Data Protection Policy

Effective Date: 24 September 2015

1. Purpose

In the process of designing, managing and analyzing clinical trials, The Colorado Prevention Center (“CPC”) needs to collect and use certain information about individuals (i) on behalf of Sponsors (where CPC is acting as “Data Processor”) for the purpose of managing clinical trials and/or (ii) on its own behalf (where CPC is acting as “Data Processor”) for the purpose of contacting individuals for future clinical trial opportunities.

This Policy explains how CPC, acting on its own behalf or on behalf of its Sponsors, collects and processes Personal Information in accordance with applicable laws, rules, regulations, and Sponsor instructions.

2. Scope

This Policy applies to all Personal Information collected whether on paper, stored in a computer database, or recorded on other material about individuals working with CPC on a clinical trial including but not limited to client personnel, site personnel and vendor personnel. This includes information that is collected personally or through the completion of a form. This Policy does not apply to clinical trial subjects or CPC Community Health program activities.

3. Definitions

“Data Processor” – means any person or entity (other than an employee of the Data Controller) who processes the data on behalf of the Data Controller.

“Data Controller” – the person or company that alone or jointly with others determines the purposes for which and the means by which Personal Information is processed.

“Individual/Service User” – The person whose personal information is being held or processed by CPC.

“Personal Information” – Information about living individuals that enables them to be identified – e.g. name, unique identifier, contact details and/or email address. It does not include information about organizations, companies and agencies but includes information relating to identified or identifiable individuals such as individual volunteers or employees within an organization, company, or agency.

“Sponsor” – third party entity financing or organizing the clinical trial.

“Sensitive Data” – is a subset of personal information regarding:

•     Racial or ethnic origin

•     Political affiliations

•     Religion or similar beliefs

•     Trade union membership

•     Physical or mental health

•     Sexuality

•     Criminal record or proceedings

This Policy also covers Sensitive Data. Data protection legislation imposes additional safeguards for Sensitive Data, for example, tighter obligations around when such data can be collected and the need for explicit consent when collecting and using Sensitive Data. While CPC aims at minimising the amount of Sensitive Data that it processes, CPC may process such data in certain circumstances such as when it is obliged by the Data Controller or by law to do so.

4. Policy Statement

CPC regards the lawful and correct treatment of information as very important to maintaining the confidence of those with whom we work. CPC intends to ensure that information is treated lawfully and correctly.

For Personal Information that CPC processes as a Data Processor, CPC will act on the instructions of the applicable Data Controller, usually one of our Sponsors. At a minimum, CPC will ensure that Personal Information is collected and processed within the boundaries defined in this Policy and the instructions provided to CPC by the Data Controller.

For Personal Information that CPC processes as a Data Controller, CPC will ensure that Personal Information is collected within the boundaries defined in this Policy and will take steps to ensure that Personal Information is processed in accordance with the applicable laws.

Data Collection, Access, and Accuracy:

As Data Controller, CPC will take steps to ensure that:

  1. When collecting data, CPC will take reasonable steps to ensure that the Individual/Service User:
    1. Clearly understands why the information is needed.
    2. Understands what it will be used for and, where applicable law requires the consent of the individual, what the consequences are should the Individual decide not to give consent to processing.
    3. To the extent required by applicable law, grants explicit consent, either written or verbal, for data to be processed.
    4. Is, as far as reasonably practicable, competent enough to give consent and has given so freely without any duress.
    5. Has received sufficient information on why their data is needed and how it will be used.
  2. Set out clear procedures for responding to requests for information by Individuals/Service Users.
  3. Deal promptly and courteously with any inquiries about handling Personal Information or access requests, within the terms and deadlines established by the applicable legislation.

As Data Processor, CPC will:

  1. Collect and process Personal Information on behalf of the Data Controller only for the following purposes: (i) management or conduct of the clinical trial for which it was collected, (ii) to determine potential future collaborations, and (iii) in compliance with any applicable regulatory requirements.
  2. Deal promptly and courteously with any inquiries about handling Personal Information as well as promptly forwarding any access requests to the Data Controller.

When acting either as Data Controller or Data Processor, CPC will take reasonable steps to ensure that:

  1. The Personal Information is adequate, relevant and not excessive in relation to its purpose(s) and where necessary kept up to date.
  2. CPC will not collect Sensitive Data unless required to do so by the relevant Data Controller.
  3. It does not keep Personal Information for longer than is necessary for the purpose or purposes for which it was intended, or as required by the Controller or by applicable law.
  4. It meets its legal obligations to specify the purposes for which information is used.
  5. The rights of people about whom information is held:
    1. Are informed that processing is being undertaken,
    2. Have the right of access to their personal information,
    3. Have the right to prevent processing in certain circumstances, and
    4. Have the right to correct, rectify, block or erase information which is regarded as wrong information.
    5. Treat people justly and fairly whatever their age, religion, disability, gender, sexual orientation or ethnicity when dealing with requests for information.
    6. Take reasonable steps to ensure that this information is kept up to date by asking Individuals whether there have been any changes.

Data Storage:

When acting either as Data Controller or Data Processor, CPC will reasonably ensure that:

  1. Personal Information is kept secure by appropriate physical, technical, organizational and other measures to safeguard Personal Information and prevent unauthorized or unlawful processing or accidental loss or destruction of, or damage to, Personal Information.
  2. Personal Information will be stored securely and will only be accessible to authorized staff and applicable CPC clients.
  3. Personal Information will be stored for only as long as it is needed or required by statute and will be disposed of appropriately.
  4. Personal Information is not recoverable from any computer system previously used within CPC, which has been passed on/sold to a third party, other than the applicable Data Controller.
  5. Everyone processing Personal Information understands that they are contractually responsible for following good data protection practice.
  6. Everyone processing Personal Information is appropriately trained to do so.
  7. Everyone processing Personal Information is appropriately supervised.

Data Transfer:

CPC will transfer the Personal Information to the Data Controller, its affiliates and their respective agents worldwide, to regulatory agencies and as required by law. This may include transfer to countries that may not have equivalent laws to protect Personal Information or which lack adequate privacy laws.

CPC will take appropriate steps to ensure that appropriate technical and security measures are put into place when transferring Personal Information within CPC, and that such data transfers are carried out in accordance with applicable local law. Where Personal Information is transferred to an organisation outside CPC, CPC will ensure that any such transfer protects the legitimate interests of Individual/Service User in line with this Policy and applicable local law.

CPC will regularly assess and evaluate its methods and performance in relation to handling Personal Information. This Policy will be updated as necessary to reflect best practice in data management, security and control.

In case of any queries or questions in relation to this Policy, please contact Marilyn Greenwalt at 1-303-860-9900.

This Policy was last updated on the Effective Date. A notice will be posted on www.cpcmed.org for 30 days whenever this Policy is changed in a material way.