MeDiNova has designed internal policies, procedures and training programs to support compliance with the General Data Protection Regulation 2016/679, the US Health Insurance Portability and accountability Act of 1996, and local data protection and privacy laws in the countries we operate, and we are also bound by the privacy and confidentiality requirements of ICH Good Clinical Practice.
Who Are We?
MeDiNova Limited and its subsidiary companies (“MeDiNova”, “we”, “our”, “us”) is a leading global site network who provides patient recruitment services and conducts ethically approved clinical research trials on behalf of pharmaceutical companies (“Sponsor”), clinical research organisations and other research companies. We may also from time to time provide private healthcare services and procedures to members of the public.
As an employer and clinical research company we act as Data Controller over the personal data and healthcare information you provide to our business. If you participate in one of our clinical trials, it’s important that you know that MeDiNova may share the responsibility of Data Controller with the Sponsor, taking into account our respective roles in processing the personal data. For example, in respect to coded clinical trial data provided to Sponsor, the MeDiNova network site and Sponsor are both considered controllers for the processing of the personal data and will both act in accordance with the applicable data protection law.
Types of Information We Process
Medinova collects clinical and medical information in preparation for and during the performance of clinical trials. Furthermore, we may also collect this information for the performance of private medical procedures or when we provide health or screening services to local communities.
We also collect and process personal data from applicants seeking employment with our company, including appropriate background checks relating to qualifications, job history, professional disbarment and criminal history, where permissible by law. MeDiNova also collects personal and sensitive personal information on employees for the purpose of administering their employment and we may process similar information relating to consultants, contractors and other third parties engaged under contract to provide services.
In relation to our clients and vendors, then the information we collect may include information relating to your director/s, employees and representatives’ names, business address, contact information (including email address), financial details, relevant commercial information and this information when provided, will be saved onto MeDiNova systems for the purpose of contacting you and managing our commercial relationship.
It’s important that you know, information will only be collected on a ‘need to know’ basis and used for the purposes specified at time of collection. The above may include your personal data which means personal details from which you can be identified or are identifiable, for example:
- Contact information (full name, postal address, email address, telephone numbers, etc)
- Date of Birth
- Contact preferences;
- Information about studies and services you have expressed an interest in (including clinical trials you may have participated in and services you may use);
- Images of you in areas of our clinics/premises covered by CCTV;
- Behavioural data/online identifiers (eg IP address, cookies etc – please see our separate Cookies Policy)
- Information about next of kin or other people (where you provide information about other people, please make sure you have their permission to do so or that you can speak on their behalf, for example, in the case of children or an elderly relative);
Employees and patients are also likely to provide certain types of sensitive information. We are conscious that this type of information could cause harm if improperly processed so sensitive information is stored securely with restricted access and handled with the greatest respect for your privacy. Examples of sensitive personal data we collect include:
- Healthcare information (eg physical & mental health or conditions, medical records, disabilities, sexual orientation;
- National Insurance number
- Race/ethnicity/religious beliefs
- Voice recordings
- Bank account details
- Identification information (eg passports, drivers licenses or national identity cards, utility statements)
- Dispute resolution information
- Biometric data; genetic data.
- Employee performance records;
- Alleged commission of any offence;
- Any proceeding for any committed or alleged offence;
- Image; and
- Employee trade union membership.
When / How we Collect your Information
There are various data points at which we collect your information but importantly, we will always tell you when we collect your information and provide a fair processing notification, so you know who we are, what purpose we will use that information and your rights in respect of the information. Examples of the points at which we collect your personal information include when you:
- Contact us to enquire about one of our services (eg via telephone, reply slip, email, and text);
- Visit our website;
- Fill in one of our online or offline registration forms;
- Visit one of our clinics and use our services;
- Interact with us in online forums, by email, text, telephone, or on social media;
- Post reviews of your interaction with us; and
- Complete our market research/patient/employee/vendor/customer surveys.
How we Use Your Information
The reason we use your information will often be obvious from the way you interact with us. For example, if you contact us to express an interest in one of our clinical trials and volunteer for study screening, attend a patient interest visit, or undertake private procedures with us, your personal and medical information will be held by Medinova and used to contact you, assess suitability of the service/procedure for you, arrange appointments, undertake our service (eg participation in the clinical trial, conduct a private healthcare procedure, etc), inform you of the results, and we may need to contact you to follow up for whatever reason.
