Introduction

ClinRec collects, holds, uses, discloses and processes personal information (data) related to clinical trial participants, patients, individuals registering on our study participant database, clients, suppliers, vendors and employees. The information collected by ClinRec may be accessed by staff members or other individuals engaged by ClinRec who may be required to use the information in the process of their standard clinical trial or business activities.

ClinRec acts as a data controller in that we define how and why personal data is processed in order to provide services to our customers and to fulfil our business activities.

ClinRec understands the importance of protecting the privacy of an individual’s personal information including the protection and security of health information obtained from clinical trial participants. Our data controlling and processing activities are regulated by national and applicable international privacy laws and by national and global industry specific regulations including but not limited to ICH Good Clinical Practice and Australian NHMRC National Statement.

1. Purpose and Scope of this Policy 

This policy sets out how ClinRec aims to protect the privacy of an individual’s personal information, their rights in relation to their personal information controlled by ClinRec and the way ClinRec collects, holds, uses, discloses and processes personal information.

In controlling and handling personal information, ClinRec will comply with the Privacy Act 1988 (Cth) which includes the Australian Privacy Principles (APPs), and the Health Records and Information Privacy Act 2002 (NSW), which includes the Health Privacy Principles (HPPs). ClinRec will comply with the APPs (in regard to all personal information) and the HPPs (in regard to all health information) and any other applicable privacy and data protection laws to the extent such laws apply to ClinRec.

This policy applies to all ClinRec employees and contractors (individuals or an entity) who have access to personal information that is handled and controlled by ClinRec.

2. Definitions

Data Controller – is the individual or the legal person who controls and is responsible for the keeping and use of personal information on computer or in structured manual files.

Data Processor – processes personal data only on behalf of the controller usually an external third party.

Personal Information (Data) – means information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether the information or opinion is true or not; and whether the information or opinion is recorded in a material form or not. Common examples are an individual’s name, signature, address, telephone number, date of birth, medical records, bank account details and commentary or opinion about a person.

Sensitive Information – is a type of personal information and includes but is not limited to information about an individual’s health (including predictive genetic information), racial or ethnic origin, political opinions, membership of a political association, religious beliefs or affiliations, philosophical beliefs, sexual orientation or practices, criminal record, biometric information that is to be used for certain purposes, biometric templates.

In this Policy reference to “Personal Information/Data” incudes the meaning of “Sensitive Information unless stated otherwise.

Unsolicited Personal Information – is information received by ClinRec where the ClinRec has taken no active step to collect the information. This usually happens by unauthorized disclosure of a third party (e.g. information sent in a misdirected email).

3. Personal Information that is exempted from the APP

Exempted from the requirements of the Privacy Act is the collection, holding, use or disclosure of personal information that is considered a ClinRec employee record, which contains personal information related to the employment of an employee, and which is held by ClinRec. These records may include the employee’s health information, information about the engagement, training, performance, termination, terms and conditions of the employment (Act 7B3).

Access and management of employee records is supervised and managed by ClinRecs CEO. Authorised ClinRec employees who are working in a human resource capacity have access to employee record and ensure these records are handled in a confidential manner and only for purposes related to current or former employment relationship.

[1] In the context of this document, personal information and personal data are interchangeable.

4. What Kind of Information Does ClinRec Collect?

The kind of personal information ClinRec may collect and hold depends on the nature of the individual’s relationship with ClinRec. Examples include but are not limited to:

Clinical Trial Participant or Patient:

  • contact and identification information such as your name, title, address, telephone number, email address, date of birth, sex/gender, driver’s licence number and expiry date, Medicare care number;
  • sensitive information including physical or mental health information, disability status, racial or ethnic origin, cultural background or culturally sensitive issues, details relating to past and present health issues;
  • bank account information (for reimbursement)
  • details related to lifestyle factors such as smoking status, use of drugs (prescribed, over-the-counter and illicit), consumption of alcohol;
  • details related to body height, weight and other physiological measurements (e.g. heart rate, blood pressure, etc.);

Client and Sponsors:

  • name, address, email address, contact telephone number

Supplier, Vendor and other Service Providers:

  • name, address, email address, contact telephone number
  • business records, professional information, qualification, confidential information on goods and services
  • billing information

Candidate Seeking Employment:

  • name, address, email address, contact telephone number
  • qualifications and resume
  • relevant sensitive information and additional information required for visa application if required

Employee:

  • name, address, email address, contact telephone number, emergency contacts
  • resume and qualifications
  • taxation and bank and other payment details
  • date of birth, medical history and other health information
  • training, performance, termination, terms and conditions
  • additional information required for visa application if required

Participants can actively revoke consent/request withdrawal from database (if never screened/participated) – please email info@clinrec.com

5. How Does ClinRec Collect Personal Information

Generally, ClinRec collects personal information directly from the individual, through an interaction or exchange in person or by way of telephone, facsimile, email or post, communication technologies (e.g. instant messaging, voice chat, file sharing platforms), or through completion of a form or questionnaire.

