ClinRec collects, holds, uses, discloses and processes personal information (data) related to clinical trial participants, patients, individuals registering on our study participant database, clients, suppliers, vendors and employees. The information collected by ClinRec may be accessed by staff members or other individuals engaged by ClinRec who may be required to use the information in the process of their standard clinical trial or business activities.
ClinRec acts as a data controller in that we define how and why personal data is processed in order to provide services to our customers and to fulfil our business activities.
ClinRec understands the importance of protecting the privacy of an individual’s personal information including the protection and security of health information obtained from clinical trial participants. Our data controlling and processing activities are regulated by national and applicable international privacy laws and by national and global industry specific regulations including but not limited to ICH Good Clinical Practice and Australian NHMRC National Statement.
This policy sets out how ClinRec aims to protect the privacy of an individual’s personal information, their rights in relation to their personal information controlled by ClinRec and the way ClinRec collects, holds, uses, discloses and processes personal information.
In controlling and handling personal information, ClinRec will comply with the Privacy Act 1988 (Cth) which includes the Australian Privacy Principles (APPs), and the Health Records and Information Privacy Act 2002 (NSW), which includes the Health Privacy Principles (HPPs). ClinRec will comply with the APPs (in regard to all personal information) and the HPPs (in regard to all health information) and any other applicable privacy and data protection laws to the extent such laws apply to ClinRec.
This policy applies to all ClinRec employees and contractors (individuals or an entity) who have access to personal information that is handled and controlled by ClinRec.
Data Controller – is the individual or the legal person who controls and is responsible for the keeping and use of personal information on computer or in structured manual files.
Data Processor – processes personal data only on behalf of the controller usually an external third party.
Personal Information (Data) – means information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether the information or opinion is true or not; and whether the information or opinion is recorded in a material form or not. Common examples are an individual’s name, signature, address, telephone number, date of birth, medical records, bank account details and commentary or opinion about a person.
Sensitive Information – is a type of personal information and includes but is not limited to information about an individual’s health (including predictive genetic information), racial or ethnic origin, political opinions, membership of a political association, religious beliefs or affiliations, philosophical beliefs, sexual orientation or practices, criminal record, biometric information that is to be used for certain purposes, biometric templates.
In this Policy, reference to “Personal Information/Data” includes the meaning of “Sensitive Information” unless stated otherwise.
Unsolicited Personal Information – is information received by ClinRec where ClinRec has taken no active step to collect the information. This usually happens through unauthorised disclosure by a third party (e.g. information sent in a misdirected email).
Exempted from the requirements of the Privacy Act is the collection, holding, use or disclosure of personal information that is considered a ClinRec employee record, which contains personal information related to the employment of an employee, and which is held by ClinRec. These records may include the employee’s health information, information about the engagement, training, performance, termination, terms and conditions of the employment (Act 7B3).
Access to and management of employee records is supervised and managed by ClinRec's CEO. Authorised ClinRec employees who are working in a human resource capacity have access to employee records and ensure these records are handled in a confidential manner and only for purposes related to a current or former employment relationship.
[1] In the context of this document, personal information and personal data are interchangeable.
The kind of personal information ClinRec may collect and hold depends on the nature of the individual’s relationship with ClinRec. Examples include but are not limited to:
Clinical Trial Participant or Patient:
Client and Sponsors:
Supplier, Vendor and other Service Providers:
Candidate Seeking Employment:
Employee:
Participants can actively revoke consent/request withdrawal from database (if never screened/participated) – please email info@clinrec.com
Generally, ClinRec collects personal information directly from the individual, through an interaction or exchange in person or by way of telephone, facsimile, email or post, communication technologies (e.g. instant messaging, voice chat, file sharing platforms), or through completion of a form or questionnaire.
Use of ClinRec's website does not require the submission of personal information; however, individuals interested in participating in a clinical study may complete an online registration to be contacted by ClinRec staff and to be added to ClinRec's study participant database.
There may be occasions when ClinRec collects personal information from other sources such as:
Generally, ClinRec will only collect personal information from sources other than an individual if it is unreasonable or impracticable to collect the relevant personal information through direct contact.
Before or at the time personal information is collected, or, if this is unreasonable or impractical, as soon as feasible afterwards, an individual is informed or made aware of relevant privacy notices including but not limited to:
ClinRec will obtain freely given consent from individuals to handle and process their information during the time the information is under control of ClinRec. The ability to withdraw consent at any time unless required by law will be documented. Where personal information is directly provided by an individual to ClinRec, and the individual was provided with a relevant privacy notice at the time of collection, consent will be inferred.
Specific informed consent to process sensitive information is required from clinical trial participants and described in detail in the Participant Information and Consent Form (PICF).
The purpose for which ClinRec collects, holds, uses and discloses Personal Information (refer to Section 4 for more details) where it is reasonably necessary includes but is not limited to:
ClinRec may also use personal information for purposes related to the above purposes and for which one would reasonably expect ClinRec to do so in the circumstances, or where an individual has consented or the use is otherwise in accordance with law.
Where personal information is used or disclosed, ClinRec takes steps reasonable in the circumstances to ensure it is relevant to the purpose for which it is to be used or disclosed. Individuals are under no obligation to provide their personal information to ClinRec. However, without certain information, ClinRec may not be able to provide its services.
