This notice is effective as of 17 November 2017 and last updated 18 April 2018
Our Approach to Privacy
Clinical and medical research are founded upon the collection and analysis of the most confidential information about people. Individuals will only share their sensitive information where there is a culture of trust and where stakeholders implement safe data handling practices. Operating within this environment, Pharmaceutical Product Development, LLC and its affiliates (together “PPD”) recognize that when we handle information about any individual, we must do so responsibly, with due care to individual privacy, complying with laws on data privacy and confidentiality.
PPD has enacted internal policies, procedures and training programs designed to support compliance with these laws and this Policy. Our policies, procedures and training programs are reviewed on a regular basis, and managed by a team of privacy professionals with senior executive oversight.
What Types of Personal Information Does PPD Handle and for What Purposes?
Clinical and Medical Information
As a global contract research organization, we collect, host and analyze significant quantities of health data and bio-medical samples relating to study subjects on behalf of our clients. To enhance privacy, consistent with GCP, subjects’ names and other direct identifiers are not attached to records or samples collected by PPD for research purposes. Instead, subjects are only identified by a code. Only study doctors and authorized personnel, including PPD monitors and PPD auditors, may access named subject records at source. In cases where local law allows, PPD may also collect full date of birth attached to study records. We maintain that this indirect identifier can on occasion serve to verify subject identity to the benefit of patient safety.
PPD provides additional services that may involve the collection of health information linked to named individuals, for example in our Phase I Clinics, and within operations supporting patient recruitment, post-approval pharmacovigilance and medical information. We appreciate the sensitivity of such information, and the privacy protections we apply in these areas are more rigorous.
All clinical and medical information handled by PPD is processed under contract with our clients. In terms established by the Directive and Regulation, PPD considers that the sponsor/client is ultimately in control of how and why clinical and medical data are processed within our services and as such is the “controller,” whilst PPD and its affiliates are “processors.”
Health Professional Information
PPD analyzes the professional profiles of doctors and other health care providers for the purpose of identifying potential investigators to assist in clinical and medical research on specific indications. The company will use available contact information, including email addresses, for the purpose of inviting potential investigators to apply to participate in research. PPD will source health professional information from its own databases and also indirectly from public sources, data brokers and referrals. For operational purposes, PPD will also collect information relating to the involvement and performance of investigators and supporting study staff. The company will also process financial information of investigators to support payment for services.
Industry Professional Information
In the course of conducting our business, PPD will interact with employees, consultants, contractors and other third parties employed or engaged by our clients involved in clinical and medical research. PPD will record and use the names, contact details and other professional information on these individuals for legitimate business related purposes, including project and financial administration. We may use the information we obtain, including email addresses, to provide relevant information on PPD’s services to our clients.
Employee and Human Resource Data
PPD collects personal information from applicants seeking employment with the company, including private contact details, professional qualifications and previous employment history to inform employment decisions. PPD conducts various background checks on applicants, including where law allows on criminal history and professional disbarment. Once employed, PPD collects information on staff for human resource, performance, payroll and tax purposes. PPD will collect and record employee level information in various company systems, consistent with standard business operations. PPD processes similar information relating to consultants, contractors and other third parties engaged by the company to provide products or services to it.
PPD collects named information about visitors to company websites where this is voluntarily provided to meet a request from those individuals, for example where a client contact requests information on a company service, a health professional is interested in participating in a clinical trial or where someone wants to apply for a vacant position with the company. Through the use of cookie-based technologies, PPD may collect various data linked to virtual identities allocated to visitors when they access our websites. This data is used for various purposes, including site analytics and first party marketing (see Online Issues below). In certain cases, these virtual identities are linked to the real world identities of visitors when they provide their named information as described above. This allows PPD to tailor marketing messages to those individuals, inclusive of information that is likely to be of interest to them.
Medical Information Contact Centers and Pharmacovigilance
PPD operates contact centers for the purpose of providing medical information to health professionals, patients and other interested parties on specific pharmaceutical products sold by our clients. These contact centers also collect adverse event information and deliver this to relevant pharmacovigilance professionals for processing as required by regulation. Personal data on those who call or email our contact centers are only collected to process requests for information and allow adverse event reporting. Calls may be recorded for quality assurance purposes. Callers (inbound and outbound) are notified if their call is recorded.
Internal and External Disclosures of Personal Information
Personal information will be shared within PPD, companies working as agents of PPD and third parties only on a “need to know” basis to meet stated legitimate business purposes. Access to databases and folders containing personal information is restricted to appropriate staff. PPD does not trade or sell personal information. Under some circumstances, PPD may be required by law enforcement or judicial authorities to disclose certain personal information as part of investigations or for litigation purposes. PPD may disclose personal information to a buyer or other successor in the event of a merger, divestiture, restructuring, reorganization, dissolution or other sale or transfer of PPD or some or all of its assets.
Companies working as vendors of PPD are required to sign “processor” and/or confidentiality agreements whereby they will commit to only process personal information consistent with contracted purposes and apply appropriate organizational and technical security safeguards.
