Summary
A series of questions we often see from customers during vendor selection processes. Typically, but not always, geared towards assessing compliance with the European Union (EU) General Data Protection Regulation (GDPR) 2016 - https://en.wikipedia.org/wiki/General_Data_Protection_Regulation.
Definitions
Personal Data
Means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
When specifically addressing GDPR, a natural person is a citizen of the EU.
Special Categories of Personal Data
Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership; genetic data or biometric data uniquely identifying a natural person; data concerning health or sex life and sexual orientation.
Processing
Means any operation or set of operations which is performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Users
Users of ClinSpark. This will include our customers (licensees) and may include third-party users such as CRAs / monitors or other representatives of a trial sponsor, or other approved third parties involved in the management, oversight, analysis and conduct of a trial and related services.
Customers are responsible for the access provisioning, management and control of all users of their ClinSpark instances, with the exception of IQVIA superadministrator, support and engineering staff.
These classes of users are provisioned and managed by IQVIA.
Will your company process any Personal Data on behalf of our organisation?
Yes.
If yes, identify the categories of Personal Data processed
Employee and third party user Information
All ClinSpark users must have an account. Most customers will require their users to have a ClinSpark account, which may include their email address, first name, last name and assigned Roles within the system. Optionally, ClinSpark can store user titles (Dr, Mr, Ms etc.), cell phone numbers and other information pertaining to their use of ClinSpark.
IQVIA uses standard business systems for interacting with and providing services to its customers. This would include, but not be limited to, email, messaging, CRM and service desk platforms. These platforms are likely to collect, store and use customer names, email addresses and other contact and/or location details.
Trial Participant Information
It is generally expected that customers will configure ClinSpark to collect and store personal information and personal health information concerning their prospective, current and past trial participants.
If yes, list any Special Categories of Personal Data processed by your company
ClinSpark was designed to collect and store the following Personal Data:
race and ethnicity
It would not normally be expected for customers to configure ClinSpark to collect and store:
political opinions, religious or philosophical beliefs, or trade union membership
Customers may configure ClinSpark to collect and store:
genetic data or biometric data uniquely identifying a natural person; data concerning health or sex life and sexual orientation.
If yes, describe the categories of data subjects whose Personal Data will be processed by your company
Customer employee and third-party users
Clinical trial participants
If yes, describe the nature and purpose of the processing and the processing operations undertaken by your company
We develop, support and host ClinSpark, a Software-as-a-Service platform for supporting automation and eSource in clinical trials.
Early Phase customers are provided with single-tenant ClinSpark instances to configure and manage in support of the conduct of their clinical trials.
Does your company have a privacy policy, formal guidelines or standard operating procedures for the processing of Personal Data related to the services?
Yes.
If yes, provide a list of all applicable policies, guidelines and standard operating procedures.
QCP_CP_IGP0003 Protection of Personally Identifiable Information
CS_WI_BPI0002 R&DS Privacy Incident Reporting and Management
Does your company ensure users and viewers of Personal Data have a specific and legitimate business reason to access such data?
Yes. Only qualified and trained users are provided access to systems containing Personal Data.
Does your company provide privacy awareness training to all the individuals involved in the processing of Personal Data?
Yes. Annual privacy training is provided.
Does your company have processes in place for ensuring that Personal Data is deleted or securely destroyed once it is no longer needed?
Not applicable.
If yes, describe the process(es) and identify any relevant formal policies, guidelines and standard operating procedures governing such process(es).
This is not usually required for the scope of typical service offerings.
ClinSpark does offer a feature to support a natural person’s ‘right to be forgotten’ under GDPR.
Will non-company employees have physical or logical access to Personal Data?
Yes.
If yes, describe
IQVIA uses some contractors for ClinSpark development and support purposes. The numbers are small. Such contractors are onboarded and managed in the same way as employees and subject to the same training requirements.
Will your company be utilising vendors or subcontractors to process any Personal Data in the provision of the services?
Yes.
If yes, describe the processing activities to be performed utilising vendors or subcontractors
We use class-leading SaaS providers for hosting and customer support.
If yes, identify the vendors or subcontractors your company intends to use for this purpose
We use AWS to host ClinSpark and Atlassian’s Jira Service Desk to provide support.
Is Personal Data processed for specific and legitimate purposes only and processed by fair and lawful means?
Yes.
Does your Company identify the minimum Personal Data elements that are relevant and necessary to accomplish the purpose of data collection?
No. For ClinSpark this is determined by the customer.
Do you maintain records of data processing where required by applicable law? (e.g., General Data Protection Regulation [GDPR] Article 30)
We comply with all contractually agreed requirements.
Where required by law, is there a process for the company to allow individuals’ access to Personal Data for verification and correction or deletion purposes?
Yes.
If yes, provide details
In general, this will not apply as the customer will be responsible for such requests.
Where it should apply, we have a procedure to address this:
CS_WI_BPI0001 R&DS Data Subject Rights Request Management
If applicable to the services you will provide, does your company comply with Health Insurance Portability and Accountability Act (HIPAA)?
In general, our customers are not HIPAA covered entities and are conducting research that is HIPAA exempt.
Where HIPAA applies we have a procedure to address this:
QFP_FAP_PRIV0002 HIPAA Policy for Handling Protected Health Information
If applicable to the services you will provide, does your company comply with GDPR?
Yes.
Please refer to https://www.iqvia.com/about-us/privacy/gdpr-at-iqvia
Who at your company is responsible for data protection and privacy compliance?
Our Privacy Officer can be contacted at PrivacyOfficer@IQVIA.com
Does your company have an establishment in the EU, or a Data Protection Representative established in the EU?
Yes.
Does your company have a Data Protection Officer (DPO)?
Yes.
If yes, provide their contact details
Our Data Protection Officer can be contacted at eu.dpo@iqvia.com
Does your company transfer or receive personal data from inside the EU to those outside of the European Economic Area (EEA)?
This will depend on the nature of our contractual relationship with our customer.
Some customers require us to host ClinSpark outside of the EU/EEA. For these customers, this does not apply.
Some customers require us to host ClinSpark within the EU/EEA but have global business operations whereby they themselves will access data hosted in the EU from outside of the EU.
Similarly, to support customers with ClinSpark hosted in the EU, we may require access by engineers and other specialists who are outside of the EU. Such access and support may require the viewing and extraction of PII of EU natural persons.
If yes, what safeguards are in place to cover the transfer of personal data outside of the EEA?
IQVIA has a Data Privacy Framework Policy (“Policy”) that…
applies to IQVIA Inc. and its U.S. operating subsidiaries (including those entities listed in Exhibit A) (collectively referred to as “IQVIA,” “Company,” “we” or “our”) when Personal Information is received from or about Individuals in the European Economic Area (EEA), United Kingdom (UK), or Switzerland in any format including electronic, paper or verbal.