CRO-Solutions Privacy Policy

Introduction

  • The purpose of this Privacy Policy is to explain what the CROS does with your personal data, whether that is from when you are found a suitable study to take part in, enhance the CROS’s relationship with you, provide you with relevant information, receive a service from you or if you are visiting the CROS website.
  • It describes how the CROS collect, use and process your data collected in accordance to our legal obligation and transparency to you.
  • This Privacy Policy applies to personal data collected from conversations with CROS staff (via telephone, live web chat, SMS, email and face to face), suppliers of clinical data, interactions with the CROS website(s) and data collected as from intermediary means such as emergency contact information from research volunteers.
  • The CROS will actively and continually measure and audit its compliance to legislation relating to data protection (including but not limited to the General Data Protection Regulation (Regulation (EU) 2016/679) (the “GDPR”).
  • From time to time adjustment will be made to this Privacy Policy to ensure compliance to legislation, this adjustment will be automatically implemented into this statement but a chronology can be found at the beginning of this document.
  • If you are unsatisfied with the approach this organisation is taking, you may have legal rights which are, where possible, detailed.

Basis for collection, storage, processing and sharing of personal data

The CROS holds its legal basis for the collection, storage, processing and sharing of personal data upon the grounds of Legitimate Interest. The three core factors to warrant legitimate interest as the CROS’s legal basis are:

  • Volunteers/vendors/staff members freely give their personal data to the CROS to act on their behalf to provide the best service possible to them, i.e. identify suitable Clinical Trials/Services.
  • Volunteers/vendors/staff member’s data processing is performed to ensure accuracy and relevance whilst conducting the services provided by the CROS. Data processing in this environment and manner could potentially reduce the number of unnecessary interaction with volunteers/vendors/staff members, thus enhancing their experience with the CROS.
  • It is the CROS’s belief that this approach justifiably considers the balance between collection, processing and retention of personal data with the volunteers/vendors/staff member’s interests, rights and freedoms.
  • The CROS will still obtain consent from volunteers/vendors/staff members to enhance the working relationship via tailored and personalised interactions suited to the volunteers/vendors/staff members. Consent from volunteers/vendors/staff members taken prior to 25th May 2018 was obtained (to the best of the MEUS’s knowledge) under Directive 95/46/EC.

Where written consent has been obtained records of consent are retained until instructed by the volunteer/vendor/staff member to remove under their right to withdraw consent as per POL 10. Where verbal consent is given, a record is kept to detail verbal consent is held, similarly this is retained until instructed by the volunteer/vendor/staff member to remove under their right to withdraw consent.

For verbal consent, where there is no clear and obvious indication of verbal consent provided, the CROS takes the approach that given the level of personal identifiable data collected (contact details, emergency contact details, medical conditions, social habits etc) that this indicates verbal consent was obtained.

What personal data do we collect?

Volunteer Data

We collect personal data to enable our organisation to engage with volunteers regarding appropriate studies personalised to each individual. We will need name, contact details, some brief medical information and some information pertaining to the volunteer’s social habits. Emergency contact details are collected for safety purposes only and will only be used in emergency scenarios. National Insurance and/or Passport numbers are collected to validate identify and compliance to over participation in clinical trials.

Detailed descriptions of personal data we collect on you are located in the volunteer personal data matrix below:

 

Purpose

Data Type
Communication medium
Trial suitability parameter
Regulatory or safety data
Name X   X
Address X   X
Home Telephone X   X
Mobile Telephone X   X
Work Telephone X   X
Email X   X
Date of Birth   X  
Ethnicity   X  
Height   X  
Weight   X  
Passport Number     X
NI Number     X
NHS Number     X
GP Details     X
Next of Kin     X
Social Habits   X  
Medical Conditions   X  
Medication   X  
Lung Function   X  
Test Results   X  
History of activity   X  
* This list may not be exhaustive but indicate the primary and in cases generic listings of data and their purpose.

Research Data

As a data controller (“someone/an organisation that determines the purposes and means of processing personal data”) we generate volunteer research data during the conduct of clinical trials, however this data is obtained with explicit consent given for the purposes of each individual trial and is governed independently by Clinical Research Legislation.

