- Purpose & Scope
This policy informs persons and entities seeking information on the EU-U.S. Privacy Shield Framework (“Privacy Shield”) and iCardiac Technologies, Inc.’s (“iCardiac”) compliance with it. It also affirms the seven (7) principles with which iCardiac, as a self-certifying entity under the Privacy Shield, must comply, and states our commitment to safeguarding the personal information iCardiac receives, processes and/or manages in the course of its global business operations. Lastly, this policy sets out the remedial measures available to anyone seeking to resolve an inquiry or complaint.
This policy applies to all personal information of iCardiac employees collected by Human Resources and all personal information received from clinical trial operations.
- Principles of Privacy Shield
Notice: Organizations must notify individuals about the purposes for which they collect and use information about them. They must provide information about how individuals can contact the organization with any inquiries or complaints, the types of third parties to which the organization discloses the information, and the choices and means the organization offers for limiting its use and disclosure. Note, however, that this principle does not require iCardiac to provide notice where it is contracted by a Sponsor of a clinical trial to collect, process and/or report data. In those cases notification is provided to study subjects and all interested regulatory entities through the Sponsor-supplied Protocol, the released clinical trial supporting materials and the clinical trial trainings, and these, in iCardiac’s discretion, are sufficient notifications under the Privacy Shield framework.
Choice: Organizations must give individuals the opportunity to choose (opt out) whether their personal information will be disclosed to a third party or used for a purpose incompatible with the purpose for which it was originally collected or subsequently authorized by the individual. For sensitive personal information, affirmative or explicit (opt in) choice must be given if the information is to be disclosed to a third party or used for a purpose other than its original purpose or a purpose subsequently authorized by the individual. Choice is not offered when iCardiac has been contracted by a Sponsor of a clinical trial to collect, process and/or report data. In those cases iCardiac neither controls nor takes part in the interactions between clinical trial subjects and the clinical site and, having no such interactions, cannot verify a subject’s identity. Notwithstanding the above, in all contracts for clinical trial testing iCardiac undertakes responsibility for the security of the data collected: that it is tamper-proof, password protected and, where possible, encrypted.
Accountability for Onward Transfer (Transfers to Third Parties): Before disclosing information to a third party, iCardiac applies the notice and choice principles, and it transfers information to a third party only where that party has provided iCardiac with adequate assurances that it will protect the information in accordance with this policy. Where iCardiac determines that a third party is processing information contrary to this policy, iCardiac shall take reasonable steps to cease all information transfers to that party until the situation has been remedied.
Access: Individuals must have access to personal information about them that an organization holds and be able to correct, amend, or delete that information where it is inaccurate, except where the burden or expense of providing access would be disproportionate to the risks to the individual’s privacy in the case in question, or where the rights of persons other than the individual would be violated. In this spirit, iCardiac shall provide EU citizens and individuals residing in the EU with access to their own Personal Information and, where applicable, Sensitive Personal Information, upon written request and subject to any exemptions allowable under law or written agreement. An employee may review such Information from time to time by submitting a review request to firstname.lastname@example.org.
Security: iCardiac meets or exceeds the Privacy Shield standard that a self-certifying entity take “reasonable precautions” to protect personal information from loss, misuse and unauthorized access, disclosure, alteration and destruction. Further, iCardiac’s global operations comply with the requirements of HIPAA, the US law governing protected health information (PHI). All employees and consultants must acknowledge, by signature, their adherence to stringent confidentiality obligations, and must sign an “acceptable use” statement.
Data Integrity and Purpose Limitation: Personal information must be relevant for the purposes for which it is to be used. iCardiac meets or exceeds the Privacy Shield standard that a self-certifying entity take “reasonable steps” to ensure that data is reliable for its intended use, accurate, complete and current.
