Effective Date: 24 May 2018
1. CPC’s Approach to Privacy
Clinical and medical research is founded upon the collection and analysis of the most confidential information about people. Individuals will only share their sensitive information where there is a culture of trust and where stakeholders implement safe data handling practices. The Colorado Prevention Center (“CPC”) recognizes that when we handle information about any individual, we must do so responsibly, with due care to individual privacy, complying with laws on data privacy and confidentiality.
CPC is committed to safeguarding your privacy. CPC has enacted internal policies, procedures, and training programs designed to support compliance with these laws and this Notice. Our policies, procedures and training programs are reviewed on a regular basis, and managed by a team of qualified professionals with executive oversight.
This Privacy Notice (“Notice”) describes the main types of Personal Information we process within our organization, how that information is used and disclosed, and our commitments to the individuals whose information we handle.
This Notice explains in general terms how we seek to comply with data privacy laws and regulations, including, but not limited to, national laws implementing the European Union (“EU”) Data Protection Directive 95/46/EC (“Directive”), to be replaced effective May 25, 2018 by the General Data Protection Regulation (“GDPR”), the Health Insurance Portability and Accountability Act (“HIPAA”), state security breach laws in the United States, data protection legislation adopted by an increasing number of other jurisdictions globally, and the privacy and confidentiality requirements of ICH Good Clinical Practice (“GCP”). The Notice does not cover any affiliate of CPC that has its own Privacy Notice or Policy.
You can visit most pages on our site without giving us any information about yourself. But sometimes, we do need additional information about you in order to provide the information or services you are requesting. This Notice explains data collection and use in those situations. We ask that you read this Notice completely.
“Data Processor” – means any person or entity (other than an employee of the Data Controller) who processes the data on behalf of the Data Controller.
“Data Controller” – the person or company that alone or jointly with others determines the purposes for which and the means by which Personal Information is processed.
“Data Subject” – The person whose personal information is being held or processed by CPC for the purpose of managing clinical trials or contacting individuals about future clinical trial opportunities.
“Personal Data” – Information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier – e.g. name, unique identifier, contact details and/or email address. It does not include information about organizations, companies and agencies but includes information relating to identified or identifiable individuals such as individual volunteers or employees within an organization, company, or agency.
“Sponsor” – third party entity financing or organizing the clinical trial.
“Sensitive Data” – is a subset of personal information regarding:
• Racial or ethnic origin
• Political affiliations or political opinions
• Religion or philosophical beliefs
• Trade union membership
• Data related to Health
• Data concerning a natural person’s sex life or sexual orientation
• Criminal record or proceedings
• Genetic and biometric data
3. What Types of Personal Information Does CPC Handle and How Do We Use It?
CPC collects the following types of personally identifiable information (“Personal Information”) through our websites including but not limited to: name, title, contact details, including email address and telephone numbers provided by you.
As an academically led clinical research organization, CPC designs, manages, and analyzes clinical trials. For these purposes, CPC needs to collect and use certain information about individuals (i) on behalf of Sponsors (where CPC is acting as a “Data Processor”) for the purpose of managing clinical trials and/or (ii) on its own behalf (where CPC is acting as a “Data Processor”) for the purpose of contacting individuals for future clinical trial opportunities.
CPC may also collect, host, and analyze health data relating to Data Subjects on behalf of our Sponsors. To enhance privacy, consistent with GCP, Data Subjects’ names and other direct identifiers are not attached to records or samples collected by CPC for research purposes. Instead, Data Subjects are only identified by a code. Only study doctors and authorized personnel, including but not limited to CPC monitors and CPC auditors, may access named Data Subject records at source. In cases where local law allows and in limited circumstances, CPC may also collect full date of birth attached to study records.
CPC provides additional services that may involve the collection of health information linked to named individuals (e.g. adjudication of medical events, six minute walk core lab, wound core lab, treadmill core lab, pharmacovigilance, contact centers).
All clinical and medical information processed by CPC is done so under contract with our Sponsors. In terms established by the Directive and GDPR, CPC considers that the Sponsor is ultimately in control of how and why clinical and medical data are processed within our services and as such is the “Data Controller,” while CPC and its affiliates are “Data Processors.”
Health Professional Information
CPC analyzes the professional profiles of doctors and other health care providers for the purpose of identifying potential investigators to assist in clinical and medical research on specific indications. CPC will use available contact information, including email addresses, for the purpose of inviting potential investigators to apply to participate in research. CPC will source health professional information from its own databases and also indirectly from public sources, data brokers, and referrals. For operational purposes, CPC will also collect information relating to the involvement and performance of investigators and supporting study staff. CPC will also process financial information of investigators to support payment for services.