    • The Medicines Regulations 2012 (SI 2012/1916) incorporating The Medicines for Human Use (Clinical Trials) Regulations 2004 (SI 2004:1031) and subsequent amendments
    • Clinical Trials Directive (Directive 2001/20/EC)
    • GCP Directive (2005/28/EC)
    • MHRA GCP Guide (September 2012)
    • ICH GCP E6 (1996)

Vendor Data

We hold a small amount of data from our vendors to ensure we have appropriate means to communicate effectively and demonstrate compliance with current GCP requirements. We also hold financial details in order to settle service balances.

Data received as emergency details

In most cases volunteers will be involved in medical procedures and as such it is a matter of safety to hold emergency contact details. The details obtained under the purpose of “Emergency Contact” will only be used in emergency situations and for no other purpose. Only basic information is collected so that we can get in touch with an emergency contact if the need occurs.

Website Users

We collect a limited amount of data from our website users to help us improve the user experience whilst navigating around our site. We collect information upon engagement medium, length of stay, pages visited and frequency of visit. 

Some users will complete website forms in order to initiate engagement with volunteer services. The data we collect for this communication is very basic and only for the purpose of initiating communication. We collect the users name and contact details as well as some market research data such as, but not limited to, source of referral. Although it is our aim to never penalise users for not sharing personal data, in some cases without the sharing of this basic data we will not be able to fulfil our business requirement to engage with users. Any information shared in these forms will be done so freely without coercion and following acknowledgment of reading this privacy policy.

Staff Data

We collect personal data to enable our organisation to support staff regarding appropriate human resource requirements. We will need name, contact details, some brief medical information (if applicable) and some information pertaining to the staff members financial details. Emergency contact details are collected for safety purposes only and will only be used in emergency scenarios.

How do we collect your data?

Volunteer Data

There are three main ways in which we collect your data

  • Directly from you, the volunteer – by the completion of hard or digital questionnaires (via an onsite visit or through in interaction upon the website) we obtain vital information to be able to determine your clinical suitability for a trial.
  • From the National Health Service – with your consent we obtain validate relevant medical records from your general practitioner to which we impute to your volunteer records.
  • From approved third parties – with your consent we utilise third party vendors to perform technical, laboratorial & safety analysis. This data is securely sent and transferred back to our organisation then again imputed to your volunteer record.

Research Data

Data collected only for the purpose of the trials the volunteer is involved in, is exempt from General Data Protection Regulation (Regulation (EU) 2016/679), however it is regulated under Good Clinical Practice (GCP Directive (2005/28/EC)). This data is collected directly from the volunteer and in some cases by a third party vendor.

Vendor Data

We collect personal data during the course of our work with you. The extent of this data is dependent upon the variety of and volume of interactions. This data is provided to us by your organisation as part of our work.

Data received as emergency details

We collect personal data only when a volunteer provides it.

Website Users

We collect your data via cookies and web forms when you visit our site or complete an online form. Cookie settings are customised in your browser, for more information on how to amend your cookie settings please review appropriate support per browser. In some cases we collect information submitted via our chat service, this is only initiated by the website user and not invoked by this organisation.

Staff Data

We initially collect personal data during induction, more data is collected the longer you are a staff member. The extent of this data is dependent upon the areas of work in which you are assigned.

How do we use your data?

Volunteer Data

The main reason for collecting your data is to be able to efficiently and accurately identify research trials suited to you. Your personal profile, which is made up of the data we collect from you and about you, is matched to research trials based on strict inclusionary and exclusionary factors determined by the research trials adjudication and scientific panel.

The more data we hold on you the easier it becomes to identify you as suitable for a research trial and therefore we routinely prompt for updates on the information we hold on you. In some cases it will be identified that additional information about you is required to enhance our volunteer profiles, this information will be requested as part of our routine data validity & cleansing commitments.

Research Data

Research data collected is used for the scientific purposes detailed in each trial protocol. Its analysis and governance is also set out in the trial protocol and therefore bespoke to each trial. Consent is given for each trial explicitly and the use of research data is by definition, explicit to the trial it was collect for.

Vendor Data

The main purpose of using vendor data is to ensure compliance to contractual arrangements between the vendor and this organisation. This data is also used to improve the relationship between organisations whilst ensuring compliance to legal obligations.

