Effective Date: 27 DECEMBER 2020
CTSdatabase (CTSd): A clinical trial subject database/registry that tracks partial identifiers of individuals across sites and sponsors for the purpose of reducing the effect of duplicate or professional subjects on the outcome of clinical trials.
Personally Identifiable Information (PII): Any information which, by itself or in combination, can be used to identify or locate a specific individual.
Partial Identifiers: Unlike full identification, such as complete social security number (SSN) or full name, CTSd uses partial identifiers, such as last four of SSN or initials, to help protect the identity of the potential subject.
Potential subject/Individual: Refers to the individual who wishes to participate in a clinical trial.
Subject: An individual who signs informed consent and participates in a clinical trial, either as a recipient of an investigational product(s) or as a control.
Duplicate subject: A subject who has been identified as participating in another clinical trial or has very recently participated in another study.
Professional Subject: A subject who goes to multiple sites, possibly falsifying or omitting information, for the purpose of collecting multiple stipends.
Clinical Trial Subject Database Authorization (Authorization): The Clinical Trial Subject Database Authorization is an Institutional Review Board (IRB) approved consent form which provides information to the potential subject about the purpose of CTSd and what information will be collected from them. No information can be entered into CTSd without this signed authorization from a
Principal Investigator (PI): A person responsible for the conduct of the clinical trial at an investigative site. If a trial is conducted by a team of individuals at a site, the investigator is the responsible leader of the team.
Investigative Site (Site): A clinic or office where a clinical trial is conducted.
Pharmaceutical Sponsor (Sponsor): An individual, company, institution, or organization that takes responsibility for the initiation, management, and/or financing of a clinical trial.
Third Party: An entity other than the individual or CTSd, which is not directly affiliated with the individual or CTSd. Third parties include principal investigators, pharmaceutical sponsors and sites.
Encryption: The translation of data into a secret code. Encryption is the most effective way to achieve data security.
Firewall: A system designed to prevent unauthorized access to or from a public or private network. Firewalls can be implemented in both hardware and software, or a combination of both. Firewalls are frequently used to prevent unauthorized Internet users from accessing private portions of public networks.
CTSdatabase and Investigative Sites are Independent Data Controllers. You may contact CTSdatabase for general data protection queries by e-mailing firstname.lastname@example.org, or in writing to the Data Protection Officer, Adnan Shawkat: 4835 Van Nuys Blvd., Ste. 104, Sherman Oaks, CA 91403. Please provide as much detail as possible so that we can comply with your request. For further information about CTSdatabase please visit www.ctsdatabase.com.
The Federal Trade Commission has jurisdiction over CTSdatabase’s compliance with the Privacy Shield.
An individual has the possibility, under certain conditions, to invoke binding arbitration for complaints regarding Privacy Shield compliance not resolved by any of the other Privacy Shield mechanisms. For additional information, please visit https://www.privacyshield.gov/article?id=ANNEX-I-introduction
If you have an unresolved privacy or data use concern that we have not addressed satisfactorily, please contact our U.S.-based third party dispute resolution provider (free of charge) at https://feedback-form.truste.com/watchdog/request.
Our EU Representative is Thomas McNamara with ApexPrivacy based in Dublin, Ireland. You may contact our EU Representative for any EU data privacy and protection queries by e-mail at email@example.com.
I. What Information is Collected
The information collected is clearly discussed in the Authorization. CTSd uses partial identifiers to maintain as much anonymity as possible.
These identifiers include your:
● Date of birth
● Height and weight
● The last four digits of your passport number or national ID.
While the last four digits of SSN, for example, are not as specific as the complete SSN, potential subjects can be comfortable that their full identifiers are never collected and therefore cannot be recovered or hacked.
This lack of specificity, however, may create a rare event where an individual may be identified as duplicating another individual with similar partial identifiers.
The e-mail address and business contact information of the Investigative site users can be found in the Authorization and in the informed consent statement of the study.
Any site user information collected on the website is not shared with third parties and is maintained in a secure, encrypted fashion.
I. Special Categories of Information
Under the GDPR, special category data is personal data concerning health, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union memberships, genetic data, biometric data, and data concerning someone’s sex life or orientation.
We collect information about your medical indication or diagnosis, based on the area of research in the study that you are entering. This information allows us to assess your suitability to enter into a study.
We process this data with your explicit consent, as captured in the Authorization.
II. What is this information used for
An authorized site user will enter the subject authorized partial identifiers to potentially determine previous (or current) study participation. This information is used to protect the safety of study participants and the integrity of study data and to make sure appropriate study participants are included in clinical research. The information may exclude you from participating in a study, but this data is never used or sold for purposes outside of clinical trials.
