This notice is effective as of 27 May 2014
and last updated 1 October 2014
Our Approach to Privacy
Clinical and medical research are founded upon the collection and analysis of the most confidential information about people. Individuals will only share their sensitive information where there is a culture of trust, where all stakeholders implement safe data handling practices. Operating within this environment, Pharmaceutical Product Development, LLC and its affiliates (together “PPD”) recognize that when we handle information about any individual, we must do so responsibly, with due care to individual privacy, complying with laws on data privacy and confidentiality.
PPD has enacted internal policies, procedures and training programs designed to support compliance with these laws and this policy. Our policies, procedures and training programs are reviewed on a regular basis, and managed by a team of privacy professionals with senior executive oversight.
What Types of Personal Information Does PPD Handle and for What Purposes?
Clinical and Medical Information
As a global contract research organization, we collect, host and analyze significant quantities of health data and biomedical samples relating to study subjects on behalf of our clients. To enhance privacy, consistent with GCP, subjects’ names and other direct identifiers are not attached to records or samples collected by PPD for research purposes. Instead, subjects are only identified by a code. Only study doctors and authorized personnel, including PPD monitors and PPD auditors, may access named subject records at source. In certain cases where local law allows, PPD may also collect full date of birth attached to study records. We maintain that this indirect identifier can on occasion serve to verify subject identity to the benefit of patient safety.
PPD provides additional services that may involve the collection of health information linked to named individuals, for example in our Phase I clinic, and within operations supporting patient recruitment, post-approval pharmacovigilance and medical information. We appreciate the sensitivity of such information, and the privacy protections we apply in these areas are more rigorous.
All clinical and medical information processed by PPD is done so under contract with our clients. In terms established by the directive, PPD considers that the sponsor/client is ultimately in control of how and why clinical and medical data are processed within our services and as such is the “controller,” whilst PPD and its affiliates are “processors.”
Health Professional Information
PPD analyzes the professional profiles of doctors and other health care providers for the purpose of identifying potential investigators to assist in clinical and medical research on specific indications. The company will use available contact information, including email addresses, for the purpose of inviting potential investigators to apply to participate in research. PPD will source health professional information from its own databases and also indirectly from public sources, data brokers and referrals. For operational purposes, PPD will also collect information relating to the involvement and performance of investigators and supporting study staff. The company will also process financial information of investigators to support payment for services.
Employee and Human Resource Data
PPD collects personal information from applicants to open positions within the company, including private contact details, professional qualifications and previous employment history to inform employment decisions. PPD conducts various background checks on applicants, including where law allows on criminal history and professional disbarment. Once employed, PPD collects information on staff for human resource, performance, payroll and tax purposes. Various company internal systems will collect and record employee level information consistent with standard business operations. PPD processes similar information relating to consultants contracted on a freelance basis.
PPD collects named information about visitors to company websites where this is voluntarily provided to meet a request from those individuals, for example where a client contact requests information on a company service, a health professional is interested in participating in a clinical trial or where someone wants to apply for a vacant position with the company. Through the use of cookie-based technologies, PPD may collect various data linked to virtual identities allocated to visitors when they access our websites. These data are used for various purposes, including site analytics and first party marketing (see Online Issues below). In certain cases, these virtual identities are linked to the real world identities of visitors when they provide their named information as described above. This allows PPD to tailor marketing messages to those individuals, inclusive of information that is likely to be of interest to them.
Medical Information Contact Centers
PPD operates contact centers for the purpose of providing medical information to health professionals, patients and other interested parties on specific pharmaceutical products sold by our clients. These contact centers also collect adverse event information and deliver this to relevant pharmacovigilance professionals for processing as required by regulation. Personal data on those who call or email our contact centers are only collected to process requests for information and allow adverse event reporting. Calls may be recorded for quality assurance purposes. Callers (inbound and outbound) are notified if their calls are recorded.
Internal and External Disclosures of Personal Information
Personal information will be shared within PPD, companies working as agents of PPD and third parties only on a “need to know” basis to meet stated legitimate business purposes. Access to databases and folders containing personal information is restricted to appropriate staff. PPD does not trade or sell personal information. Under some circumstances, PPD may be required by law enforcement or judicial authorities to disclose certain personal information as part of investigations or for litigation purposes. PPD may disclose personal information to a buyer or other successor in the event of a merger, divestiture, restructuring, reorganization, dissolution or other sale or transfer of some or all of PPD’s assets, whether as a going concern or as part of bankruptcy, liquidation or similar proceeding.
Companies working as agents of PPD are required to sign “processor” and/or confidentiality agreements whereby they will commit to only process personal information consistent with contracted purposes, apply appropriate organizational and technical security safeguards, and where relevant, meet the requirements of the Safe Harbor Framework.
