eResearchTechnology (ERT/ERT GmbH and its subsidiaries and affiliates, “ERT”) are committed to protecting the privacy of those who entrust us with their personal/clinical information. Our employees, and all those who do business with us, trust and expect that we will protect the privacy and integrity of their personal and clinical information in accordance with the promises we make and with applicable laws and regulations.
The following authorities are applicable but not limited to this policy include:
- UK Medicines and Healthcare products Regulatory Agency (MHRA)
- US Food and Drug Administration (FDA)
- European Medicines Agency (EMA)
- US Department of Health and Human Services (DHHS)
- UK Information Commissioner’s Office (ICO)
- International Conference on Harmonisation – Good Clinical Practice (ICH-GCP R2)
- International Organization for Standardization (ISO)
This Policy establishes ERT principles and processes for protecting privacy and for ensuring the security and integrity of information that it handles in all aspects of its business worldwide. The Company respects the ethical basis of the EU-US and Swiss-US Privacy Shield Frameworks, Health Insurance Portability and Accountability Act (HIPAA), the EU Privacy Regulations and Directives namely General Data Protection Regulations (GDPR), ICH E6 GCP, world regulatory authorities, and the Helsinki accords applicable to research with human subjects. Our eligibility as a US organization, commitment and adherence to Privacy Shield principles is to establish processes and develop systems for use worldwide that comply with all these regulations and principles. We recognize that competent authorities may enact requirements from time to time that alter privacy protection and the underlying security processes, and ERT shall make reasonable efforts to become aware of such changes and to disclose the extent to which ERT products and services conform to them.
This broad policy document does not specify precisely how such objectives shall be attained, but does reference the pertinent Policies, Standard Operating Procedures (SOPs) and Reference Documents [see Internal References, TABLE 1, below] that set forth how ERT preserves both data integrity and privacy. This policy covers subjects and patients, site investigators and physicians, study staff, ERT employees, and visitors to ERT’s external website where this Policy is available (www.ERT.com). This policy does not pertain to the provisions concerning confidentiality that are established in agreements or contracts such as non-disclosure agreements.
CATEGORIES OF PRIVACY PROTECTION
Patients in Clinical Trials Using ERT Systems: Patients and controls managed by the Site Investigators for whom patient privacy shall be protected subject to provisions of the Sponsor protocols and Informed Consent. ERT shall preserve the confidentiality of patients (subjects) participating in clinical trials and will do so while fulfilling regulatory requirements for disclosure of authorship and attribution of data, including circumstances where patients themselves act directly on electronic records in clinical research.
Site staff, ERT staff, Sponsor users, and other client and study personnel who use any ERT product/solution and whose privacy protection is subject to regulations concerned with the use of electronic systems for eCommerce, medical care, and/or clinical research.
ERT Personnel: individuals who work for ERT, including contractors, and whose personnel records are entitled to protection.
Public at Large: Those who may visit www.ERT.com, the corporate website. Disclosure and Notice
To Sponsors of Clinical Investigations and Site Investigators
ERT serves both Sponsors and Site Investigators who must comply with regulations pertaining to clinical research and eCommerce and who have the ultimate responsibility under FDA 21CFR 312 subpart D for data integrity in clinical trials for medical products. In order for Sponsors and Sites to rely on ERT to help fulfill their responsibilities in using ERT systems, ERT shall disclose to such Sponsors and to Site Investigators the information defined within ERT Internal References (TABLE 1 REF 907 and REF 908):
Information concerning the protection of patient information and the processes undertaken to ensure that data and actions during the collection (preparing), editing, maintaining, and archiving of clinical trial data meet current regulations.
Information explaining our system controls and processes established by ERT to ensure that data content (measurements, and values selected or transcribed) is securely controlled by clinical entities responsible for its validity. Generally, these are Sites and Investigators rather than Sponsors. In all cases, the system controls on data integrity shall be clear-cut, validated, and auditable.
