The CROS holds its legal basis for the collection, storage, processing and sharing of personal data upon the grounds of Legitimate Interest. The three core factors to warrant legitimate interest as the CROS’s legal basis are:
Where written consent has been obtained records of consent are retained until instructed by the volunteer/vendor/staff member to remove under their right to withdraw consent as per POL 10. Where verbal consent is given, a record is kept to detail verbal consent is held, similarly this is retained until instructed by the volunteer/vendor/staff member to remove under their right to withdraw consent.
For verbal consent, where there is no clear and obvious indication of verbal consent provided, the CROS takes the approach that given the level of personal identifiable data collected (contact details, emergency contact details, medical conditions, social habits etc) that this indicates verbal consent was obtained.
We collect personal data to enable our organisation to engage with volunteers regarding appropriate studies personalised to each individual. We will need name, contact details, some brief medical information and some information pertaining to the volunteer’s social habits. Emergency contact details are collected for safety purposes only and will only be used in emergency scenarios. National Insurance and/or Passport numbers are collected to validate identify and compliance to over participation in clinical trials.
Detailed descriptions of personal data we collect on you are located in the volunteer personal data matrix below:
Purpose |
|||
Data Type |
Communication medium |
Trial suitability parameter |
Regulatory or safety data |
Name | X | X | |
Address | X | X | |
Home Telephone | X | X | |
Mobile Telephone | X | X | |
Work Telephone | X | X | |
X | X | ||
Date of Birth | X | ||
Ethnicity | X | ||
Height | X | ||
Weight | X | ||
Passport Number | X | ||
NI Number | X | ||
NHS Number | X | ||
GP Details | X | ||
Next of Kin | X | ||
Social Habits | X | ||
Medical Conditions | X | ||
Medication | X | ||
Lung Function | X | ||
Test Results | X | ||
History of activity | X | ||
* This list may not be exhaustive but indicate the primary and in cases generic listings of data and their purpose. |
As a data controller (“someone/an organisation that determines the purposes and means of processing personal data”) we generate volunteer research data during the conduct of clinical trials, however this data is obtained with explicit consent given for the purposes of each individual trial and is governed independently by Clinical Research Legislation.
We hold a small amount of data from our vendors to ensure we have appropriate means to communicate effectively and demonstrate compliance with current GCP requirements. We also hold financial details in order to settle service balances.
In most cases volunteers will be involved in medical procedures and as such it is a matter of safety to hold emergency contact details. The details obtained under the purpose of “Emergency Contact” will only be used in emergency situations and for no other purpose. Only basic information is collected so that we can get in touch with an emergency contact if the need occurs.
We collect a limited amount of data from our website users to help us improve the user experience whilst navigating around our site. We collect information upon engagement medium, length of stay, pages visited and frequency of visit.
Some users will complete website forms in order to initiate engagement with volunteer services. The data we collect for this communication is very basic and only for the purpose of initiating communication. We collect the users name and contact details as well as some market research data such as, but not limited to, source of referral. Although it is our aim to never penalise users for not sharing personal data, in some cases without the sharing of this basic data we will not be able to fulfil our business requirement to engage with users. Any information shared in these forms will be done so freely without coercion and following acknowledgment of reading this privacy policy.
We collect personal data to enable our organisation to support staff regarding appropriate human resource requirements. We will need name, contact details, some brief medical information (if applicable) and some information pertaining to the staff members financial details. Emergency contact details are collected for safety purposes only and will only be used in emergency scenarios.
There are three main ways in which we collect your data
Data collected only for the purpose of the trials the volunteer is involved in, is exempt from General Data Protection Regulation (Regulation (EU) 2016/679), however it is regulated under Good Clinical Practice (GCP Directive (2005/28/EC)). This data is collected directly from the volunteer and in some cases by a third party vendor.
We collect personal data during the course of our work with you. The extent of this data is dependent upon the variety of and volume of interactions. This data is provided to us by your organisation as part of our work.
We collect personal data only when a volunteer provides it.
We collect your data via cookies and web forms when you visit our site or complete an online form. Cookie settings are customised in your browser, for more information on how to amend your cookie settings please review appropriate support per browser. In some cases we collect information submitted via our chat service, this is only initiated by the website user and not invoked by this organisation.
We initially collect personal data during induction, more data is collected the longer you are a staff member. The extent of this data is dependent upon the areas of work in which you are assigned.
