Last updated 11 12 2023
Medical Research Network Limited and its group companies (the MRN, the Company, we, us) are committed to protecting and respecting the privacy of clinical trial subjects, health care professionals, customers, website visitors and job applicants, and this includes their personal and health related information.
This policy and any other documents referred to within it, sets out the basis on which any personal data (or personal information) we collect or that is provided to us, will be processed by us.
Any questions about how we process personal data, or if you would like to exercise your data subject rights, please email us at email@example.com.
As an organisation, the MRN have a responsibility to safeguard all personal data that it holds. The Company is responsible for ensuring compliance with applicable international and local data protection laws and regulations, including but not limited to the Data Protection Act 2018 (DPA 2018), the United Kingdom General Data Protection Regulations (UK GDPR), Regulation (EU) 2016/679 (the General Data Protection Regulation) (GDPR), the Act on the Protection of Personal Information (APPI), the Health and Insurance Portability and Accountability Act (HIPAA) and, the privacy and confidentiality requirements of Good Clinical Practice (GCP).
The MRN has a number of internal policies, procedures and processes for safeguarding personal information, and these conform to applicable data protection principles. To ensure personal data receives an adequate level of protection when transferred between the various parts of the MRN’s organisation, the MRN has put in place an Intra Group Data Sharing Agreement and where applicable Standard Contractual Clauses, these together with additional supplementary measures, ensure personal data is treated by all of its offices in a way which is consistent with and respects the EU and UK laws on data protection.
The MRN acts as a Data Controller for the following types of Personal Data:
Job Applicant Data
In this context, the MRN acts as Data Controller as it retains control over the purposes for processing personal data about its job applicants and the manner in which it does this.
The types of personal data requested and ways it is processed are determined by the requirements of the country in which the position is located. Personal data collected directly from you when you apply for a role include name, address, contact information, work and educational history, references, identification documents. We may also collect personal data about you from third parties, such as your references, our employees who interviewed you, publicly available information and employment background checks.
We collect and use your personal data for legitimate human resources and business management reasons including identifying and evaluating candidates for potential employment, as well as for future roles that may become available; record keeping in relation to recruitment; ensuring compliance with legal requirements, including diversity and inclusion requirements and practices; conducting background and criminal history checks as permitted by applicable law.
If we wish to retain your personal data to consider you for future employment, we will seek your consent to do so.
Your personal data may be accessed by recruiters and interviewers in the country where the position for which you are applying is based, as well as by recruiters and interviewers working in different countries within our organisation. Individuals performing administrative functions and IT personnel may also have limited access to your personal data.
If you accept an offer of employment, any relevant personal data collected during your pre-employment period will become part of your employment records.
In this context, the MRN acts as a Data Controller as we hold a database of individual business contacts. We may send you MRN-related marketing communications, as permitted by law. You will have the opportunity to opt in or out of our marketing communications and to change your mind at any time by clicking on the unsubscribe button at the foot of any marketing emails from us.
For individuals sharing personal information with us in order to enquire about our services, we will use such personal information in order to provide the requested information and/or services.
The MRN collects name and contact information from visitors to the MRN website who ask for further information regarding MRN’s services. The MRN uses this contact information to deliver the requested information to these visitors. The MRN also uses IP addresses for tracking virtual identities; for visitors with requests for information, this tracking is linked to real-world personal information.
The MRN acts as a Data Processor or Sub-Processor for the following types of Personal Data:
Trial Subject Data
The MRN acts as a Data Processor OR Sub-Processor of clinical trial data. The MRN processes personal information that is needed in order to perform in-home protocol visits for trial subjects. The MRN uses personal information to conduct homecare visits and to manage the logistics relating to those homecare visits. The MRN takes responsibility for how it processes the information internally and for the manner by which it provides information to any approved subcontractors it might utilize to actually perform the in-home protocol visits.
The personal data and purposes for which trial subjects’ personal data will be used by study sites and Sponsors will be addressed in more detail in the study specific consent documentation. As such, trial subjects should look to that documentation to understand how their personal data is processed.
Depending on the processing activity, the relevant Data Controller may be the study site and/or the Sponsor. The study site is responsible for the medical care of the trial subjects and the Sponsor is responsible for the medical research the study concerns.
Third Party Study Personnel
The MRN acts as both a Data Controller and a Data Processor where third parties supporting trials are concerned. In order to perform our services and to conform to ICH-GCP, the MRN is obliged to confirm that individuals from any third parties are suitably qualified and competent to do so. As such, the MRN holds CV’s/resumes of health care professionals who perform HTS and Site Professional Support (SPS) and forwards these on to sites and customers. Furthermore, we may also store contact details of healthcare professionals who support our Services. Under ICH-GCP, the MRN are also required to store and archive information relating to our services so that the trial can be recreated in the future.
We may collect information about you:
When you apply for job vacancies.
To provide you with information that you have requested regarding our services.
To initiate and complete commercial transactions with you, or the entity that you represent, for the purchase of services.
To fulfil a contract that we have entered into with you or with the entity you represent. In these circumstances it may be your entity, rather than yourself, that has provided us with your personal data.
To ensure the security and safe operation of our website.
To manage any communication between you and us.
