Privacy

Effective Date: 13 August 2020

Glossary/Definitions

CTSdatabase (CTSd): A clinical trial subject database/registry that tracks partial identifiers of individuals across sites and sponsors for the purpose of reducing the effect of duplicate or professional subjects on the outcome of clinical trials.

Personally Identifiable Information (PII): Any information which, by itself or in combination, can be used to identify or locate a specific individual.

Partial Identifiers: Unlike full identification, such as complete social security number (SSN) or full name, CTSd uses partial identifiers, such as last four of SSN or initials, to help protect the identity of the potential subject.

Potential subject/Individual: Refers to the individual who wishes to participate in a clinical trial.

Subject: An individual who signs informed consent and participates in a clinical trial, either as a recipient of an investigational product(s) or as a control.

Duplicate subject: A subject who has been identified as participating in another clinical trial or has very recently participated in another study.

Professional Subject:  A subject who goes to multiple sites, possibly falsifying or omitting information, for the purpose of collecting multiple stipends.

Clinical Trial Subject Database Authorization (Authorization): The Clinical Trial Subject Database Authorization is an Institutional Review Board (IRB) approved consent form which provides information to the potential subject about the purpose of CTSd and what information will be collected from them. No information can be entered into CTSd without this signed authorization from a potential subject.

 Principal Investigator (PI): A person responsible for the conduct of the clinical trial at an investigative site. If a trial is conducted by a team of individuals at a site, the investigator is the responsible leader of the team.

 Investigative Site (Site): A clinic or office where a clinical trial is conducted.

 Pharmaceutical Sponsor (Sponsor): An individual, company, institution, or organization that takes responsibility for the initiation, management, and/or financing of a clinical trial.

Third Party: An entity other than the individual or CTSd, which is not directly affiliated with the individual or CTSd. Third parties include principal investigators, pharmaceutical sponsors and sites.

Encryption: The translation of data into a secret code. Encryption is the most effective way to achieve data security.

 Firewall: A system designed to prevent unauthorized access to or from a public or private network. Firewalls can be implemented in both hardware and software, or a combination of both. Firewalls are frequently used to prevent unauthorized Internet users from accessing private portions of public networks.

Your privacy is our utmost concern. This privacy policy applies to the data collection practices of CTSdatabase LLC (“CTSdatabase”, “CTSd”, “Us”, “We”) via the Authorization process and on our website, www.ctsdatabase.com.  This privacy policy describes how CTSd collects and uses the personally identifiable information and partial identifiers provided to us during the Authorization process and the choices available to users of our website regarding the use of personally identifiable information and how it can be accessed and updated.

 CTSdatabase and Investigative Sites are Independent Data Controllers. You may contact CTSdatabase for general data protection queries by e-mailing support@ctsdatabase.com, or in writing to the Data Protection Officer, Adnan Shawkat: 4835 Van Nuys Blvd., Ste. 104, Sherman Oaks, CA 91403. Please advise us of as much detail as possible to comply with your request. For further information about CTSdatabase please visit www.ctsdatabase.com.

Our EU Representative is Thomas McNamara with ApexPrivacy based in Dublin, Ireland. You may contact our EU Representative for any EU data privacy and protection queries by e-mail at tom@apexprivacy.com.

If you have an unresolved privacy or data use concern that we have not addressed satisfactorily, please contact our U.S.-based third party dispute resolution provider (free of charge) at https://feedback-form.truste.com/watchdog/request.

1. Authorization
I. What Information is Collected
The information collected is clearly discussed in the Authorization. CTSd uses partial identifiers to maintain as much anonymity as possible.

 These identifiers include your:

     Initials

     Gender

     Date of birth

     Height and weight

     The last four digits of your passport number or national ID.

 While the last four digits of SSN, for example, are not as specific as the complete SSN, potential subjects can be comfortable that their full identifiers are never collected and therefore cannot be recovered or hacked.

This lack of specificity, however, may create a rare event where an individual may be identified as duplicating another individual with similar partial identifiers.

The e-mail address and business contact information of the Investigative site users can be found in the Authorization and in the informed consent statement of the study.

Any site user information collected on the website is not shared with third parties and is maintained in a secure, encrypted fashion.

I. Special Categories of Information

Under the GDPR, special category data is personal data concerning health, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union memberships, genetic data, biometric data, and data concerning someone’s sex life or orientation.

We collect information about your medical indication or diagnosis, based on the area of research in the study that you are entering. This information allows us to assess your suitability to enter into a study.

We process this data with your explicit consent, as captured in the Authorization.

II. What is this information used for

An authorized site user will enter the subject authorized partial identifiers to potentially determine previous (or current) study participation. This information is used to protect the safety of study participants and the integrity of study data and to make sure appropriate study participants are included in clinical research. The information may exclude you from participating in a study, but this data is never used or sold for purposes outside of clinical trials.

III. Lawful Basis

We process your PII using different lawful bases.

Consent: where you provide us with explicit permission to process your data through completing the Authorization.