International Transfers of Personal Information
PPD is a global company serving an industry that is increasingly globalized in its approach to clinical research. Personal information will be shared across international borders as required to service global projects. PPD hosts personal information in databases in different locations throughout the world, mainly in the United States. In certain circumstances, PPD and client personal information will be hosted within vendor platforms located in the Internet cloud. PPD recognizes that many countries globally have regulations restricting the flow of personal information across international borders. PPD has put in place measures to ensure that adequate protection is provided to such data where legally mandated. For example, PPD’s U.S. affiliates commit to comply with the Safe Harbor Framework for the transfer of personal information from the European Economic Area and Switzerland. In other circumstances, PPD has entered into intra-group agreements to provide necessary safeguards to data. Where privacy risks are very low, for example with respect to the sharing of key coded data, PPD may rely on informed consent from individuals for the transfer of their information to legal regimes with less strong data privacy safeguards.
Notice and Consent
At the point of data collection, PPD will provide notice to individuals in a clear and conspicuous language about how their information will be used, disclosed and transferred; what choices they have in relation to how their data are handled; what informational rights they have under data privacy law or under this policy; and who to contact with any questions or complaints. These privacy notices are tailored to specific situations of data collection. In providing such notice, PPD meets its obligations to be transparent and fair with individuals as is required by many data privacy laws. Dependent on the medium, notice may be given in person, by email, post, telephone or by posting on our website.
In many situations, including where mandated by data privacy law, and also where it is a matter of good practice, PPD will seek consent of individuals to collect, use and disclose their data consistent with the relevant privacy notice. However, in certain cases where law allows, particularly where gaining consent will involve a disproportionate effort and the privacy risks are low, PPD will proceed to process personal information absent of consent. Also, PPD will use and disclose personal information without consent where required by law and judicial order.
Consistent with GCP, laws on confidentiality and data privacy regulations, PPD will collect necessary informed consents of study subjects on behalf of its clients. PPD will suggest template consent language to its clients, including necessary content as dictated by local law.
Data Quality and Record Retention
Crucial to the integrity of clinical research is the accuracy of data relating to study subjects, particularly where attached to biomedical samples. Consistent with regulatory requirements, PPD employs a professional quality assurance organization to ensure accuracy of clinical information. In general, our privacy notices provide individuals easy means of validating, correcting errors and updating information. PPD retains personal information according to purpose and regulatory requirement, as directed by our corporate retention schedules.
In jurisdictions with data privacy laws, and where Safe Harbor Framework commitments require, PPD ensures that individuals can exercise all relevant informational rights with respect to their personal information processed by the company, including but not limited to the right of access and correction, to prevent direct marketing, block processing and erase data. In all other respects, where no overriding interest prevails, PPD will endeavor to allow the following informational rights under this policy as a matter of good practice:
- to allow access to copies of personal information within a reasonable timeframe;
- to correct personal information where inaccurate;
- to allow study investigators to opt out of future solicitations to participate in studies, by contacting https://survey.ppdi.com/opt-out-form.htm; and
- to withdraw a previously provided consent to processing of personal information.
Study subjects must contact their investigator at site, who will be able to make the necessary link to subject identity.
The company maintains a comprehensive information security policy that seeks to apply technical and organizational security measures that protect personal information, particularly sensitive clinical data, against unauthorized access or loss. Consistent with regulatory requirements, particularly in the U.S., PPD also maintains a detailed security breach policy, which establishes a procedural response to dealing with any breach of personal information, including making any necessary notifications to individuals or governmental authorities.
A cookie is a data file that is placed by a website operator on the hard drive of a visitor to their site. Cookies with the following functions are enabled to the computers of visitors to PPD websites: to allow the site to deliver the service requested by the visitor; to remember repeat visitors; to improve the user experience of the site; to allow the company to perform site analytics; and to help tailor marketing messages to the visitor based on previous browsing. Company cookies are enabled and controlled by the PPD digital communications team, which is established on U.S. territory. The online relationship with PPD may be managed by using settings available on most internet browsers. For example, most browsers will allow a visitor to choose which cookies can be placed on their computer, to delete or disable cookies, and to set "do not track" as a function. Please note that disabling cookies may prevent a visitor from using certain features on PPD websites.
Children's Online Privacy Protection
PPD does not collect information through its websites from individuals who are known to be under the age of 13, and no part of PPD's online presence is directed to anyone less than 13 years.
Inquiries, Complaints and Requests to Exercise Rights
All communications, queries, requests to exercise informational rights (e.g., access to data) or complaints, including those that relate to compliance with the Safe Harbor Framework, should be addressed to the attention of the executive director of global privacy, PPD, Granta Park Cambridge, CB21 6GQ, United Kingdom, or emailed to firstname.lastname@example.org.
As is required by the Safe Harbor Framework, Pharmaceutical Product Development, LLC and its U.S. affiliates, employ mechanisms for providing recourse to individuals and remedying any problems arising out of failure to comply with the Safe Harbor Principles by committing to cooperate with European data protection authorities. More about the Safe Harbor Principles and PPD’s obligations under the Safe Harbor Framework is available at the U.S. Department of Commerce's Safe Harbor website at: http://export.gov/safeharbor/.
Legal Status of Policy and Policy Changes