Our Approach to Privacy
ResearchPoint Global (“RPG”) is a full-service global Clinical Research Organization (CRO), providing contract clinical research and development services to the pharmaceutical, biotechnology and device industries. Clinical research involves the collection and analysis of clinical as well as other highly personal and confidential information. In providing these services, ResearchPoint Global and its affiliates (together “RPG”) are responsible for the collection of health data relating to study subjects on behalf of our clients. Individuals in studies agree to share this sensitive information under the premise that anyone in receipt of the data will handle it in an environment built upon a culture of trust, where safe data handling practices are employed by all. RPG is committed to handling information received from any individual responsibly, with a focus on individual privacy and in compliance with laws on data privacy and confidentiality.
RPG has enacted internal policies, procedures and training programs designed to support compliance with these laws and this Policy. Our policies, procedures and training programs are reviewed on a regular basis, and managed by a team of professionals with senior executive oversight.
US HIPAA Regulation Policy is described in a separate RPG Policy document.
Privacy by Design
RPG has adopted the principle of privacy by design and will ensure that our systems that collect or process personal data will be subject to due consideration of privacy issues, including the completion of one or more data protection impact assessments.
The data protection impact assessment will include:
- Consideration of how personal data will be processed and for what purposes
- Assessment of whether the proposed processing of personal data is both necessary and proportionate to the purpose(s)
- Assessment of the risks to individuals in processing the personal data
- What controls are necessary to address the identified risks and demonstrate compliance with the regulation/legislation
Use of techniques such as data minimization (pseudonymisation) and anonymization will be considered where applicable and appropriate.
Rights of the Individual
The data subject also has rights under the GDPR. These consist of:
- The right to be informed
- The right of access
- The right of rectification
- *The right to erasure (or ‘right to be forgotten’)
- The right to restrict processing
- The right to data portability
- The right to object
- The right not to be subject to automated profiling and decision making.
Each of these rights is supported by appropriate procedures within RPG that allow the required action to be taken, as required by the GDPR.
The timeframes are shown in Table 1.
| Data Subject Request | Timeframe |
|---|---|
| The right to be informed | When data is collected (if supplied by data subject) or within one month (if not supplied by data subject) |
| The right of access | One month |
| The right to rectification | One month |
| *The right of erasure | *Without undue delay |
| The right to restrict processing | Without undue delay |
| The right to data portability | One month |
| The right to object | On receipt of objection |
| The right not to be subject to automated profiling and decision making | Not specified |
*For purposes of regulated clinical trials conducted by RPG, the following interpretation of the right to erasure is applied:
The right to erasure: even if, in general, the data subject has the right to obtain from the Controller of personal data the erasure of their personal data (without undue delay), the data subject does not have this right if processing is necessary for scientific research purposes. This means that clinical trials can retain their anonymized data for the full archive period specified by ICH/FDA-GCP and local regulations even if the data subject requests erasure of their data. Withdrawing the subject’s consent from the clinical trial and treatment does not mean erasure of their personal data from the clinical trial. No further data will be entered into the study database for the subject.
In jurisdictions with data privacy laws, and where contractual commitments require, RPG ensures that individuals can exercise all relevant informational rights with respect to their personal information processed by the company, including but not limited to the right of access and correction, to withdraw consent at any time, object to data processing, request data deletion, restrict aspects of data processing, prevent direct marketing and request transmission of personal data in a common digital format (e.g., pdf) to themselves or another organization.
In all other respects, where ICH-GCP policy is not overriding, RPG will endeavor to allow the following informational rights under this Policy as a matter of good practice:
- to allow access to copies of personal information within a reasonable timeframe;
- to correct personal information where inaccurate;
- to allow study investigators to opt out of future solicitations to participate in studies, by contacting firstname.lastname@example.org and by indicating identifying information by which recorded information may be referenced and removed;
- to allow individuals whose contact information was acquired in the course of conducting our business to opt out of future contact and solicitations, other than for legal or financial reasons, by contacting email@example.com and by indicating identifying information by which recorded information may be referenced and removed;
- to withdraw a previously provided consent to processing of personal information.
Study subjects must contact their investigator at their study site, who will be able to make the necessary link to subject identity.
Any document received by an RPG employee that contains personal information will be turned over to the QA Department Manager for proper de-identification (redacting the personal information and replacing it with a de-identifier code such as a Subject Number). If the document in question is received electronically (or is in electronic format), the document will be deleted from the email/database by the line Manager after the QA Manager is notified of the breach.
It is RPG’s policy to be fair and proportionate when considering the actions to be taken to inform affected parties regarding breaches of personal data. In line with the GDPR, where a breach is known to have occurred which is likely to result in a risk to the rights and freedoms of individuals, the relevant supervisory authority will be informed within 72 hours by the RPG Regulatory Affairs Department representative.
