This policy defines Clinical Ink’s interpretation of the regulatory requirements related to Personal Health Information, Patient Privacy, the Health Insurance Portability and Accountability Act (HIPAA), Swiss-U.S. Privacy Shield, the EU-U.S. Privacy Shield principles and the EU General Data Protection Regulation (EU GDPR).
This policy applies to all systems used to create, modify, transfer, or store an electronic representation of any information or process regulated by the Food and Drug Administration (FDA), the European Medicines Agency (EMA), and the Swiss Agency for Therapeutic Products (Swissmedic).
EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield Certification Statement
Clinical Ink is a provider of software and services to life sciences companies for use in the conduct of clinical trials throughout the world. Acting as a third-party agent for our clients, Clinical Ink receives, for each clinical project, Personal Data (name, email, phone number) from study sponsors, research site staff, study participants, various consultants/subcontractors, and employees. Additionally, as specifically authorized by our customers, Clinical Ink may also collect and store Clinical Study Data, which is collected pursuant to a project-specific informed consent with clinical research subjects, and may include detailed information regarding health status, medical assessments, test results, and other data required for a particular study. Detailed contractual arrangements, SOPs and business policies govern all our work with customer data. Clinical Ink’s internal policies are available for audit/review by our clients, provided that Clinical Ink remains responsible for the adequacy of our business practices and technical infrastructure.
1.1 Definition of Terms
“Personal Data” means any data or combination of data that could potentially identify a specific individual and includes information such as Name, Email, Address, or any other data that could be linked to a person. Personal Data does not include information that is stored in an anonymized format or is otherwise publicly available.
“Sensitive Data” means data that reflects racial or ethnic origins, health, or sexual orientation and activities. Clinical research studies often collect data categorized as “sensitive”; however, Good Clinical Practice (GCP) requires that enrolled subjects have completed and signed an Informed Consent (IC) that notifies them of the requirements of the study, including the data (personal and sensitive) that will be collected and processed as part of the study conduct.
“Clinical Study Data” means the specific details of an identifiable individual with respect to medical history, prescription drug use, clinical observations or test results, and other medical records. Personal Data may also be considered Clinical Study Data if collected for conducting a clinical trial.
The term “Data Subject” means an individual who is the subject of personal data. In other words, the data subject is the individual whom personal data is about. A data subject is not an individual who has died or who cannot be identified or distinguished from others.
Clinical Ink intends that its corporate privacy policies, internal SOPs and work practices are adequate to ensure compliance with applicable international laws and regulations including the US Health Insurance Portability and Accountability Act (HIPAA), the European Union’s General Data Protection Regulation (GDPR), and other similar guidelines. Clinical Ink is a self-certifying participant in the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework. Clinical Ink has developed policies related to data collection, security, and privacy in a manner consistent with the requirements of the EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield certification processes.
1.2 Types of Information Collected
Clinical Ink may collect data (including personal data and other sensitive data) from site personnel, sponsor contacts, employees, and clinical study participants through its clinical trial and general business activities.
This policy, where applicable, applies to all data collected by Clinical Ink and is subject to all applicable regulations and directives listed in this document.
In all cases where Clinical Ink is acting on our own behalf, such as with employee or customer Personal Data, the collection vehicle will specifically provide notice stating the purpose for which the information is being collected and how that information will be stored. As a Software-as-a-Service (SaaS) provider of clinical trial software and services, Clinical Ink acts as an agent on behalf of clients to collect Clinical Study Data. With respect to all Clinical Study Data, Clinical Ink shall act in a manner governed by the contractual relationship with each customer, consistent with the notice provisions specified by the customer in their relationship with the individuals participating in the clinical study. Clinical Ink will disclose all information regarding how Clinical Study Data is secured to facilitate the customer’s Notice responsibilities.
Data Subjects may initiate a request relating to their data and, under certain circumstances, may invoke binding arbitration. Clinical Ink will use commercially reasonable efforts to respond to individual requests within forty-five (45) days of receipt of such request and proper identity verification. All requests in this regard should be submitted via email to email@example.com.
Clinical Ink may share Clinical Study Data with agents, third parties, or partners approved by our customers and as required by contract, and Clinical Ink remains liable for the onward transfers to these approved agents, third parties, or partners. Additionally, it is important to note that Clinical Ink may be required to disclose the personal information of individuals, including certain personally identifiable information, in response to a lawful request by public authorities or under any applicable law, including to meet national security or law enforcement requirements. By self-certifying with the Privacy Shield, Clinical Ink is subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC).
Clinical Ink will not share Personal Data with third parties except in cases where the third party is acting on behalf of Clinical Ink consistent with the purposes for which such Personal Data was originally obtained. All Clinical Study Data is owned by our customer, who retains the responsibility to permit individuals to withdraw consent to have their personal Clinical Study Data used for purposes other than the originally intended purpose.