Recourse, Enforcement, and Liability: Privacy Shield requires each self-certifying entity to have (a) a readily available and affordable independent recourse mechanism so that each individual’s complaints and disputes can be investigated and resolved, and damages awarded, where the applicable law or private sector initiatives so provide; (b) procedures for verifying that its commitment to adhere to the Privacy Shield principles has been implemented; and (c) an obligation to remedy problems arising out of a failure to comply with the principles. iCardiac’s internal enforcement mechanism begins at the employee level: every iCardiac employee who works with, or has tangential access to, data is trained to identify a security or privacy breach. Any reported incident involving a potential privacy or security breach is investigated by the Quality and Regulatory Department, and its findings are sent for review to iCardiac’s Security Council. The Security Council, a group comprised of the Vice President of Technology, the Director of Quality, the Director of Information Technology and the Deputy General Counsel, shall evaluate, report and resolve these incidents as necessary and as applicable. iCardiac acknowledges that a reported incident may or may not turn out to be a breach. However, in the event a breach cannot be resolved through this internal process, further remedies are available as set forth in the Section below entitled “Inquiries and Dispute Resolution”.
- Policy Statement
In addition to the foregoing, iCardiac declares that it will collect, use, and disclose only the minimum amount of Personal and Sensitive Personal Information necessary to conduct business, fulfill legal obligations, and comply with regulatory requirements. Further, iCardiac may share non-personally identifiable information publicly or with our business partners. In accordance with GCP, where clinical records and/or data received by iCardiac reveal patient/subject identity, iCardiac employees will respect the privacy and confidentiality of such information.
iCardiac is a self-certifying organization under Privacy Shield and complies with the U.S.-Swiss Safe Harbor Framework as set forth by the U.S. Department of Commerce regarding the collection, use and retention of personal information from European Union member countries and Switzerland. iCardiac is committed to protecting Information about individuals. iCardiac needs access to the Personal and Sensitive Personal Information of its employees, and it may receive such Information from others in order to conduct business and provide services to sponsors.
To learn more about Privacy Shield, and its replacement of the Safe Harbor program, and to view iCardiac’s certification, please visit Privacy Shield
- Inquiries and Dispute Resolution
Any inquiries regarding iCardiac’s privacy practices or its Privacy Shield certification should be directed to the Director of Quality and Regulatory Compliance via email to email@example.com, by mail to 150 Allens Creek Road, Rochester, New York 14618, or by phone at 585-295-7610. iCardiac is subject to the investigatory and enforcement powers of the US Federal Government; in addition, a complaint may be referred to your local data protection authority (“DPA”), and iCardiac will seek to resolve the concern with the DPA. In certain circumstances, the Privacy Shield framework provides for dispute resolution through binding arbitration, as further described in Annex I to the Privacy Shield Principles.
iCardiac is committed to cooperating with the data protection authorities located in the European Union (EU DPAs) and with the Swiss Federal Data Protection and Information Commissioner (FDPIC), or their authorized representatives, regarding the organization’s human resources data. In addition to the remedies provided above, iCardiac uses a third-party dispute resolution provider to which cases can be submitted.
- Definitions
Personal Information: Identifying information that (1) is recorded in any form; (2) is about or pertains to a specific individual; and (3) can be linked to that individual. Examples include name, initials, home and personal e-mail address, phone number, DOB, DOD, and fingerprints.
Sensitive Personal Information: Financial, legal, and other personal information, such as Social Security Number, credit background, race, nationality, sexual orientation, political opinions, religious affiliation, philosophical beliefs, trade union membership, medical records and condition of health.
- Responsibilities
6.1 Security Council and Management
The Security Council and Management are responsible for enforcing this policy.
6.2 All iCardiac Employees
All iCardiac employees are responsible for following this policy.
6.3 Director of Quality and Regulatory Compliance
The Director of Quality and Regulatory Compliance or a designee is responsible for administering and updating this procedure.
- References
- U.S.-EU Privacy Shield Framework: A Guide to Self-Certification, including the full text of the official declaration of the Privacy Shield Privacy Principles, as announced on July 12, 2016; and
- ICH Guideline for Good Clinical Practice E6 (R1)