Effective Date: 13 May 2020
CTSdatabase (CTSd): A clinical trial subject database/registry that tracks partial identifiers of individuals across sites and sponsors for the purpose of reducing the effect of duplicate or professional subjects on the outcome of clinical trials. Personally Identifiable Information (PII): Any information which, by itself or in combination, can be used to identify or locate a specific individual. Partial Identifiers: Unlike full identification, such as complete social security number (SSN) or full name, CTSd uses partial identifiers, such as last four of SSN or initials, to help protect the identity of the potential subject. Potential subject/ Individual: Refers to the individual who wishes to participate in a clinical trial.
Subject: An individual who signs informed consent and participates in a clinical trial, either as a recipient of an investigational product(s) or as a control. Duplicate subject: A subject who has been identified as participating in another clinical trial or has very recently participated in another study.
Professional Subject: A subject who goes to multiple sites, possibly falsifying or omitting information, for the purpose of collecting multiple stipends.
Principal Investigator (PI): A person responsible for the conduct of the clinical trial at an investigative site. If a trial is conducted by a team of individuals at a site, the investigator is the responsible leader of the team.
Investigative Site (Site): A clinic or office where a clinical trial is conducted.
Pharmaceutical Sponsor (Sponsor): An individual, company, institution, or organization that takes responsibility for the initiation, management, and/or financing of a clinical trial.
Third Party: An entity other than the individual or CTSd, which is not directly affiliated with the individual or CTSd . Third parties include principal investigators, pharmaceutical sponsors and sites.
Encryption: The translation of data into a secret code. Encryption is the most effective way to achieve data security.
Firewall: A system designed to prevent unauthorized access to or from a public or private network. Firewalls can be implemented in both hardware and software, or a combination of both. Firewalls are frequently used to prevent unauthorized Internet users from accessing private portions of public networks.
EU-U.S. and Swiss-U.S. Privacy Shield
CTSdatabase participates in and has certified its compliance with the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework. We are committed to subjecting all personal data received from European Union (EU) member countries and Switzerland, respectively, in reliance on each Privacy Shield Framework, to the Framework’s applicable Principles. To learn more about the Privacy Shield Frameworks, and to view our certification, visit the U.S. Department of Commerce’s Privacy Shield List.
CTSdatabase is responsible for the processing of personal data it receives, under each Privacy Shield Framework, and subsequently transfers to a third party acting as an agent on its behalf. CTSdatabase complies with the Privacy Shield Principles for all onward transfers of personal data from the EU and Switzerland, including the onward transfer liability provisions.
With respect to personal data received or transferred pursuant to the Privacy Shield Frameworks, CTSdatabase is subject to the regulatory enforcement powers of the U.S. Federal Trade Commission.
If you have an unresolved privacy or data use concern that we have not addressed satisfactorily, please contact our U.S.-based third party dispute resolution provider (free of charge) at Under certain conditions, more fully described on the Privacy Shield website you may be entitled to invoke binding arbitration when other dispute resolution procedures have been exhausted.
I. What Information is Collected
The information collected is clearly discussed in the Authorization. CTSdusespartial identifiers to maintain the as much anonymity as possible. While last four of SSN, for example, are not as specific as the complete SSN, potential subjects can be comfortable that their full identifiers are never collected and therefore cannot be recovered or hacked. This lack of specificity, however, may create a rare event where an individual may be identified as duplicating another individual with similar partial identifiers. Investigative site users also provide e-mail addresses and business contact information. Any site user information collected on the website is not shared with third parties and is maintained in a secure, encrypted fashion.
II. How an Individual Agrees to Participate
An individual who wishes to participate in a clinical trial at a site utilizing CTSdatabase by carefully reviewing the Authorization and signing and dating it if (s)he still wishes to participate in the study. The potential subject has the option to not share their partial identifiers and not participate in a study. If they do not agree to the Authorization, PII will not be entered or stored in the database. Consent to participate in a study may be withdrawn (i.e. “Opt-out”) at any time. Upon receipt of the subject’s wish to withdraw their consent, the subject’s partial identifiers will be removed and no longer stored. However, previous matches that occurred with the subject’s previously authorized information can not be undone.
III. Third Party Involvement, Potential Disclosure of PII
If there is a government or judicial audit, subpoena or warrant, data may be disclosed by CTSdatabase. If CTSdatabase merges with or is acquired by a Third Party, it is possible that PII may be disclosed, in which case you will be notified of any changes in ownership or uses of your PII, as well as any choices you may have regarding your PII. However, since full identifiers are never entered into the system, there is no foreseeable way for fully identifying information to be disclosed. Investigative sites will enter the partial identifiers you authorize into CTSd. Once entered, PIs, sites and pharmaceutical companies will have access only to subject number and the subject authorized partial identifiers that do not contain PII. Unencrypted information will never be released to any outside parties.