ACCOUNTABILITY FOR ONWARD TRANSFER:
Clinical Ink may share Clinical Study Data with agents, third parties, or partners approved by our customers and as required by contract. Clinical Ink will not disclose any Clinical Study Data to third parties without explicit approval from our Customer. In cases where Clinical Ink contracts with a third party, Clinical Ink will obtain assurances that they will safeguard Personal Data and Clinical Study Data in a manner consistent with this Policy. Furthermore, when transferring personal information to a third party acting as an agent, Clinical Ink will:
(i) transfer such data only for limited and specified purposes;
(ii) ascertain that the agent is obligated to provide at least the same level of privacy protection as is required by the Privacy Shield Principles;
(iii) take reasonable and appropriate steps to ensure that the agent effectively processes the personal information transferred in a manner consistent with the organization’s obligations under the Principles;
(iv) require the agent to notify the organization if it decides that it can no longer meet its obligation to provide the same level of protection as is required by the Principles;
(v) upon notice, including under (iv), take reasonable and appropriate steps to stop and remediate unauthorized processing; and
(vi) provide a summary or a representative copy of the relevant privacy provisions of our contract with that agent to the Department of Commerce or Federal Trade Commission upon verified request.
Clinical Ink will employ reasonable safeguards to protect Personal Data from loss, misuse, unauthorized access, disclosure, alteration and destruction. Clinical Ink strictly controls access to Clinical Study Data through multiple security mechanisms and adheres to a Defense-in-Depth approach to data security, which includes the following:
i.) environmental monitoring,
ii.) anti-virus software,
iii.) network segmentation with multilayer security access controls,
iv.) intrusion detection monitoring and alerting,
v.) database logging and auditing,
vi.) multi-factor authenticated VPN,
vii.) data at rest encryption,
viii.) transport layer encryption,
ix.) anonymization of certain data elements.
DATA INTEGRITY AND PURPOSE LIMITATION:
Clinical Ink facilitates the collection of Personal Data and Clinical Study Data as specified by our customer. Customers must also receive the appropriate regulatory and oversight approvals (e.g. FDA, EMA, Institutional Review Boards, etc.) necessary to conduct the clinical trial. Clinical Ink does not own or have any rights to any Clinical Study Data and makes no decisions based on such data. Additionally, Clinical Ink takes reasonable steps to ensure that personal data is reliable for its intended use, accurate, complete and current. Clinical Ink adheres to these principles for as long as such information is retained.
Upon request by a clinical research participant, whether received through customers or while fulfilling contractual obligations to collect and store Clinical Study Data, Clinical Ink will facilitate reasonable access to personal information. With respect to Personal Data maintained solely on behalf of Clinical Ink, Clinical Ink will, upon request, provide reasonable means to ensure such data is accurate. Clinical Ink employees have a responsibility to ensure that all Personal Data is updated regularly as changes occur. It must be noted that Clinical Ink may deny an access request where the burden or expense of providing access would be disproportionate to the risks to the individual’s privacy in the case in question, or where the rights of persons other than the individual would be violated. Such decisions will be documented in writing and retained for future access.
RECOURSE, ENFORCEMENT AND LIABILITY:
Clinical Ink will fully cooperate with all customer requests to investigate potential violations related to Clinical Study Data and will do so expeditiously and at no cost to the individual. Individuals, including employees, who feel that Clinical Ink has violated this Policy in any way, may contact the designated Data Protection Officer directly to initiate a formal inquiry. Employees found willfully disregarding this Policy shall be terminated.
1.5 Dispute Resolution
Clinical Ink
Attn: Data Protection Officer
525 Vine Street, Suite 130
Winston-Salem, NC 27101
Clinical Ink is committed to referring unresolved privacy complaints under the Privacy Shield Principles to a non-profit alternative dispute resolution provider located in the United States, the International Centre for Dispute Resolution, a Division of the American Arbitration Association (ICDR/AAA). If you do not receive timely acknowledgment of a complaint, or if Clinical Ink does not satisfactorily address such complaint, please visit www.adr.org for more information or to file a complaint. You can also visit the U.S. Department of Commerce’s Privacy Shield website at https://www.privacyshield.gov/ to learn more about the Privacy Shield Framework. Disputes involving the handling of employee Personal Data shall be handled through an internal review process according to the severity of the complaint. By self-certifying with the Privacy Shield, Clinical Ink commits to cooperate in investigations by EU Data Protection Authorities and to comply with the advice of competent EU authorities in such cases.
1.6 Reservation of Rights
Clinical Ink reserves the right to share Personal Data as required by law to respond to duly authorized information requests of government authorities. For such requests involving Clinical Study Data, Clinical Ink shall provide notice to affected customers, but shall not necessarily seek permission, prior to disclosing any data to regulatory agencies.
