CRF Inc. and its parent corporation CRF Box Oy and its subsidiary CRF Inc. LTD. (collectively “CRF Health”) offer online newsletters and mailings of information about our organization. This is designed to provide product-related information and services, as well as corporate and financial news and employment information.
CRF Health collects identifying information when you visit the Web Site (including, without limitation, any crfhealth.com web pages or landing pages), and when you submit data through a form such as those found on contact pages.
When you visit the Web Site, CRF Health collects your Internet Protocol (“IP”) addresses to track and aggregate non-personal information. For example, CRF Health uses IP addresses to monitor the regions from which you navigate CRF Health’s Site.
In addition, we receive and store certain types of information whenever you interact with us via our Web Site, including what pages you visit and activities you perform on our Site. CRF Health automatically receives and records certain “traffic data” including your IP address, third party cookie information, and the page you requested. CRF Health uses this traffic data to help diagnose problems with its server, analyze trends and administer the Web Site. We may also use any data we collect on or through the Web Site to better understand and market to our customers or website users, individually or in the aggregate.
CRF Health collects and uses Personal Information for several general purposes: to fulfill your requests for certain products and services, to personalize your experience on our Web Site, to keep you up to date on the latest product announcements, software updates, special offers or other information we think you would like to hear about, and to better understand your needs and provide you with better services. We may also use your information to send you direct marketing information or contact you for market research using automated tools to contact multiple recipients.
Personal information about you will be accessible to CRF Health, including its subsidiaries, divisions and groups worldwide.
CRF Health may also share such information with agents, contractors or business partners of CRF Health in connection with services that these individuals or entities perform for, or with, CRF Health. Such third parties are restricted from using this data in any way other than providing services for or on behalf of CRF Health or its affiliates.
Except as set forth above, we will not otherwise use or disclose any of your personally identifiable information, except to the extent reasonably necessary:
(i) to correct technical problems and malfunctions and to technically process your information;
(ii) to protect the security and integrity of our Web Site;
(iii) to protect our rights and property and the rights and property of others;
(iv) to take precautions against liability;
(v) to the extent required by law or to respond to judicial process; or
We use appropriate security measures to protect against the loss, misuse and alteration of data used by our system. It is your personal responsibility to secure your own copies of your passwords and related access codes for our online resources.
(5) How can you stop receiving e-mails or other marketing information from CRF Health?
If you wish to stop receiving emails or other marketing information from us you can unsubscribe by emailing us with your name and email address and request at email@example.com.
(6) How does CRF Health protect the privacy of children?
In general, CRF Health’s Web Site is not directed at children and all of the online content that we offer is designed for individuals who are 18 years of age or older.
(7) How may I access and correct personal information about me?
You can prevent the setting of cookies by adjusting the settings on your browser (see your browser Help for how to do this). Be aware that disabling cookies will affect the functionality of this and many other websites that you visit. Disabling cookies will usually result in also disabling certain functionality and features of this Web Site. Therefore it is recommended that you do not disable cookies although the final decision is yours.
The Cookies We Set
When you visit our Web Site, we may use both session and persistent cookies. This cookie may contain information (such as a unique user ID) that is used to track your usage of our Web Site, and may be used to send you ads or offers when you browse our Web Site or other websites. CRF Health employs cookies to enable our systems to recognize your browser and tell us how and when pages in our Web Site are visited and by how many people, and also in order for our server to recognize a return visitor as a unique user.
CRF Health uses Web beacons alone or in conjunction with cookies to compile information about your usage of CRF Health’s Web Site and interaction with emails from CRF Health. For example, CRF Health may place Web beacons in marketing emails that notify CRF Health when you click on a link in the email that directs you to CRF Health’s Web Site. CRF Health uses Web beacons to operate and improve CRF Health’s Web Site and email communications and to send more customized or relevant emails, advertisements and offers to users.
