...
We use AWS to host ClinSpark and Atlassian’s Jira Service Desk to provide support.
If yes, how do you assure the security and protection measures that your sub-processors undertake to protect personal data?
These sub-processors (identified above) are approved suppliers to IQVIA.
They both participate in comprehensive assurance programmes that can be reviewed here:
Is Personal Data processed for specific and legitimate purposes only and processed by fair and lawful means?
...
No. For ClinSpark this is determined by the customer.
Can any of this data be anonymised?
Generally, for recruiting participants into clinical trials, it is important to know actual details about participants in order to communicate with them and enrol them into your trials.
Thus the ‘volunteer database’ is expected to contain PII and associated PHI.
Can any of this data be pseudonymised?
Generally, in the conduct of clinical trials, participants are referred to by screening and/or enrolment numbers. It is possible to configure ClinSpark to hide additional personal information that might allow identification, such as DOB and initials, in data collection and data review screens. Exported or reported datasets are expected to identify participants with screening and/or enrolment numbers. Some standard reports will include identifying information, but these can be restricted on a ‘need to know’ basis.
Do you maintain records of data processing where required by applicable law? (e.g., General Data Protection Regulation [GDPR] Article 30)
...
QFP_FAP_PRIV0002 HIPAA Policy for Handling Protected Health Information
Do you have an online privacy notice available for the general public?
Yes.
https://www.iqvia.com/about-us/privacy
If applicable to the services you will provide, does your company comply with GDPR?
...
Does your company have an establishment in the EU, or a Data Protection Representative established in the EU?
Yes.
Does your company have a Data Protection Officer (DPO)?
...