To All Categories of Persons with Whom ERT Has Privacy Obligations
As per the above commitments, ERT shall provide a written statement that describes to individuals in each category how ERT complies with the principles and established under the Privacy Shield Frameworks: Notice, Choice, Accountability & Onward Transfer (Transfers to Third Parties), Information Security, Data Integrity & Purpose Limitation, and Recourse, Enforcement & Liability. (See TABLE 1 – Internal References, REFs 121 – 124)
ERT for GDPR compliance is registered with the UK Information Commissioners Office (ICO). In the event an individual wish to complain about how ERT processes their data they can contact the ICO at www.ico.org.uk.
Privacy Shield Framework Principles Adopted Worldwide
ERT is subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC). ERT may also be required to disclose an individual’s personal information in response to a lawful request by public authorities.
2.0 RELATED DOCUMENTS
POL COR-009 – ERT Health Insurance Portability and Accountability Act Policy
POL COR-014 – ERT General Data Protection Regulation (GDPR) Policy
3.0 DEFINITIONS AND ABBREVIATIONS
The following terms are used throughout this document and are defined here for clarification.
NOTE: A subject in a clinical trial is not necessarily a patient, but a patient in a clinical trial is a subject. See also subject, Although, often used interchangeably as a synonym for subject, a healthy volunteer is not a patient.
4.1 ROLES AND RESPONSIBILITIES
The following table lists participant roles and responsibilities required by this process:
4.2 PRIVACY PRINCIPLES
All Personal /Clinical Information pertinent to ERT employees shall be subject to privacy and security protection in keeping with the principles of the Privacy Shield Frameworks and this Information Privacy and Integrity Policy [See TABLE 1: REF 0123]. ERT collects employee Personal /Clinical Information and/or Sensitive Personal Data for the following reasons, which include but are not limited to: employee management and administration generally (including both during and after employment), employment verification, administering employee benefits, administering personal short or long term compensation programs or benefits, evaluating performances, managing corporate programs, conducting disciplinary proceedings, addressing labour relations issues, processing health insurance claims. ERT also contracts with third party providers to render related services, including payroll processors and support services. Note that we do not share HR data with non-agent third parties. If that practice should change in the future, we will update this policy and provide opt-out choice to individuals prior to releasing their information.
ERT will handle employee personal data transferred from both foreign and domestic office locations to ERT Corporate headquarters located in the United States of America. ERT collects only directly relevant information considered to be “sensitive personal data” for ERT employees both foreign and domestic (for example, race statistics for US Affirmative Action Plans). ERT shall ensure that its systems, processes and products that handle Personal/ Clinical Information pertaining to ERT employees shall conform to the GDPR [TABLE1: POL COR-014] and the HIPAA privacy provisions [TABLE 1: POL COR-009]. ERT employees will be able to access this policy via ERT’s external website where this Policy is available (www.ERT.com). The HIPAA and GDPR policies can be accessed through ERT’s internal employee training management system where the policies will be distributed to all employees as a read & understood training activity.
4.3 PRIVACY PRINCIPLES FOR SITES, SUBJECTS AND SPONSORS
All Personal/Clinical Information captured from patients and/ or trial subjects during the conduct of clinical research activities shall be subject to privacy and security protections contractually agreed and as set forth in this Policy and the associated Internal References (TABLE 1). For Sponsors, the patient information is anonymized (i.e. the study information/ data do not include the patient name or other Personally Identifiable Information only an ID code that is not publicly available). Sponsors shall NOT have access to protected Personal Clinical Information from trial subjects beyond that defined by study protocol and informed consent disclosure. For Site Investigators, who have clinical responsibility for the patients in a trial, it is necessary for administrative, regulatory, medical and ethical reasons for the clinical staff to be able to identify a particular patient and to review the clinically relevant information pertaining to that patient. In serving the Investigator Sites, ERT therefore may collect identifying information on their behalf. Such information is subject to the privacy and security protections specified in the Internal References (TABLE 1: POL COR-009 & POL COR-014) and is not accessible or transferred to Sponsors.
