Privacy Policy SOP-031


SOP-031 Version: 2.0 Effective Date: 18-Nov-2013

Table of Contents

1. DOCUMENT HISTORY ... 3
2. APPROVAL STATEMENT ... 3
3. PURPOSE ... 4
4. SCOPE ... 4
5. ABBREVIATIONS ... 5
6. PROCEDURES ... 5
6.1 COLLECTION OF PII ... 6
6.2 USE AND MAINTENANCE OF PII ... 6
6.3 ACCIDENTAL EXPOSURE OF PII ... 6
6.4 RIGHTS OF INDIVIDUALS ... 6
6.5 MAINTAINING APPROPRIATE SECURITY ... 7
6.6 DISCLOSURE OF PII ... 7
6.7 TRAINING AND MONITORING ... 7
6.8 COMPLIANCE AND WAIVERS ... 7
6.9 COMMUNICATION OF ISSUES ... 7

File: 9980105-SOPS-031-02.00 Privacy Policy Page 2 of 7

3. Purpose

The purpose of this document is to define Foresight's policy towards the processing, storage and distribution of Personally Identifiable Information (PII) or Individually Identifiable Health Information (Protected Health Information, PHI). This policy is written in accordance with Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data; the Standards for Privacy of Individually Identifiable Health Information, Final Rule (45 CFR Part 160 and Subparts A and E of Part 164) as part of HIPAA; the Federal Policy for the Protection of Human Subjects; and the FDA's human subject protection regulations (21 CFR Parts 50 and 56).

PII might be processed or accessed in a variety of business and commercial contexts that include (i) sales and marketing, (ii) human resources and employee management and (iii) Foresight client applications. Foresight does not, per se, create or collect sensitive personal information in client applications. Foresight may create or collect personal information as part of its business of implementing, validating and hosting global drug safety and risk management systems, and Foresight will be exposed to such information collected and processed by its clients. Foresight will therefore comply with all the necessary global requirements and applicable law protecting such data and will take any necessary precautions to prevent accidental disclosure of such data.

By entering the EU/Switzerland Safe Harbor Agreement, Foresight is bound by the respective regional and national laws. Where local laws or regulations governing PII impose more stringent protections than arise under this policy, Foresight must comply with such laws and regulations.

4. Affirmative Statement

Foresight Group International AG ("Foresight") complies with the U.S.-EU Safe Harbor Framework and the U.S.-Swiss Safe Harbor Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information from European Union member countries and Switzerland. Foresight has certified that it adheres to the Safe Harbor Privacy Principles of notice, choice, onward transfer, security, data integrity, access, and enforcement. To learn more about the Safe Harbor program, and to view Foresight's certification, please visit http://www.export.gov/safeharbor/.

5. Scope

Personally Identifiable Information (PII) refers to information that identifies, or could be used to identify, an individual. For the purposes of this policy, PII shall include Sensitive Personally Identifiable Information (SPII) and its subset Protected Health Information (PHI), and shall exclude information that Foresight cannot reasonably attribute to a particular individual without a disproportionate amount of time, effort or expense.

This policy applies to all Foresight legal entities worldwide, all Foresight staff and all third parties processing or accessing PII on Foresight's behalf.

6. Abbreviations

Abbreviation: Definition
CFR: (United States) Code of Federal Regulations
FDA: (United States) Food and Drug Administration
HIPAA: Health Insurance Portability and Accountability Act
PHI: Protected Health Information, subset of PII relating to health information.
PII: Personally Identifiable Information, information that identifies or could be used to identify an individual.
SOP: Standard Operating Procedure
SPII: Sensitive Personally Identifiable Information, subset of PII relating to an individual's race or ethnicity, political opinions, religious or philosophical beliefs, trade union memberships, commission of criminal offenses, health, sex life or sexual orientation, government issued identification numbers, credit or debit card details, or any other PII whose unauthorized acquisition, use, modification, loss or disclosure presents a greater risk of harm to the relevant individual.

7. Procedures

Each Foresight member is individually responsible for the confidentiality and security of PII and for complying with this policy when processing or accessing PII in connection with their normal work activities. Each Foresight member is also responsible for ensuring that third party members who process or access PII on behalf of Foresight comply with this policy.

This SOP defines the procedures that are designed to assure that collection, use and maintenance, and incident reporting are in compliance with all applicable laws, and defines the procedures for training, monitoring compliance and waivers. Security of PII is covered in SOP 9980105-SOPS-018 Foresight Security Policy.

