CLN-POL-0000049 Global Data Protection Policy
Effective Date: 14-Feb-2023
Version Number: 01
Role | Name | Title | Signature | Date |
Author | Hannah Jones | Legal Counsel | | 31-Jan-2023 3:44 PM GMT |
Reviewer | Mark Ashton-Blanksby | Director of Audit & ESG Programme Management | | 31-Jan-2023 3:45 PM GMT |
Quality Approver | Najma Ali | Responsible Person and Quality Manager | | 31-Jan-2023 3:47 PM GMT |
If this Policy is a printed copy it shall be considered an uncontrolled copy
TABLE OF CONTENTS
1. Executive Summary
2. Purpose
3. Scope
4. Abbreviations and Definitions
5. Data Protection Principles
6. Policy Compliance and Maintenance
7. Contact
8. ANNEX A
9. Document History
1. Executive Summary
Clinigen Limited and any company, partnership or other person which directly or indirectly is controlled by Clinigen Limited ('Clinigen') processes personal data relating to patients, healthcare practitioners (including physicians and pharmacists), customers, clients, contractors, reporters of adverse events, employees/former employees/recruitment applicants/consultants ('Employees') and suppliers (referred to as 'Data Subject(s)').
Clinigen is committed to protecting the privacy of data subjects' Personal Data. Clinigen has, therefore, implemented a global data protection compliance program to ensure high standards for Clinigen's Data Processing of Personal Data. This Policy sets out the basis of this program and how Employees should manage Clinigen's data subjects' Personal Data.
2. Purpose
This Policy outlines our approach to data protection and the rights of data subjects in relation to their Personal Data. The Policy sets out the commitment made by Clinigen to:
- manage Personal Data;
- comply, and evidence on-going compliance, with applicable data protection laws, in the countries in which Clinigen operates;
- ensure that Personal Data is processed in accordance with data subjects' rights.
3. Scope
This Policy applies to all Clinigen Personal Data, regardless of whether it is in paper or electronic format. All Clinigen Employees are required to adhere to this Policy.
Clinigen shall comply with applicable Personal Data protection laws and requirements in the territories within which it operates. This Policy applies to Clinigen globally. Certain additional requirements apply for territories Clinigen operates within where there are additional or differing data protection laws; please see the Territory Requirements for more information.
4. Abbreviations and Definitions
Key terms used within this Policy are defined in the table below:
Terms | Definition |
Data Breach | An actual or suspected breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes. |
Data Controller | The person or organisation that determines when, why and how personal data is Data Processed. The Data Controller is responsible for establishing practices and policies in accordance with data protection law. |
Data Processor | Any natural or legal person, public authority, agency or other body which Data Processes on behalf of a Data Controller. |
Data Processing, Data Processed or Data Process | Any activity that involves the use of personal data. It includes obtaining, recording or holding the personal data, or carrying out any operation or set of operations on such data including organising, amending, retrieving, using, disclosing, erasing or destroying it. Data Processing also includes transmitting or transferring Personal Data to third parties. In brief, it is anything that can be done to personal data from its creation to its destruction, including both creation and destruction. |
DPIA | Data Protection Impact Assessment. |
Data subject(s) | Has the meaning given in paragraph 1 of this Policy. |
Employee(s) | Has the meaning given in paragraph 1 of this Policy. |
Personal Data | Any information relating to an identified or identifiable natural person. |
ROPA | Record of Processing Activities |
5. Data Protection Principles
5.1 Principles
Clinigen uses the following high-level principles to establish its practices for processing Personal Data:
- Fairness: Clinigen shall process Personal Data in a fair, lawful, legitimate, and transparent manner.
- Purpose Limitation: Clinigen shall only create or collect Personal Data for a specific, explicit, and legitimate purpose(s). Any subsequent processing shall be compatible with such purpose(s), unless Clinigen has obtained the individual's consent, or the processing is otherwise permitted by law.
- Proportionality: Clinigen shall only process Personal Data that is adequate, relevant, and not excessive for the purpose(s) for which it is processed.