Industry Professional Information
In the course of conducting our business, CPC will interact with employees, consultants, contractors and other third parties employed or engaged by our Sponsors involved in clinical and medical research. CPC will record and use the names, contact details and other professional information on these individuals for legitimate business related purposes, including project and financial administration. We may use the information we obtain, including email addresses, to provide relevant information on CPC’s services to our Sponsors.
Employee and Human Resource Data
CPC collects Personal Data from applicants seeking employment with CPC, including private contact details, professional qualifications, and previous employment history to inform employment decisions. CPC conducts various background checks on applicants, including where law allows on criminal history and professional disbarment. Once employed, CPC collects information on staff for human resource, performance, payroll, and tax purposes. CPC will collect and record employee level information in various company systems, consistent with standard business operations. CPC processes similar information relating to consultants, contractors, and other third parties engaged by CPC to provide products or services to it.
Data protection legislation imposes additional safeguards for Sensitive Data, for example, tighter obligations around when such information can be collected and the need for explicit consent when collecting and using Sensitive Data. While CPC aims at minimizing the amount of Sensitive Data that it processes, CPC may process such information in certain circumstances such as when it is obliged by the Data Controller or by law to do so.
We ask that you not send us or disclose any Sensitive Data (e.g., social security numbers, information related to racial or ethnic origin, political opinions, religion or other beliefs, health, biometrics or genetic characteristics, criminal background, or trade union membership) on or through our website or via other unsecure means.
Medical Information Contact Centers and Pharmacovigilance
CPC operates contact centers for the purpose of discussing medical information with health professionals in order to conduct medical monitoring activities for studies. These contact centers also collect adverse event information and deliver this to relevant pharmacovigilance professionals for processing as required by regulation. Personal Data on those who call or email our contact centers are only collected to process requests for information and allow adverse event reporting. Calls may be recorded for quality assurance purposes. Callers (inbound and outbound) are notified if their call is recorded.
4. How Does CPC Collect Your Information?
CPC collects named information about visitors to company websites where this is voluntarily provided to meet a request from those individuals, for example where a Sponsor contact requests information on a company service, a health professional is interested in participating in a clinical trial, or where someone wants to apply for a vacant position with the company. In certain cases, these virtual identities are linked to the real world identities of visitors when they provide their named information as described above.
Through Your Browser or Device
Certain information is collected by most browsers or automatically through your device, such as your media access control (MAC) address, computer operating system (Windows or MacOS), screen resolution, operating system name and version, device manufacturer and model, language, internet browser type and version, the name and version of the websites you are using, and your “IP Address”.
Your “IP Address” is a number that is automatically assigned to the computer that you are using by your Internet Service Provider (ISP). An IP Address may be identified and logged automatically in our server log files whenever you access the sites, along with the time of the visit and the page(s) that you visited. Collecting IP Addresses is standard practice and is done automatically by many websites, applications, and other services. CPC uses IP Addresses to calculate usage levels of its websites, help diagnose problems with its servers, administer the websites, and monitor the regions from which you navigate to CPC’s websites.
Through the use of cookie-based technologies, CPC may collect information and data linked to virtual identities allocated to visitors when they access our websites. This information and data is used for various purposes including site analytics (see Online Issues below).
CPC may also use web analytics services, which include Google Analytics.
CPC may collect Personal Data through mobile/personal electronic device apps, email, telephone, SMS messages, surveys, chats, letters, and correspondence that refer to this Notice.
CPC may collect Personal Data from you offline, such as when you attend one of our events, during phone calls with our representatives or experts, or when you contact us.
5. Will CPC Share Personal Data it Receives?
Internal and External Disclosures of Personal Data
Personal Data about our users is an integral part of CPC’s business. Personal Data will be shared within CPC, companies working as agents of CPC, and third parties only on a “need to know” basis to meet stated legitimate business purposes. CPC does not trade or sell Personal Data.
Agents and Service Providers
We contract with other companies and people to perform tasks on our behalf and may share your Personal Data with them to provide products or services to you, or to otherwise communicate with you. Examples may include removing repetitive information from customer lists, analyzing data, conducting billing, processing credit card payments, engaging technical support for our services, providing customer service, and performing analyses related to our products or services. We may also provide your Personal Data to agents and service providers to verify or compile aggregate usage data that we provide to our business partners. When we share this information in this way, we contractually require the agent or service provider to maintain the privacy, confidentiality and security of the Personal Data.