2.0 45 CFR 164.508 (HIPAA)
Under 45 CFR 164.508, commonly referred to as the Health Insurance Portability and Accountability Act (HIPAA), it is typical that a contract between a Sponsor and a site stipulates that the site obtain the subject’s permission to use their protected information for all necessary uses, and additionally permits that such information may also be accessed by agents acting on behalf of the Sponsor for purposes related to the clinical trial, typically citing 45 CFR 164.508(c), which specifies how that authorization should be granted. Therefore, Clinical Ink interprets that the Sponsor has complied with the requirement to contract with the covered entity (the site) to specify the purposes for which the research data, including the personal identifying information, is being collected. Presumably, the informed consent document then has language that meets the required HIPAA disclosures/authorizations. Clinical Ink recognizes that site contracts between Sponsors and a site vary; therefore, if necessary, the Sponsor may request a more specific HIPAA-related agreement between themselves and Clinical Ink.
Additionally, U.S. Department of Health and Human Services (HHS) regulations have clarified the circumstances under which covered entities need to have a “Business Associate Agreement” in place. Such an agreement is not necessary for contracts between Clinical Ink and a pharmaceutical sponsor because neither is a “covered entity”. In cases where Clinical Ink contracts directly with a site located in the United States, a “Business Associate Agreement” must be put in place, as clarified by HHS. This statement addresses the security requirements that will help protect the privacy of Protected Health Information (PHI). Clinical Ink will:
• Not make known to any unauthorized party any PHI other than what is allowable by a specific agreement or as may be required by law
• Use appropriate precautions to prevent any unauthorized use or disclosure of PHI
• Promptly report to the client any use of PHI, of which Clinical Ink is aware, that is not provided for by the agreement or as may be required by law
• Ensure any subcontractors, agents, or representatives to whom Clinical Ink provides PHI agree to these same restrictions and conditions
• Only make PHI available as provided for by the agreement or as may be required by law
• Make accounting of disclosure information available as provided for by the agreement or as may be required by law
• Make internal PHI procedures and records received from the client available to the appropriate governing authority for the purpose of determining compliance with the law
• Return or destroy all client-provided PHI that Clinical Ink maintains in its possession, at the request of the client
• Put in place an Incident Response procedure that will define timelines, escalation path(s), and notification obligations.
Furthermore, Clinical Ink’s system incorporates explicit safeguards at the field level that permit only specific user roles to have access to PHI. Each study will have specific security permissions established that define which roles have access to data elements that could be considered PHI.
3.0 General Data Protection Regulation (GDPR)
The General Data Protection Regulation (GDPR) replaced the Data Protection Directive 95/46/EC, effective 25-May-2018. This regulation is directly applicable to each member state of the European Union and affects data controllers and processors inside and outside of the EU which collect data on EU data subjects. Clinical Ink assessed its technical and procedural safeguards to ensure compliance with the GDPR; these are outlined below. For the purposes of this regulation, the following definitions apply:
‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
‘third party’ means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorized to process personal data.
Notification Standards
Per the GDPR, data controllers are required to provide notice of a “personal data breach” to the supervisory authority “without undue delay, and where feasible, not later than 72 hours after having become aware of it”. As a data processor on behalf of the data controller, Clinical Ink commits to the notification standard by following the internal process outlined in SOP 106 – Data Privacy Incident Response.
Data Protection Officer
Clinical Ink has designated Marc Wartenberger, Quality Operations Manager, as the Data Protection Officer, who shall monitor Clinical Ink’s compliance with the GDPR and other data protection laws, including managing internal data protection activities, training staff, and conducting internal audits. This person also serves as the main contact for interactions with regulatory authorities with regard to issues surrounding the processing of personal data. Additionally, this person is responsible for ensuring that data subject rights regarding data protection practices, withdrawal of consent, the right to be forgotten, and related rights are satisfied. This person operates independently from other business units and reports to the highest management level within Clinical Ink.
Consent
Per the GDPR, consent must be “freely given, specific, and unambiguous” with “a statement or clear affirmative action”. If applicable, Clinical Ink may provide the data controller with guidance and specific language to be included in the subject’s informed consent form. The data processed by Clinical Ink on behalf of the data controller is subject to the protocol-specific attributes of the study. Clinical Ink provides this language on a project basis and will, at a minimum, include the following to describe Clinical Ink’s processing of the data:
• Description of how Clinical Ink will collect the data – through SureSource Capture and/or Engage applications.
• Description of where Clinical Ink will store the data collected through its application.
• Description of how long Clinical Ink will maintain and store the data.