We explain how we will use your information at the point of collecting it. However, our uses of your information may not always be so obvious. You can find out more below. There are a number of legal grounds that enable us to process your data - It’s quite complicated but below are the most relevant grounds you should be aware of:
· With your Consent: In cases where we need your consent to process your information, we will ask you to make a positive indication (eg to tick a box, sign a document, provide confirmation) that you agree to the processing. By actively providing consent, you are stating that you have been informed as to the type of personal information that will be processed, the reasons for such processing and how it will be used and for how long it will be kept and who else has access to it. For example, where we want to send you marketing messages by email, we would usually ask your permission first and you could opt-out at any time by clicking on the unsubscribe link on the email or updating your preferences.
· To Fulfil a Contract: We may process personal information in order to fulfil a contract we have with you.
· For a Legitimate Interest: Sometimes we may use your information to help achieve our business objectives but only where that activity doesn’t negatively affect your rights. For example, we might use your information to analyse therapeutic trends and gather anonymised geographic statistics. You can object to us relying on our legitimate interest to use your personal data in these ways at any time by getting in touch with us using the contact details below.
· To Comply with Legal Obligations: There may be situations where we need to use your information to comply with legal obligations. For example, we are required by law to keep certain records for specific periods of time or in case there is an emergency, so we can make sure you’re safe.
Personal information will be shared within MeDiNova and its subsidiaries and affiliated companies on a “need to know basis” and to meet the stated purposes provided at the point of collection.
For those participating in clinical trials, it’s important that you know that Sponsor shall refrain from tracing and/or identifying any Clinical Trial Subject. In the event any Clinical Trial Subject, for whatever reason, becomes identifiable to the Sponsor, the Sponsor and their representatives will preserve, at all times, the confidentiality of information pertaining to such Clinical Trial Subjects.
MeDiNova may disclose personal information regarding employees, vendors and customers to a buyer or other successor in the event of a merger, restructure, reorganisation or other transfer of some or all of MeDiNova assets.
We may also provide customers, vendors and partners with information about the effectiveness of marketing campaigns they run and to help determine the potential reach of future campaigns by providing aggregated reports of responses to campaigns.
MeDiNova does not collect, sell, rent, or otherwise distribute email addresses or any other personal information. We also do not solicit or collect any emails unless you make a request for information via this method. All discussions by email or phone are completely confidential to MeDiNova unless we obtain your consent to treat them otherwise.
We also sometimes use your information for reasons that we think you might want a bit more detail on, so to help we have added more information to these below.
In addition to sending you general healthcare information, information on our services you may have used (product communications), where we have your permission, or where we are relying on our legitimate interest, we may send you direct marketing communications about our clinical trials, private healthcare services, events and patient surveys.
Direct marketing communications may be sent by post, email, telephone, SMS and MMS, through social media (such as WhatsApp, Instagram, Twitter, and Facebook), including push text notifications to your mobile devices, and via other electronic means, such as when you visit our websites. This may also include any websites and apps of our partners who support us with advertising.
We may send you direct marketing while you have an ongoing relationship with us and for a reasonable time after you have enquired about or participated in one of our clinical trials or used one of our or services where we feel we have a legitimate interest.
You will be able to opt-out of direct marketing by following the instructions in the communications you receive or contacting us below. Alternatively, you can contact a member of clinical research team who will be able to update your marketing preferences.
Disclosures required by law
Your information will be disclosed where we are obliged by law to do so. We may also disclose your information where we are allowed by law to protect or enforce our rights or the rights of others and for the detection and prevention of crimes, such as fraud.
If you post or send offensive or inappropriate content anywhere on or to any of our websites or apps, or otherwise engage in disruptive behaviour on any of our websites or apps, we may use the information that is available to us about you to stop such behaviour. This may involve responding to or informing relevant third parties and law enforcement agencies about the content and your behaviour.
