eResearchTechnology (ERT/ERT GmbH and its subsidiaries and affiliates, “ERT”) is committed to protecting the privacy of those who entrust us with their personal/clinical information. Our employees, and all those who do business with us, trust and expect that we will protect the privacy and integrity of their personal and clinical information in accordance with the promises we make and with applicable laws and regulations.
This Policy establishes ERT principles and processes for protecting privacy and for ensuring the security and integrity of information that it handles in all aspects of its business worldwide. The Company respects the ethical basis of the EU Privacy Shield Framework, HIPAA, the EU Privacy Directives, ICH E6 GCP, world regulatory authorities, and the Helsinki accords applicable to research with human subjects. As a US organization eligible for, committed to and adhering to the Privacy Shield principles, ERT establishes processes and develops systems for use worldwide that comply with all these regulations and principles. We recognize that competent authorities may enact requirements from time to time that alter privacy protection and the underlying security processes, and ERT shall make reasonable efforts to become aware of such changes and to disclose the extent to which ERT products and services conform to them.
This broad policy document does not specify precisely how such objectives shall be attained, but does reference the pertinent Policies, Standard Operating Procedures (SOPs) and Reference Documents [see Internal References, TABLE 1, below] that set forth how ERT preserves both data integrity and privacy. This policy covers subjects and patients, site investigators and physicians, study staff, ERT employees, and visitors to ERT’s external website where this Policy is available (www.ERT.com). This policy does not pertain to the provisions concerning confidentiality that are established in agreements or contracts such as non-disclosure agreements.
Subjects in Clinical Trials Using ERT Systems: Patients and controls managed by the Site Investigators for whom patient privacy shall be protected subject to provisions of the Sponsor protocols and Informed Consent. ERT shall preserve the confidentiality of patients (subjects) participating in clinical trials and will do so while fulfilling regulatory requirements for disclosure of authorship and attribution of data, including circumstances where patients themselves act directly on electronic records in clinical research.
Site staff, ERT staff, Sponsor users, and other study personnel who use any ERT product/solution and whose privacy protection is subject to regulations concerned with the use of electronic systems for eCommerce, medical care, and/or clinical research.
ERT Personnel: individuals who work for ERT, including contractors, and whose personnel records are entitled to protection.
Public at Large: Those who may visit www.ERT.com, the corporate website.
ERT serves both Sponsors and Site Investigators who must comply with regulations pertaining to clinical research and eCommerce and who have the ultimate responsibility under FDA 21CFR 312 subpart D for data integrity in clinical trials for medical products. In order for Sponsors and Sites to rely on ERT to help fulfill their responsibilities in using ERT systems, ERT shall disclose to such Sponsors and to Site Investigators the information defined within ERT Internal References (TABLE 1 REF 907 and REF 908):
As per the above commitments, ERT shall provide a written statement that describes to individuals in each category how ERT complies with the seven principles and 16 supplemental principles established under the Privacy Shield Framework: Notice, Choice, Accountability & Onward Transfer (Transfers to Third Parties), Information Security, Data Integrity & Purpose Limitation, and Recourse, Enforcement & Liability. (See TABLE 1 - Internal References, REFs 121 – 124)
ERT is subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC). ERT may also be required to disclose an individual’s personal information in response to a lawful request by public authorities, including to meet national security or law enforcement requirements.
The following terms are used throughout this document and are defined here for clarification.
“Agent” means a third party that processes personal data solely on behalf of and under the instructions of the study Sponsor. Additionally and alternatively, “Agent” means any ERT Corporate representative or contractor that collects/processes personal data for the purposes of ERT employee management, including third party processors.
“Personal/Clinical Information or Data” means any information or set of information that identifies or can reasonably be used to identify an individual. Personal/Clinical information does not include information that is encoded or anonymized, or publicly available information that has not been combined with non-public personal information. "Personal data" and "personal information" are data about an identified or identifiable individual that are within the scope of the Directive, received by a U.S. organization from the European Union, and recorded in any form. The European Union's comprehensive privacy legislation, the Directive on Data Protection (the Directive), became effective on October 25, 1998 [from the US EU framework].
