Privacy Policy

VCTC policy documents are designed to provide VCTC’s customers with an understanding of VCTC’s position and policies in relation to regulations and key aspects of our services.

VCTC Privacy Policy

VCTC are committed to protecting and respecting the privacy of subjects, nurses, customers, suppliers and employees, and this includes their personal and health related information
This policy, together with our terms of use, privacy policy and any other documents referred to on it, sets out the basis on which any personal data (or personal information) we collect or that is provided to us, will be processed by us.

As an organisation, the VCTC have a responsibility to safeguard all personal data that it holds. The company is responsible for ensuring compliance with the UK Data Protection Act 2018 (incorporating GDPR) applicable data privacy and data protection regulations with regards to employee data, business information and data concerning trial subjects (patients) i.e. those data required by VCTC to conduct trial visits in the patient’s home. 

For VCTC, business information refers to data held about its customers and any third parties that provide support for VCTC services.

VCTC also has an obligation to ensure that organisations who receive/process personal data provided by VCTC e.g. vendors (processors or sub-processors) are also compliant with current data protection regulations and data processing agreements should be in place between VCTC and the third party. VCTC has a number of internal policies, procedures and processes for safeguarding personal information and these conform to GDPR and HIPAA principles. To ensure personal data receives an adequate level of protection when transferred between the various parts of VCTC’s organisation, VCTC has put in place Standard Contractual Clauses to ensure personal data is treated by all of its offices in a way which is consistent with and respects the EU and UK laws in data protection.

1. VCTC acts as a Data Controller for the following types of Personal Data:

VCTC Employee Data

VCTC acts as Data Controller as it retains control over the purposes for processing personal data about its employees and the manner in which it does this.

Customer Data

VCTC acts as a Data Controller as we hold a database of individual business contacts and this data is used to send updates and news to them on a regular basis. VCTC can only store this data if the individual has consented (“opted in”).

2. VCTC acts as a Data Processor (and sometimes Sub-Processor) for the following types of Personal Data:

Trial Subject Data

VCTC acts as a Data Processor where clinical trial data is concerned. VCTC processes personal information that is needed in order to perform in-home protocol visits to trial subjects. VCTC only uses personal information to conduct homecare visits. Whilst the trial Sponsor and the principal investigator are the data controllers, VCTC does take responsibility for how it processes the information internally and takes responsibility for the manner by which it provides information to any approved subcontractors to whom it might utilize to actually perform the in-home protocol visits.
All documents used by VCTC and its subcontractors in the provision of the service are reviewed and approved by the trial Sponsor, or their delegate.

Third Party Study Personnel

VCTC acts as both a Data Controller and a Data Processor where third parties supporting trials are concerned. In order to perform our services and to conform to ICH-GCP, VCTC is obliged to confirm that individuals from any third parties are suitably qualified and competent to do so. As such, VCTC holds CV’s/resumes and forwards these on to customers. Furthermore, we may also store contact details of healthcare professionals who support our Services. VCTC are required to obtain consent from these individuals as the records are stored by VCTC and forwarded to sites. Under ICH-GCP, VCTC are also required to store and archive information relating to our services so that the trial can be recreated in the future.

3. Data protection is centred around a number of key principles and Article 5 of the General Data Protection Regulation (GDPR) stipulates that personal data shall be:
4. a) processed lawfully, fairly and in a transparent manner in relation to individuals;
5. b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
6. c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
7. d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
8. e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to the implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and
9. f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

In summary, only required personal data should be held, is secured and protected against loss, and only kept for as long as is necessary.

VCTC only process personal data in accordance with the above principles. This includes Human Resources and Line Managers for employee data and all relevant project staff for trial subject data.

4. Home Trial Support (HTS) Service

VCTC provides a service to the clinical research community, thereby falling under the regulations of this industry however, in doing so, VCTC also provides a healthcare service and as such must comply with professional standards.