Activities performed by ERT in the context of a trial are subject to ERT’s Quality Management System but also subject to the Sponsor’s instructions and written agreements. ERT does not share personal information about patients, site-staff, or sponsor personnel with third parties (e.g. contractors, etc.) unless those parties are contractually bound to adhere to these same quality procedures and the terms of such instructions and written agreements. Note that we do not share personal data with non-agent third parties. If that practice should change in the future we will update this policy and provide opt-in or opt-out choice, as applicable, to individuals prior to releasing their information.
All personal information captured from patients in the course of clinical trials shall be protected as Sensitive Personal Data.
The integrity of Personal Information is an important adjunct to the privacy of such information. Personal Information is expected to be correct, accessible, and in conformance with 21 CFR Part 11/Annex 11 controls. In addition to tracking all actions on electronic records, a key element of Personal Information/ Data integrity concerns control of the content of data in a clinical trial, and this policy establishes ERT’s intent to act as a third party to ensure that Site Investigators can fulfill their regulatory obligations to maintain and retain records obtained using ERT systems about subjects in a clinical investigation. ERT shall also ensure that Sites shall have the tools and documentation in order to provide the access for subjects to personal information about them during and after a clinical investigation.
4.4 PRIMARY PRINCIPLES SET FORTH IN THE PRIVACY SHIELD FRAMEWORK
ERT will, as required by law, notify individuals about the purposes for which it collects and uses Personal Information [See TABLE 1: REF 0121-0124], how to contact ERT, the types of third parties with which it shares that information, and the choice and means ERT offers individuals for limiting the use and disclosure of Personal Information about them. Through ERT’s controlled document management system, ERT will issue, as a training requirement, notification regarding ERT’s intended use of Personal Information. This information will be provided as soon as practicable and, in any event, before ERT may use the information for a purpose other than that for which it was originally obtained.
ERT will not issue notice when contracted to acquire, process and report data received during the active status of Sponsor defined clinical trials. ERT considers the protocol and trial specific training to constitute sufficient notice about what ERT collects in a trial and why.
ERT will, as required by law, offer individuals the opportunity to choose whether Personal Information about them is processed for purposes other than those for which the information was originally obtained or was subsequently authorized by the individual (“opt-out”). Unless required by law, ERT will not Process Sensitive Personal Information about individuals for purposes other than those for which the information was originally obtained or subsequently authorized by the individual unless the individual affirmatively and explicitly consents to the processing (“opt-in”).
ERT will not offer choice when contracted to acquire, process and report data received during the active status of Sponsor defined clinical trials. ERT does not have the authority or responsibility to undertake direct interaction with any study subject concerning the medical history or case history of that subject. ERT does have access to source records and is responsible under contract for the accuracy of certain metadata such as timestamps, for protection of records against undetected tampering, and for the attribution of any actions undertaken on the electronic records that it creates and holds as eSource records on behalf of the site investigators. However, ERT is not responsible for verifying study subject identity. ERT shall maintain the records on which site investigators rely for attribution of actions on electronic records that such identified subjects may author or alter. ERT does not hold contracts with Investigators selected by the Sponsor to recruit study subjects nor is ERT independently responsible for ensuring Informed Consent or IRB approval of the protocol and documentation pertaining to the conduct of a study. Even if ERT provides a system or process for capturing informed consent and/or recruiting study subjects, these activities remain the responsibility of the study Sponsor.
Accountability and Onward Transfer
ERT will only transfer Personal Information about individuals to an agent where the agent has entered into a written agreement to provide adequate assurances to ERT that it will protect the information consistently with this Policy. Where ERT has knowledge that an agent is Processing Personal Information in a manner contrary to this Policy, ERT will take reasonable steps to prevent or stop the Processing.
