PRA Health Sciences (“PRA”) is a global organization that collects and utilizes different types of Data to conduct business. Due to our global presence, PRA is subject to a variety of data privacy laws and regulations that set forth requirements when handling different Data types. PRA is committed to adhering to these requirements, and has developed a comprehensive, data privacy compliance program designed to respect and protect the privacy and security of Data entrusted to us.
Feedback is a critical element of continual improvement. To provide feedback on this Policy, please utilize Change Management > Document Change Requests in the QMS.
3.0 To Whom Does This Policy Apply?
While the Data Privacy Office, led by PRA’s Chief Privacy Officer, is charged with monitoring compliance with applicable data privacy laws and regulations, all employees and third-parties handling Data on behalf of PRA have a responsibility for ensuring the privacy and security of the Data entrusted to PRA in accordance with this Policy. Therefore, this Policy applies to all employees of PRA. In addition, it applies to other personnel working within PRA or with Data provided to PRA, including temporary resources, contractors, consultants, agents and similar third-party service providers.
4.0 Definitions / Notes
5.0 PRA’s Privacy Principles
PRA is a global organization which is subject to data privacy laws and regulations across the world. PRA takes a uniform approach to ensuring compliance with data privacy laws and regulations. This is accomplished through the following Privacy Principles:
- Data Classification Standards, as set forth in section 5.1, which will enable PRA to assess Data sensitivity, the level of protection that should be assigned to the Data, and how long the Data should be stored.
- Fair Information Principles, as set forth in section 5.2, which are a core set of privacy principles, established by the Organization for Economic Cooperation and Development (OECD), that are practiced globally regardless of industry.
- European Data Privacy Considerations, as set forth in section 5.3, which consider the European Union General Data Protection Regulation (EU GDPR). The EU GDPR hopes to set the standard for privacy and contains strict documentation and process requirements.
The application of these three Privacy Principles will create a uniform approach for applicable global privacy laws and regulations to which PRA is subject.
PRA’s Privacy Principles apply to Data collected or received by PRA in any format, including electronic, paper, or verbal. This Policy sets minimum standards for employees to adhere to when handling Data. In addition, some Data sources may be subject to more stringent privacy safeguards as required by current Good Practices (cGxP), other national and/or international requirements, and/or contractual obligations.
5.1 Data Classification Standards
PRA classifies Data as one of the following: Highly Restricted, Confidential, or Public, as defined in the table below. Depending on the classification, Data may require different levels of controls and security measures, which may include adhering to regulatory requirements.
5.2 Fair Information Principles
As PRA is a global organization and is subject to data privacy laws and regulations around the world, PRA has developed the following principles applicable to Personal Data to ensure we are in compliance regardless of jurisdiction.
Where PRA collects Personal Data directly from Data Subjects, the company will notify those Data Subjects about how the information will be processed and used. Notice will be provided in full in clear and conspicuous language when Data Subjects are first asked to provide Personal Data to PRA, or as soon as practicable thereafter. If PRA seeks to use the information for a purpose other than that for which it was originally collected, PRA will request the prior consent of the Data Subject. Where PRA receives Personal Data from other entities, it will use such information in accordance with the notices provided by such entities and the choices made by the Data Subjects to whom such Personal Data relates.
Where PRA receives Personal Data, such information is to be used in accordance with its intended use and the choices made by the Data Subjects to whom such Personal Data relates.
PRA provides Data Subjects with reasonable mechanisms to exercise their rights and make choices, including the opportunity to withdraw consent. As required by regulation, PRA provides Data Subjects with mechanisms to exercise their rights to request ending the Processing of their Personal Data at any time. This also applies to how Personal Data may be used beyond the original intended uses.
5.2.4 Data Integrity
PRA takes reasonable steps to ensure that Personal Data is accurate, complete, current, and is relevant to its intended use. PRA only collects the necessary amount of Personal Data that is required for the business.
5.2.5 Onward Transfers
PRA may seek to share a Data Subject’s information with agents, contractors or third-party service providers of PRA in connection with services that these individuals or entities perform for, or with, PRA. PRA may, for example, provide an individual's Personal Data to a service provider for hosting an employee benefit, for Processing contracted clinical trial services, or to send to that individual the information that he or she requested. In such cases, PRA provides notice of onward transfers.
Due to the global nature of PRA’s business, the onward transfers may include a geographic transfer of Personal Data from the Data Subject’s own country to, for example, the U.S. where the computer server or service provider hosting or handling the Data may be located. For such transfers, PRA uses the most appropriate method for the legal transfer of such Personal Data in full accordance with all relevant and applicable local and international legislation and regulations.