III. Lawful Basis
We process your PII using different lawful bases.
Consent: where you provide us with explicit permission to process your data through completing the Authorization.
Legitimate interest: where it’s in our legitimate interest to do so, we may use your PII, for example, to assist study investigators and pharmaceutical companies by increasing patient safety and promoting data integrity in their clinical trials.
IV. How an Individual Agrees to Participate
An individual who wishes to participate in a clinical trial at a site utilizing CTSdatabase agrees by carefully reviewing the Authorization and signing and dating it if (s)he still wishes to participate in the study. The potential subject has the option to not share their partial identifiers and not participate in a study. If they do not agree to the Authorization, PII will not be entered or stored in the database. Consent to participate in a study may be withdrawn (i.e. “Opt-out”) at any time. Upon receipt of the subject’s wish to withdraw their consent, the subject’s partial identifiers will be removed and no longer stored. However, previous matches that occurred with the subject’s previously authorized information cannot be undone.
V. Third Party Involvement, Potential Disclosure of PII
If there is a government or judicial audit, subpoena or warrant, data may be disclosed by CTSdatabase.
CTSdatabase may be required to disclose your PII in the good faith belief that such action is necessary to:
● Comply with a legal obligation
● Protect and defend the rights of CTSdatabase
● Prevent or investigate possible wrongdoing in connection with the Authorization
● Protect the personal safety of individuals or the public
● Protect against legal liability
If CTSdatabase merges with or is acquired by a Third Party, it is possible that PII may be disclosed, in which case you will be notified of any changes in ownership or uses of your PII, as well as any choices you may have regarding your PII. However, since full identifiers are never entered into the system, there is no foreseeable way for fully identifying information to be disclosed.
Investigative sites will enter the partial identifiers you authorize into CTSd. Once entered, PIs, sites and pharmaceutical companies will have access only to subject number and the subject authorized partial identifiers that do not contain PII. Unencrypted information will never be released to any outside parties.
In the context of an onward transfer, CTSdatabase has responsibility for the processing of personal information it receives under the Privacy Shield and subsequently transfers to a third party acting as an agent on its behalf. CTSdatabase shall remain liable under the Principles if its agent processes such personal information in a manner inconsistent with the Principles, unless CTSdatabase proves that it is not responsible for the event giving rise to the damage.
VI. International Transfer of Data
VII. Individual access to information
As the partial identifiers are encrypted, an individual (or a sponsor or an investigator or site) cannot have direct access to their information. If they are notified by an investigator that they duplicate another subject at another site, and they believe this is in error, they may contact the investigator or site personnel and request a review of the data entered by the CTSdatabase Director of IT. The IT Director can then work with the site to assure that an entry error has not been made. In the unusual event where a data entry error has led to a false positive duplicate subject, CTSdatabase will eliminate the error from the database in a timely fashion (usually 48 hours). If an individual still feels that there is a problem with their identifying information, CTSdatabase can be contacted via their website, www.ctsdatabase.com, under Help.
VIII. Security measures to Protect PII
The database itself is housed on the RackSpace Cloud Platform. The Cloud platform provides 99.999% guaranteed uptime as well as industry standard backup and recovery procedures. Access to the database is provided using an HTTPS encrypted protocol. A 2048-bit SSL encryption certificate is maintained with VeriSign to make sure that all data sent between the client’s web browser and the database on the Cloud is encrypted. Only the Database Administrator (DBA) has direct access to the backend database. System passwords are changed every 180 days and are accessible only by the DBA and the President. Passwords must have a minimum length of 8 characters with at least one number or symbol, and none of the previous 3 passwords may be used. In case of Data Breach, affected Sponsors and Site Users will be notified within one week. Site users will be instructed to notify affected study subjects, if applicable.
IX. How long we retain your data
We retain Partial Identifiers in our database for 50 years. This is necessary to ensure that the investigators have a complete understanding of a subject’s previous study participation to protect the safety of subjects and the integrity of the study data.
X. GDPR Compliance
You, as a research subject located in the EU, whose data has been entered by research site staff, have rights as listed here:
1. The right to be informed; this means anyone processing your personal data must make clear what they are processing, why, and who else the data may be passed to.
2. The right of access; this is your right to see what data is held about you by a Data Controller or Processor. A study subject can contact the investigator at the site where the information was first authorized/entered and instruct them to contact us in order to see the data that is held. A study subject may also contact CTSdatabase directly to request a copy of the information that we hold about them.