ERT will NOT transfer clinical/personal data captured/received beyond that defined by protocol/informed consent from identified subjects in a clinical trial to a Sponsor or a Sponsor approved third party “Agent” as required by authorized business contracts. Instead, ERT will transfer the data items set forth in the protocol as relevant to the trial objectives linked only to a subject ID code for which there is no public access or any access by the Sponsor except through the authorized Site Investigators. ERT will only subcontract to firms which conform to or otherwise appropriately address ERT security, integrity and privacy protection standards, privacy pledges, confidentiality agreements, authority controls, training requirements and etc. “Subcontractor” shall mean a person or entity that has been retained to perform all or a portion of ERT’s obligations; particularly those services directly related to the processing of clinical trial data. The Sponsor will be notified of the use of any subcontractors utilized which requires the transfer of clinical/personal information. In cases of onward transfer to third parties of clinical data of EU and Swiss individuals received pursuant to the EU-US and Swiss-US Privacy Shield Frameworks, ERT is potentially liable.
ERT will only transfer personal data to a non-agent third party in a manner consistent with the principles described within the “Notice” and “Choice” sections of this Policy.
ERT will take reasonable precautions to protect personal data in its possession from loss, misuse and unauthorized access, disclosure, alteration and/or destruction.
ERT’s Services and systems employ role-based functionality metadata that reside behind ERT’s firewall. Individual user roles are defined by management personnel and require the use of an active User ID and complex password combination to gain access to the system. Also, ERT’s clinical systems incorporate a defined workflow for the processing of clinical data received during the active status of any contracted study. Additional security measures include: incremental and/or daily backups which are retained for indefinite off-site storage. ERT’s systems physically reside at an off-site data center with all system maintenance managed by ERT personnel. Data replication to a warm failover instance occurs during regularly scheduled intervals. Routine audits of these processes ensure adherence to ERT Standard Operating Procedures. [See TABLE 1:: SOP 760; SOP 763]
Information Integrity & Purpose Limitation
ERT will only use and share clinical/personal data in a way that is consistent with the purposes for which the data were collected or as subsequently authorized by the individual to whom such data pertain. ERT seeks to collect Personal Information that is adequate, relevant and not excessive for the purposes for which it is to be processed. ERT employees have a responsibility to assist ERT in maintaining accurate, complete and current Personal Information collected and Processed in the course of conducting human resource and related activities.
ERT will only use and share Clinical/Personal Data in a way that is consistent with the purposes for which the data were collected as specified by the Sponsor, authorized by the Site Investigator and agreed by the subject or employee in keeping with all the Privacy Shield Principles described in this Policy. To the extent necessary for those purposes, ERT will take reasonable steps to ensure that the data are accurate, complete, and current.
In the case of clinical data captured as electronic records for clinical investigations for submission or review by regulatory authorities, any actions on such data shall be tracked using a computer-generated audit trail. (See TABLE 2, 21CFR Part 11 and Listed Guidance). To the extent that ERT may transcribe data from paper source records into electronic records, ERT shall preserve scanned electronic files so that the original information on the paper record can be reviewed. The preservation of any paper source documents that are part of the case history shall rest with Site Investigators in accordance with 21 CFR 312.62 (c). In addition to tracking all actions on electronic records, a key element of data integrity concerns control of the content of data in a clinical trial, and this policy establishes ERT’s intent to act as a third party to enable Site Investigators to fulfil their regulatory obligations to prepare and maintain any data obtained using ERT systems about subjects in a clinical investigation. ERT relies on Sites to serve as the agents who may provide the access of subjects to personal information about them during and after a clinical investigation.
