PSI is committed to respecting the privacy of individuals. PSI values the confidence of those who have entrusted PSI with their personal data: clinical investigators and other healthcare professionals, job applicants, employees, customers, and business partners. PSI has developed procedures and practices to periodically review and monitor the use of personal information to ensure that it is used responsibly and complies with internationally recognized standards of privacy protection. Such international standards include but are not limited to the European Union Data Protection Directive [EC/95/46] and the U.S.-EU Safe Harbor Privacy Principles.
PSI has certified its participation in, and compliance with, the U.S.-EU Safe Harbor Framework and the U.S.-Swiss Safe Harbor Framework as set forth by the U.S. Department of Commerce regarding the transfer of personal data from European Union member countries and Switzerland to the U.S. The principles of Safe Harbor compliance are notice, choice, onward transfer, security, data integrity, access, and enforcement.
In addition to following these transnational regulations, PSI always strives to collect and use personal data in a manner consistent with the national laws of the countries where PSI does business.
Data Privacy Principles
Internationally recognized standards require that the processing of personal data, both automated and manual, meet the following data protection principles, to which PSI adheres:
- Data are collected and processed in a fair, responsible, and lawful manner.
- Data are collected, stored, transferred, processed, analyzed and used in accordance with PSI’s established guidelines and in compliance with local laws/regulations in the territory where those activities occur.
- Data are collected for specified, legitimate purposes and not processed in ways incompatible with those purposes.
- Data are relevant to and not excessive for the purposes for which they are collected and used.
- Data are current and accurate with reasonable steps taken to rectify or delete inaccurate records.
- Data are kept only for as long as it is necessary for the purposes for which they were collected and processed.
- Appropriate organizational, physical, administrative and technical measures are taken to prevent unauthorized access, unlawful processing, and unauthorized or accidental loss, destruction, or damage to data.
- Data subjects will have an opportunity to review, correct and update their personal information maintained by PSI to the extent permitted under applicable law.
- Data are not transferred to third parties unless an adequate level of data protection exists.
Purposes Of Data Processing
PSI processes personal data for specific, limited, and legitimate purposes, which data subjects are informed about whenever such data are requested from them. Examples of such purposes include, but are not limited to:
- Investigator data processed by PSI to be able to identify and contact individual investigators to ascertain their interest in participating in clinical trials in accordance with their experience, specialty, availability, and other factors. Investigators selected to conduct clinical trials may also be required to provide additional information to facilitate reimbursement for their participation in clinical trials.
- Personal data of job applicants processed by PSI to enable screening, selection and hiring of candidates and communication with them.
- Personal data of employees to manage payroll and benefits, make decisions regarding employment (promotion, salary reviews, discipline), and for other human resource administration and management purposes.
- Personal data of potential customers processed by PSI to enable prompt responses to requests for information.
Prior to processing personal data, PSI will provide notice to data subjects in clear and conspicuous language. Depending on the type of data processing, notice may be given in person, by e-mail, post, or telephone, as well as posted on the PSI Website.
Categories of personal data collected for one of the purposes described in the previous section include contact information, company information and job application information. For example, name, address, phone number, e-mail address, company name, position, resume, desired compensation, names of employees’ dependents (for employee benefit administration purposes) and/or “cookie” information may be collected for processing external requests.
Sensitive personal data is defined under local data privacy law, and includes information relating to a data subject’s racial or ethnic origin, nationality, political opinion, religious and philosophical beliefs or other beliefs of a similar nature, membership of a trade union, physical or mental health conditions, biometric or genetic data, sex or sexual life, commission or alleged commission of any offense or any proceedings for any offense committed or alleged to have been committed by a data subject, the disposal of such proceedings or the sentence of any court in such proceedings. PSI generally does not collect sensitive personal data.
Every effort is made to ensure that the information is accurate and current, and all communications with individuals provide easy means of validating, correcting, and updating data.
