
This Code of Ethics and Business Conduct (this “Code”) applies to all directors, officers and full-time, part-time, temporary/intermittent and contract employees (collectively, “Employee” or “Employees”) of Explorer Holdings, Inc., eResearchTechnology, Inc. and its subsidiaries (collectively, “ERT”). We require the highest standards of professional and ethical conduct. Our reputation for honesty and integrity among our customers, employees, vendors and stockholders is key to the success of our business. This Code reflects our commitment to a culture of honesty, integrity and accountability and outlines the basic principles and policies with which all employees, officers and directors are expected to comply.
Please read this Code carefully. Your cooperation is necessary to the continued success of our business and the cultivation and maintenance of our reputation as a good corporate citizen. Any questions or concerns regarding anything contained in or referenced by this Code should be directed to eResearchTechnology, Inc.’s Vice President, Human Resources (“VP-HR”) or your local office designee who is responsible for administering the Code.
You may have an employment agreement with ERT, or have otherwise signed a confidentiality or other agreement with ERT (collectively, the “Agreements”). You have been provided an employee handbook, policies and standard operating procedures from ERT (collectively, the “Documents”). This Code does not replace the Agreements or Documents, and the Agreements and Documents remain in full force and effect. If anything contained in the Agreements or Documents conflicts with this Code, this Code shall govern.
ERT Statement on compliance with the data protection regulations covered by the General Data Protection Regulation (GDPR) and the Health Information Portability and Accountability Act (HIPAA)
The following statement details the method by which eResearch Technologies (ERT) complies with the controls to protect personal data processed and retained by ERT. ERT is a global company with offices in, among other locations, the EU and USA.
This covers data entered, maintained, retained and reported using the ERT systems in providing its services to its clients. These services are provided in accordance with the guidelines of DHHS (45 CFR Parts 160, 162 & 164 (HIPAA)) and international privacy and data protection legislation, namely the European General Data Protection Regulation (EU) 2016/679 (GDPR).
ERT acts as the Data Processor for clients and contracted client projects. As such, any data transfers, pursuant to contractual terms, are purely for the purposes of processing data as ‘data processor’ and are fully compliant with the requirements of European and international data protection law for processing ‘sensitive personal data’. With respect to ERT staff and staff data, ERT is a data controller registered with the Information Commissioner’s Office in the UK under the Data Protection Act 2018. ERT is independently audited for compliance with HIPAA and data protection legislation, with particular emphasis on physical, organisational and technical security controls.
ERT has been compliant with the HIPAA requirements since 2013, with annual external assessments to ensure compliance has been maintained.
Since 2017, ERT has had a dedicated team comprising data privacy and protection specialists and legal experts (internal staff and consultants) who have worked to ensure that ERT is GDPR and HIPAA compliant. This team has reviewed existing processes and data specifically for each of our European sites, but also across the global business. Where any process was found not to be compliant it was updated; most of this work involved updating internal (i.e. staff) rather than client-specific processes. This work involved the following:
- Creation of new or updates to existing Data & HR Policies and Standard Operating Procedures covering:
  - Breach identification, notification and remediation
  - Data request receipt, confirmation and response
  - Data portability request receipt, confirmation and response
  - Data retention confirmation and data archiving
  - Data deletion request receipt, confirmation and response
- Established Contracting & Data Transfer Agreements / Corporate Registrations:
  - Contract Templates (Client, Vendor & Assessment)
  - Data Processing Agreement (DPA)
  - Transfer Agreements between ERT entities (ERT Ltd, GmbH, Inc)
  - ICO Corporate Registration (ERT Inc, ERT Limited)
- Hiring of a full-time Data Privacy Officer (DPO) (N.B. ERT’s consulting DPO will be retained as an in-country presence in our Estenfeld, Germany office location.)
- Employee Training:
  - Employee training was initially deployed for EU locations, followed by global distribution.
  - Expansion and training for the dedicated internal team.
In addition, ERT will provide guidance in the form of templated documents for use by clients and ensure that operations staff, in conjunction with the dedicated team, can provide guidance and support for ERT clients. ERT has a Data Protection Officer (DPO), who will lead the maintenance, monitoring and process improvement of data compliance for ERT global privacy and security.
As identified by the ICO (UK), the following steps were performed to ensure compliance with GDPR.
1. All ERT staff are required to undergo induction qualification, including GxP, HIPAA and Security training, prior to being granted access to the ERT services. Access to subject data is highly restricted on an as-needs basis. Additional training specific to GDPR was generated and provided to all staff and added to the induction training. Existing annual refresher training is to be updated to include GDPR. Internally, the HIPAA Policy has been supplemented with a GDPR Policy; both are included in mandatory training for all staff.
2. Information Held: All data has been assessed to identify the personal data held by ERT. This indicated the data held, where it was obtained, what use was made of the data and with whom it was shared.
3. Communicating Privacy Information
4. Individual Rights: A review of the existing processes and procedures was completed to determine that individuals’ rights were covered. It was confirmed that these already cover individuals’ rights. However, the procedures have been expanded to apply these requirements to ERT globally.
5. Subject Access Requests: A review of the existing subject data access request processes and procedures determined that these already covered subject access requests. However, the procedures have been expanded to apply these requirements to ERT globally.
6. Legal Basis for Processing Personal Data: The legal basis for the capture, processing and retention of personal data by ERT for and on behalf of its clients was reviewed and found to be compliant with the requirements of GDPR, HIPAA and Good Clinical Practices. All data processed and retained is for supporting clinical research, contact information and staff data required to run the business and meet legal requirements. Guidance documentation to support this processing and retention will be generated and provided to clients as appropriate.
7. A review of the existing data consent processes and procedures determined that these already covered subject consent. However, the procedures have been expanded to apply these requirements to ERT globally.
8. A review of the existing data consent processes determined that these already covered parental/guardian consent. However, the procedures have been expanded to apply these requirements to ERT globally.
9. Data Breaches: A review of the existing data breach processes and procedures was conducted which determined that these processes were adequate. However, the procedures have been expanded to apply these requirements to ERT globally.
10. Data Protection by Design and Data Protection Impact Assessments: A review of the existing software programming processes and procedures was conducted which determined that these processes were adequate, already ensuring that software considered data protection within the design. Data Protection Impact Assessments were performed where necessary. Existing client data protection was assessed as already compliant. However, this indicated that changes were needed for internal staff personal data. The existing procedures have been expanded and new procedures generated to apply these requirements to ERT globally.
11. Data Protection Officer: An internal Data Protection Officer (DPO) has been recruited and will be supported by the existing internal privacy team.
12. International: A review of the data transfer processes and controls indicated that, except for two remote sites, all data transfers are already covered by existing corporate policies and Privacy Shield. In the case of the two remote sites, Data Transfer Agreements have been generated and implemented.
ERT is registered with the ICO (UK) and compliant with Privacy Shield (US).
Following the work done, ERT claims that its processes and procedures are compliant with data protection and data privacy requirements under both the GDPR and HIPAA regulations.