Third Party Cookies
CRF Health uses Google Analytics, a web analytics service provided by Google Inc. (“Google”). Google Analytics uses “cookies”, text files that are stored on your computer, to analyze your use of the website. The information generated by the cookie about your use of this website (including your shortened IP address) is transmitted to a Google server in the U.S. and stored there. Google will use this information to evaluate your use of the website, compile reports on website activity for website operators and to provide other services related with the website and internet use. Google may also transfer this information to third parties if required by law, or where third parties process these data on behalf of Google. For more information about Google Analytics, or to opt out of Google Analytics, please go to: https://tools.google.com/dlpage/gaoptout
Opting Out of Targeted Advertising
You may opt out of targeted advertising by visiting the DAA opt-out site (www.aboutads.info) or the NAI opt-out site (networkadvertising.org/choices), or for those in Europe, the EDAA opt out site (youronlinechoices.eu).
(9) What is CRF Health’s contact address for privacy questions?
In accordance with Commission Decision 2002/16/EC of 27 December 2001 on standard contractual clauses for the transfer of personal data to third countries, under Directive 95/46/EC, the Annex titled “Standard Contractual Clauses” is hereby incorporated by reference in its entirety. With respect to such Annex the “Data Exporter” shall be defined as you and the “Data Importer” shall be defined as CRF Health. You may find a complete version of the text on our regulatory page.
NO REPRESENTATIONS/ NO LIABILITY
CRF Health makes no representations about the content of the information found on this Web Site. The information presented on this Web Site is provided to you “AS IS,” WITHOUT ANY WARRANTY, IMPLIED OR EXPRESSED, INCLUDING BY WAY OF EXAMPLE BUT WITHOUT LIMITATION, ANY WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR OTHERWISE.
Under no circumstances shall CRF Health assume liability for the use or interpretation by you of information found on this Web Site; rather, this will be your responsibility.
CRF Health expressly disclaims liability for any direct, indirect, incidental, consequential or special damages arising out of your visit to this Web site and/or the information contained on this Web Site, even if CRF Health is proven negligent.
Purpose
The purpose of this Policy is to outline the responsibilities and procedures that are in place to ensure the privacy and confidentiality of all personal (identifiable) data provided to, or collected and processed by, CRF Health.
CRF Health operates globally and as such, emphasis is placed on describing how CRF Health institutes the US Department of Commerce Safe Harbor Act with regard to sharing of personal information from the EU, EEA, and Switzerland. These Safe Harbor Principles provide equivalency to the principles set out in the EU Data Protection Directive (Directive 95/42/EEC) to satisfy the “adequacy for sharing” requirements dictated by Directive 95/46/EEC. When applied by organisations based wholly or partly in the United States, the Safe Harbor Principles provide a framework for this cross-border sharing and compliance with both EEA and US privacy and data protection legislation. This document describes how these principles are implemented at CRF Health. This policy will be posted on our company website, http://www.crfhealth.com/privacy
The policy applies to personal (identifiable) data held by CRF Health for
(1) All individuals who provide personal and sensitive information including (but not limited to) customers, investigator site staff, clinical trial subjects, suppliers, job applicants and employees (past and present).
(2) All CRF Health locations.
(3) Personal (Identifiable) Data, in all media, from the point of receipt by CRF Health through processing and to final disposition e.g., destruction or transfer of ownership of that data.
The United States Department of Commerce, the European Commission, and Switzerland have agreed on a set of data protection principles and frequently asked questions (the “US-EU Safe Harbor Framework & the U.S.–Swiss Safe Harbor Framework”) to enable U.S. companies to satisfy the requirement under European Union and Swiss law that adequate protection be given to personal information transferred from the EU and Switzerland to the United States.
The EEA also has recognized the U.S. Safe Harbor as providing adequate data protection (OJ L 45, 15.2.2001, and p.47).
