Simbec-Orion External Privacy Policy 2018

Page 1

SIMBEC-ORION PRIVACY POLICY Simbec-Orion Group is an international contract research organisation (CRO). We conduct clinical studies for pharmaceutical, biotechnology and medical device companies. We operate to strict international standards for the conduct of those studies. We are committed to maintaining the security and privacy of the personal data we process. Operating under strict regulatory and industry requirements in order to deliver the work we conduct, we take the protection of personal data extremely seriously. This policy explains how we process personal data and the various activites which support security and privacy. We will endeavour to ensure that any information you submit to us remains private and is only used for the purposes set out in this policy.

RESPONSIBLITY FOR PERSONAL DATA Simbec-Orion operates as: (a)

a “Data Controller” for the information we collect and process for our own purposes and

when operating in this capacity we are responsible for your data; and (b)

a “Data Processor” for data, as the sponsor of the study. In this case the Client will be the

Data Controller. During a study we always ensure that appropriate contractual arrangements are in place to respect your privacy and the Data Controller’s details will be communicated to you for each study you participate in.

Simbec-Orion External Privacy Policy 2018

Page 1 of 9

WHAT INFORMATION WE COLLECT & PROCESS, AND WHY To enable Simbec-Orion to effectively deliver our website services and clinical trials, we are required to process your data in a number of different ways, depending on the requirements, such as: VOLUNTEERS DATABASE In order conduct clinical studies at Simbec Research we require, generally healthy, people to volunteer to participate in clinical studies. We advertise in local media to seek volunteers to participate in clinical studies. When volunteers contact us they will be asked to provide personal and health related information to allow us to assess a volunteer’s suitability for a trial. We process this data with a view to entering into a contract and ensuring high standards of care during our trials. We retain personal data in our systems to provide a database of people interested in participating in clinical trials. As we commence clinical studies we will match the requirements of the study against our database, so that when a new trial is conducted, we can assess if the information you have provided meets the specification agreed with each individual trial sponsor, and then directly advise you of an opportunity to participate in a new trial. If you are selected to participate in a trial, you will be required to complete further screening information along with participant consent forms, which allows us to administer medical care to you during a trial. A potential volunteer’s personal data is also provided to our trusted third-party call centre in relation to seeking participants for a specific clinical trial. Information gathered is captured at the call centre and supplied back to the Simbec-Orion Group. You are able to be removed from this database at any time.

Please contact if you wish to have your information removed. TRIAL SCREENING AND SELECTION PROCESS For each trial, volunteers are screened against the requirements of the Sponsor. Our volunteer database is checked against these requirements and if the criteria stipulated by the Sponsor is matched, then you will be invited to take part in the trial. The requirements of the trial will be explained to you and if you are happy to take part then the information you have already provided will be checked and further information will be required, such as your health information.

Simbec-Orion External Privacy Policy 2018

We need this information so that we can provide medical

Page 2 of 9

treatment to you during the trial and with a view to entering into a contract and ensuring high standards of quality and safety of health care and of medicinal products. VOLUNTEER TRIALS Those selected to participate in a specific trial, will be required to provide health information and allow us access to medical records. We need this information to ensure it is safe for you to take part in the trial and to administer medical treatment during the trial. This information will be shared with Simbec staff responsible for your care. All data provided to the Client which commissioned the study, will be provided with the results in anonymised findings. PATIENT TRIALS If you are selected by your health care practitioner as being suitable to take part in a trial, the process and purpose of the trial will be fully explained to you. During Patient Trials your data remains with the selected site and associated personnel, it is not held on our systems, as the site and sponsor are the data controller. We do visit the site and collect the trial-based information but no personally identifiable information is collected by the Simbec Orion Group. POTENTIAL EMPLOYEES Those wishing to apply for employment with Simbec-Orion Group may send their CV’s by email at an address found on the website. We do not stipulate what information is contained within a CV but accept that it will contain personal information. The CV is not shared with any other party. SALES, EVENTS AND MARKETING We often participate in organising webinars, attending industry events and building an understanding of individuals who we may want engage with in the future. We utilise industry recognised systems to process prospective customer data and review social media sites to gain a basic understanding of individuals and collect data such as name, title, contact details, correspondence regarding ongoing work and opportunities. The information we take from volunteers will be held on our databases and will only be used by Simbec-Orion Group to assess suitability and manage the clinical study. We will only share with companies supporting us to deliver our services and where we have ensured that these parties will adhere to data protection standards at least equivalent to ours.