ERT acknowledges the EU and Swiss individuals’ right of access to data. ERT will provide individuals, e.g. employees or study staff, with reasonable access to their own Personal Information upon request, subject to exemptions permitted by law or by written agreement. ERT will also take reasonable steps to allow individuals to review Personal Information about them for the purposes of correcting such information
ERT will not offer access to clinical trial participants to the information such subjects have supplied using ERT systems or products. ERT believes that such access is appropriately provided by the Site Investigator and ERT shall supply the Site Investigator or other entity with responsibility for the preparation and maintenance of source documents that are included in the case history, with access to individual subject records that the Site Investigator may share with the proper subject. Such access may be restricted in connection with the masking or other procedures in a particular study, and ERT shall incorporate controls on sharing to assist the investigator in such cases. Upon completion of the contracted study ERT delivers as contractually required and specified in the protocol or data transfer agreements all final clinical data received and processed to the study Sponsor. Where applicable, ERT delivers the eSource case histories and trial documentation needed for study reconstruction for retention to Site Investigators. Access by patients after the conclusion of a study is enabled through these records under the control of the Site Investigator.
As a standard for during the execution of contracted clinical trials, ERT does not require, receive or collect clinical or sensitive personal identifying information such as study subject name or medical record number for transfer to such Sponsors. ERT shall transfer only blinded, encoded, pseudonymised and anonymised study subject study subject identifiers (demography) to confirm uniqueness as may be defined by the study Sponsor (e.g. Date of Birth, gender, etc.) and approved by the IRB / Ethical Committees. However, ERT shall provide systems and products whereby the Site Investigator can identify records as pertaining to a particular known subject and to be included in the case history for each patient. Additionally, ERT may receive identifying information during the recruiting and screening of participating study subjects, completion of interviews with subjects, and/or collecting paper questionnaire data from subjects during the execution of internal research studies.
ERT collects employee personal information at its various business locations for purposes of employee management. In connection with the authorization and participation of study site and sponsor staff ERT may collect contact information and professional credentials from individuals who collaborate to conduct clinical studies.
Legal Basis for Retention
ERT has established the legal need to capture, process and retain personal data for the performance of its business e.g. in contacting clients, suppliers, etc. and in support of clinical research.
Recourse, Enforcement, Liability
ERT has established internal mechanisms to verify ongoing adherence to this Policy [See TABLE 1: SOP 104 – Confidentiality; ERT encourages individuals covered by this Policy to raise any concerns they have regarding the Processing of Personal Information.
It is the policy of ERT neither to tolerate nor ignore possible misuse of Personal/Clinical Information or Data received. All employees are responsible for reporting any suspected cases of misuse or disclosure of
clinical/personal data to ERT Quality Management or an ERT Corporate Officer. ERT’s Quality Assurance department is responsible for the oversight of the formal investigation to review initial evidence and/or data and then conclude if Breach Notification is required or not. In both cases the QA Department must document the actions taken or the reasons why there is not a need for further action. [See TABLE 1: POL COR-003]
ERT will take reasonable steps to ensure protection of our employees, study subject safety and to protect the integrity of the data being collected. In cases of substantiated evidence of suspected personal information misuse or disclosure the study sponsor and/or the third party contracted for the management the sponsor’s clinical trial(s) will need to be informed, in writing upon confirming conclusions. [See TABLE 1: POL COR-003;]. Misuse or disclosure of personal/clinical information found to be committed by ERT personnel is considered grounds for disciplinary action, including the possibility of termination of employment, as well as legal prosecution.
Privacy and Breach
In addition to the above principles specified in the Privacy Shield Framework, ERT conforms in activities worldwide to the principles and requirements set forth in the EU GDPR [See TABLE 1: POL COR-014 and US HIPAA [See TABLE 1: POL COR-009]; Identification of a breach begins with reporting a suspected privacy and security incident for assessment. Not all privacy or security incidents are a breach. It is critical for employees, business associates and business associates contractors, data processors and data processor contractors to follow the formal incident reporting procedures so that a breach assessment can be performed. Use DOC COR-009_01 Protected Health Information – Accounting of Disclosures as the initial step in reporting incidents.
ERT employees must execute Incident Handling/Customer Care Support SOP0407/SOP 1418 to assign, track and resolve any study related incident that may also affect privacy and security so that a full breach risk assessment can be performed and documented.