The use of ClinRecs website does not require to submit personal information, however, individuals interested in participating in a clinical study may complete an on-line registration to be contacted by ClinRec staff and to be added to ClinRecs study participant database.

There may be occasions when ClinRec collects personal information from other sources such as:

  • an information services provider, an agency;
  • a publicly maintained record or other publicly available sources of information including social media and similar websites; or
  • if for recruitment purposes, an external recruitment or background screening services provider.

Generally, ClinRec will only collect personal information from sources other than an individual if it is unreasonable or impracticable to collect the relevant personal information through direct contact.

6. Privacy Notices and Consent

Before or at the time, or if this is unreasonable or impractical as soon as feasible after personal information is collected, an individual is informed or made aware relevant privacy notices including but not limited to:

  • the purpose for which ClinRec collected the information;
  • if ClinRec has collected information from someone else than the individual;
  • the consequences if information or some of the required information is not collected by ClinRec;
  • third parties to which ClinRec is likely to disclose the information;
  • if ClinRec may disclose the personal information to overseas recipients and the likely counties;
  • how long ClinRec will keep the personal information collected;
  • this privacy Policy and their rights regarding their personal information.

ClinRec will obtain freely given consent from individuals to handle and process their information during the time the information is under control of ClinRec. The ability to withdraw consent at any time unless required by law will be documented. Where personal information is directly provided by an individual to ClinRec, and the individual was provided with a relevant privacy notice at the time of collection, consent will be inferred.

Specific informed consent to process sensitive information is required from clinical trial participants and described in detail in the Participant Information and Consent Form (PICF).

7. The Use of Personal Information

The purpose for which ClinRec collects, holds, uses and discloses Personal Information (refer to Section 4 for more details) where it is reasonably necessary includes but is not limited to:

  • the conduct of clinical trials and clinical research including investigating and developing medicines, biomedical equipment, devices and other procedures and treatments in order to improve healthcare outcomes for patients;
  • to provide healthy subjects and patients with information related to participating in a clinical trial;
  • to match potential study participants with clinical trials;
  • to establish and maintain a database of potential candidates willing to participate in clinical trials;
  • study participant and patient management
  • client service management;
  • vendor and supplier management;
  • business relationship management;
  • promotion and marketing of our services or selected third parties;
  • human resource, employee management and training;
  • assessing applications for employment with ClinRec or for engaging contractors or consultants; and
  • meeting any legal and regulatory requirements ClinRec is subject to, or that may be imposed upon ClinRec.

ClinRec may also use personal information for purposes related to the above purposes and for which one would reasonably expect ClinRec to do so in the circumstances, or where an individual has consented or the use is otherwise in accordance with law.

Where personal information is used or disclosed, ClinRec takes steps reasonable in the circumstances to ensure it is relevant to the purpose for which it is to be used or disclosed. Individuals are under no obligation to provide their personal information to ClinRec. However, without certain information, ClinRec may not be able to provide its services.

8. Disclosure of Personal Information

ClinRec discloses an individual’s personal information for the purpose for which ClinRec collects it.  That is, generally, ClinRec will only disclose personal information for a purpose set out at Section 7.  This may include disclosing your personal information to those who have an operational need or who have legislative authority, such as:

  • sponsors of a clinical trial;
  • vendors processing data collected in clinical trials;
  • regulatory authorities;
  • the Human Research Ethics Committee (HREC) involved in a clinical trial;
  • people or entities considering acquiring an interest in ClinRecs enterprise or assets;
  • ClinRecs professional advisors, contractors, consultants and related bodies corporate, including auditors, certifying authorities or ethics committees, including the HREC;
  • insurance providers; and
  • regulatory bodies (such as the Office of the Australian Information Commissioner, the Australian Taxation Office, the Australian Federal Police) where disclosure is required or authorised by law.

ClinRecs disclosures of an individual’s personal information to third parties are on a confidential basis or otherwise in accordance with law. ClinRec may also disclose personal information with the individual’s consent or if disclosure is required or authorised by law.

ClinRec will de-identify personal information prior to disclosure where the purpose of the disclosure can be satisfied by the provision of de-identified data e.g. in clinical trials by the use of a participant or patient identification number (“pseudonyms”).

9. Overseas disclosure

ClinRec may disclose personal information to overseas recipients in order to provide its services and for administrative purposes. Recipients of such disclosures may be located in North America, Europe and Asia, and may also be located in other countries. ClinRec will de-identify your personal information prior to disclosure where the purpose of the disclosure can be satisfied by the provision of de-identified data.

Overseas recipients may have different privacy and data protection standards. However, before disclosing any personal information to an overseas recipient, ClinRec takes steps reasonable in the circumstances to ensure the overseas recipient complies with the Australian Privacy Principles or is bound by a substantially similar privacy scheme unless you consent to the overseas disclosure or it is otherwise required or permitted by law. If you have any queries or objections to such disclosures, please contact ClinRecs Privacy Officer on the details set out in Section 15.