"Sensitive Personal Data" means personal information that reveals race, ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, or that concerns health or sex life. Additionally, information will be treated as sensitive personal data where it is received from a third party that treats and identifies it as sensitive.
All Personal/Clinical Information pertinent to ERT employees shall be subject to privacy and security protection in keeping with the principles of the Privacy Shield Framework and this Information Privacy and Integrity Policy [See TABLE 1: REF 0123]. ERT collects employee Personal/Clinical Information and/or Sensitive Personal Data for the following reasons, which include but are not limited to: employee management and administration generally (including both during and after employment), employment verification, administering employee benefits, administering personal short or long term compensation programs or benefits, evaluating performance, managing corporate programs, conducting disciplinary proceedings, addressing labor relations issues, and processing health insurance claims. ERT also contracts with third party providers to render related services, including payroll processors and support services.
ERT will handle employee personal data transferred from both foreign and domestic office locations to ERT Corporate headquarters located in the United States of America. ERT collects only directly relevant information considered to be “sensitive personal data” for ERT employees both foreign and domestic (for example, race statistics for US Affirmative Action Plans). ERT shall ensure that its systems, processes and products that handle Personal/Clinical Information pertaining to ERT employees shall conform to the HIPAA privacy provisions [TABLE 1: POL COR-009]. ERT employees will be able to access this policy via ERT’s external website where this Policy is available (www.ERT.com) or through ERT’s internal employee training management system (TMS Web – http://tmsweb.ert.com/tms/) where the policy will be distributed to all employees as a read & understood training activity.
All Personal/Clinical Information captured from patients and/or trial subjects during the conduct of clinical research activities shall be subject to privacy and security protections set forth in this Policy and the associated Internal References (TABLE 1). For Sponsors, the patient information is anonymized (i.e. the study information/data do not include the patient name or other PI other than an ID code that is not publicly available). Sponsors shall NOT have access to protected Personal Clinical Information from trial subjects beyond that defined by study protocol and informed consent disclosure. For Site Investigators, who have clinical responsibility for the patients in a trial, it is necessary for administrative, regulatory, medical and ethical reasons for the clinical staff to be able to identify a particular patient and to review the clinically relevant information pertaining to that patient. In serving the Investigator Sites, ERT therefore may collect identifying information on their behalf. Such information is subject to the privacy and security protections specified in the Internal References (TABLE 1: POL COR-009), and is not accessible or transferred to Sponsors.
Activities performed by ERT in the context of a trial are subject to ERT’s Quality Management System but also subject to the Sponsor’s instructions and written agreements. ERT does not share personal information about patients, site-staff, or sponsor personnel with third parties (e.g. contractors, etc.) unless those parties are contractually bound to adhere to these same quality procedures and the terms of such instructions and written agreements.
All personal information captured from patients in the course of clinical trials shall be protected as Sensitive Personal Data.
The integrity of Personal Information is an important adjunct to the privacy of such information. Personal Information is expected to be correct, accessible, and in conformance with 21 CFR Part 11/Annex 11 controls. In addition to tracking all actions on electronic records, a key element of Personal Information/Data integrity concerns control of the content of data in a clinical trial, and this policy establishes ERT’s intent to act as a third party to ensure that Site Investigators can fulfill their regulatory obligations to maintain and retain records obtained using ERT systems about subjects in a clinical investigation. ERT shall also ensure that Sites shall have the tools and documentation in order to provide the access for subjects to personal information about them during and after a clinical investigation.
ERT will, as required by law, notify individuals about the purposes for which it collects and uses Personal Information [See TABLE 1: REF 0121-0124], how to contact ERT, the types of third parties with which it shares that information, and the choice and means ERT offers individuals for limiting the use and disclosure of Personal Information about them. Through ERT’s controlled document management system, ERT will issue, as a training requirement, notification regarding ERT’s intended use of Personal Information. This information will be provided as soon as practicable and, in any event, before ERT may use the information for a purpose other than that for which it was originally obtained.