Consistent with its commitment to protect personal privacy, CRF Health has certified that it adheres to the Safe Harbor Principles of notice, choice, onward transfer, security, data integrity, access, and enforcement. To learn more about the Safe Harbor program, and to view CRF Health’s certification, please visit http://www.export.gov/safeharbor/
Recognizing variations in applicable local regulation, CRF Health is also registered as a Data Controller with the United Kingdom Information Commissioner’s Office (ICO). To see the CRF Health entry on the ICO Register, go to: http://ico.org.uk/ESDWebPages/DoSearch?reg=5015901.2. Scope
For purposes of this Policy, the following definitions shall apply (EU versus US commonly used terms included for reference):
|Term and Definition||EU common term(s)||US common term(s)|
| ||Personal Data, Identifiable Data||Individually Identifiable Health Information (IIHI), Personal Information|
| || ||Business Associate, Agent|
|SENSITIVE PERSONAL INFORMATION||Sensitive Personal Data||Sensitive Personal Information|
The privacy principles in this Policy are based on the Safe Harbor Principles. The following sections, aligned with the Safe Harbor Principles, provide indication of how compliance is ensured at CRF Health. See the Safe Harbor website for the full language of these principles at http://export.gov/safeharbor/eu/eg_main_018475.asp
1.4.1. Notice
Where CRF Health collects personal and/or sensitive information directly from individuals in the EEA, it will inform them about the purposes for which it collects and uses this information about them, the types of non-agent third parties to which CRF Health discloses that information, and the choices and means, if any, CRF Health offers individuals for limiting the use and disclosure of their personal and/or sensitive information.
Notice will be provided in clear and conspicuous language when individuals are first asked to provide personal information to CRF Health, or as soon as practicable thereafter, and in any event before CRF Health uses or discloses the information for a purpose other than that for which it was originally collected.
Where CRF Health receives personal information from its subsidiaries, affiliates or other entities in the EEA, it will use and disclose such information in accordance with the notices provided by such entities and the choices made by the individuals to whom such personal information relates.
1.4.2. Choice
CRF Health will offer individuals the opportunity to choose (opt-out) whether their personal information is (a) to be disclosed to a non-agent third party, or (b) to be used for a purpose other than the purpose for which it was originally collected or subsequently authorized by the individual. For sensitive personal information, CRF Health will give individuals the opportunity to affirmatively and explicitly (opt-in) consent to the disclosure of the information to a non-agent third party or the use of the information for a purpose other than the purpose for which it was originally collected or subsequently authorized by the individual. CRF Health will provide individuals with reasonable mechanisms to exercise their choices.
CRF Health will use personal and/or sensitive information only in ways that are compatible with the purposes for which it was collected or subsequently authorized by the individual. CRF Health will take reasonable steps to ensure that personal information is relevant to its intended use, accurate, complete, and current.
1.4.4. Transfers to Agents / 3rd Parties
CRF Health will obtain assurances from its agents that they will safeguard personal information consistently with this Policy. Examples of appropriate assurances that may be provided by agents include: a contract obligating the agent to provide at least the same level of protection as is required by the relevant Safe Harbor Principles, being subject to EU Directive 95/46/EC (the EU Data Protection Directive), or Swiss Safe Harbor certification by the agent, or being subject to another European Commission adequacy finding. Where CRF Health has knowledge that an agent is using or disclosing personal information in a manner contrary to this Policy, CRF Health will take reasonable steps to prevent or stop the use or disclosure. Disclosure will not occur unless CRF Health is satisfied that this is authorized by the individual to whom the data pertains.
1.4.5. Access and Correction
Upon request, CRF Health will grant individuals reasonable access to personal and/or sensitive information that it holds about them. In addition, CRF Health will take reasonable steps to permit individuals to correct, amend, or delete information that is demonstrated to be inaccurate or incomplete.
1.4.6. Security
CRF Health will take reasonable precautions to protect personal and/or sensitive information in its possession from loss, misuse and unauthorized access, disclosure, alteration and destruction.
This will be achieved via appropriate physical and logical security mechanisms as set out in the Security Policy (QMS 0-1) and related security QMS documents.
Computer systems, equipment, networks, programs, data, and documentation are secured to the extent reasonably possible using existing technology, if not regulated, in the drug and device research industry.