3. The right to rectification; the right to have your data corrected or amended if what is held is incorrect in some way.
4. The right to erasure; under certain circumstances you can ask for your personal data to be deleted. This is also called ‘the Right to be Forgotten’. This would apply if the personal data is no longer required for the purposes it was collected for, or your consent for the processing of that data has been withdrawn, or the personal data has been unlawfully processed.
5. The right to restrict processing; this gives the Data Subject the right to ask for a temporary halt to processing of personal data, such as in the case where a dispute or legal case has to be concluded, or the data is being corrected.
6. The right to data portability; a Data Subject has the right to ask for any data supplied directly to the Data Controller by him or her, to be provided in a structured, commonly used, and machine-readable format.
7. The right to object; the Data Subject has the right to object to further processing of their data which is inconsistent with the primary purpose for which it was collected, including profiling, automation, and direct marketing.
8. Rights in relation to automated decision making and profiling; Data Subjects have the right not to be subject to a decision based solely on automated processing.
Data Retention: This encoded information will remain in the database for 50 years an indefinite period of time, even after your potential participation in this research study is completed.
If you would like to exercise any of these rights, or would like further information, you may contact our EU Representative, Thomas McNamara, by e-mail at firstname.lastname@example.org.
I. What Information is Collected
On our website, we collect contact information such as name and email address. We also collect the contents of any inquiries or contact that you have with us.
We use this information to:
● respond to requests for a demo of our service,
● answer miscellaneous inquiries about our service, and
● provide customer support.
II. Information Sharing
In certain situations, CTSdatabase may be required to disclose personal data:
● in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
● as required by law, such as to comply with a subpoena, or similar legal process
● when we believe in good faith that disclosure is necessary to protect our rights, protect your safety or the safety of others, investigate fraud, or respond to a government request
● to any other third party with your prior consent to do so
If CTSdatabase is involved in a merger, acquisition, or sale of all or a portion of its assets, you will be notified via email and/or a prominent notice on our Web site of any change in ownership or uses of your personally identifiable information, as well as any choices you may have regarding your personally identifiable information to companies that provide services to help us with our business activities. These companies are authorized to use your personally identifiable information only as necessary to provide these services to us.
III. International Transfers of Data
IV. User Access and Choice
Upon request from your research investigator, CTSdatabase will provide you with information about whether we hold, or process on behalf of a third party, any of your personal information. If your personally identifiable information changes, or if you want it to be deleted from our system, you or your research investigator may contact us here or by telephone or postal mail using the contact information listed below. We will respond to your inquiry within 30 days.
V. How Long Do We Keep Your Data
We will retain your information for as long as your account is active or as needed to provide you services. We will retain and use your information as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements.
VI. Lawful Basis for Processing
We process your data based on various lawful bases:
Consent: where you provide us with explicit permission to process your data, such as when you sign up to a mailing list.
Legitimate interest: where it’s in our legitimate interest to do so, we may use your PII, for example, for the defense of a legal claim against us.
VII. Security measures to Protect PII
The security of your personally identifiable information is important to us. We follow generally accepted standards to protect the personally identifiable information submitted to us, both during transmission and once we receive it. No method of transmission over the Internet, or method of electronic storage, is 100% secure, however. Therefore, we cannot guarantee its absolute security.
VIII. Links to 3rd Party Sites
IX. GDPR Compliance
Under European data protection laws, you may have the right to access the PII about you that CTSdatabase processes. You may request information from us about:
● The personal data we hold about you
● The purposes and processing of your personal data
● Details regarding whom your personal data has/will be disclosed to or the criteria for the disclosure
● How long we will retain your personal data
● In cases where your data was not collected directly from you, information regarding the source of the data.
You may also request that we:
● Delete your personal data
● Update any inaccurate or incomplete data about you
● Make your personal data portable.
You also have the right to object to our processing of your data.
You may request any actions under the listed rights by contacting our EU representative at email@example.com.
To ensure that your data is not accessed by unauthorized entities, if you request to exercise your rights, we will require you to verify your identity before we can respond to your request.
If you have any concerns about how your data has been processed, you have the right to complain to a supervisory authority. Please click here (https://edpb.europa.eu/about-edpb/board/members_en) to find your local supervisory authority. If possible, please contact our team prior to lodging a complaint to see if we can solve your problem in-house.
The CTSdatabase website (www.ctsdatabase.com) does not use any cookies.
How to contact us:
4835 Van Nuys Blvd, Suite 104
Sherman Oaks, CA 91403
Ph: 855 CTS-CTSd (855 287-2873)