ERT will not issue notice when contracted to acquire, process and report data received during the active status of Sponsor defined clinical trials. ERT considers the protocol and trial specific training to constitute sufficient notice about what ERT collects in a trial and why.
ERT will, as required by law, offer individuals the opportunity to choose whether Personal Information about them is processed for purposes other than those for which the information was originally obtained or was subsequently authorized by the individual (“opt-out”). Unless required by law, ERT will not Process Sensitive Personal Information about individuals for purposes other than those for which the information was originally obtained or subsequently authorized by the individual unless the individual affirmatively and explicitly consents to the processing (“opt-in”).
ERT will not offer choice when contracted to acquire, process and report data received during the active status of Sponsor defined clinical trials. ERT does not have the authority or responsibility to undertake direct interaction with any study subject concerning the medical history or case history of that subject.
ERT does have access to source records, and is responsible under contract for the accuracy of certain metadata such as timestamps, for protection of records against undetected tampering, and for the attribution of any actions undertaken on the electronic records that it creates and holds as eSource records on behalf of the site investigators. However, ERT is not responsible for verifying study subject identity. ERT shall maintain the records on which site investigators rely for attribution of actions on electronic records that such identified subjects may author or alter. ERT does not hold contracts with Investigators selected by the Sponsor to recruit study subjects nor is ERT independently responsible for ensuring Informed Consent or IRB approval of the protocol and documentation pertaining to the conduct of a study. Even if ERT provides a system or process for capturing informed consent and/or recruiting study subjects, these activities remain the responsibility of the study Sponsor.
ERT will only transfer Personal Information about individuals to an agent where the agent has provided adequate assurances to ERT that it will protect the information consistently with this Policy. Where ERT has knowledge that an agent is Processing Personal Information in a manner contrary to this Policy, ERT will take reasonable steps to prevent or stop the Processing.
ERT will NOT transfer clinical/personal data captured/received beyond that defined by protocol/informed consent from identified subjects in a clinical trial to a Sponsor or a Sponsor approved third party “Agent” as required by authorized business contracts. Instead, ERT will transfer the data items set forth in the protocol as relevant to the trial objectives linked only to a subject ID code for which there is no public access or any access by the Sponsor except through the authorized Site Investigators. ERT will only subcontract to firms which conform to or otherwise appropriately address ERT security, integrity and privacy protection standards, privacy pledges, confidentiality agreements, authority controls, training requirements, etc. “Subcontractor” shall mean a person or entity that has been retained to perform all or a portion of ERT’s obligations; particularly those services directly related to the processing of clinical trial data. The Sponsor will be notified of the use of any subcontractors whose engagement requires the transfer of clinical/personal information. In cases of onward transfer to third parties of clinical data of EU individuals received pursuant to the EU-US Privacy Shield, ERT is potentially liable.
ERT will only transfer personal data to a non-agent third party in a manner consistent with the principles described within the “Notice” and “Choice” sections of this Policy.
ERT will take reasonable precautions to protect personal data in its possession from loss, misuse and unauthorized access, disclosure, alteration and/or destruction.