The main reason for collecting your data is to be able to efficiently and accurately identify research trials suited to you. Your personal profile, which is made up of the data we collect from you and about you, is matched to research trials based on strict inclusionary and exclusionary factors determined by the research trials adjudication and scientific panel.
The more data we hold on you the easier it becomes to identify you as suitable for a research trial and therefore we routinely prompt for updates on the information we hold on you. In some cases it will be identified that additional information about you is required to enhance our volunteer profiles, this information will be requested as part of our routine data validity & cleansing commitments.
Research data collected is used for the scientific purposes detailed in each trial protocol. Its analysis and governance is also set out in the trial protocol and therefore bespoke to each trial. Consent is given for each trial explicitly and the use of research data is by definition, explicit to the trial it was collect for.
The main purpose of using vendor data is to ensure compliance to contractual arrangements between the vendor and this organisation. This data is also used to improve the relationship between organisations whilst ensuring compliance to legal obligations.
This data will only be used during an emergency scenario only when the volunteer who originally provided this information is directly involved in the emergency.
We use this data to improve the users experience of using our website. For example: analysing the statistics around trial searching/selection to help us present a greater volume of these trials to our users. We may also use this data to help improve both aesthetics and navigation around our site to improve user experience. Please note that some statistics and communications data may be used as part of internal investigations or litigation.
The main purpose of using staff data is to ensure compliance to employment law and to provide best support on a personalised level. This data is also used to improve the relationship between staff and this organisation whilst ensuring compliance to legal obligations.
We may share your data with various parties in various ways for various reasons. Each circumstance will be managed on its individual needs and requirements to fulfil only the purpose of that stated in a data sharing agreement.
All research data generated by this organisation about you is shared only with the approved sponsor for the specific trial the data relates too. Consent is obtained for this sharing of data prior to the commencement of the trial and nothing is shared without consent.
Unless you specify otherwise, we may share your information with any of our affiliated companies, such as service providers, where we deem appropriate for best delivery of service.
Unless you specify otherwise, we may share this information with our affiliated emergency service organisations.
Unless you specify otherwise, we may share your data with web analytics services, marketing platforms to ensure we are targeting you with the correct information.
Unless you specify otherwise, we may share your data with financial service providers, occupational health services, Disclose and Barring Service and a select number of other core service providers.
We take the security around your data extremely seriously which is why we put in appropriate measures to prevent unauthorised access and misuse. We do this by using a range of technical and procedural methodologies that work simultaneously to identify, if needed, data breaches.
If you suspect any misuse, loss or unauthorised access of your personal data please let us know immediately.
We will keep your data for as long as we maintain a meaningful collaborative relationship with you. This will be for a minimum of three years and upto a time where the law or relevant regulation determines we should destroy your data.
As a custodian of your data we, as an organisation, strive to work closely with you when requests are made (following identity verification) to recall, remove, revise and reformat personal data.
If we are using your data for purposed deemed ‘legitimate business reason’, that you do not agree with, you have the right to object to its use. Objection must be submitted in written form to:
We will respond to your request within 30 days (although we may be allowed to extend this period in certain cases).
Where we have obtained consent to process your personal data for legitimate business activities (for example, aligning a trial to your clinical profile), or consent to market to you, you may withdraw consent at any time for one or all of these activities.
You will be consent explicitly for trials which take part in, withdrawal of consent for these trials would need to be in accordance to the participant information guidance provided as per trial.
You have the right to ask us to confirm what information we hold about you at any time, and you may ask us to modify, update or delete such information (following identity verification). Where we are legally permitted to do so, we may decline your request, but we will explain our reason for doing do. Subject Access Requests must be submitted in written form to:
We will respond to your request within 40 days (although we may be allowed to extend this period in certain cases).
It is your right to request that all data held about you is removed from all media within our organisation. Requests to be forgotten must be submitted in written form to:
We will respond to your request within 40 days (although we may be allowed to extend this period in certain cases). In some limited cases we may not be able to remove your information, if this is the case you will be given notice of what information we have retained and the purpose for doing so.
You have the right to request that your data is transferred to another data controller. We will endeavour to facilitate an electronic data transfer or by providing you a copy in machine readable format.
MEUS controls the processing of personal data collected from all input media (data forms, questionnaires, website etc).