Informing Trial Subjects of Access to and Collection of Personal Data

All trial subjects must be made aware of what happens to the personal data collected about them during a trial and also who has access to it. Reference to the release of their information to VCTC will be made in the Patient Information Sheet and Informed Consent (PIS/IC) or assent form, signed by individual trial subjects. VCTC take responsibility for requesting from their client the version of the PIS/IC that will be used in a trial and reviewing it to ensure that information is contained in the document with regards to 3rd party access. If it is not possible to incorporate this in the principal version, a specific PIS/IC will need to be submitted for ethics review and approval and signed by all trial subjects.

Home nursing teams receive training by VCTC on their responsibilities for the handling and management of personal data.

VCTC Access to Trial Subject Data

Within VCTC, access to personal data is limited to only those personnel who are assigned to a specific trial within VCTC.

All documents used as part of VCTC’s service that do not require personal subject details use a unique identifier (number) instead of the subject’s name provided by the trial site and used VCTC – this is typically the number of the trial site and a unique number assigned to each participating trial subject.

5. Email Communication

E-mail streams, particularly between sites and VCTC resources must refer to a trial subject by their unique trial number only. VCTC employees take responsibility for ensuring that no e-mail concerning a patient is forwarded to an e-mail address of an unknown party unless suitable security provisions are made.

6. Telephone Conversations

It is expected that telephone conversations between VCTC and homecare nurses will relate to specific trial subjects. VCTC employees concerned are responsible for ensuring that they have an awareness of who is within the vicinity of a call when in the office and take precautions to not disclose personal or sensitive data.

7. Data Subject Access Rights

Individuals have the right to request the nature of personal data that is held by VCTC. These rights are enhanced as a result of GDPR and include:

1. The right to be informed
2. The right of access
3. The right to rectification
4. The right to erasure
5. The right to restrict processing
6. The right to data portability
7. The right to object
8. Rights in relation to automated decision making and profiling

Individuals can be anyone whose personal data is held by VCTC and includes employees, trial subjects, nurses and customers.

On receipt of a request, VCTC staff are required to notify the Data Privacy Committee (DPC) immediately in writing providing details of the request (email dataprivacycommittee@theVCTC.co.uk). The DPC will provide the information in a clear, concise and intelligible format in a reasonable timeframe, but no later than within 30 days of receipt of the request. The format will be determined by the DPC.

Finally, VCTC has an obligation to inform individuals if the purpose of the collection of their personal data changes in any way.

8. Data Privacy Committee (DPC)

VCTC appointed a Data Privacy Committee to take on the responsibilities of a DPO. The primary responsibilities of the VCTC DPC are:

• Maintain an in-depth knowledge of GDPR/data privacy regulations and an understanding of EU and national laws where it relates to VCTC and its services;
• Have a good understanding of the pharmaceutical sector and of VCTC’s processing operations;
• Report directly to the VCTC Operating Board and is independent of the processing functions & decision-making structure;
• Monitors GDPR compliance across all VCTC functions;
• Advises on data privacy issues;
• Educates and trains employees;
• Cooperate with ICO and other data processing authorities, especially with regard to personal data breaches;
• Track and respond to data privacy enquiries and subject access requests;
• Advise on the performance of Data Protection Impact Assessments;
• Be involved in future developments of VCTC services where personal data is processed.

The DPC is comprised of individuals who represent all functions across the business and is chaired independently from the operating Board.

9. Personal Data Breaches

VCTC is required to report certain types of personal data breach to the relevant supervisory authority within 72 hours of becoming aware of a breach, where feasible. If the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms, we must also inform those individuals without undue delay.

A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes. It also means that a breach is more than just about losing personal data.

VCTC’s DPC will determine if a breach has occurred and will inform the appropriate authorities and customers in accordance with local requirements.

SUMMARY

All VCTC staff are trained on the management of personal data within VCTC and understand the safeguards and processes that are employed to ensure that VCTC maintains confidentiality at all times, in accordance with the appropriate regulations.

In the event that any individual or organisation has a complaint with regard to how VCTC has handled their personal information, please contact the VCTC Data Privacy Committee in the first instance by emailing dataprivacycommittee@theVCTC.co.uk.