When you visit our offices our CCTV system operates for the security of both visitors and staff.
We endeavour to take all reasonable steps to protect your personal information. Risk assessment, including assessing risks to the rights and freedoms of data subjects is at the heart of our information security management system. We do not, however, have any control over what happens between your device and the boundary of our information infrastructure. You should be aware of the many information security risks that exist and take appropriate steps to safeguard your own information.
Data Sharing, International Data Transfers and Data Security
The MRN shares data with processors and sub-processors, as well as third parties where necessary and permitted to perform the tasks the MRN carries out. The MRN is a global organisation and uses appropriate measures, including the Data Sharing Agreement to protect the data that it processes between its entities. Data is encrypted and protected wherever possible and only kept in an identifiable format for as long as necessary. The MRN maintains the confidentiality, integrity and availability of data, and has robust policies for retention, archiving, disaster recovery and data disclosure rules so that the data in its entire life cycle is protected, while in the MRN’s care.
Home Trial Support (HTS) Service
The MRN provides a service to the clinical research community including a healthcare service, both services are regulated and bound by professional standards.
Informing Trial Subjects of Access to and Collection of Personal Data
All trial subjects are made aware of what happens to the personal data collected about them during a trial and who has access to it. Reference to the release of their information to the MRN is set out in the study specific consent documentation signed by or on behalf of individual trial subjects. The MRN check that these signed documents contain information regarding the processing of personal data by third parties.
By referring a trial subject to the MRN, the site is confirming that the subject has consented to the trial and therefore consents to their personal data being shared with the MRN and other third parties. The personal data collected is the minimum required in order for the MRN to provide the in-home trial service.
HTS health care professionals receive regular training by the MRN on their responsibilities for the handling and management of personal data.
Access to Trial Subject Data
Within the MRN, access to personal data is limited to only those personnel who are assigned to a specific trial within the MRN.
All documents used as part of the MRN’s service that do not require personal subject details use a unique identifier (number) instead of the subject’s name.
Data Subject Access Rights
A data subject whose personal information we hold, has certain rights. To exercise any of these rights, please email firstname.lastname@example.org or use the information supplied in the ‘Contact us’ section below. To process a request, we will require the provision two valid forms of identification for verification purposes. Rights are as follows:
As a data controller, we are obliged to provide clear and transparent information about our data processing activities. This is provided by this privacy notice and any related communications we may send.
You may request a copy of the personal data we hold about you free of charge. Once we have verified your identity and, if relevant, the authority of any third-party requestor, we will provide access to the personal data we hold about you as well as the following information:
a) The purposes of the processing.
b) The categories of personal data concerned.
c) The recipients to whom the personal data has been disclosed.
d) The retention period or envisioned retention period for that personal data.
e) When personal data has been collected from a third party, the source of the personal data.
If there are exceptional circumstances that mean we can refuse to provide the information, we will explain them. If requests are frivolous or vexatious, we reserve the right to refuse them. If answering requests is likely to require additional time or occasions unreasonable expense (which you may have to meet), we will inform you.
The right to rectification
When you believe we hold inaccurate or incomplete personal information about you, you may exercise your right to correct or complete this data. This may be used with the right to restrict processing to make sure that incorrect/incomplete information is not processed until it is corrected.
The right to erasure (the ‘right to be forgotten’)
Where no overriding legal basis or legitimate reason continues to exist for processing personal data, you may request that we delete the personal data. This includes personal data that may have been unlawfully processed. We will take all reasonable steps to ensure erasure.
The right to restrict processing
You may ask us to stop processing your personal data. We will still hold the data but will not process it any further. This right is an alternative to the right to erasure. If one of the following conditions applies, you may exercise the right to restrict processing:
a) The accuracy of the personal data is contested.
b) Processing of the personal data is unlawful.
c) We no longer need the personal data for processing, but the personal data is required for part of a legal process.
d) The right to object has been exercised and processing is restricted pending a decision on the status of the processing.
The right to data portability
You may request your set of personal data be transferred to another controller or processor, provided in a commonly used and machine-readable format. This right is only available if the original processing was on the basis of consent, the processing is by automated means and if the processing is based on the fulfilment of a contractual obligation.
You have the right to object to our processing of your data where:
Processing is based on legitimate interest;
Processing is for the purpose of direct marketing;
Processing is for the purposes of scientific or historic research; or
Processing involves automated decision-making and profiling.
If you are based in the EU, and you wish to exercise your rights under the EU GDPR, or have any queries in relation to your rights or general privacy matters, please email our representative at email@example.com.
Any comments, questions or suggestions about this privacy notice or our handling of your personal data should be emailed to firstname.lastname@example.org.
Alternatively, you can contact us at:
Data Privacy Committee
Medical Research Network Limited
Should you wish to discuss a compliant, please feel free to contact us using the details provided above. All complaints will be treated in a confidential manner.
Should you feel unsatisfied with our handing of your data, or about any complaint that you have made about our handing of your data, you may have rights to file a complaint with a regulator in your jurisdiction. For the UK, this is the Information Commissioner’s Office, which is also our lead supervisory authority. Its contact information can be found at https://ico.org.uk/global/contact-us/.