The Regulatory & Clinical Research Institute, Inc. (RCRI) is a contract research organization that provides regulatory affairs and clinical research consulting services to medical product manufacturers (hereinafter termed as “Sponsor”). As such, it enters into contractual relationships that specify the terms and conditions under which RCRI will assist in the design, implementation, data storage, analysis, and report generation of the outcomes of clinical research projects performed under the sole authority of the Sponsor. The Sponsor typically holds all title, rights, and responsibilities for the data provided to RCRI. The RCRI-Sponsor contracts expressly forbid RCRI from uses or disclosures of the Sponsor’s data or other confidential information outside the documented work instructions of the Sponsor, or as required by law.
For purposes of this Privacy Shield Policy, the following definitions apply: “Client” or “Sponsor” means any individual, corporation, or other entity which contracts RCRI to perform services involving the transfer, processing, or reporting of Personal Information on behalf of and under the instructions of said “Client”/“Sponsor”. “Personal Information” or “Information” means information that (1) pertains to a specific individual; (2) can be uniquely linked to that individual (e.g., by name, social security number, driver’s license); (3) originated in an E.U. Member State: and, (4) is provided in any form. Personal Information does not include information that is encoded, stripped of all personal identifiable information, or that is publicly available. “Sensitive Personal Information” means Personal Information that reveals race, ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, or that concerns the health or sex life of an individual. RCRI will also treat as Sensitive Personal Information any information received from a Sponsor where that Sponsor treats and identifies the information as sensitive. “Subcontractor” means any individual, corporation, or other entity under written contract with RCRI to assist in fulfilling the responsibilities assigned by the Sponsor.
The following privacy principles are based on the Privacy Shield Principles and the definitions applied therein.
Notice RCRI acts solely as an agent of the Sponsor. In this capacity, RCRI may be assigned the responsibility to collect Personal Information directly from study subjects, study investigators, or other sources in the E.U. or may receive such Personal Information directly from the Sponsor. The latter holds legal authority for conduct of the clinical research. RCRI is contractually forbidden from independently releasing the Personal Information to third parties or using the Personal Information in a manner outside the scope of documented work instructions, or as required by law. The provision of study subjects’ rights for “Notice” as stated in the Principles is under the control of the Sponsor and is implemented via an informed consent process which describes the purposes for which the data are collected and used and to what third parties their data are provided as well as how to contact the Sponsor or RCRI in the event of inquiries or complaints. Should RCRI determine that fulfillment of its responsibilities will require that a study subject’s right of “Notice” be expanded beyond that provided in the Sponsor’s original informed consent process, RCRI will notify the Sponsor and assist the latter in the provision of “Notice” prior to initiating the requested work activities. RCRI may not need to furnish notice where Personal Information disclosure is necessary to respond to a lawful government inquiry, is required /authorized by law, court orders or government regulations.
When RCRI is contractually requested to provide guidance to the Sponsor regarding the informed consent process for study subjects in the E.U., RCRI will recommend incorporation of the provisions pertaining to “Choice”. The Sponsor alone holds the legal authority to provide study subjects the choice to (opt out) whether their Personal Information is (1) to be disclosed to a third party or (2) to be used for a purpose other than the purpose for which it was originally collected or subsequently authorized by the individual. Similarly for Sensitive Personal Information, RCRI is under the legal authority of the Sponsor to give individuals the opportunity to affirmatively or explicitly choose (opt in) to allow the disclosure of their Sensitive Personal Information for a purpose other than the purpose for which it was originally collected or to be disclosed to a third party. In some cases, even if an individual opts-out of disclosures of their Personal Information, RCRI may still disclose such Personal Information if required to do so by law, if disclosure is required to be made to law enforcement authorities, if RCRI believes disclosure is necessary to prevent physical harm or financial loss or in connection with an investigation of suspected or actual illegal activity.
Accountability for Onward Transfer
EU individuals have a right to access Personal Information about them processed under Privacy Shield. RCRI is contractually prohibited from releasing or otherwise disclosing Personal Information received from or on behalf of the Sponsor without written permission from the Sponsor, or as required by law. All requests for “Access” will be forwarded to the Sponsor for processing and RCRI will abide by any resulting instructions to correct, amend, or delete Personal Information about themselves.
RCRI shall take reasonable steps to protect the Personal Information in its possession from loss, misuse, unauthorized access, unapproved disclosure, erroneous alteration, and unintended destruction. RCRI has implemented appropriate physical, electronic, and quality system procedures to safeguard and secure Personal Information. RCRI cannot guarantee the security or accuracy of Personal Information recorded, transcribed, or processed prior to its receipt or subsequent to its surrender to the Sponsor. RCRI is not responsible for the illegal acts of third parties or the consequences of such acts.
Data Integrity and Purpose Limitation
RCRI is contractually bound to process Personal Information only in a manner that is consistent with the responsibilities assigned to it by the Sponsor. To the extent necessary and appropriate for those purposes, RCRI shall take reasonable steps to ensure that Personal Information is accurate, complete, current and reliable for its intended use.
Recourse, Enforcement, and Liability
RCRI has further committed to refer unresolved privacy complaints under the EU-US Privacy Shield to the BBB EU PRIVACY SHIELD, a non-profit alternative dispute resolution provider located in the United States and operated by the Council of Better Business Bureaus. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed by RCRI, please visit the BBB EU PRIVACY SHIELD web site at http://www.bbb.org/EU-privacy-shield/for-eu-consumers/ for more information and to file a complaint. If a complaint cannot be resolved through these or other channels, under limited conditions, EU individuals may invoke binding arbitration before a Privacy Shield Panel of the U.S. Department of Commerce and the European Commission. The Federal Trade Commission has enforcement jurisdiction over RCRI’s compliance with the Privacy Shield. Pursuant to the Privacy Shield, RCRI remains liable for the transfer of personal data to third parties acting as our agents unless we can prove we were not a party to the events giving rise to the damages.
This Privacy Shield Policy may be amended from time to time consistent with the requirements of the Privacy Shield Framework. We will post any revised policies on the RCRI website. The U.S. Department of Commerce’s Privacy Shield Website can be found at https://www.privacyshield.gov/
Effective February 2019