Legitimate interest: where it’s in our legitimate interest to do so, we may use your PII, for example, to assist study investigators and pharmaceutical companies by increasing patient safety and promoting data integrity in their clinical trials.

IV. How an Individual Agrees to Participate
An individual who wishes to participate in a clinical trial at a site utilizing CTSdatabase agrees by carefully reviewing the Authorization and signing and dating it if (s)he still wishes to participate in the study. The potential subject has the option to not share their partial identifiers and not participate in a study. If they do not agree to the Authorization, PII will not be entered or stored in the database. Consent to participate in a study may be withdrawn (i.e. “Opt-out”) at any time. Upon receipt of the subject’s wish to withdraw their consent, the subject’s partial identifiers will be removed and no longer stored. However, previous matches that occurred with the subject’s previously authorized information cannot be undone.

V. Third Party Involvement, Potential Disclosure of PII
If there is a government or judicial audit, subpoena or warrant, data may be disclosed by CTSdatabase.

CTSdatabase may be required to disclose your PII in the good faith belief that such action is necessary to:

     Comply with a legal obligation

     Protect and defend the rights of CTSdatabase

     Prevent or investigate possible wrongdoing in connection with the Authorization

     Protect the personal safety of individuals or the public

     Protect against legal liability

 If CTSdatabase merges with or is acquired by a Third Party, it is possible that PII may be disclosed, in which case you will be notified of any changes in ownership or uses of your PII, as well as any choices you may have regarding your PII. However, since full identifiers are never entered into the system, there is no foreseeable way for fully identifying information to be disclosed.

Investigative sites will enter the partial identifiers you authorize into CTSd. Once entered, PIs, sites and pharmaceutical companies will have access only to subject number and the subject authorized partial identifiers that do not contain PII. Unencrypted information will never be released to any outside parties.

VI. International Transfer of Data

If you are an EU resident, your information will be stored, accessed, and processed by employees in the US. Your acceptance of this Privacy Policy by submission of such information represents your agreement to that transfer.

We transfer data to the US under Standard Contractual Clauses, and take all steps reasonably necessary to ensure that your data is treated securely and in accordance with this Privacy Policy. We ensure that there is no transfer of your data to an organization or country unless there are adequate controls in place, including the security of your data.

VII. Individual access to information
As the partial identifiers are encrypted, an individual (or a sponsor or an investigator or site) cannot have direct access to their information. If they are notified by an investigator that they duplicate another subject at another site, and they believe this is in error, they may contact the investigator or site personnel and request a review of the data entered by the CTSdatabase Director of IT. The IT Director can then work with the site to assure that an entry error has not been made. In the unusual event where a data entry error has led to a false positive duplicate subject, CTSdatabase will eliminate the error from the database in a timely fashion (usually 48 hours). If an individual still feels that there is a problem with their identifying information, CTSdatabase can be contacted via their website, www.ctsdatabase.com, under Help.

VIII. Security measures to Protect PII
The database itself is housed on the RackSpace Cloud Platform. The Cloud platform provides 99.999% guaranteed uptime as well as industry standard backup and recovery procedures. Access to the database is provided using an HTTPS encrypted protocol. A 2048 bit SSL encryption certificate is maintained with VeriSign to make sure that all data sent between the client’s web browser and the database on the Cloud is encrypted. Only the Database Administrator (DBA) has direct access to the backend database. System passwords are changed every 180 days and accessible only by the DBA and the President. Passwords must have a minimum length of 8 characters with at least one number or symbol and none of the previous 3 passwords may be used. In case of Data Breach, affected Sponsors and Site Users will be notified within one week. Site users will be instructed to notify affected study subjects, if applicable.

IX. How long we retain your data

We retain Partial Identifiers in our database for 50 years. This is necessary to ensure that the investigators have a complete understanding of a subject’s previous study participation to protect the safety of subjects and the integrity of the study data.

X. GDPR Compliance
You, as a research subject located in the EU, whose data has been entered by research site staff, have rights as listed here:

1. The right to be informed; this means anyone processing your personal data must make clear what they are processing, why, and who else the data may be passed to.
2. The right of access; this is your right to see what data is held about you by a Data Controller or Processor. A study subject can contact the investigator at the site where the information was first authorized/entered and instruct them to contact us in order to see the data that is held. A study subject may also contact CTSdatabase directly to request a copy of the information that we hold about you.
3. The right to rectification; the right to have your data corrected or amended if what is held is incorrect in some way.
4. The right to erasure; under certain circumstances you can ask for your personal data to be deleted. This is also called ‘the Right to be Forgotten’. This would apply if the personal data is no longer required for the purposes it was collected for, or your consent for the processing of that data has been withdrawn, or the personal data has been unlawfully processed.
5. The right to restrict processing; this gives the Data Subject the right to ask for a temporary halt to processing of personal data, such as in the case where a dispute or legal case has to be concluded, or the data is being corrected.
6. The right to data portability; a Data Subject has the right to ask for any data supplied directly to the Data Controller by him or her, to be provided in a structured, commonly used, and machine-readable format.
7. The right to object; the Data Subject has the right to object to further processing of their data which is inconsistent with the primary purpose for which it was collected, including profiling, automation, and direct marketing.
8. Rights in relation to automated decision making and profiling; Data Subjects have the right not to be subject to a decision based solely on automated processing.

