VCTC policy documents are designed to provide VCTC’s customers with an understanding of VCTC’s position and policies in relation to regulations and key aspects of our services.
VCTC Privacy Policy
VCTC are committed to protecting and respecting the privacy of subjects, nurses, customers, suppliers and employees, and this includes their personal and health related information
This policy, together with our terms of use, privacy policy and any other documents referred to on it, sets out the basis on which any personal data (or personal information) we collect or that is provided to us, will be processed by us.
As an organisation, the VCTC have a responsibility to safeguard all personal data that it holds. The company is responsible for ensuring compliance with the UK Data Protection Act 2018 (incorporating GDPR) applicable data privacy and data protection regulations with regards to employee data, business information and data concerning trial subjects (patients) i.e. those data required by VCTC to conduct trial visits in the patient’s home.
For VCTC, business information refers to data held about its customers and any third parties that provide support for VCTC services.
VCTC also has an obligation to ensure that organisations who receive/process personal data provided by VCTC e.g. vendors (processors or sub-processors) are also compliant with current data protection regulations and data processing agreements should be in place between VCTC and the third party. VCTC has a number of internal policies, procedures and processes for safeguarding personal information and these conform to GDPR and HIPAA principles. To ensure personal data receives an adequate level of protection when transferred between the various parts of VCTC’s organisation, VCTC has put in place Standard Contractual Clauses to ensure personal data is treated by all of its offices in a way which is consistent with and respects the EU and UK laws in data protection.
VCTC Employee Data
VCTC acts as Data Controller as it retains control over the purposes for processing personal data about its employees and the manner in which it does this.
Customer Data
VCTC acts as a Data Controller as we hold a database of individual business contacts and this data is used to send updates and news to them on a regular basis. VCTC can only store this data if the individual has consented (“opted in”).
Trial Subject Data
VCTC acts as a Data Processor where clinical trial data is concerned. VCTC processes personal information that is needed in order to perform in-home protocol visits to trial subjects. VCTC only uses personal information to conduct homecare visits. Whilst the trial Sponsor and the principal investigator are the data controllers, VCTC does take responsibility for how it processes the information internally and takes responsibility for the manner by which it provides information to any approved subcontractors to whom it might utilize to actually perform the in-home protocol visits.
All documents used by VCTC and its subcontractors in the provision of the service are reviewed and approved by the trial Sponsor, or their delegate.
Third Party Study Personnel
VCTC acts as both a Data Controller and a Data Processor where third parties supporting trials are concerned. In order to perform our services and to conform to ICH-GCP, VCTC is obliged to confirm that individuals from any third parties are suitably qualified and competent to do so. As such, VCTC holds CV’s/resumes and forwards these on to customers. Furthermore, we may also store contact details of healthcare professionals who support our Services. VCTC are required to obtain consent from these individuals as the records are stored by VCTC and forwarded to sites. Under ICH-GCP, VCTC are also required to store and archive information relating to our services so that the trial can be recreated in the future.
In summary, only required personal data should be held, is secured and protected against loss, and only kept for as long as is necessary.
VCTC only process personal data in accordance with the above principles. This includes Human Resources and Line Managers for employee data and all relevant project staff for trial subject data.
VCTC provides a service to the clinical research community, thereby falling under the regulations of this industry however, in doing so, VCTC also provides a healthcare service and as such must comply with professional standards.
Informing Trial Subjects of Access to and Collection of Personal Data
All trial subjects must be made aware of what happens to the personal data collected about them during a trial and also who has access to it. Reference to the release of their information to VCTC will be made in the Patient Information Sheet and Informed Consent (PIS/IC) or assent form, signed by individual trial subjects. VCTC take responsibility for requesting from their client the version of the PIS/IC that will be used in a trial and reviewing it to ensure that information is contained in the document with regards to 3rd party access. If it is not possible to incorporate this in the principal version, a specific PIS/IC will need to be submitted for ethics review and approval and signed by all trial subjects.
Home nursing teams receive training by VCTC on their responsibilities for the handling and management of personal data.
VCTC Access to Trial Subject Data
Within VCTC, access to personal data is limited to only those personnel who are assigned to a specific trial within VCTC.
All documents used as part of VCTC’s service that do not require personal subject details use a unique identifier (number) instead of the subject’s name provided by the trial site and used VCTC – this is typically the number of the trial site and a unique number assigned to each participating trial subject.
E-mail streams, particularly between sites and VCTC resources must refer to a trial subject by their unique trial number only. VCTC employees take responsibility for ensuring that no e-mail concerning a patient is forwarded to an e-mail address of an unknown party unless suitable security provisions are made.
It is expected that telephone conversations between VCTC and homecare nurses will relate to specific trial subjects. VCTC employees concerned are responsible for ensuring that they have an awareness of who is within the vicinity of a call when in the office and take precautions to not disclose personal or sensitive data.
Individuals have the right to request the nature of personal data that is held by VCTC. These rights are enhanced as a result of GDPR and include:
Individuals can be anyone whose personal data is held by VCTC and includes employees, trial subjects, nurses and customers.
On receipt of a request, VCTC staff are required to notify the Data Privacy Committee (DPC) immediately in writing providing details of the request (email dataprivacycommittee@theVCTC.co.uk). The DPC will provide the information in a clear, concise and intelligible format in a reasonable timeframe, but no later than within 30 days of receipt of the request. The format will be determined by the DPC.
Finally, VCTC has an obligation to inform individuals if the purpose of the collection of their personal data changes in any way.
VCTC appointed a Data Privacy Committee to take on the responsibilities of a DPO. The primary responsibilities of the VCTC DPC are:
The DPC is comprised of individuals who represent all functions across the business and is chaired independently from the operating Board.
VCTC is required to report certain types of personal data breach to the relevant supervisory authority within 72 hours of becoming aware of a breach, where feasible. If the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms, we must also inform those individuals without undue delay.
A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes. It also means that a breach is more than just about losing personal data.
VCTC’s DPC will determine if a breach has occurred and will inform the appropriate authorities and customers in accordance with local requirements.
SUMMARY
All VCTC staff are trained on the management of personal data within VCTC and understand the safeguards and processes that are employed to ensure that VCTC maintains confidentiality at all times, in accordance with the appropriate regulations.
In the event that any individual or organisation has a complaint with regard to how VCTC has handled their personal information, please contact the VCTC Data Privacy Committee in the first instance by emailing dataprivacycommittee@theVCTC.co.uk.