Where electronic information is to be transferred on physical media, the media will be kept away from any means of reading that information and appropriately password protected or encrypted to minimize the risk of unauthorized access to that information.
Further details of security mechanisms for transfer of information electronically and transport by employees of personal and sensitive information are addressed in the applicable security QMS documents.
1.4.7. Enforcement
CRF Health will conduct compliance audits of its relevant privacy practices to verify adherence to this Policy as well as continued suitability of this policy and related procedures for assurance of compliance with applicable privacy and data protection legislation. Should gaps or areas for improvement be identified, these will be addressed in accordance with the relevant procedures.
Where there is determined to be wilful violation of this policy by an employee, that employee shall be subject to disciplinary action up to and including termination of employment. Any unsolicited reports or other serendipitous evidence of potential failures of compliance with this policy will be appropriately investigated with actions as commensurate with the result of that investigation implemented.
1.4.8. Dispute Resolution
Any questions or concerns regarding the use or disclosure of personal information should be directed to the CRF Health VP Quality Management & Regulatory Affairs at the address given below. CRF Health will investigate and attempt to resolve complaints and disputes regarding use and disclosure of personal information in accordance with the principles contained in this Policy. For complaints that cannot be resolved between CRF Health and the complainant, CRF Health has agreed to participate in the dispute resolution procedures of the panel established by the European data protection authorities to resolve disputes pursuant to the Safe Harbor Principles.
2. Limitation on Application of Privacy Principles
Adherence by CRF Health to these Safe Harbor Principles may be limited (a) to the extent required to respond to a legal or ethical obligation; and (b) to the extent expressly permitted by an applicable law, rule or regulation.
3. Types of Information Collected
CRF Health collects identifiable and personal sensitive information through clinical trial and general business activities. CRF Health protects the integrity, confidentiality and privacy of that data from the point of initial capture (solicited or unsolicited), ensuring that the data captured is used only for the purpose that it was captured or appropriate action taken where unsolicited confidential data is received to prevent / minimize the risk of recurrence.
3.1. Clinical Data
Clinical data is collected in anonymized form (unique trial subject identifier) in accordance with industry standards. Where unsolicited trial subject identifying information is received, appropriate action will be immediately taken to ensure that the information is not stored or disseminated further. See Section 6 for how receipt of unsolicited data is managed.
3.2. Other Data
This includes all other identifiable and personal sensitive information other than clinical data. This includes (but may not be limited to) investigator site staff, visitors to the CRF Health website (see QMS 0-0-2, Internet Policy), job applicants and employees, customers and suppliers.
4. Modes of Information Capture/Storage
CRF Health captures information via many routes. The term capture shall be taken to encompass both solicited and unsolicited receipt of information.
4.1. Web based (Internet and TrialManager Web Portal)
CRF Health sees the Internet and the use of other technologies as valuable tools for communicating and interacting with consumers, employees, healthcare professionals, business partners, and others.
All employees are individually responsible for all electronic mail sent from their account and for the appropriate handling of personal identifiable and sensitive information received into their account. Care will always be taken to evaluate whether e-mail is the most appropriate method for dissemination of sensitive information. Further detail is provided in the relevant security procedures and company handbook in relation to use of email.
4.3. Telephone
Where communication of information is by telephone, care will always be taken to evaluate whether this is the most appropriate method for discussion and / or dissemination of personal identifiable and / or sensitive information.
4.4. Paper based Information
Paper based information is more vulnerable than information stored and protected electronically. Paper based information that is current and required for ongoing study and/or general business activities is maintained, wherever possible, in locked cupboards or otherwise restricted areas. When information ceases to be required, it is destroyed confidentially, by shredding. Wherever appropriate and possible, printers that are not general access printers will be used to print such information. QMS 7-2-1 (Asset Control) further supports appropriate maintenance and security measures in respect of confidential and sensitive documents via its information asset classification system.
