Vital Systems Data Protection and Privacy Notice
This notice is effective as of 21 May 2018 and last updated 13 March 2019
Clinical research requires the collection and analysis of sensitive information from study participants to evaluate the safety and efficacy of existing and developing medical interventions and diagnostics. Vital Systems Inc. ("VSI") values the contributions of study volunteers and commits to handling the information about any individual responsibly and in compliance with the laws governing data privacy and confidentiality.
VSI has developed and maintains internal policies and procedures in compliance with these laws. These policies and procedures are approved by executive management and reviewed on a regular basis.
Types and Purpose of Data That Vital Systems Handles
Clinical Trial & Study Subject Information
VSI is a research support organization. On behalf of its clients, VSI will collect, host and analyze data relating to study subjects who have provided explicit consent for scientific and research use. Consistent with Good Clinical Practices (GCP), study subjects' names and other direct identifiers are not attached to records collected or received by VSI. Data records are only assigned a code that is not associated with a subject's identity within VSI. Only study investigators and authorized personnel, which may include VSI monitors and auditors, can access named subject records that are kept at the investigator's site. When local laws allow, VSI may receive data with subject initials, date of birth, and sex attached to study records. VSI recognizes that these indirect identifiers could be used to verify subject identity back at the data source (the investigator site, not within VSI) to facilitate patient safety.
As VSI does not collect, store or transmit directly identifiable study subject data, the company does not consider itself to be a processor of any Personally Identifiable Information (PII) or Protected Health Information (PHI). Nevertheless, VSI has established procedures and policies to align with industry standards for the protection of the data utilized.
All processing of clinical and medical information by VSI is performed under contract with its clients. As defined by GDPR, VSI understands the sponsor/client to be in control of how and why clinical and medical data are collected and processed, and as such the sponsor is the "controller" while VSI is the "processor" of any data utilized.
Investigator and Health Care Provider Information
VSI is required by regulatory authorities to collect evidence of the professional qualifications of medical professionals involved in clinical research. VSI uses their information for the purpose of documenting the involvement and performance of investigators and supporting study staff. The company may also process financial information of these providers to support payment for services.
Other Professionals Information
VSI will conduct business with employees, consultants, and contractors employed or engaged by VSI or its clients involved in clinical and medical research. VSI may record and use the names, contact details and other professional information on these individuals for legitimate business-related purposes, including project management and financial transactions. The information obtained may be used to provide relevant information about VSI's services to its clients.
Employee and Human Resource Data
VSI collects personal information from employees and prospective applicants, including contact information, qualifications and previous employment history. VSI may conduct background checks, including criminal history and professional disbarment, where local laws permit. VSI collects information from employees for human resources, payroll and tax reporting. VSI also obtains information from consultants, contractors and vendors to provide products or services to VSI and/or its clients.
Web Site and Portals
VSI only collects names and contact information on company websites when this is voluntarily provided, for example where a potential client requests a proposal for services. VSI may collect IP or browser data from website visitors to be used for site analytics. This information could be linked to the identities of website visitors when they voluntarily provide identifiable contact information.
VSI utilizes a telephone system that collects the phone numbers of the source and destination, date/time and the duration of all calls to and from its corporate phone lines. Calls may be recorded for quality assurance purposes, and are accessible only to authorized VSI employees who log into its phone system website using authenticated usernames and passwords.
Internal and External Disclosures of Personal Information
Personal information will be shared within VSI and with contractors and clients on a "need to know" basis for legitimate business purposes. Access to personal information is restricted to appropriate authorized personnel. VSI never trades or sells any personal information. VSI may be required by law enforcement or judicial authorities to disclose certain personal information as part of investigations or litigation.
All vendors of VSI are required to sign confidentiality and other legal agreements whereby they will commit to only process personal information consistent with contracted purposes and apply appropriate organizational and technical security safeguards.
International Transfers of Personal Information
As VSI clients may be global, personal information may be shared across international borders during the conduct of contracted project services. VSI hosts all data within the United States. VSI recognizes that many countries globally have regulations restricting the flow of personal information across international borders. VSI has enacted measures to ensure that adequate protection is provided to such data where legally mandated, including encryption of data in transit and at rest.
Notice and Consent
VSI will seek consent of individuals to collect, use and disclose their data consistent with a relevant privacy notice. However, in certain cases where law allows, where intended processing of the data is in VSI's or its clients' business requirements and where the privacy risks are low, VSI will proceed to process personal information absent consent. VSI will use and disclose personal information without consent where required by law and judicial order. Consistent with GCP, VSI will ensure the existence of written informed consent from study subjects on behalf of its clients.
Data Quality and Record Retention
VSI, in collaboration with investigator sites, monitors, and auditors, confirms that individuals may validate, correct errors and update information at the point of collection (typically at the investigator clinical site). VSI only retains personal information in accordance with contractual, legal and regulatory requirements.
Under the GDPR regulation, clinical trial data is defined as a "special" data category whereby processing is necessary for scientific or research purposes. VSI and its clients/sponsors confirm that, prior to data collection, the study subject gives their explicit consent for the collection of these categories of data. The study volunteer, patient, or subject signs an informed consent that clearly states what data is being collected and why. This special data category overrides the subject's right to erasure, or portability, which is necessary because clinical data cannot be removed from a clinical trial dataset apart from an audit trail, and removal would invalidate the statistical analysis of the study. Subjects' withdrawal from a trial will only prevent additional data collection.
In all other respects, VSI will seek to facilitate the following informational rights as a matter of good practice:
- access to copies of personal information within a reasonable timeframe
- correction of personal information where inaccurate
- withdrawing a previously provided consent which will prevent collection of additional personal information
- study subjects will be instructed to contact their study investigator in order to link subject identity.
The company maintains information security policies and procedures that require application of technical and organizational security measures to protect all data against unauthorized access or loss. VSI's policies define procedures for dealing with any breach of personal information, including notifications to relevant individuals, companies, and governmental authorities.
Internet Links and Tracking
VSI's website and portals may contain links to external web pages. Linked websites are not under the control of VSI. VSI policies and procedures do not apply to linked websites outside of VSI's control.
A cookie is a data file that is placed by a website operator on the hard drive of a visitor to their site. Cookies with the following functions may be enabled on the computers of visitors to VSI websites: to allow site functionality for the visitor's requests; to recognize repeat visits; and to allow the company to perform site analytics. The user can manage these settings through options in their web browser, such as disabling or deleting cookies and/or preventing tracking.
Children's Online Privacy Protection
VSI does not collect information through its websites from individuals who are known to be under the age of 13, and no part of its online presence is directed to anyone less than 13 years. Clinical studies that involve pediatric subjects require special language in the informed consent and/or assent by legally authorized representatives, which is obtained at the investigator's site prior to data being collected by the research site. VSI confirms that these written documents exist at the investigator site.
Inquiries, Complaints and Requests to Exercise Rights
Questions or comments or complaints about information rights can be made by email to: privacy@VTLsys.com
Within the EU, individuals have the legal right to complain about how their information is handled to a supervisory authority that is responsible for regulating compliance with the GDPR Regulation. A list of all EU supervisory authorities is available on the European Commission website.