ERT’s Cardiac Safety, Respiratory, eCOA, Clinical Insights and Consulting Service systems employ role-based functionality metadata that reside behind ERT’s firewall. Individual user roles are defined by management personnel and require the use of an active User ID and complex password combination to gain access to the system. Also, ERT’s clinical systems incorporate a defined workflow for the processing of clinical data received during the active status of any contracted study. Additional security measures include: daily backups which are retained on-site in a fireproof safe, and weekly backups that are sent off-site for 5 weeks, thus allowing for the monthly backup to be completed for indefinite off-site storage. ERT’s systems physically reside at an off-site data center with all system maintenance managed by ERT personnel. Data replication to a warm failover instance occurs during regularly scheduled intervals. Routine audits of these processes ensure adherence to ERT Standard Operating Procedures. [See TABLE 1: SOP 760; SOP 763]
ERT will only use and share clinical/personal data in a way that is consistent with the purposes for which the data were collected or as subsequently authorized by the individual to whom such data pertain. ERT seeks to collect Personal Information that is adequate, relevant and not excessive for the purposes for which it is to be processed. ERT employees have a responsibility to assist ERT in maintaining accurate, complete and current Personal Information collected and Processed in the course of conducting human resource and related activities.
ERT will only use and share Clinical/Personal Data in a way that is consistent with the purposes for which the data were collected as specified by the Sponsor, authorized by the Site Investigator and agreed by the subject or employee in keeping with all the Privacy Shield Principles described in this Policy. To the extent necessary for those purposes, ERT will take reasonable steps to ensure that the data are accurate, complete, and current.
In the case of clinical data captured as electronic records for clinical investigations for submission or review by regulatory authorities, any actions on such data shall be tracked using a computer generated audit trail. (See TABLE 2, 21CFR Part 11 and Listed Guidance). To the extent that ERT may transcribe data from paper source records into electronic records, ERT shall preserve scanned electronic files so that the original information on the paper record can be reviewed. The preservation of any paper source documents that are part of the case history shall rest with Site Investigators in accordance with 21 CFR 312.62 (c). In addition to tracking all actions on electronic records, a key element of data integrity concerns control of the content of data in a clinical trial, and this policy establishes ERT’s intent to act as a third party to enable Site Investigators to fulfill their regulatory obligations to prepare and maintain any data obtained using ERT systems about subjects in a clinical investigation. ERT relies on Sites to serve as the agents who may provide the access of subjects to personal information about them during and after a clinical investigation.
ERT acknowledges EU individuals’ right of access to data. ERT will provide individuals, e.g. employees or study staff, with reasonable access to their own Personal Information upon request, subject to exemptions permitted by law or by written agreement. ERT will also take reasonable steps to allow individuals to review Personal Information about them for the purposes of correcting such information.
ERT will not offer access to clinical trial participants to the information such subjects have supplied using ERT systems or products. ERT believes that such access is appropriately provided by the Site Investigator and ERT shall supply the Site Investigator or other entity with responsibility for the preparation and maintenance of source documents that are included in the case history, with access to individual subject records that the Site Investigator may share with the proper subject. Such access may be restricted in connection with the masking or other procedures in a particular study, and ERT shall incorporate controls on sharing to assist the investigator in such cases. Upon completion of the contracted study ERT delivers as contractually required and specified in the protocol or data transfer agreements all final clinical data received and processed to the study Sponsor. Where applicable, ERT delivers the eSource case histories and trial documentation needed for study reconstruction for retention to Site Investigators. Access by patients after the conclusion of a study is enabled through these records under the control of the Site Investigator.
As a standard during the execution of contracted clinical trials, ERT does not require, receive or collect clinical or sensitive personal identifying information such as study subject name or medical record number for transfer to such Sponsors. ERT shall transfer only blinded, encoded, pseudonymised and anonymised study subject identifiers (demography) to confirm uniqueness as may be defined by the study Sponsor (e.g. Date of Birth, gender, etc.) and approved by the IRB / Ethical Committees. However, ERT shall provide systems and products whereby the Site Investigator can identify records as pertaining to a particular known subject and to be included in the case history for each patient. Additionally, ERT may receive identifying information during the recruiting and screening of participating study subjects, completion of interviews with subjects, and/or collecting paper questionnaire data from subjects during the execution of internal research studies.
ERT collects employee personal information at its various business locations for purposes of employee management. In connection with the authorization and participation of study site and sponsor staff ERT may collect contact information and professional credentials from individuals who collaborate to conduct clinical studies.