International Transfers of Personal Information
PPD is a global company serving an industry that is increasingly globalized in its approach to clinical research. Personal information will be shared across international borders as required to service global projects. PPD hosts personal information in databases in different locations throughout the world, mainly in the United States. In certain circumstances, PPD and client personal information will be hosted within vendor platforms located in the Internet cloud. PPD recognizes that many countries globally have regulations restricting the flow of personal information across international borders. PPD has put in place measures to ensure that adequate protection is provided to such data where legally mandated. For example, PPD has executed Standard Data Protection Clauses (“SDPC”) for the purpose of transferring personal information from the European Economic Area. EU residents whose personal information is handled under these SDPC may request a copy of the agreement from PPD through the contact details listed below. Where privacy risks are very low, for example with respect to the sharing of key coded data, PPD may rely on informed consent from individuals for the transfer of their information to legal regimes with less strong data privacy safeguards.
Notice and Consent
At the point of data collection, PPD will provide notice to individuals in clear and conspicuous language about how their information will be used, disclosed and transferred; what choices they have in relation to how their data are handled; what informational rights they have under data privacy law or under this Policy; and who to contact with any questions or complaints. These privacy notices are tailored to specific situations of data collection. In providing such notice, PPD meets its obligations to be transparent and fair with individuals as is required by many data privacy laws. Depending on the medium, notice may be given in person, by email, post, telephone, or by posting on our website.
In many situations, including where mandated by data privacy law, and also where it is a matter of good practice, PPD will seek consent of individuals to collect, use and disclose their data consistent with the relevant privacy notice. However, in certain cases where law allows, particularly where gaining consent will involve a disproportionate effort, where intended processing of the data is in PPD’s or our clients’ legitimate interests and the privacy risks are low, PPD will proceed to process personal information without consent. Also, PPD will use and disclose personal information without consent where required by law and judicial order. Consistent with GCP, laws on confidentiality and data privacy regulations, PPD will collect necessary informed consents of study subjects on behalf of its clients.
Data Quality and Record Retention
Data quality and accuracy are fundamentally important principles to PPD. Crucial to the integrity of clinical research is the accuracy of data relating to study subjects, particularly where attached to bio-medical samples. Consistent with regulatory requirements, PPD employs a professional quality assurance department. In general, our privacy notices provide individuals easy means of validating, correcting errors and updating information. PPD retains personal information in accordance with contractual, legal and regulatory requirements.
In jurisdictions with data privacy laws, and where contractual commitments require, PPD ensures that individuals can exercise all relevant informational rights with respect to their personal information processed by the company, including but not limited to the right of access and correction, to withdraw consent at any time, object to data processing, request data deletion, restrict aspects of data processing, prevent direct marketing and request transmission of personal data in a common digital format (e.g., pdf) to themselves or another organization.
In all other respects, where no overriding interest prevails, PPD will endeavor to allow the following informational rights under this Policy as a matter of good practice:
- to allow access to copies of personal information within a reasonable timeframe;
- to correct personal information where inaccurate;
- to allow study investigators to opt out of future solicitations to participate in studies, by contacting https://survey.ppdi.com/opt-out-form.htm; and
- to withdraw a previously provided consent to processing of personal information.
Study subjects must contact their investigator at their study site, who will be able to make the necessary link to subject identity.
The company maintains a comprehensive information security policy that seeks to apply technical and organizational security measures that protect personal information, particularly sensitive clinical data, against unauthorized access or loss. Consistent with regulatory requirements, particularly under U.S. state law and the Regulation, PPD also maintains a detailed Security Breach Policy, which establishes a procedural response to dealing with any breach of personal information, including making any necessary notifications to individuals or governmental authorities.
A cookie is a data file that is placed by a website operator on the hard drive of a visitor to their site. Cookies with the following functions are enabled on the computers of visitors to PPD websites: to allow the site to deliver the service requested by the visitor; to remember repeat visitors; to improve the user experience of the site; to allow the company to perform site analytics; and to help tailor marketing messages to the visitor based on previous browsing. Your online relationship with PPD may be managed by using settings available on most internet browsers. For example, most browsers will allow a visitor to choose which cookies can be placed on his/her computer, to delete or disable cookies, and to set Do Not Track as a function. Please note that disabling cookies may prevent a visitor from using certain features on PPD websites.
Children's Online Privacy Protection
PPD does not collect information through our websites from individuals who are known to be under the age of 13, and no part of our online presence is directed to anyone under 13 years of age.
Inquiries, Complaints and Requests to Exercise Rights
Communications, queries or requests to exercise informational rights (e.g., access to data) or complaints can be addressed to the attention of Executive Director of Global Privacy (“EDGP”), PPD, Granta Park Cambridge, CB21 6GQ, United Kingdom, or emailed to firstname.lastname@example.org.
Under the Regulation, Pharmaceutical Product Development Spain, S.L. as PPD’s leading EU affiliate (“controller”) for data protection purposes, shall be primarily responsible for data protection matters affecting our EU group of companies. For purposes of compliance with the Regulation, the EDGP is the nominated Data Protection Officer and may be contacted through the co-ordinates above.
Within the EU, individuals have the right in law to complain about how their information is handled to a supervisory authority that is responsible for regulating compliance with the Regulation. A list of all EU supervisory authorities is available on the European Commission website: http://ec.europa.eu/justice/data-protection/article-29/structure/data-protection-authorities/index_en.htm.
Legal Status of Policy and Policy Changes