Data Subject Rights
Clinical Ink addresses Data Subject Rights, covering the rights of access, rectification, erasure, restriction of processing, data portability, and objection, in dedicated SOP 106 – Data Subject Request, to ensure compliance with the GDPR through internally developed processes and procedures.
Adequacy Decision
Adequacy Decisions allow for data flow from the EU (and Norway, Liechtenstein and Iceland) to a third country without any further safeguard being necessary. In other words, transfers to the country in question are treated as intra-EU transmissions of data. The European Commission has recognized the United States as providing adequate protection as long as companies are subject to and comply with the Privacy Shield framework.
Data Protection Impact Assessments & Standard Contractual Clauses
As a processor, Clinical Ink acts on behalf of the controller. When selecting a processor, controllers must use only processors that provide sufficient guarantees of their ability to implement the technical and organizational measures necessary to meet the requirements of the GDPR. Clinical Ink welcomes a data protection impact assessment performed by the controller to demonstrate its compliance with the GDPR. Additionally, certain contract provisions regarding the tasks and responsibilities of the processor, as well as standard contractual clauses, are mechanisms by which the controller can establish the provisions of the processing carried out by the data processor. These provisions include how and when data will be returned or deleted after processing, and the details of the processing, such as subject matter, duration, nature, purpose, type of data and categories of data subjects. The controller and processor may also choose to use standard contractual clauses adopted by the Commission.
Clinical Ink will follow the lead of the controller and either commit to the data protection requirements through contract provisions or standard contractual clauses.
Data Processor Subcontractors
Clinical Ink relies on outsourcing for success in today’s competitive marketplace. Selecting the best vendors for the products or services that support a Clinical Ink project or system is critical to the success of Clinical Ink. Clinical Ink SOP 107 – Vendor Acquisition and Management is the method by which Clinical Ink selects the best vendor to support the needs of the business, acquires products and/or services and manages the vendor through the lifetime of the vendor relationship and the product contract. Subcontractors of Clinical Ink are also subject to the same requirements under the GDPR and they are also bound by any contracts with the controller.
This Internet Policy describes how Clinical Ink processes personal information gathered during user sessions on Clinical Ink’s public website. It is written in the context of someone who would be reading the company’s website. Items under sections 2 and 5 (below) require inputs and controls by Clinical Ink staff. This policy will be posted on our company website.
Clinical Ink occasionally distributes emails of information about our organization. This is designed to provide product-related information and services, as well as corporate news and employment information.
2. Why does Clinical Ink collect, use and disclose Personal Information?
Clinical Ink collects identifying information when you visit the Web Site (including, without limitation, any clinicalink.com web pages or landing pages), and when you submit data through a form such as those found on gated resources and contact pages.
When you visit the website, Clinical Ink collects your Internet Protocol (“IP”) addresses to track and aggregate non-personal information.
In addition, Clinical Ink receives and stores certain types of information whenever you interact with us via our website, including the pages you visit and activities you perform on the Clinical Ink website. Clinical Ink automatically receives and records certain “traffic data” including your IP address, third party cookie information, and the page you requested. Clinical Ink uses this traffic data to help analyze trends, diagnose problems with its server, and administer its website. We may also use any data we collect through the website to better understand and market to our customers or website users, individually or in the aggregate.
Clinical Ink collects and uses Personal Information for several general purposes: to fulfill requests for certain products and services, to personalize the user experience on our website, to update visitors on the latest product announcements, software updates, or other information we think you would like to hear about, and to better understand your needs and provide you with better services. We may also use your information to send you direct marketing information or contact you for market research using automated tools to contact multiple recipients.
Clinical Ink will provide every user of its website and recipient of marketing-related information the opportunity to “opt out” of receiving such materials.
The means to indicate that you no longer consent, or wish to withdraw consent, will be presented to you, for instance as an option or box to click or check at the point of collection or upon receiving an automated email or text message.
3. How does Clinical Ink secure personal information?
We use industry-standard security measures to protect against the loss, misuse and alteration of data used by our system. It is your personal responsibility to secure your own copies of your passwords and related access codes for Clinical Ink online resources.
4. Who will have access to personal information about me?
Personal information about you will be accessible to Clinical Ink only.
Clinical Ink may also share such information with contractors or business partners of Clinical Ink in connection with services that these individuals or entities perform for, or with, Clinical Ink. Such third parties are restricted from using this data in any way other than providing services for or on behalf of Clinical Ink.
Except as set forth above, we will not otherwise use or disclose any of your personally identifiable information, except to the extent reasonably necessary:
(i) to correct technical problems and malfunctions and to technically process your information;
(ii) to protect the security and integrity of our Web Site;
(iii) to protect our rights and property and the rights and property of others;
(iv) to take precautions against liability;
(v) to the extent required by law or to respond to judicial process; or