IV. Individual access to information
As the partial identifiers are encrypted, an individual (or a sponsor or an investigator or site) cannot have direct access to their information. If they are notified by an investigator that they duplicate another subject at another site, and they believe this is in error, they may contact the investigator or site personnel and request a review of the data entered by the CTSdatabase Director of IT. The IT Director can then work with the site to assure that an entry error has not been made. In the unusual event where a data entry error has led to a false positive duplicate subject, CTSdatabase will eliminate the error from the database in a timely fashion (usually 48 hours). If an individual still feels that there is a problem with their identifying information, CTSdatabase can be contacted via their
website, , under Help.
V. Security measures to Protect PII
The database itself is housed on the RackSpace Cloud Platform. The Cloud platform provides 99.999% guaranteed uptime as well as industry standard backup and recovery procedures. Access to the database is provided using a HTTPS encrypted protocol. A 2048 bit SSL encryption certificate is maintained with VeriSign to make sure that all data sent between the client’s web browser and the database on the Cloud is encrypted. Only the Database Administrator (DBA) has direct access to the backend database. System passwords are changed every 180 days and accessible only by the DBA and the President. Passwords must have a minimum length of 8 characters with at least one number or symbol and none of the previous 3 passwords may be used. In case of Data Breach, affected Sponsors and Site Users will be notified within one week. Site users will be instructed to notify affected study subjects, if applicable.
VI. GDPR Compliance
CTSdatabase is a joint Data Controller (along with Site Users who enter the data) and also acts as a Data Processor of the data. You may contact us for general data protection queries by e-mail to , or in writing to the Data Protection Officer, Adnan Shawkat: 4835 Van Nuys Blvd., Ste. 104, Sherman Oaks, CA 91403. Please advise us of as much detail as possible to
comply with your request. For further information about CTSdatabase please visit . You, as a research subject, whose data has been entered by research site staff, have rights as listed here:
1. The right to be informed; This means anyone processing your personal data must make clear what they are processing, why, and who else the data may be passed to.
2. The right of access; this is your right to see what data is held about you by a Data Controller or Processor. A study subject should contact the investigator at the site where the information was first authorized/entered and instruct them to contact us in order to see the data that is held.
3.The right to rectification; the right to have your data corrected or amended if what is held is incorrect in some way.
4.The right to erasure; under certain circumstances you can ask for your personal data to be deleted. This is also called ‘the Right to be Forgotten’. This would apply if the personal data is no longer required for the purposes it was collected for, or your consent for the processing of that data has been withdrawn, or the personal data has been unlawfully processed.
5.The right to restrict processing; this gives the Data Subject the right to ask for a temporary halt to processing of personal data, such as in the case where a dispute or legal case has to be concluded, or the data is being corrected.
6.The right to data portability; a Data Subject has the right to ask for any data supplied directly to the Data Controller by him or her, to be provided in a structured, commonly used, and machine-readable format.
7.The right to object; the Data Subject has the right to object to further processing of their data which is inconsistent with the primary purpose for which it was collected, including profiling, automation, and direct marketing.
8.Rights in relation to automated decision making and profiling; Data Subjects have the right not to be subject to a decision based solely on automated processing. Data Retention: This encoded information will remain in the database for 50 years an indefinite period of time, even after your potential participation in this research study is completed.
How We Use Your Information: An authorized site user will enter the subject authorized partial identifiers to potentially determine previous (or current) study participation. This information is only used to protect the safety of study participants and the integrity of study data and to make sure appropriate study participants are included in clinical research. The information may exclude youfrom participating in a study, but this data is never used or sold for purposes outside of clinical trials.
I. What Information is Collected
On our website, we collect contact information such as name and email address. We use this information to respond to requests for a demo of our service, answer miscellaneous inquiries about our service and provide customer support.
II. Information Sharing
We may also disclose your personally identifiable information:
In certain situations, CTSdatabase may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements. • as required by law, such as to comply with a subpoena, or similar legal process
• when we believe in good faith that disclosure is necessary to protect our rights, protect your safety or the safety of others, investigate fraud, or respond to a government request
• to any other third party with your prior consent to do so
• if CTSdatabase is involved in a merger, acquisition, or sale of all or a portion of its assets; you will be notified via email and/or a prominent notice on our Web site of any change in ownership or uses of your personally identifiable information, as well as any choices you may have regarding your personally identifiable information to companies that provide services to help is with our business activities. These companies are authorized to use your personally identifiable information only as necessary to provide these services to us.
III. User Access and Choice
Upon request from your research investigator, CTSdatabase will provide you with information about whether we hold, or process on behalf of a third party, any of your personal information. If your personally identifiable information changes, or if you want it to be deleted from our system, you or your research investigator may contact us Here or by telephone or postal mail using the contact information listed below. We will respond to your inquiry within 30 days. We will retain your information for as long as your account is active or as needed to provide you services. We will retain and use your information as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements.
IV. Security measures to Protect PII
The security of your personally identifiable information is important to us. We follow generally accepted standards to protect the personally identifiable information submitted to us, both during transmission and once we receive it. No method of transmission over the Internet, or method of electronic storage, is 100% secure, however. Therefore, we cannot guarantee its absolute security.
V. Links to 3rd Party Sites
latest information on our privacy practices.
How to contact us:
4835 Van Nuys Blvd, Suite 104
Sherman Oaks, CA 91403
Ph: 855 CTS-CTSd (855 287-2873)