ERT will retain staff and former staff personal data in accordance with retention periods as defined within ERT HR policies. ERT will retain all personal data obtained using its services to support its client projects for a minimum of 25 years as detailed within ICH guidance. Other personal data including contacts details will be retained in accordance with ERT internal procedures unless removed to comply with a person’s right such as detailed in Subjects Rights below.
ERT has established the following rights for people who have voluntarily provided their details or information:
- Right to be informed
- Right to erasure
- Subject data access request
- Subject data portability request
- Right to be rectification
- Right to be restrict processing
- Right to object
- Right in relation to automated decision making and profiling
All ERT employees shall execute the privacy pledge and shall be trained to identify a security and/or privacy breach [POL COR-003]. All employees shall be trained in the process of reporting such a breach and in the escalation to senior management [DOC COR-009_01 Protected Health Information – Accounting of Disclosures]. Such training shall be refreshed annually, and a basic understanding of security and privacy protection shall be evidenced.
Advanced Training and Compliance Policy for Access to Data in Production Environments
ERT employees and/or contractors with access to data in production environments (the authoritative eSource data, not protected copies thereof) have a particularly important responsibility for the protection of data integrity and for protection of privacy. Automated and validated controls on data review may not be in place for experts who may be granted administrative access to the data in production environments. Any such access must be requested, temporary, justified, logged and explained by individuals who have been authorized and trained. In accordance with ERT SOP 759 – Access Controls and in coordination with Production Access Request Form must be completed prior to a grant of access and shall be included in documentation for review by the Data Protection Officer, line manager or designee so that the authorization and conformance with applicable policies and procedures can be confirmed.
Dispute Resolution and Enforcement for EU and Swiss Individuals
1818 Market Street, Suite 1000
Philadelphia, PA 19103
500 Rutherford Avenue
Boston, MA 02129
617 973 1600
eResearch Technology GmbH
ERT Data Protection Officer
97230 Estenfeld, Germany
ERT will reply within a maximum of 30 days to any concern raised.
If such reply is not deemed satisfactory, any complaints may be brought, free of charge, to the following organizations:
- ERT commits to cooperate with the EU Data Protection Authorities with respect to any questions or complaints regarding its handling of EU employee data.
- As ERT has an operational facility in Geneva, Switzerland, ERT commits to cooperate with the Swiss Federal Data Protection and Information Commissioner with respect to any questions or complaints regarding its handling of Swiss employee data.
- ERT has further committed to refer unresolved non-human resources privacy complaints under the EU-US and Swiss-US Privacy Shield Principles BBB EU Privacy Shield, a non-profit alternative dispute resolution provider located in the United States and operated by the Council of Better Business Bureaus. If you do not receive timely acknowledgement of your complaint, or if your complaint is not satisfactorily addressed, please visit www.bbb.org/EU-privacy-shield/for- eu-consumers/ for more information and to file a complaint.
As a last resort, under certain conditions (in particular prior exhaustion of certain other redress possibilities), non-human resources complaints may be brought by individuals to binding arbitration before the Privacy Shield Panel. The Privacy Shield Panel may impose individual-specific, non-monetary equitable relief in case of non-compliance with the privacy shield principles.
Binding arbitration by the Privacy Shield Panel may not be invoked if a European or Swiss data protection authority is competent to resolve the complaint, i.e. in the case of complaints related to human resources data collected in the employment context.
4.5 INTERNAL REFERENCES
The following documents establish the processes and commitments whereby ERT conforms to the principles set forth in this policy.
4.6 EXTERNAL REFERENCES
The following documents provide important background information for this instruction:
A Guide to Self-Certification. Including the full text of the official declaration of the Privacy Shield Privacy Principles, as announced on July 12, 2016
Limitation on Scope of Principles
Adherence by ERT to these privacy principles may be limited to the extent required to meet any legal, governmental, national security or public interest obligation.
4.7 RECORD RETENTION
All documents (electronic or hard copy) produced in accordance with this Policy, shall be retained in accordance with the ERT Record Retention Policy.