Data received as emergency details

This data will only be used during an emergency scenario only when the volunteer who originally provided this information is directly involved in the emergency.

Website Users

We use this data to improve the users experience of using our website. For example: analysing the statistics around trial searching/selection to help us present a greater volume of these trials to our users. We may also use this data to help improve both aesthetics and navigation around our site to improve user experience. Please note that some statistics and communications data may be used as part of internal investigations or litigation.

Staff Data

The main purpose of using staff data is to ensure compliance to employment law and to provide best support on a personalised level. This data is also used to improve the relationship between staff and this organisation whilst ensuring compliance to legal obligations.

Who do we share data with?

Volunteer Data

We may share your data with various parties in various ways for various reasons. Each circumstance will be managed on its individual needs and requirements to fulfil only the purpose of that stated in a data sharing agreement.

Research Data

All research data generated by this organisation about you is shared only with the approved sponsor for the specific trial the data relates too. Consent is obtained for this sharing of data prior to the commencement of the trial and nothing is shared without consent.

Vendor Data

Unless you specify otherwise, we may share your information with any of our affiliated companies, such as service providers, where we deem appropriate for best delivery of service.

Data received as emergency details

Unless you specify otherwise, we may share this information with our affiliated emergency service organisations.

Website Users

Unless you specify otherwise, we may share your data with web analytics services, marketing platforms to ensure we are targeting you with the correct information.

Staff Data

Unless you specify otherwise, we may share your data with financial service providers, occupational health services, Disclose and Barring Service and a select number of other core service providers.

How do we safeguard your data?

We take the security around your data extremely seriously which is why we put in appropriate measures to prevent unauthorised access and misuse. We do this by using a range of technical and procedural methodologies that work simultaneously to identify, if needed, data breaches.

If you suspect any misuse, loss or unauthorised access of your personal data please let us know immediately.

How long do we keep your data?

We will keep your data for as long as we maintain a meaningful collaborative relationship with you. This will be for a minimum of three years and upto a time where the law or relevant regulation determines we should destroy your data.

What rights do I have about the data you hold on me?

As a custodian of your data we, as an organisation, strive to work closely with you when requests are made (following identity verification) to recall, remove, revise and reformat personal data.

Right to object

If we are using your data for purposed deemed ‘legitimate business reason’, that you do not agree with, you have the right to object to its use. Objection must be submitted in written form to:

Data Protection Officer
Medicines Evaluation Unit
The Langley Building
Southmoor Road
Wythenshawe
Manchester
M23 9QZ

We will respond to your request within 30 days (although we may be allowed to extend this period in certain cases).

Right to withdraw consent

Where we have obtained consent to process your personal data for legitimate business activities (for example, aligning a trial to your clinical profile), or consent to market to you, you may withdraw consent at any time for one or all of these activities.

You will be consent explicitly for trials which take part in, withdrawal of consent for these trials would need to be in accordance to the participant information guidance provided as per trial.

Right to Access “Subject Access Request (SAR)”

You have the right to ask us to confirm what information we hold about you at any time, and you may ask us to modify, update or delete such information (following identity verification). Where we are legally permitted to do so, we may decline your request, but we will explain our reason for doing do. Subject Access Requests must be submitted in written form to:

Data Protection Officer
Medicines Evaluation Unit
The Langley Building
Southmoor Road
Wythenshawe
Manchester
M23 9QZ

We will respond to your request within 40 days (although we may be allowed to extend this period in certain cases).

Right to be forgotten

It is your right to request that all data held about you is removed from all media within our organisation. Requests to be forgotten must be submitted in written form to:

Data Protection Officer
Medicines Evaluation Unit
The Langley Building
Southmoor Road
Wythenshawe
Manchester
M23 9QZ

We will respond to your request within 40 days (although we may be allowed to extend this period in certain cases). In some limited cases we may not be able to remove your information, if this is the case you will be given notice of what information we have retained and the purpose for doing so.

Right to data portability

You have the right to request that your data is transferred to another data controller. We will endeavour to facilitate an electronic data transfer or by providing you a copy in machine readable format.

Who is responsible for processing your personal data?

MEUS controls the processing of personal data collected from all input media (data forms, questionnaires, website etc).