1. Introduction
The law protects all information about an individual from which the individual can be identified; this is called personal data. It may include contact details, other personal information, photographs and expressions of opinion about them or any other indications. Some information is considered special or sensitive information because it relates to race or ethnic origin, political opinions, religious beliefs or other beliefs of a similar nature, trade union membership, physical or mental health, sexual life or contains biometric information. Such sensitive information is given special protection.
2. Data protection principles
The Company might hold personal data about subjects in Clinical Trials. Consent for the processing of personal data of clinical trial subjects is given through the Informed Consent procedure owned by the sponsor. Datametrix processes data about staff for legal, personnel, administrative and management purposes and to enable our legal obligations as an employer to be met, for example to pay an employee and to confer benefits in connection with their employment. “Processing” means doing anything with the data, such as accessing, storing, disclosing, destroying or using the data in any way.
2. Processed for specified, explicit and legitimate purposes.
3. Adequate, relevant and limited to what’s necessary for the purpose.
Datametrix will only use personal data about staff and subjects on clinical trials for the purposes for which it was collected, unless we reasonably consider that we need to use it for another reason which is compatible with the original purpose. If we need to use personal data for an unrelated purpose, we will tell staff or the sponsor (if need be) and we will explain the legal basis which allows us to do so.
4. Accurate, up to date.
Datametrix will keep personal data about staff accurate and up to date. Data that is inaccurate or out of date will be destroyed. It is the responsibility of staff to update the DPO if personal details change or if you become aware of any inaccuracies in the personal data held about you.
5. Adequate, relevant and limited to what’s necessary for the purpose.
Datametrix does not keep personal data for longer than is necessary. This means that data is destroyed or erased from all systems when it is no longer required in accordance with the data retention period set out in the contracts with the sponsors. Where applicable, documents are destroyed at the end of the year in which the retention period expires, and document destruction records are maintained.
6. Processed in line with individuals’ rights.
See section 4.3
7. Secure.
Maintaining data security means guaranteeing the confidentiality, integrity and availability (for authorized purposes) of the personal data. Datametrix has considered how to protect personal data from being accidentally lost, used or accessed in an unauthorized way, altered or disclosed inappropriately.
Datametrix will ensure that appropriate measures are taken to achieve these objectives.
Datametrix has in place procedures and technologies to maintain the security of all personal data from the point of collection to the point of destruction.
8. Not transferred to people or organizations situated in countries without adequate protection.
Datametrix will only transfer subject data outside of the EU where there is adequate protection for their personal data. Agreements for such transfer between countries are in place.
3. Individual’s rights:
This section applies to all individuals (i.e. Datametrix staff and subjects from clinical trials). Individuals have the right:
a) Request and receive access to any personal data held about you: This is commonly known as a “subject access request”. The purpose of a subject access request is to allow staff to access their personal data held by Datametrix.
b) Right to object: You have the right to object, for reasons relating to your particular situation, to Datametrix processing your personal data for reasons of our legitimate interests. When we receive any objection to processing on this ground, we will restrict access to the relevant information while we assess whether our legitimate interests override your objection. If we can demonstrate that they do or the information may be needed for legal claims, we are allowed to continue to process your personal data; otherwise we will stop processing it.
c) Ask to have inaccurate data held about you amended: If you think that any personal data about you which Datametrix holds is incorrect or incomplete, you have the right to request that the information is changed. The request goes to the DPO for correction.
d) Right to have data deleted – the so-called “right to be forgotten”: In the following situations you have the right to have your personal data deleted:
i. Where the personal data is no longer necessary for the purpose for which it was originally collected/processed.
ii. When we have asked you for consent to process your personal data and you have withdrawn that consent.
iii. When you object to the processing (see section b above) and there is no overriding legitimate interest for continuing the processing.
iv. When the personal data was unlawfully processed;
v. When the personal data has to be erased in order to comply with a legal obligation.
Datametrix can refuse your request if the personal data may be needed for legal claims.
If Datametrix has provided deleted personal data to someone else, we will, where possible, ask them to also delete the information.
e) Right to restrict processing: If you tell us that you think some personal data we hold about you is incorrect or incomplete or you object to us processing your personal data for reasons of our legitimate interests, we will restrict access to the relevant personal data while we assess whether or not it is incorrect/incomplete or whether we are allowed to continue processing your personal data. This means that we will continue to store the relevant personal data, but we won’t use it for any other purposes. If we have previously provided the restricted personal data to someone else, we will, where possible, ask them to also restrict the data.
f) Right to transfer of your personal data: Where you have provided personal data to Datametrix and we are processing it via automated means either based on your consent or for the performance of your employment contract/contract for services, you have the right to request that this personal data is provided to you, or to someone else, in a commonly used electronic form. Then:
i. All commitments of Datametrix with the sponsor regarding the privacy and the confidentiality of data will be transferred by default to all the staff working on this data.
ii. Confidential sponsor data and information must not be shared with any foreign person or third party’s organization.
4. Storage of information
▪ Confidential data and information are stored electronically. The information is safeguarded by restricting access to unauthorized associates and users.
▪ Hard copies of confidential documents (contracts, SOPs, agreements…) are kept in a locked cabinet and only the responsible person (or deputy) has the key.
▪ Convert paper-based information into electronic records and keep a copy on the appropriate shared drives.
▪ In order to respect the rules of the storage and security of both electronic and paper-based information, associates must not:
- Transmit, transfer or disclose Datametrix’s confidential information to an unauthorized person.
- Examine, change, or use another person’s files without prior authorization.
- Store the confidential business information on their computer local drive. The information should be only stored on the Network shared drive.
- Leave confidential or business sensitive information on desks except when they are in use. Where applicable, ensure that the paper-based information is stored in a locked cabinet when leaving the office.
5. Training
An important principle of data protection laws is accountability. We must not only comply with the law but be able to show that we comply with it. There are several aspects to accountability: one is putting in place policies such as this policy, another is training the staff. Due to the importance of data protection laws, online data protection training through our internal training platform (LMS) will be provided and is mandatory.