SOP-031 Version: 2.0 Effective Date: 18-Nov-2013
Table of Contents

1. DOCUMENT HISTORY ... 3
2. APPROVAL STATEMENT ... 3
3. PURPOSE ... 4
4. SCOPE ... 4
5. ABBREVIATIONS ... 5
6. PROCEDURES ... 5
6.1 COLLECTION OF PII ... 6
6.2 USE AND MAINTENANCE OF PII ... 6
6.3 ACCIDENTAL EXPOSURE OF PII ... 6
6.4 RIGHTS OF INDIVIDUALS ... 6
6.5 MAINTAINING APPROPRIATE SECURITY ... 7
6.6 DISCLOSURE OF PII ... 7
6.7 TRAINING AND MONITORING ... 7
6.8 COMPLIANCE AND WAIVERS ... 7
6.9 COMMUNICATION OF ISSUES ... 7

File: 9980105-SOPS-031-02.00 Privacy Policy Page 2 of 7
3. Purpose

The purpose of this document is to define Foresight's policy towards the processing, storage and distribution of Personally Identifiable Information (PII) or Individually Identifiable Health Information (Protected Health Information, PHI). This policy is written in accordance with Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data; the Standards for Privacy of Individually Identifiable Health Information; Final Rule (45 CFR Part 160 and Subparts A and E of Part 164) as part of HIPAA; the Federal Policy for the Protection of Human Subjects and the FDA's human subject protection regulations (21 CFR Parts 50 and 56).

PII might be processed or accessed in a variety of business and commercial contexts, including (i) sales and marketing, (ii) human resources and employee management and (iii) Foresight client applications. Foresight does not, per se, create or collect sensitive personal information in client applications. Foresight may create or collect personal information as part of its business of implementing, validating and hosting global drug safety and risk management systems, and Foresight will be exposed to such information collected and processed by its clients. Foresight will therefore comply with all the necessary global requirements and applicable law protecting such data and will take any necessary precautions to prevent accidental disclosure of such data. By entering the EU/Switzerland Safe Harbor Agreement, Foresight is bound by the respective regional and national laws. Where local laws or regulations governing PII impose more stringent protections than arise under this policy, Foresight must comply with such laws and regulations.

4. Affirmative Statement

Foresight Group International AG ("Foresight") complies with the U.S.-EU Safe Harbor Framework and the U.S.-Swiss Safe Harbor Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information from European Union member countries and Switzerland. Foresight has certified that it adheres to the Safe Harbor Privacy Principles of notice, choice, onward transfer, security, data integrity, access, and enforcement. To learn more about the Safe Harbor program, and to view Foresight's certification, please visit http://www.export.gov/safeharbor/.

5. Scope

Personally Identifiable Information (PII) refers to information that identifies, or could be used to identify, an individual. For the purposes of this policy, PII shall include Sensitive Personally Identifiable Information (SPII) and its subset Protected Health Information (PHI), and shall exclude information that Foresight cannot reasonably attribute to a particular individual without a disproportionate amount of time, effort or expense.
This policy applies to all Foresight legal entities worldwide, all Foresight staff and all third parties processing or accessing PII on Foresight's behalf.

6. Abbreviations

CFR: (United States) Code of Federal Regulations
FDA: (United States) Food and Drug Administration
HIPAA: Health Insurance Portability and Accountability Act
PHI: Protected Health Information, subset of PII relating to health information.
PII: Personally Identifiable Information, information that identifies or could be used to identify an individual.
SOP: Standard Operating Procedure
SPII: Sensitive Personally Identifiable Information, subset of PII relating to an individual's race or ethnicity, political opinions, religious or philosophical beliefs, trade union memberships, commission of criminal offenses, health, sex life or sexual orientation, government issued identification numbers, credit or debit card details or any other PII whose unauthorized acquisition, use, modification, loss or disclosure presents a greater risk of harm to the relevant individual.

7. Procedures

Each Foresight member is individually responsible for the confidentiality and security of PII and for complying with this policy when processing or accessing PII in connection with their normal work activities. Each Foresight member is also responsible for ensuring that third party members who process or access PII on behalf of Foresight comply with this policy.

This SOP defines the procedures that are designed to assure that collection, use and maintenance, and incident reporting are in compliance with all applicable laws, and defines the procedures for training, monitoring compliance and waivers. Security of PII is covered in SOP 9980105-SOPS-018 Foresight Security Policy.

