Last updated 01/04/2021
MRN (Medical Research Network) policy documents are designed to provide MRN’s customers with an understanding of MRN’s position and policies in relation to regulations and key aspects of our services.
Medical Research Network are committed to protecting and respecting the privacy of subjects, nurses, customers, suppliers and employees, and this includes their personal and health-related information.
As an organisation, MRN has a responsibility to safeguard all personal data that it holds. The company is responsible for ensuring compliance with the UK Data Protection Act 2018 (incorporating GDPR) and applicable data privacy and data protection regulations with regard to employee data, business information and data concerning trial subjects (patients), i.e. those data required by MRN to conduct trial visits in the patient’s home (Home Trial Support, HTS). Note: MRN nurses working on site (site nurse support) in health institutions must comply with local regulations and policies in force at the institute in which they are operating.
For MRN, business information refers to data held about its customers and any third parties that provide support for MRN services; in practice this means that we require consent from individual nurses and customers whose personal data is held by MRN.
MRN also has an obligation to ensure that organisations who receive/process personal data provided by MRN, e.g. vendors (processors or sub-processors), are also compliant with current data protection regulations, and data processing agreements should be in place between MRN and the third party.
MRN has a number of internal policies, procedures and processes for safeguarding personal information and these conform to GDPR and HIPAA principles. To ensure personal data receives an adequate level of protection when transferred between the various parts of MRN’s organisation, MRN has put in place Standard Contractual Clauses to ensure personal data is treated by all of its offices in a way which is consistent with and respects the EU and UK laws in data protection.
1. MRN acts as a Data Controller for the following types of Personal Data:
MRN Employee Data
MRN acts as Data Controller as it retains control over the purposes for processing personal data about its employees and the manner in which it does this.
MRN acts as a Data Controller as we hold a database of individual business contacts within Salesforce and this data is used to send updates and news to them on a regular basis. MRN can only store this data if the individual has consented (“opted in”).
2. MRN acts as a Data Processor (and sometimes Sub-Processor) for the following types of Personal Data:
Trial Subject Data
MRN acts as a Data Processor where clinical trial data is concerned. MRN processes personal information that is needed in order to perform in-home protocol visits to trial subjects. MRN only uses personal information to conduct homecare visits. Whilst the trial Sponsor and the principal investigator are the data controllers, MRN does take responsibility for how it processes the information internally and for the manner in which it provides information to any approved subcontractors it might utilise to perform the in-home protocol visits.
All documents used by MRN and its subcontractors in the provision of the service are reviewed and approved by the trial Sponsor, or their delegate.
Third Party Study Personnel
MRN acts as both a Data Controller and a Data Processor where third parties supporting trials are concerned. In order to perform our services and to conform to ICH-GCP, MRN is obliged to confirm that individuals from any third parties are suitably qualified and competent to do so. As such, MRN holds CVs/resumes of nurses who perform HTS and SNS nurses and forwards these on to sites and customers. Furthermore, we may also store contact details of healthcare professionals who support our Services. MRN are required to obtain consent from these individuals as the records are stored by MRN and forwarded to sites. Under ICH-GCP, MRN are also required to store and archive information relating to our services so that the trial can be recreated in the future.
3. Data protection is centred around a number of key principles and Article 5 of the General Data Protection Regulation (GDPR) stipulates that personal data shall be:
a) processed lawfully, fairly and in a transparent manner in relation to individuals;
b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to the implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and
f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
In summary, only required personal data should be held; it should be secured and protected against loss, and kept only for as long as is necessary.
MRN only processes personal data in accordance with the above principles. This includes Human Resources and Line Managers for employee data and all relevant project staff for trial subject data.
4. Home Trial Support (HTS) Service
MRN provides a service to the clinical research community, thereby falling under the regulations of this industry; however, in doing so, MRN also provides a healthcare service and as such must comply with professional standards.