5.2.6 Access and Correction
Where required by regulation, upon receipt of a written request from a Data Subject, PRA will provide access to Personal Data that PRA holds about that Data Subject. In addition, PRA will take reasonable steps to permit Data Subjects to exercise their Subject Access Rights. Such rights may include correction, amendment, restriction, deletion or portability (i.e. the right to have their Personal Data corrected, amended, restricted or deleted, or any other applicable right relating to their information). Written requests of this nature must state clearly what action is sought along with all relevant information necessary to enable the request to be investigated. PRA will verify the identity of each applicant prior to releasing or correcting the Data.
While PRA grants the Subject Access Rights requested by Data Subjects, not all requests may be fulfilled to the satisfaction of Data Subjects. As PRA operates in a highly regulated environment, it is bound by many laws/regulations. As an example, under the right to be forgotten, PRA may not be able to erase all Data related to a Data Subject due to other laws/regulations that require that Personal Data be maintained (e.g. Adverse Event Reporting).
PRA employs various technical measures (safeguards and security practices) to protect Personal Data in its possession from loss, misuse, unauthorized or unlawful access, Processing, disclosure, alteration, damage and destruction. PRA recognizes that Special Categories of Personal Data should be afforded additional protection due to their sensitive nature. For Personal Data that requires electronic storage or transmission, PRA either maintains an internal private, secure global network that is monitored for unauthorized access and protected from computer virus infection, or engages service providers accountable for ensuring the appropriate technical measures are deployed.
PRA requires assurances from its agents, contractors and service providers that they safeguard Personal Data received from PRA in a manner consistent with this Policy. Appropriate assurance of compliance may be given in a number of ways, which may include contractual terms between the parties or mechanisms of Personal Data transfer that are approved by a Data Protection Authority. Where PRA receives knowledge that an agent, contractor, or service provider is using or disclosing Personal Data in a manner contrary to this Policy, then PRA will employ measures to prevent or stop the use or disclosure in accordance with applicable laws/regulations.
All reported breaches or potential breaches of privacy are investigated by a dedicated investigation team including the Data Privacy Office and function-specific assignees. The team identifies and implements actions as they deem appropriate in the investigation and remediation of the situation in conjunction with appropriate stakeholders, depending on the situational circumstances.
Any employee that is found by PRA to have violated this Policy will be subject to disciplinary action up to and including termination of employment in accordance with local employment legislation, rules and regulations.
Any third-party service provider, including consultants and contractors, that PRA determines is in violation of this Policy will be subject to appropriate action. In the event of criminal or other serious violations of the law, PRA may also notify the appropriate legal and/or regulatory/supervisory body.
5.2.9 Limitation on Application of Fair Information Principles
Adherence by PRA to these Fair Information Principles may be limited to the extent (1) required to respond to a legal or ethical obligation, or (2) disclosure of Data is expressly permitted by an applicable law, rule or regulation, such as Processing Data specifically requested by government agencies for the purpose of medical safety.
5.3 European Data Privacy Considerations
While PRA implements Fair Information Principles, there are principles that are specific to European data privacy regulations. The following key principles apply where PRA is Processing Personal Data of European Union residents regardless of where the Personal Data is stored.
5.3.1 PRA is a Data Processor in Most Situations Involving Clients or Sponsors
In most situations, Sponsors or Clients act as the Data Controller and PRA acts as the Data Processor. Data Controllers determine the purposes and means of the Processing of Personal Data and instruct Data Processors on how the Data collected is to be used. Sponsors or Clients engage PRA to act on their behalf to handle or process Data in a manner they determine.
5.3.2 PRA Advocates Privacy by Design
Privacy by Design includes proactively embedding privacy into the design of services or solutions that involve the Processing of Personal Data.
Products or services developed by PRA that involve Processing of Personal Data should have the rights and freedoms of Data Subjects integrated into the development process. This means that the principles of access and correction (see section 5.2.6) are built into any product or service used for Processing and Data Subjects have the ability to access and correct their Personal Data.
Where possible and appropriate, PRA de-identifies any Personal Data that is collected, obtained, or used so that data does not identify an individual.
5.3.3 Privacy Impact Assessments
Privacy Impact Assessments (PIA) are the process of identifying and reducing the privacy risks of products or services that involve the Processing of Personal Data and their potential impact on other products or services that also involve the Processing of Personal Data.
PRA will conduct PIAs to determine if there is a high risk of compromising the rights and freedoms of Data Subjects. This is conducted on a case-by-case basis and involves collaboration between the Data Privacy Office, Information Technology, and the process or business system owner.
5.3.4 Data Breach
Where PRA reasonably believes an unauthorized disclosure of Personal Data has occurred, it will make appropriate and timely notifications to Data Protection Authorities and Data Subjects as required by law, and in accordance with PRA’s Standard Operating Procedures.
6.0 Contact Information
Questions or comments regarding this Policy, along with enquiries regarding the exercise of rights, should be submitted by mail to:
PRA Health Sciences
4130 ParkLake Avenue, Suite 400,
Raleigh, North Carolina 27612
Attn: Chief Privacy Officer