5. Receipt of unsolicited Personal Identifying and/or Sensitive Information
The possibility of receipt of unsolicited personal identifiable and/or information is acknowledged by CRF Health. By definition, being in receipt of and storing or further dissemination or processing by other means of such data is not consistent with the Safe Harbor Principles of CHOICE and INTEGRITY, since this information should not be in CRF Health possession and the individual (data subject) may not be aware of the dissemination of that information to CRF Health. It is CRF Health policy, on receipt of such data to take all necessary actions to halt further processing or dissemination of that data and to prevent the risk of recurrence of same.
The individual receiving such data will, on receipt (and without further sharing the data, including to Quality Management) notify the VP, Quality Assurance and raise an NCR (taking care not to capture any of the data in the NCR) that personal identifying data has been received, providing relevant information regarding the supplier of the data, circumstances of receipt and project (if applicable). At the same time, the data in question will be destroyed and the supplier notified that they have made an errant transfer of personal data (this may be achieved via the Sponsor or CRA for Investigator Sites). If the transmission contained other, non-identifiable data that is required by CRF Health, the supplier should be requested to re-supply without the personal identifiers. CRF Health Quality Assurance will monitor NCRs for any trends in unsolicited data to permit escalations as appropriate for repeated occurrences.
6. Access to Personal and Sensitive Information
Access to information and systems is restricted to appropriate staff. For data held on the CRF Health network, this is managed via the Security Policy (QMS 0-1) and related IT and Security QMS documents.
In accordance with national and international laws, data subjects (individuals or groups to whom the personal information pertains) have the right of access to any of the information CRF Health holds on them at any time to ensure that it is accurate and up-to-date, to have the ability to request its correction/modification or to request deletion of all or part of that information if it is inaccurate.
This is notwithstanding any legal compulsion restricting adherence to the privacy principles set out in Section 2 (see Section 3 – Limitation on Application of Privacy Principles).
7. Retention and Archiving of Information
CRF Health does not keep personal and sensitive information any longer than necessary to meet the business purpose for which it was collected, unless legal or regulatory reasons require that the information not be deleted.
Where it is required that information is not deleted, CRF Health will retain that information for the minimum period required by law or regulation. QMS 6-1 (Documentation) provides a records retention schedule.
In the case of clinical data, on transfer of ownership of information back to a Sponsor or Investigator, it shall be deemed that the new owner becomes responsible for assuring the confidentiality and security of the information.
8. Training and Awareness
Training in Privacy and Data Protection is mandatory for employees of CRF Health. In addition, all employees, regardless of contract type (permanent, temporary, etc) are provided with access to this Policy and must acknowledge this policy within the Quality Management System Tool.
9. EEA Country / EU Member State and non-EEA / non-US Privacy Regulation
The EU Data Protection Directive (Directive 95/46/EEC) requires transposition into Member State Regulation. As part of this transposition, a Member State may incorporate stricter requirements based upon the Directive e.g., the requirement in the United Kingdom for Data Controllers to register with the UK Information Commissioner’s Office (ICO) as Data Controllers. CRF Health implements this policy based upon the core requirements set out via Safe Harbor and the Data Protection Directive, recognizing additional elements / requirements may be set out in individual Member States.
CRF Health does not transfer personal information or sensitive information outside of the EEA or United States and as such, there is not a current need to determine the adequacy of data protection in those countries / territories. CRF Health may receive personal information or sensitive information from outside of the EEA or US. Typically, this would be from customers or suppliers and this policy would be applied in respect of personal and / or sensitive information, unless stricter local requirements, as identified with the information supplier or via contract superseded. See Section 11 in relation to trial subject data.
10. Clinical Trial Subject Data Obligations
Where trial subject data is processed by CRF Health (this would be anonymized as standard but may contain e.g., a date of birth), this will be processed in line with this policy, although the responsibility for ensuring that the trial subject is duly consented to processing of their data in accordance with applicable regulation lies with the Investigator site in obtaining that informed consent using the Ethics / IRB approved consent documents.
11. Contact Information
Questions or comments regarding this Policy should be submitted to the CRF Health VP of Quality Assurance by mail as follows:
VP Quality Assurance
4000 Chemical Road
Plymouth Meeting, PA 19462