When you complete our registration forms or use our services, we may transfer your information to our processors - companies that carry out activities on our behalf, only on our instructions. We try to ensure that all information is kept within the European Economic Area (EEA) however sometimes, information has to be transferred to countries that may not have data protection rules that provide the same level of protection to your personal information as countries in the EEA. In such a case, we will only transfer your information if we have appropriate measures in place to ensure the protection of your information in accordance with applicable data protection legislation. (For example, model contract clauses or Privacy Shield in the case of the USA)
When Sponsors are based outside of the EU, they will appoint a representative within the EU in order to fulfil the duties as a processor. Consent will be obtained from each clinical trial participant and all personal data will be in accordance with the law. The parties will adhere to the principles of medical confidentiality in relation to clinical trial subjects and you are free to withdraw consent at any time. The procedure followed upon a withdrawal of a clinical trial subject’s consent will be in accordance to the instructions in the ethically approved Protocol and the Informed Consent Form and in accordance with the law.
When you give us information about other individuals, you confirm that you have authority to act for them and have made them aware of the potential transfer of their information outside the EEA.
Recording of Calls
If you contact us by phone or on chat the conversation may be recorded and listened to for training and quality purposes and to evidence verbal consents before you attend our clinic to complete a written consent confirming your permission for us to process your personal data.
Sharing with advertising partners
When you visit our websites or apps we may pass information about you and the source of your enquiry to our advertising network partners to enable them to deliver and assess advertising campaigns and plan future marketing campaigns.
How we store and keep your personal data secure
Your personal information is currently stored on a MeDiNova server located within the country you reside in. MeDiNova is a global organisation, therefore employee, vendor and customer information may be transferred to any of our operations throughout the world. Clinical data will reside in the country it was provided, and identifiable personal data will not be shared with our global operations.
Some vendor platforms are used by contractors to process your personal information. However, we generally ensure that the approved vendor processes and stores information on a secure server and that any data centres use all reside within the European Union and are subject to the General Data Protection Regulation.
Access to personal and sensitive personal information is restricted to authorised personnel and vendors on a “need to know” basis – in other words, access to such information, databases and systems containing the information is restricted. Personal information stored on secure electronic systems, is password-protected and within an access controlled, secure environment.
To enhance privacy for clinical trial participants, and consistent with Good Clinical Practice, we do not use names and other direct identifiers attached to records or samples used by Sponsors for clinical research purposes.
We will retain your information for as long as necessary for the uses set out in this Policy or while there is a legitimate business reason for doing so. If you ask us to delete your information before this time, we may not be able to do so for technical, legal, regulatory or contractual constraints.
We will hold your personal information for the purposes of marketing for up to 7 years from the last consent obtained from you. For compliance with legal obligations arising from contracts entered with parties we will hold the data for 7 years from the date of last transaction. If you enrol onto a study, we will hold your data for a period of up to 25 years for safety and verification purposes and as required under law. We will hold applicant and employee information for a period of up to 1 year since last contact, unless legal obligations require us to hold information longer.
Where you wish to be suppressed from our marketing database, we need to retain your information and cross reference it against other marketing databases to ensure we respect your wishes to not receive marketing correspondence from us.
There may be situations where we contract third party companies or individuals to facilitate some of our services and operations. These parties may act as data processors – companies who act on our behalf to collect or process your information. Access to your personal and sensitive information we share with the vendor, or customer or partner is strictly controlled, and use limited to a ‘need to know basis’ and restricted to authorised personnel of that company.
MeDiNova performs appropriate due diligence on all third-party vendors and partners acting on behalf of MeDiNova. The amount of information shared with these parties is limited to what they need to know in order to perform the function/service they provide and we contractually obligate them to not disclose the information, to use it only for the authorised purpose related to performance of the contract, keep it safe and secure and then return or destroy it upon completion of the services. Furthermore, vendors are required to sign confidentiality agreements and contractually commit to obligations regarding the processing personal data and compliance with data protection and privacy laws.
Please note that personal information, where possible, will be minimised or remain anonymised using a unique identifier within the database, including when analysing trends or running reports on demographics. Only names and addresses would be used by contracted third parties for the likes of sending appointment letters or arranging taxi transportation.
The processors we use change. For example, each study may have different processors depending on what is involved. For a full list of contracted third parties who may have access to your information, please make a request to contact below or your local MeDiNova clinic. General examples of the types of contracted third parties we use include:
· Local hospitals who may perform some procedures for us;
· Contracted call centre operatives;
· IT Contractors and business consultants;
· Email management suppliers;
· Website designers and hosts;
· Campaign monitoring analysis companies;
· Mailing houses;
· Survey companies; and
In respect of MeDiNova employees’ personal data, third parties such as payroll companies, pension companies, health companies, legal advisors, health & safety advisors, medical consultants, corporate head office, etc, may be provided with some of your personal and or sensitive personal information. Employees, please feel free to request a full list of 3rd party processors from the Human Resources department.