Foresight Partners and Senior Membership are responsible for enforcing compliance with this policy by all members and third party suppliers. The Foresight Privacy Officer is responsible for implementing additional policies, procedures, practices or forms as may be required to comply with this policy.

Each Foresight member shall promptly notify local Foresight management if it appears that this policy conflicts with any local legal or regulatory obligations. If local Foresight management verifies that a conflict exists, they shall subsequently notify the Foresight Privacy Officer.
7.1 Collection of PII

Foresight staff must only collect the minimum amount of PII necessary to serve specific, legitimate business purposes, including commercial and legal purposes. Where such purposes allow, Foresight staff must rely on information that does not identify individuals rather than PII. Foresight staff must collect PII by fair and lawful means.

Where required or practicable, Foresight staff must furnish information to individuals about the types of PII collected relating to them, the purposes for which PII is used, any rights the individual may have in and to the PII, disclosures of the PII to third parties, and other relevant information. Foresight staff may not need to furnish the above information if all of the following requirements are met: (i) a specific, legitimate business purpose exists, (ii) only the minimum amount of PII is collected and (iii) the PII is a matter of public record or is otherwise in the public domain.

Foresight must obtain an individual's informed and voluntary consent to process their information where it is necessary or appropriate to do so.

7.2 Use and Maintenance of PII

Prior to use of any PII, Foresight staff must ensure that any intended use of the PII serves a specific business purpose and is in compliance with this policy and applicable law. Foresight staff must maintain the integrity and accuracy of the PII that is processed and correct or amend any PII that they find incorrect. PII collected for a specific business purpose must not be processed by Foresight staff for a subsequent, incompatible purpose without the prior consent of the individual, unless otherwise permitted or required by applicable law.

7.3 Accidental Exposure of PII

As part of its business of implementing, validating and hosting global drug safety and risk management systems, Foresight staff might be exposed to PII collected and processed by its clients. Accidental exposure to PII not related to the tasks described above, or any accidental loss of such information, requires immediate notification of the Privacy Officer.

7.4 Rights of Individuals

Where required by law or where practicable, Foresight staff must provide individuals with access to, or information about, PII collected by Foresight related to them, and must allow an individual's request to delete or correct incorrect information. Such requests for information hosted by Foresight, but collected and processed by one of its clients, must be satisfied by the client.

Foresight staff must seek a prompt and fair resolution of any complaints brought by individuals related to the processing of PII, as well as cooperate with authorities and regulators resolving such complaints. The Privacy Officer has to be notified about any such complaint.
7.5 Maintaining Appropriate Security

Foresight must implement safeguards to prevent the occurrence of Security Incidents involving PII. Safeguards are described in SOP 9980105-SOPS-018 Foresight Security Policy. The safeguards must correspond to the sensitivity of the PII (e.g. SPII or PHI require a higher level of security).

Foresight staff must ensure that PII is only processed or accessed by authorized Foresight staff or third party suppliers and that such processing or access is consistent with their roles and responsibilities. Foresight staff must promptly report Security Incidents in accordance with SOP 9980105-SOPS-018 Foresight Security Policy.

Foresight staff must retain PII only as long as necessary to fulfill its specific business purpose and then must delete, destroy or anonymize the PII as promptly and securely as possible, in compliance with client contracts or SOP 9980105-SOPS-017 Document Retention Policy.

7.6 Disclosure of PII

Foresight staff must only disclose PII to other third parties where specifically authorized to do so and in compliance with applicable laws. Foresight staff must not transfer any Foresight client data containing PII from Foresight premises or data centers without a signed and approved Data Transfer Agreement. Prior to any international transfer of PII, Foresight staff must assure that the protection applied to the PII satisfies the laws and regulations in the country of origin, except where the transfer is based on a legal exception found in applicable laws.

7.7 Training and Monitoring

Foresight staff must be trained in the proper implementation of this procedure. Periodic reviews must be conducted to ensure compliance with this policy.

7.8 Compliance and Waivers

All Foresight staff must sign and comply with the Computer and Information Usage Agreement, form 9990101-FORM-530 Computer and Information Usage Agreement. Any requirement in this policy may be waived conditionally on a case-by-case basis in exceptional circumstances with written authorization from the Privacy Officer. If approved, these exceptions must be recorded by the Privacy Officer and communicated to all relevant Foresight staff and third party providers.

7.9 Communication of Issues

All questions or concerns regarding the implementation of this policy must be directed to local Foresight management or directly to the Privacy Officer.