- Data Integrity: Clinigen shall keep Personal Data accurate, complete, and up to date as is reasonably necessary for the purpose(s) for which it is processed.
- Data Retention: Clinigen shall keep Personal Data in a form that is personally identifiable for no longer than necessary to accomplish the purpose(s), or other permitted purpose(s), for which the Personal Data was obtained.
- Data Security: Clinigen shall implement appropriate and reasonable physical, technical, and organisational measures to safeguard Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure, use, or access.
- Individual Rights: Clinigen shall process Personal Data in a manner that respects data subjects' rights under applicable Personal Data protection laws.
- Accountability: Clinigen shall implement appropriate governance, policies, processes, controls, and other measures necessary to enable it to demonstrate that its processing of Personal Data is in accordance with this Policy and applicable Personal Data protection laws.
5.2 Clinigen's Responsibilities
5.2.1 Related Policies, Procedures and Notices
In its role as Data Controller and/or Data Processor, Clinigen has established related policies and procedures in order to comply with data protection laws and regulations, which include:
- Territory Requirements;
- Employee Privacy Notice;
- Clinigen Corporate Website Privacy Policy;
- Website Cookies Policy;
- Privacy Statement for Pharmacovigilance Data;
- Information Security Policy;
- Global Data Protection Governance Framework; and
- Global Data Breach Management Procedure.
5.2.2 Training
All Employees are required to read this Policy and the related policies, procedures and notices listed in paragraph 5.2.1 above. Certain Employees are required to complete competency training to enable them to comply with data protection requirements. Training completion rates will be monitored centrally.
5.2.3 Third Party Data Processors
When Clinigen is a Data Controller, Clinigen retains responsibility and oversight of all Data Processing activities, even when Data Processing is carried out by a third party, on behalf of Clinigen. Where applicable, Data Processing activities conducted by a third party Data Processor are recorded in Clinigen's ROPAs.
5.2.4 Record Keeping
Clinigen maintains ROPAs, using a data protection compliance platform called "ROBUS". The ROPAs are reviewed at least annually and will be reviewed more frequently in the event of any significant organisational or Data Processing activity changes to Clinigen, to ensure that the ROPAs accurately reflect Data Processing activities.
If a ROPA deems a Data Processing activity to be high risk, Clinigen shall complete a risk assessment called a DPIA (these are also known as 'Personal Information Impact Assessments' or 'Privacy Impact Assessments' in some jurisdictions). A DPIA describes the purpose of the Data Processing, and includes an assessment of:
- the necessity and proportionality of the Data Processing;
- the potential risk to data subjects, as a result of the Data Processing; and
- any risk-mitigation to reduce the risks identified for data subjects.
Employees should complete a risk assessment as a pre-requisite to any new process or project that involves Data Processing and/or any significant change to an existing process or project involving Data Processing. DPIAs are completed using ROBUS and are approved by a member of the Data Protection Compliance Board. Please see the Global Data Protection Governance Framework and/or any applicable Territory Requirements for further information.
5.3 Sensitive Personal Data and Children's Data
Clinigen recognises that some personal data requires additional protection, because it is particularly sensitive in nature. Any processing of sensitive personal data should be documented in a ROPA(s) and a risk assessment completed in ROBUS by the relevant Employee that owns the process utilising the sensitive personal data.
5.3.1 Sensitive personal data
Personal Data regulations and laws often refer to 'special category' or 'sensitive' personal data, a form of personal data that is sensitive in nature. Examples of sensitive personal data are:
- Racial or ethnic origin;
- Political opinions;
- Religious or philosophical beliefs;
- Trade union membership;
- Genetic data or biometric data (for the purposes of identification);
- Health information; and
- Information regarding an individual's sex life or sexual orientation.
Disclaimer
Clinigen Group plc published this content on 10 March 2023 and is solely responsible for the information contained therein. Distributed by Public, unedited and unaltered, on 10 March 2023 14:34:04 UTC.