Simbec-Orion External Privacy Policy 2018

Page 3 of 9

PERSONAL INFORMATION ABOUT COLLABORATORS As a necessary part of carrying out clinical studies for our clients we are required under the law and regulations governing the conduct of clinical studies to collect personal data about certain people with whom we collaborate. These collaborators are typically the specialist staff working in hospitals and clinics who manage patients in clinical studies and include doctors, nurses and other medical staff, pharmacists and laboratory scientists. This data is needed to confirm the technical competency of those staff and this information is retained in that study’s specific Trial Master File. PERSONAL INFORMATION ABOUT CLIENTS We retain information about our clients in our customer relationship management system (CRM). This provides us with basic information about a Client’s staff member. This information is derived from data provided by that person, for example on their business card. We retain a minimum amount of information to allow us to appropriately provide information about products and services directly relevant to them. We occasionally send our Clients information about technical or scientific matters which are relevant to their line of work. Consequently, we rely upon the legitimate interests of both parties for these communications. We always provide such people the option to opt out of any information distribution despite the general principal described above.

TYPES OF PERSONAL DATA WE PROCESS YOUR NAME AND CONTACT DETAILS We use your name and contact details, such as email, postal address and contact number, to get back in contact with you so that you can tell us your question, query or feedback. We may also request your company name, if the request is on behalf of a business. We use the same information to send you information by email or post about our services, if you request it. We may also use your name and contact details in order to perform our contract with you should you become a volunteer patient. Without this information, we could not provide you with our services. YOUR DATE OF BIRTH AND GENDER INFORMATION If we collect your date of birth and/or gender information, it will be used to assess your suitability for or in the course of any clinical trial you have volunteered to take part in.

Simbec-Orion External Privacy Policy 2018

Page 4 of 9

HEALTH RELATED INFORMATION If we collect information relating to your health, including illnesses, allergies, physical measurements, General Practitioner details, habits and contraceptive use, we do so to assess your suitability for or in the course of any clinical trial you have volunteered to take part in. We take this information to ensure that high standards of quality and safety are provided to you. YOUR FINANCIAL INFORMATION If you are accepted as a volunteer patient, we will collect bank details and information from you. This is in order for us to make a payment to you. We do not keep this information for longer than is necessary and is destroyed once the payment has been made.

LAWFUL BASIS FOR PROCESSING Depending on the process, we will use relevant provisions of Article 6, but specifically: (a) consent has been given for us to use your personal information for one or more specific reason(s); (b) to process your information as part of the contract between us or when entering into such a contract; (c) processing your information because we have to comply with a legal requirement. Where we process special categories of data, such as your health information, we also apply an additional reason to do so under Article 9. Specifically, we will also apply relevant provisions of Article 9(h), (i) and (j); (h) to process your information for the purposes of preventive medicine as part of the study or trial; (i) to process your information for reasons of public interest in the area of public health, to ensure high standards of quality and safety of health care and of medicinal products or medical devices; (j) to process your information for recording functions as the research is for scientific purposes. We do this in accordance with suitable and specific measures to safeguard your fundamental rights and interests. We only use your information for the purposes detailed in this policy. If there are any changes to the way we process your data we will contact you and ensure that any new processing is done in accordance with the GDPR. The information we take from you will be held on our database and will only be used by SimbecOrion Group to assess your suitability and will only be shared with companies supporting us to deliver our services. Simbec-Orion External Privacy Policy 2018

Page 5 of 9

These companies are: The Over-volunteering Prevention System (TOPS) – We only provide your National Insurance number, passport number if not a UK citizen and the date of your last dose of study medicine. This is to ensure it is safe for you to participate in the study.

WHERE IS INFORMATION PROCESSED? We primarily process personal data in the United Kingdom or countries within the European Economic Area (EEA). Some of the systems that we use may be hosted outside of the European Economic Area (EEA) and countries deemed as not having adequate levels of protection for privacy. When we process data in these countries, we will always ensure that this is done in accordance with Data Protection Law and make use of standard contractual clauses and other provisions within the GDPR. Again, dependent on the trial’s sponsor and trial specific content, your data may be processed in additional countries, which will be governed by the other party, who will provide you their privacy notification and supporting information at that time.

WHO WE SHARE PERSONAL DATA WITH We use selected and approved companies to provide services on behalf of our business, which may involve the processing of personal information. When we do this, we ensure that appropriate contracts and other controls are in place to ensure that personal information is treated with the same high standards as if it were our own. As an essential part of being able to provide our services to you, we may share your information with the following parties: •

Companies in the Simbec-Orion group;

Professional service providers who help us in the day to day running of our trials;

Credit references agencies, law enforcement and fraud prevention agencies to assist us in challenging dishonesty;

We do not not sell personal data to third parties.