Data Retention: This encoded information will remain in the database for 50 years an indefinite period of time, even after your potential participation in this research study is completed.

If you would like to action any of these rights, or would like further information, you may contact our EU Representative, Thomas McNamara, by e-mail at tom@apexprivacy.com.

2. Website

I. What Information is Collected
On our website, we collect contact information such as name and email address. We also collect the contents of any inquiries or contact that you have with us.

We use this information to:

     respond to requests for a demo of our service,

     answer miscellaneous inquiries about our service, and

     provide customer support.

II. Information Sharing
We will only share your personally identifiable information with our cloud provider, investigative site users and study sponsors or governmental agencies, if required in the ways that are described in this privacy policy. We do not sell your personally identifiable information to third parties.

In certain situations, CTSdatabase may be required to disclose personal data:

      in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

     as required by law, such as to comply with a subpoena, or similar legal process

     when we believe in good faith that disclosure is necessary to protect our rights, protect your safety or the safety of others, investigate fraud, or respond to a government request

     to any other third party with your prior consent to do so

If CTSdatabase is involved in a merger, acquisition, or sale of all or a portion of its assets, you will be notified via email and/or a prominent notice on our Web site of any change in ownership or uses of your personally identifiable information, as well as any choices you may have regarding your personally identifiable information to companies that provide services to help us with our business activities. These companies are authorized to use your personally identifiable information only as necessary to provide these services to us.

III. International Transfers of Data

If you are located in the EU, your information will be accessed and processed by employees in the US. Your acceptance of this Privacy Policy by submission of such information represents your agreement to that transfer.

We transfer data to the US under Standard Contractual Clauses, and take all steps reasonably necessary to ensure that your data is treated securely and in accordance with this Privacy Policy. We ensure that there is no transfer of your data to an organization or country unless there are adequate controls in place, including the security of your data.

IV. User Access and Choice
Upon request from your research investigator, CTSdatabase will provide you with information about whether we hold, or process on behalf of a third party, any of your personal information. If your personally identifiable information changes, or if you want it to be deleted from our system, you or your research investigator may contact us Here or by telephone or postal mail using the contact information listed below. We will respond to your inquiry within 30 days.

V. How Long Do We Keep Your Data

We will retain your information for as long as your account is active or as needed to provide you services. We will retain and use your information as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements.

VI. Lawful Basis for Processing

We process your data based on various lawful bases:

Consent: where you provide us with explicit permission to process your data, such as when you sign up to a mailing list.

Legitimate interest: where it’s in our legitimate interest to do so, we may use your PII, for example, for the defense of a legal claim against us.

VII. Security measures to Protect PII
The security of your personally identifiable information is important to us. We follow generally accepted standards to protect the personally identifiable information submitted to us, both during transmission and once we receive it. No method of transmission over the Internet, or method of electronic storage, is 100% secure, however. Therefore, we cannot guarantee its absolute security.

VIII. Links to 3rd Party Sites
Our Site includes links to other Web sites whose privacy practices may differ from those of CTSd. If you submit personally identifiable information to any of those sites, your information is governed by their privacy policies. We encourage you to carefully read the privacy policy of any Web site you visit.

IX. GDPR Compliance

Under European data protection laws, you may have the right to access the PII about you that CTSdatabase processes. You may request information from us about:

     The personal data we hold about you

     The purposes and processing of your personal data

     Details regarding whom your personal data has/will be disclosed to or the criteria for the disclosure

     How long we will retain your personal data

     In cases where your data was not collected directly from you, information regarding the source of the data.

You may also request that we:

     Delete your personal data

     Update any inaccurate or incomplete data about you

     Make your personal data portable.

You also have the right to object to our processing of your data.

You may request any actions under the listed rights by contacting our EU representative at tom@apexprivacy.com.

To ensure that your data is not accessed by unauthorized entities, if you request to exercise your rights, we will require you to verify your identity before we can respond to your request.

If you have any concerns about how your data has been processed, you have the right to complain to a supervisory authority. Please click here (https://edpb.europa.eu/about-edpb/board/members_en) to find your local supervisory authority. If possible, please contact our team prior to lodging a complaint to see if we can solve your problem in-house.

X. Notification of changes in privacy policy
We may update this privacy policy to reflect changes to our information practices. If we make any material changes we will notify you by email (sent to the e-mail address you provided) or by means of a notice on this Site prior to the change becoming effective. We encourage you to periodically review this page for the latest information on our privacy practices.

XI. Cookie Policy
The CTSdatabase website (www.ctsdatabase.com) does not use any cookies.

How to contact us:
CTSdatabase, LLC.
4835 Van Nuys Blvd, Suite 104
Sherman Oaks, CA 91403
Ph: 855 CTS-CTSd (855 287-2873)