10. Direct Marketing

ClinRec may use and disclose personal information in order to inform of services that may be of interest to an individual.  In the event that the recipient does not wish to receive such communications, they can opt-out by contacting ClinRec via the contact details set out in Section 14 or through any opt-out mechanism contained in relevant marketing communication.

11. Security and Integrity of Personal Information

ClinRec takes steps reasonable in the circumstances to ensure that the personal information it holds is protected from misuse, interference and loss and from unauthorised access, modification or disclosure. ClinRec holds personal information in both hard copy and electronic forms in secure databases on secure premises, accessible only by authorised staff.

ClinRec will destroy, anonymise or return (as applicable) personal information in circumstances where it is no longer required, unless ClinRec is otherwise required or authorised by law to retain the information.

12. Privacy Data Breach

ClinRec take every step to secure personal information from unauthorised access, modification or loss.

ClinRec will ensure that third party service providers processing information on behalf of ClinRec have appropriate controls and are obligated to promptly report any data breach to ClinRec in its capacity as the data controller.

ClinRec will take any required step to take measures to mitigate the any breach and to prevent reoccurrence if possible.

ClinRec will document any data breach regardless of its severity and will manage and report the breach (as required) and in compliance with the APP, the Office of the Australian Information Commissioner (OAIC) and other applicable international privacy and data breach policies.

ClinRec will inform an individual without undue delay should a data breach seems likely to result in a high risk of harm to an individual.

When notified of the receipt of unsolicited personal information, then ClinRec will determine if it could have collected the information in line with APP. ClinRec will destroy the information if it could not have reasonably obtained this information.

13. Access and Correction of Personal Information ClinRec Holds

ClinRec takes steps reasonable in the circumstances to ensure personal information it holds is accurate, up-to-date, complete, relevant and not misleading.  Under the Privacy Act, an individual has a right to access and seek correction of their personal information that is collected and held by ClinRec.  If at any time an individual would like to access or correct the personal information that ClinRec holds about you, or you would like more information on ClinRecs approach to privacy, please contact ClinRecs Privacy Officer on the details set out in Section 14 below.

ClinRec will grant access to the extent required or authorised by the Privacy Act or other law and take steps reasonable in the circumstances to correct personal information where necessary and appropriate.

To obtain access to your personal information:

  • you will have to provide proof of identity to ensure that personal information is provided only to the correct individuals and that the privacy of others is protected;
  • ClinRec requests that you be reasonably specific about the information you require; and
  • if ClinRec refuses your request to access or correct your personal information, ClinRec will provide you with written reasons for the refusal and details of complaint mechanisms. ClinRec will also take steps reasonable in the circumstance to provide you with access in a manner that meets your needs and the needs of ClinRec.

Individuals may request deletion or object processing of their personal data ClinRec is controller of e.g. in cases where the individual withdraws consent and/or the information is no longer required (as per Section 11).

However, whereas clinical trial participants can withdraw form a trial at any time, their data will be retained as per applicable regulatory requirements and information collected prior to withdrawal of consent will be controlled and processed as defined in the relevant information and consent documentation.

Individuals registered on ClinRec Study Participant Database may request to have their personal data deleted upon request only if they have not been screened and/or enrolled in any clinical study (including screening). If they have been screened and/or enrolled in any clinical study, however, they still may request to opt-out from any further communication e.g. information of upcoming studies.

ClinRec will endeavour to respond to your request to access or correct your personal information within 30 days from your request. Third parties (processors) receiving deletion or processing objections are required to notify ClinRec in a reasonable time and/or according to their agreement if applicable.

14. Contacts

For further information or enquiries regarding your personal information/data, or to opt-out of receiving any promotional or marketing communications, please contact ClinRecs Privacy Officer at: info@clinrec.com

15. Privacy Complaints

Please direct all privacy complaints to ClinRecs Privacy Officer.  At all times, privacy complaints:

  • will be treated seriously;
  • will be dealt with promptly;
  • will be dealt with in a confidential manner; and
  • will not affect your existing obligations or affect the commercial arrangements between you and ClinRec.

ClinRecs Privacy Officer will commence an investigation into your complaint.  You will be informed of the outcome of your complaint following completion of the investigation.  In the event that you are dissatisfied with the outcome of your complaint, you may refer the complaint to the Office of the Australian Information Commissioner.

16. Additional Information and Resources

This Policy may be updated from time to time. The current version is available on ClinRecs website together with additional privacy notices. Electronic forms of this Policy may be requested from the Privacy Officer (see Section 14).

References and additional resources:

Integrated Addendum to ICH E6(R1): Guideline for Good Clinical Practice E6(R2), 9 Nov 2016 (or current updated version) – annotated with TGA comments (https://www.tga.gov.au/publication/note-guidance-good-clinical-practice)

National Statement on Ethical Conduct in Human Research 2007 (Updated 2018). The National Health and Medical Research Council, the Australian Research Council and Universities Australia. Commonwealth of Australia, Canberra (https://www.nhmrc.gov.au/guidelines-publications/e72)

For information on the Australian Privacy Act (1988) and the Australian Privacy Principles visit the website of the Office of the Australian Information Commissioner (https://www.oaic.gov.au/)