Simbec-Orion External Privacy Policy 2018

Page 6 of 9

HOW LONG IS PERSONAL DATA RETAINED? Simbec-Orion will only keep personal data for as long as necessary to provide the necessary services to clients, Specifically in relation to clinical information, we are required to produce a Trial Master File (TMF). This contains all information about the clinical study. Under current law this must be retained for 25 years under EU Clinical Trials Regulation 536/2014. When you register as a volunteer we will retain your data for 5 years, unless you request to be removed from our database. This is to ensure that if any relevant trials take place, which you may be applicable for, that we can contact you.

HOW IS PERSONAL INFORMATION KEPT SECURE We ensure that personal data is protected with appropriate technical and organisational controls. Across our organisation we also have a Quality Management System this includes Standard Operating Procedures. SOP’s exist in relation to data protection and these provide clear guidance to staff so that they are aware how to handle data and keep it secure. We use encryption for securing data as it is sent across the internet and networks and also use it to secure data that is held in storage, so that if the physical equipment holding the data was to be lost or stolen, the data could not be accessed due to strong levels of encryption. We use security controls such as anti-virus software, mail filtering, and URL filtering. We conduct penetration testing to ensure our systems are robust to withstand a malicious attack. We may also use third party software. Generally, we seek to use software from industry’s leading providers to ensure the highest standards are maintained. We are not able to control or dictate their security but we always perform due diligence to ensure their security practices meet our standards. Paper documentation is kept in secure areas under strong physical security. We ensure personally identifiable data is used as little as possible and afforded high levels of protection.

Simbec-Orion External Privacy Policy 2018

Page 7 of 9

YOUR RIGHTS Under Data Protection Laws individuals have a number of Rights in relation to how their data is processed. In order to exercise any of the Rights, a request should be made to or by writing or visit out contact page People whose personal data is held by us have certain rights as set out in this part of our policy. •

You have the right to be informed about how your data is processed, which is arictulated within this Policy.

You have the right to have your data rectified if you believe there are inaccuracies to your personal data or preferences.

You have the right to access the your personal data that is processed by Simbec-Orion and how it is processed,

If you believe your data should be erased by Simbec-Orion, then you have the right to request Erasure of your data, this is not an absolute Right and we will inform you of the outcome either way.

You have the right to request that Simbec-Orion restrict processing your data.

You have the right to have your data sent to another provider under your Right to Data Portability, which allows personal information to be moved, copied or transfered from one IT environment to another in a safe and secure manner

You have the right to Object to processing of your personal data, such as objecting to receive marketing communications from us.

Simbec-Orion does not carry out solely automated decision making and/or profiling. This policy is regularly reviewed and if this changes, it will be reflected in this policy.

If you wish to provide us with any feedback regarding this policy, have a complaint or wish to exercise any of your rights listed above, please contact us at Simbec-Orion by emailing: If you prefer to write to us, rather than send an email, please do so at The Data Protection Officer Simbec-Orion Group Limited Merthyr Tydfil Industrial Park Merthyr Tydfil CF48 5DR United Kingdom

Simbec-Orion External Privacy Policy 2018

Page 8 of 9

Alternatively, if you are not satisfied with our response, you can contact our supervisory authority, which is the United Kingdom, Information Commissioner’s Office (ICO) who can be contacted directly on 0303 123 1113 or by visiting

CHANGES TO OUR PRIVACY POLICY We may occasionally make alterations to this page which will reflect how we process and look after your data. This is to ensure our commitment to you in protecting your information and upholding your rights. If important changes are made to this policy, we will draw your attention to them by making this clear on our website, through our services or by another means of communication, such as email. This will allow you to assess the changes and make an up-to-date decision if you would like to continue using our services.

COOKIES AND WEBSITE ANALYTICS We may use the following types of cookies on our website. •

Strictly necessary cookies. These cookies are essential for you to browse the Simbec-Orion website and use its features. Without these cookies, some services cannot be provided. For more detail on this please see this Link.

Performance cookies. These cookies collect information about how you use our websites. This data may be used to help optimise our website and make it easier for you to navigate.

Functional cookies. These cookies allow our website to remember the choices you make and personalise your experience. For example, where a member chooses to store his or her password for log on purposes a pseudonymised version of this data is stored locally on the machine which means that no one can easily recover a member’s user name or password but it makes it easy to log back on.

Third Party cookies. Third party cookies are those placed by websites and/or parties other than Simbec-Orion. These cookies may be used on our website to improve our products or services or to help us provide more relevant advertising. These cookies are subject to their respective privacy policies for these external services.

HOW TO CONTROL COOKIE SETTINGS Most web browsers allow you to control cookies through their settings preferences, however if you limit the ability of websites to set cookies, you may impact your overall user experience. Further information may be found in our cookie policy. Simbec-Orion External Privacy Policy 2018

Page 9 of 9