Informing Trial Subjects of Access to and Collection of Personal Data
All trial subjects must be made aware of what happens to the personal data collected about them during a trial and also who has access to it. Reference to the release of their information to MRN will be made in the Patient Information Sheet and Informed Consent (PIS/IC) or assent form, signed by individual trial subjects. MRN take responsibility for requesting from their client the version of the PIS/IC that will be used in a trial and reviewing it to ensure that information is contained in the document with regards to 3rd party access. If it is not possible to incorporate this in the principal version, a specific PIS/IC will need to be submitted for ethics review and approval and signed by all trial subjects using HTS.
By referring a trial subject to MRN the site Principal Investigator (PI) is confirming that the subject has consented to the trial and therefore consents to their personal data being shared with MRN and other third parties. The personal data collected is the minimum required in order for MRN to provide our in-home trial service.
HTS nurses receive training by MRN on their responsibilities for the handling and management of personal data.
MRN Access to Trial Subject Data
Within MRN, access to personal data is limited to only those personnel who are assigned to a specific trial within MRN.
All documents used as part of MRN’s service that do not require personal subject details use a unique identifier (number) instead of the subject’s name. The identifier is provided by the trial site and used by MRN; this is typically the number of the trial site and a unique number assigned to each participating trial subject.
5. Email Communication
E-mail streams, particularly between sites and MRN nurses and MRN and sites, must refer to a trial subject by their unique trial number only. MRN employees take responsibility for ensuring that no e-mail concerning a patient is forwarded to an e-mail address of an unknown party unless suitable security provisions are made.
6. Telephone Conversations
It is expected that telephone conversations between MRN, sites and homecare nurses will relate to specific trial subjects. MRN employees concerned are responsible for ensuring that they have an awareness of who is within the vicinity of a call when in the office and take precautions to not disclose personal or sensitive data.
7. Data Subject Access Rights
Individuals have the right to request the nature of personal data that is held by MRN. These rights are enhanced as a result of GDPR and include:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling
Individuals can be anyone whose personal data is held by MRN and includes employees, trial subjects, nurses and customers.
On receipt of a request, MRN staff are required to notify the Data Privacy Committee (DPC) immediately in writing providing details of the request (email firstname.lastname@example.org). The DPC will provide the information in a clear, concise and intelligible format in a reasonable timeframe, but no later than within 30 days of receipt of the request. The format will be determined by the DPC.
Finally, MRN has an obligation to inform individuals if the purpose of the collection of their personal data changes in any way.
8. Data Privacy Committee (DPC)
MRN appointed a Data Privacy Committee to take on the responsibilities of a DPO. The primary responsibilities of the MRN DPC are:
- Maintain an in-depth knowledge of GDPR/data privacy regulations and an understanding of EU and national laws where it relates to MRN and its services;
- Have a good understanding of the pharmaceutical sector and of MRN’s processing operations;
- Report directly to the MRN Operating Board and be independent of the processing functions & decision-making structure;
- Monitor GDPR compliance across all MRN functions;
- Advise on data privacy issues;
- Educate and train employees;
- Cooperate with ICO and other data processing authorities, especially with regard to personal data breaches;
- Track and respond to data privacy enquiries and subject access requests;
- Advise on the performance of Data Protection Impact Assessments;
- Be involved in future developments of MRN services where personal data is processed.
The DPC is comprised of individuals who represent all functions across the business and is chaired independently from the Operating Board.
9. Personal Data Breaches
MRN is required to report certain types of personal data breach to the relevant supervisory authority within 72 hours of becoming aware of a breach, where feasible. If the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms, we must also inform those individuals without undue delay.
A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes. It also means that a breach is more than just about losing personal data.
MRN’s DPC will determine if a breach has occurred and will inform the appropriate authorities and customers in accordance with local requirements.
All MRN staff are trained on the management of personal data within MRN and understand the safeguards and processes that are employed to ensure that MRN maintains confidentiality at all times, in accordance with the appropriate regulations.
In the event that any individual or organisation has a complaint with regard to how MRN has handled their personal information, please contact the MRN Data Privacy Committee in the first instance by emailing email@example.com.