ERT has established internal mechanisms to verify ongoing adherence to this Policy [See TABLE 1: SOP 104 - Confidentiality]. ERT encourages individuals covered by this Policy to raise any concerns they have regarding the Processing of Personal Information.
It is the policy of ERT neither to tolerate nor ignore possible misuse of Personal/Clinical Information or Data received. All employees are responsible for reporting any suspected cases of misuse or disclosure of clinical/personal data to ERT Quality Management or an ERT Corporate Officer. ERT’s Quality Assurance department is responsible for the oversight of the formal investigation to review initial evidence and/or data and then conclude if Breach Notification is required or not. In both cases the QA Department must document the actions taken or the reasons why there is not a need for further action. [See TABLE 1: POL COR-003]
ERT will take reasonable steps to ensure protection of our employees, study subject safety and the integrity of the data being collected. In cases of substantiated evidence of suspected personal information misuse or disclosure, the study sponsor and/or the third party contracted for the management of the sponsor’s clinical trial(s) will be informed in writing upon confirmation of the conclusions. [See TABLE 1: POL COR-003] Misuse or disclosure of personal/clinical information found to be committed by ERT personnel is considered grounds for disciplinary action, including the possibility of termination, as well as legal prosecution.
In addition to the above principles specified in the Privacy Shield Framework, ERT conforms in activities worldwide to the principles and requirements set forth in the US HIPAA. [See TABLE 1: POL COR-009] Identification of a breach begins with reporting a suspected privacy and security incident for assessment. Not all privacy or security incidents are a breach. It is critical for employees, business associates and business associates’ contractors to follow the formal incident reporting procedures so that a breach assessment can be performed. Use DOC COR-009_01 - HIPAA - Protected Health Information – Accounting of Disclosures as the initial step in reporting incidents.
ERT employees must execute Incident Handling/Customer Care Support SOP0407/SOP 1418 to assign, track and resolve any study related incident that may also affect privacy and security so that a full breach risk assessment can be performed and documented.
All ERT employees shall execute the privacy pledge and shall be trained to identify a security and/or privacy breach [POL COR-003]. All employees shall be trained in the process of reporting such a breach and in the escalation to senior management [DOC COR-009_01 - HIPAA - Protected Health Information – Accounting of Disclosures]. Such training shall be refreshed annually and a basic understanding of security and privacy protection shall be evidenced.
ERT employees and/or contractors with access to data in production environments (the authoritative eSource data, not protected copies thereof) have a particularly important responsibility for the protection of data integrity and for protection of privacy. Automated and validated controls on data review may not be in place for experts who may be granted administrative access to the data in production environments. Any such access must be requested, temporary, justified, logged and explained by individuals who have been authorized and trained. In accordance with ERT SOP 759 – Access Controls, a Production Access Request Form must be completed prior to a grant of access and shall be included in documentation for review by the Privacy Officer, line manager or designee so that the authorization and conformance with applicable policies and procedures can be confirmed.
1818 Market Street, Suite 1000
Philadelphia, PA 19103
eResearch Technology GmbH
ERT Data Protection Officer
97230 Estenfeld, Germany
ERT will reply within 45 days to any concern raised.
If such reply is not deemed satisfactory, any complaints may be brought, free of charge, to the following organizations:
As a last resort, under certain conditions (in particular prior exhaustion of certain other redress possibilities), complaints may be brought by individuals to arbitration before the Privacy Shield Panel. The Privacy Shield Panel may impose individual-specific, non-monetary equitable relief in case of non-compliance with the Privacy Shield principles.
Arbitration by the Privacy Shield Panel may not be invoked if a data protection authority is competent to resolve the complaint, i.e. in the case of complaints related to human resources data collected in the employment context.
ERT has further committed to refer unresolved privacy complaints under the US-Swiss Safe Harbor to an independent dispute resolution mechanism operated by the Council of Better Business Bureaus. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit www.bbb.org/us/safe-harbor-complaints for more information and to file a complaint.