ClinRec discloses an individual’s personal information for the purpose for which ClinRec collects it. That is, generally, ClinRec will only disclose personal information for a purpose set out at Section 7. This may include disclosing your personal information to those who have an operational need or who have legislative authority, such as:
ClinRec's disclosures of an individual’s personal information to third parties are on a confidential basis or otherwise in accordance with law. ClinRec may also disclose personal information with the individual’s consent or if disclosure is required or authorised by law.
ClinRec will de-identify personal information prior to disclosure where the purpose of the disclosure can be satisfied by the provision of de-identified data e.g. in clinical trials by the use of a participant or patient identification number (“pseudonyms”).
ClinRec may disclose personal information to overseas recipients in order to provide its services and for administrative purposes. Recipients of such disclosures may be located in North America, Europe and Asia, and may also be located in other countries. ClinRec will de-identify your personal information prior to disclosure where the purpose of the disclosure can be satisfied by the provision of de-identified data.
Overseas recipients may have different privacy and data protection standards. However, before disclosing any personal information to an overseas recipient, ClinRec takes steps reasonable in the circumstances to ensure the overseas recipient complies with the Australian Privacy Principles or is bound by a substantially similar privacy scheme unless you consent to the overseas disclosure or it is otherwise required or permitted by law. If you have any queries or objections to such disclosures, please contact ClinRec's Privacy Officer on the details set out in Section 15.
ClinRec may use and disclose personal information in order to inform of services that may be of interest to an individual. In the event that the recipient does not wish to receive such communications, they can opt-out by contacting ClinRec via the contact details set out in Section 14 or through any opt-out mechanism contained in relevant marketing communication.
ClinRec takes steps reasonable in the circumstances to ensure that the personal information it holds is protected from misuse, interference and loss and from unauthorised access, modification or disclosure. ClinRec holds personal information in both hard copy and electronic forms in secure databases on secure premises, accessible only by authorised staff.
ClinRec will destroy, anonymise or return (as applicable) personal information in circumstances where it is no longer required, unless ClinRec is otherwise required or authorised by law to retain the information.
ClinRec takes every step to secure personal information from unauthorised access, modification or loss.
ClinRec will ensure that third party service providers processing information on behalf of ClinRec have appropriate controls and are obligated to promptly report any data breach to ClinRec in its capacity as the data controller.
ClinRec will take any required measures to mitigate any breach and to prevent recurrence if possible.
ClinRec will document any data breach regardless of its severity and will manage and report the breach (as required) and in compliance with the APP, the Office of the Australian Information Commissioner (OAIC) and other applicable international privacy and data breach policies.
ClinRec will inform an individual without undue delay should a data breach seem likely to result in a high risk of harm to an individual.
When notified of the receipt of unsolicited personal information, ClinRec will determine if it could have collected the information in line with the APPs. ClinRec will destroy the information if it could not have reasonably obtained this information.
ClinRec takes steps reasonable in the circumstances to ensure personal information it holds is accurate, up-to-date, complete, relevant and not misleading. Under the Privacy Act, an individual has a right to access and seek correction of their personal information that is collected and held by ClinRec. If at any time you would like to access or correct the personal information that ClinRec holds about you, or you would like more information on ClinRec's approach to privacy, please contact ClinRec's Privacy Officer on the details set out in Section 14 below.
ClinRec will grant access to the extent required or authorised by the Privacy Act or other law and take steps reasonable in the circumstances to correct personal information where necessary and appropriate.
To obtain access to your personal information:
Individuals may request deletion of, or object to the processing of, their personal data of which ClinRec is the controller, e.g. in cases where the individual withdraws consent and/or the information is no longer required (as per Section 11).
However, whereas clinical trial participants can withdraw from a trial at any time, their data will be retained as per applicable regulatory requirements, and information collected prior to withdrawal of consent will be controlled and processed as defined in the relevant information and consent documentation.
Individuals registered on the ClinRec Study Participant Database may request to have their personal data deleted only if they have not been screened and/or enrolled in any clinical study (including screening). If they have been screened and/or enrolled in any clinical study, however, they may still request to opt out of any further communication, e.g. information about upcoming studies.
ClinRec will endeavour to respond to your request to access or correct your personal information within 30 days from your request. Third parties (processors) receiving deletion or processing objections are required to notify ClinRec in a reasonable time and/or according to their agreement if applicable.
For further information or enquiries regarding your personal information/data, or to opt out of receiving any promotional or marketing communications, please contact ClinRec's Privacy Officer at: info@clinrec.com
Please direct all privacy complaints to ClinRec's Privacy Officer. At all times, privacy complaints:
ClinRec's Privacy Officer will commence an investigation into your complaint. You will be informed of the outcome of your complaint following completion of the investigation. In the event that you are dissatisfied with the outcome of your complaint, you may refer the complaint to the Office of the Australian Information Commissioner.
This Policy may be updated from time to time. The current version is available on ClinRec's website together with additional privacy notices. Electronic forms of this Policy may be requested from the Privacy Officer (see Section 14).
References and additional resources:
Integrated Addendum to ICH E6(R1): Guideline for Good Clinical Practice E6(R2), 9 Nov 2016 (or current updated version) – annotated with TGA comments (https://www.tga.gov.au/publication/note-guidance-good-clinical-practice)
National Statement on Ethical Conduct in Human Research 2007 (Updated 2018). The National Health and Medical Research Council, the Australian Research Council and Universities Australia. Commonwealth of Australia, Canberra (https://www.nhmrc.gov.au/guidelines-publications/e72)
For information on the Australian Privacy Act (1988) and the Australian Privacy Principles visit the website of the Office of the Australian Information Commissioner (https://www.oaic.gov.au/)