Under the GDPR the relevant (EU) Data Protection Authority has the authority to impose a range of fines up to four percent of annual worldwide turnover or twenty million Euros, whichever is the higher, for infringements of the regulations.
The final value of the administrative fine is determined by a number of factors, such as whether there have been any previous breaches, the level of co-operation with the supervisory authority and the category of personal data involved. Under the GDPR, data subjects who have been affected by a breach can seek compensation if they can demonstrate that the breach has caused distress.
National laws in Denmark and Estonia prohibit administrative fines, therefore penalties in those EU member states will be pursued through the criminal courts.
The European Data Protection Supervisor, also known as the Article 29 Working Party, has overall jurisdiction on data protection in EU and EEA member states. Complaints about your supervisory authority should be directed to this body.
Phone: Not Available
The Information Commissioner’s Office is the UK’s supervisory authority under the General Data Protection Regulation (GDPR). Breach notifications, further advice and clarification of the regulation should be sought from this public-sector body.
Phone: 0303 123 1113 / +44 (0) 1625 545 745
How Information is Used
What Types of Personal Information Does RPG Handle and for What Purposes?
In addition to information associated with Clinical Studies, we may collect data in the following categories.
Employee and Human Resource Data
RPG collects personal information from applicants seeking employment with the company, including private contact details, professional qualifications and previous employment history, to inform employment decisions. RPG conducts various background checks on applicants, including, where law allows, checks on criminal history and professional disbarment. Once employed, RPG collects information on staff for human resource, performance, payroll and tax purposes. RPG will collect and record employee-level information in various company systems, consistent with standard business operations. RPG processes similar information relating to consultants, contractors and other third parties engaged by the company to provide products or services to it.
Internal and External Disclosures of Personal Information
RPG may hold information relating to its clients, staff, investigators and other individuals. Under some circumstances RPG may be required by law enforcement or judicial authorities to disclose certain personal information as part of investigations or for litigation purposes.
International Transfers of Personal Information
Personal information will be shared across international borders as required to service global projects. RPG hosts personal information mainly in the United States. In certain circumstances, RPG and client personal information will be hosted within vendor platforms located in other US locations. Data stored on these other platforms is managed by RPG under this policy. RPG recognizes that many countries globally have regulations restricting the flow of personal information across international borders. RPG has put in place measures to ensure that adequate protection is provided to such data where legally mandated.
Notice & Consent
At the point of data collection, RPG will provide notice to individuals in clear and conspicuous language about how their information will be used, disclosed and transferred; what choices they have in relation to how their data are handled; what informational rights they have under data privacy law or under this Policy; and who to contact with any questions or complaints. These privacy notices are tailored to the specific situation of data collection. In providing such notice, RPG meets its obligations to be transparent and fair with individuals, as required by many data privacy laws. Depending on the medium, notice may be given in person, by email, post or telephone, or by posting on our website.
In many situations, including where mandated by data privacy law and also where it is a matter of good practice, RPG will seek the consent of individuals to collect, use and disclose their data consistent with the relevant privacy notice. However, in certain cases where law allows, particularly where gaining consent would involve a disproportionate effort, where the intended processing of the data is in RPG’s or our clients’ legitimate interests and the privacy risks are low, RPG will proceed to process personal information without consent. RPG will also use and disclose personal information without consent where required by law or judicial order. Consistent with GCP, laws on confidentiality and data privacy regulations, RPG will collect the necessary informed consents of study subjects on behalf of its clients.
Data Quality & Record Retention
Consistent with regulatory requirements, RPG employs a professional quality assurance department. In general, our privacy notices provide individuals with an easy means of validating, correcting and updating their information. RPG retains personal information in accordance with contractual, legal and regulatory requirements.
Communication, Queries, & Requests
Communications, queries or requests to exercise informational rights (e.g., access to data) or complaints can be addressed to the attention of RPGprivacy.firstname.lastname@example.org for the purpose of delegation to the appropriate department.
Under the Regulation, RPG [or provide WuXi EU office appointed DPO or EDGP person] shall be primarily responsible for data protection matters affecting our EU group of companies. For purposes of compliance with the Regulation, the EDGP is the nominated Data Protection Officer and may be contacted through the co-ordinates above.
Within the EU, individuals have the right in law to complain about how their information is handled to a supervisory authority that is responsible for regulating compliance with the Regulation. A list of all EU supervisory authorities is available on the European Commission website: http://ec.europa.eu/justice/data-protection/article-29/structure/data-protection-authorities/index_en.htm.