Protection of CPC and Others
Under some circumstances, CPC may be required to disclose your Personal Data (a) under applicable law, including laws outside your country of residence; (b) to comply with legal process; (c) to respond to requests from public and government authorities including public and government authorities outside your country of residence; (d) to enforce our terms and conditions; (e) to protect our operations or those of any of our affiliates, and (f) as part of investigations or for litigation purposes.
Companies working as vendors of CPC are required to sign data protection and/or confidentiality agreements whereby they will commit to only process Personal Data consistent with contracted purposes and apply appropriate organizational and technical security safeguards.
Access to databases and folders containing Personal Data is restricted to appropriate employees, agents, consultants, and service providers whom CPC contractually requires to maintain the privacy, confidentiality and security of the Personal Data.
6. International Transfers of Personal Data
CPC is an academically led clinical research organization serving an industry that is increasingly globalized in its approach to clinical research. Your Personal Data may be stored and processed in any country in which we engage service providers. By disclosing information to us you consent to the transfer of information to countries outside of your country of residence, including but not limited to the United States, Canada, Australia, Germany, Ireland, Israel, Japan, and the UK. These countries may have different data protection rules than those of your country of residence or citizenship or the country in which you were located when you initially provided the information. CPC has put in place measures to ensure that adequate protection is provided to such data where legally mandated. For example, CPC implements Standard Data Protection Clauses (“SDPC”) for the purpose of transferring Personal Data from the European Economic Area. EU residents whose Personal Data is handled under these SDPC may request a copy of the agreement from CPC by emailing email@example.com. Where privacy risks are very low, for example with respect to the sharing of key coded data, CPC may rely on informed consent from individuals for the transfer of their information to legal regimes with less strong data privacy safeguards.
7. Notice and Consent
At the point of data collection, CPC will provide notice to individuals in clear and conspicuous language about how their information will be used, disclosed and transferred; what choices they have in relation to how their data are handled; what informational rights they have under data privacy law or under this Notice; and who to contact with any questions or complaints. These privacy notices are tailored to specific situations of data collection. In providing such notice, CPC meets its obligations to be transparent and fair with individuals as is required by many data privacy laws. Dependent on the medium, notice may be given in person, by email, post, telephone, or by posting on our website.
In many situations, including where mandated by data privacy law, and also where it is a matter of good practice, CPC will seek consent of individuals to collect, use and disclose their data consistent with the relevant privacy notice. However, in certain cases where law allows, particularly where gaining consent will involve a disproportionate effort, where intended processing of the data is in CPC’s or our clients’ legitimate interests and the privacy risks are low, CPC will proceed to process Personal Data absent consent. Also, CPC will use and disclose Personal Data without consent where required by law and judicial order. Consistent with GCP, laws on confidentiality and data privacy regulations, CPC will collect necessary informed consents of Data Subjects on behalf of its clients.
8. Data Quality and Record Retention
Data quality and accuracy are fundamentally important principles to CPC. Crucial to the integrity of clinical research is the accuracy of data relating to Data Subjects, particularly where attached to bio-medical samples. Consistent with regulatory requirements, CPC employs a professional quality assurance department. In general, our privacy notices provide individuals easy means of validating, correcting errors and updating information. CPC retains Personal Data in accordance with contractual, legal and regulatory requirements.
9. Your Rights to Your Information
In jurisdictions with data privacy laws, and where contractual commitments require, CPC ensures that individuals can exercise all relevant informational rights with respect to their Personal Data processed by the company, including but not limited to the right of access and correction, to withdraw consent at any time, object to data processing, request data deletion, restrict aspects of data processing, and request transmission of personal data in a common digital format (e.g., pdf) to themselves or another organization.
In all other respects, where no overriding interest prevails, CPC will endeavor to allow the following informational rights under this Notice as a matter of good practice:
• to allow access to copies of Personal Data within a reasonable timeframe;
• to correct Personal Data where inaccurate;
• to allow study investigators to opt out of future solicitations to participate in studies, by contacting CPC at firstname.lastname@example.org; and
• to withdraw a previously provided consent to processing of Personal Data.
Study subjects must contact their investigator at their study site, who will be able to make the necessary link to subject identity.
10. Information Security
We have implemented organizational, technical, and administrative measures in an effort to protect Personal Data within our organization, including security controls that are intended to prevent unauthorized access to our systems, including standard operating procedures, firewalls and restricted access. While we take these reasonable steps to secure your Personal Data from loss, misuse, interference and unauthorized access, modification and disclosure, you should be aware no security procedures or protocols are ever guaranteed to be 100 percent secure from intrusion or hacking, and there is therefore always some risk to sharing Personal Data online. If you have reason to believe that your interaction with us is no longer secure (for example, if you feel that the security of your account has been compromised), please immediately notify us at email@example.com.