Foresight Partners and Senior Membership are responsible for enforcing compliance with this policy by all members and third party suppliers. The Foresight Privacy Officer is responsible for implementing additional policies, procedures, practices or forms as may be required to comply with this policy.

Each Foresight member shall promptly notify local Foresight management if it appears that this policy conflicts with any local legal or regulatory obligations. If local Foresight management verifies that a conflict exists, they shall subsequently notify the Foresight Privacy Officer.

7.1 Collection of PII

Foresight staff must only collect the minimum amount of PII necessary to serve specific, legitimate business purposes, including commercial and legal purposes. Where such purposes allow, Foresight staff must rely on information that does not identify individuals rather than PII. Foresight staff must collect PII by fair and lawful means.

Where required or practicable, Foresight staff must furnish information to individuals about the types of PII collected relating to them, the purposes for which PII is used, any rights the individual may have in and to the PII, disclosures of the PII to third parties, and other relevant information. Foresight staff may not need to furnish the above information if all of the following requirements are met: (i) a specific, legitimate business purpose exists, (ii) only the minimum amount of PII is collected and (iii) the PII is a matter of public record or is otherwise in the public domain.

Foresight must obtain an individual's informed and voluntary consent to process their information where it is necessary or appropriate to do so.

7.2 Use and Maintenance of PII

Prior to use of any PII, Foresight staff must ensure that any intended use of the PII serves a specific business purpose and is in compliance with this policy and applicable law. Foresight staff must maintain the integrity and accuracy of the PII that is processed and correct or amend any PII that it finds incorrect. PII collected for a specific business purpose must not be processed by Foresight staff for a subsequent, incompatible purpose without the prior consent of the individual, unless otherwise permitted or required by applicable law.

7.3 Accidental Exposure of PII

As part of its business of implementing, validating and hosting global drug safety and risk management systems, Foresight staff might be exposed to PII collected and processed by its clients. Accidental exposure to PII not related to the tasks described above, or any accidental loss of such information, requires immediate notification of the Privacy Officer.

7.4 Rights of Individuals

Where required by law or where practicable, Foresight staff must provide individuals with access to, or information about, PII collected by Foresight related to them, and must allow an individual's request to delete or correct incorrect information. Such requests for information hosted by Foresight, but collected and processed by one of its clients, must be satisfied by the client.

Foresight staff must seek a prompt and fair resolution of any complaints brought by individuals related to the processing of PII, and must cooperate with authorities and regulators resolving such complaints. The Privacy Officer has to be notified about any such complaint.

7.5 Maintaining Appropriate Security

Foresight must implement safeguards to prevent the occurrence of Security Incidents involving PII. Safeguards are described in SOP 9980105-SOPS-018 Foresight Security Policy. The safeguards must correspond to the sensitivity of the PII (e.g. SPII or PHI require a higher level of security).

Foresight staff must ensure that PII is only processed or accessed by authorized Foresight staff or third party suppliers and that such processing or access is consistent with their roles and responsibilities. Foresight staff must promptly report Security Incidents in accordance with SOP 9980105-SOPS-018 Foresight Security Policy.

Foresight staff must retain PII only as long as necessary to fulfill its specific business purpose and then must delete, destroy or anonymize the PII as promptly and securely as possible, in compliance with client contracts or SOP 9980105-SOPS-017 Document Retention Policy.

7.6 Disclosure of PII

Foresight staff must only disclose PII to other third parties where specifically authorized to do so and in compliance with applicable laws. Foresight staff must not transfer any Foresight client data containing PII from Foresight premises or data centers without a signed and approved Data Transfer Agreement. Prior to any international transfer of PII, Foresight staff must ensure that the protection afforded to the PII satisfies the laws and regulations of the country of origin, except where the transfer is based on a legal exception found in applicable laws.

7.7 Training and Monitoring

Foresight staff must be trained in the proper implementation of this procedure. Periodic reviews must be conducted to ensure compliance with this policy.

7.8 Compliance and Waivers

All Foresight staff must sign and comply with the Computer and Information Usage Agreement, form 9990101-FORM-530 Computer and Information Usage Agreement. Any requirement in this policy may be waived conditionally, on a case-by-case basis and in exceptional circumstances, with written authorization from the Privacy Officer. If approved, these exceptions must be recorded by the Privacy Officer and communicated to all relevant Foresight staff and third party providers.

7.9 Communication of Issues

All questions or concerns regarding the implementation of this policy must be directed to local Foresight management or directly to the Privacy Officer.