Please note that for patients enrolling onto a clinical trial, your personal information may also be made available to authorised sponsor company representatives and patient information may be made available to regulatory authorities for data verification and inspection purposes.
Furthermore, in the interests of good medical care, with your consent or with legitimate interest, MeDiNova may also share results from medical procedures with your General Practitioner, where appropriate to do so (e.g. any abnormal results or in the situation where you need referral for primary medical care).
No other third parties will be given access to your personal or sensitive personal information without your consent or unless we are required to disclose personal data as required by law, subpoena or other legal process with a legal right to access such information.
MeDiNova Websites and Partner Websites
Where you interact with third parties who promote our clinical trials and/or services for us, these third parties may pass us your information.
When you post comments, reviews, or engage in discussions and polls about our studies and services, we may receive this information from the platform you interacted with or from our partners who monitor how our brands are performing.
We may also obtain information about you from our partners, healthcare professionals and other companies with whom we contract that have your consent to share your information, online and/or offline. For example, we might update our database if we haven’t heard from you in while to check if you have moved home so that we can keep our records up to date.
Our websites may, from time to time, contain links to other websites which are outside of our control and are not covered by this Policy. We do not accept any responsibility or liability for other sites’ privacy policies. If you access other websites using the links provided, please check their policies before submitting any personal information.
The clinical research industry is highly regulated and involves the processing of sensitive and confidential information. There may be restrictions on what information MeDiNova can share and whilst we aim to engage publicly through our websites and social media channels, we remain fully committed to upholding the privacy of our patients, clients, vendors and employees
Access and Control
You have the right to access information we hold about you. At any point you can contact us at below to request details concerning the information we hold about you, why we have that information, who has access to it and where we got the information. In most cases you may be entitled to copies of the information we hold concerning you. One we have received your request we will respond within one calendar month. Please note that this right may be restricted by law where disclosing information may result in the personal information of other individuals being disclosed or it would be unreasonable to do so.
Correct and Updating
If the data we hold about you is out of date, incomplete or incorrect, you can inform your local MeDiNova clinic or contact below and we will ensure that it is updated. For employees please contact your local human resources department. We also regularly cleanse our marketing database using third party vendors who can advise of address changes and other circumstance changes.
Controlling direct marketing
You can change your mind about receiving direct marketing from us or change your preferences by contact your local clinic or contacting below. If you have received electronic marketing, then you will also have the ability to opt-out of any marketing or product communication you have received by unsubscribing on the link provided. following the direction on the communication.
Where we may rely on consent to process your information, you have the right to withdraw that consent for that activity at any time by notifying your local clinic or contacting us below. However, please note we may have the right to rely on an alternative legal basis for the processing activity so that we are able to provide you with the service you have requested or continuation of your involvement in a clinical trial.
You may have the right to object, erase, or restrict our processing of your information or the right to data portability. Where we process your personal information on grounds of legitimate interest, you may object to this. We will carefully consider your request as there may be circumstances which require us to, or allow us to, continue processing your data.
Complaining to your local regulator
If you have any comments, concerns or complaints about our uses of your personal data we ask that you contact us in the first instance, so that we can try and resolve any matter. However, where we are unable to help, you are able to complain to the Information Commissioner’s Office in the United Kingdom or the local data protection regulator in your country of residence, who will be able to liaise with the UK Information Commissioner in the UK. Details for the UK Information Commissioner can be found at https://ico.org.uk/
From time to time we may make changes to this Policy. This might be in relation to changes in the law, best practice, changes to the services we provide or collection and use of your personal information. We will always display clearly when the Policy was last updated and where appropriate, notify you of any major changes.
If you have general enquires about how we process your information, wish to update the personal information we hold or amend marketing preferences then please contact: .
Alternatively, if you have a subject access request or wish to lodge a complaint then please contact us:
By Mail: Group Data Protection Officer
Mount Vernon Hospital
Policy Date: 11th Oct 2018