CPC also maintains a comprehensive information security policy that seeks to apply technical and organizational security measures that protect Personal Data, particularly Sensitive Data, against unauthorized access or loss. Consistent with regulatory requirements, particularly under U.S. state law and GDPR, CPC also maintains a policy, which establishes a procedural response to dealing with any breach of Personal Data, including making any necessary notifications to, as applicable, individuals, Data Controllers, or governmental authorities.
11. Online Issues
A cookie is a data file that is placed by a website operator on the hard drive of a visitor to their site. Cookies with the following functions may be enabled to the computers of visitors to CPC websites: to allow the site to deliver the service requested by the visitor; to remember repeat visitors; to improve the user experience of the site; to allow the company to perform site analytics. Your online relationship with CPC may be managed by using settings available on most internet browsers. For example, most browsers will allow a visitor to choose which cookies can be placed on his/her computer, to delete or disable cookies, and to set Do Not Track as a function. Please note that disabling cookies may prevent a visitor from using certain features on CPC websites.
Children’s Online Privacy Protection
CPC does not knowingly or specifically collect information about minors under the age of 18, and believes that children of any age should get their parents’ or legal guardians’ consent before providing any Personal Data. No part of our online presence is directed to anyone less than 18 years. If you believe that we have mistakenly or unintentionally collected such information, please notify us at firstname.lastname@example.org so that we may delete the information from our servers.
Third Party Sites
Our websites may permit you to link to other websites on the internet through direct links or through applications such as “share” or “Like” buttons, and other websites likewise may contain links to CPC’s websites. The information practices or content of such other websites is governed by the privacy statements of those websites and not by this Notice. We encourage you to review the privacy policies found on such other websites, services, and applications to understand how your information may be collected and used.
Similarly, please note that we are not responsible for the collection, use and disclosure policies and practices (including the data security practices) of other organizations, such as Facebook, Apple, Google, Microsoft, LinkedIn, social media platform providers, operating system providers, wireless service providers, or device manufacturers, including any Personal Data you disclose to other organizations through or in connection with your use of the Apps or the Social Media Pages.
12. Inquiries, Complaints and Requests to Exercise Rights
Communications, queries or requests to exercise informational rights (e.g., access, correct, amend, remove, or limit the use or disclosure of your Personal Data) or complaints can be emailed to email@example.com. For purposes of compliance with GDPR, the Associate Director of Contracts, Proposals, and Procurement for CPC is the nominated Data Protection Officer and may be contacted through the email address above.
For your protection, we may only implement requests with respect to the Personal Data associated with the particular email address that you use to send us your request, and we may need to verify your identity before implementing your request. We will respond to your request within 30 days.
Please note that we may need to retain certain information for recordkeeping purposes and/or to complete any transactions that you began prior to requesting such access, change or deletion.
Within the EU, individuals have the right in law to complain about how their information is handled to a supervisory authority that is responsible for regulating compliance with GDPR. A list of all EU supervisory authorities is available on the European Commission website: http://ec.europa.eu/justice/data-protection/article-29/structure/data-protection-authorities/index_en.htm.
13. Legal Status of Notice and Notice Changes
This Notice is not a contract, and it does not create any legal rights or obligations. CPC reserves the right to modify or amend this Notice. For instance, the Notice may need to change as new legislation is introduced or as it is amended. The updated Notice will be posted on http://cpcmed.org/data-protection-policy/.
CPC will regularly assess and evaluate its methods and performance in relation to handling Personal Data. This Notice will be updated as necessary to reflect best practice in data management, security and control.
This Notice was last updated on the Effective Date. A notice will be posted on www.cpcmed.org for 30 days whenever this Notice is changed in a material way.
14. Questions, Concerns, or Complaints
Your privacy is important to us. If you have any questions, concerns, or complaints regarding the way we collect and handle your information, please contact us by email at firstname.lastname@example.org or by mail at 13199 E. Montview Blvd., Ste. 200, Aurora, CO 80045 – ATTN: Data Protection Officer. Because email communications are not always secure, please do not include Sensitive Data in your emails to us.
CPC will take any privacy complaint seriously and any complaint will be assessed by an appropriate person with the aim of resolving any issue in a timely and efficient manner. We request that you cooperate with us during this process and provide us with any relevant information that we may need.