Rights Of Data Subjects
All processing of personal data is done by consent, for the purposes listed above, and under the supervision of PSI, the data controller. Individuals have the right to:
- Have their personal data processed only for the purpose for which it was collected.
- Have their personal data retained by PSI for as long as it is required by law, or as is relevant for the purposes for which it was collected.
- Gain access to their personal data.
- Obtain copies of the records reflecting their personal data to the extent required under applicable law.
- Request correction or update of their personal data.
- Prevent processing of their data for direct marketing or any other purposes not stated in the notice.
- Withdraw consent to allow processing of their data.
PSI employs reasonable organizational, physical, administrative and technical safeguards to protect personal information in its possession from loss, misuse and unauthorized access, disclosure, alteration, and destruction. For personal information subject to electronic storage or transmission, PSI maintains a secure network that is protected from computer virus infection and monitored for unauthorized access. Both electronic and paper-based records holding personal information are maintained in access-controlled facilities.
Release And Transfer Of Data
To the extent necessary, personal information provided to PSI may be made available to the company, all its subsidiaries and, occasionally, entities employed as subcontractors of PSI. Access to personal data and equipment is at all times restricted to appropriately trained and duly authorized staff who have a business need to know the data.
PSI will not trade or sell any personal information. PSI will not release, share, or transfer any personal information for use by any entity outside PSI without the prior consent of the data subject or in a form other than what was disclosed to the data subject at the time the information was collected, unless permitted or required by law.
Under some circumstances PSI may be required to release personal information to law enforcement agencies or judicial authorities.
Companies working as subcontractors of PSI, as well as PSI customers, are required to sign confidentiality agreements or provide other contractual assurance agreeing to handle all personal data, if disclosed to these entities for legitimate reasons, with due care and in accordance with applicable laws, and/or confirm that they have certified as being in compliance with the Safe Harbor Principles.
Transfer Of Personal Data
PSI gives data subjects the opportunity to choose not to have their personal data transferred to third parties for use in a manner incompatible with the purpose for which it was originally collected. An employee may not opt out of the transfer of his or her personal data which is transferred by PSI to a third party for the purpose of (1) meeting applicable legal requirements or (2) permitting the legitimate interests of PSI in making promotions, appointments, or other employment decisions. For sensitive personal data (which might include race, gender, religion, medical information, etc.), explicit (opt in) choice is sought if the information is to be disclosed to a third party for use in a manner incompatible with the purpose for which it was collected.
Third Party Websites
Cookies And IP Addresses
A “cookie” is a piece of data stored on the hard drive of a computer connected to the Internet. PSI enables temporary cookies (also known as session only cookies) to allow site visitors to easily move from one interactive feature to another, offering visitors a better experience while navigating the PSI Website. However, use of a cookie does not link to or reveal personally identifiable information while on the PSI Website, unless the individual explicitly provides that information to PSI. Furthermore, the cookie will expire after a short period of time and will automatically be removed completely when the Internet browser is closed.
PSI receives IP addresses in the normal course of the operation of the Website. An IP address is a number assigned to each user by the Internet service provider so one can access the Internet. PSI does not use IP addresses to personally identify individuals or disclose them to others.
Children's Privacy Protection
PSI does not collect or keep information from its Website from individuals known to be underage. No part of the PSI Website is designed or structured to attract children.
PSI has provided its employees with appropriate training to ensure that all those who process and/or have access to personal data as part of their regular job functions are fully aware of their individual responsibilities and of management’s objectives with respect to the protection of privacy.
Inquiries, Complaints And Access Requests
All inquiries and complaints, as well as individuals’ requests for accessing their data, should be forwarded electronically for action or response at firstname.lastname@example.org.
Using reasonable effort, PSI will promptly respond to any queries or complaints regarding the protection of privacy. If a complaint, access request or inquiry is not resolved to the data subject’s satisfaction, he/she may report the complaint to the U.S. Federal Trade Commission (“FTC”) or the applicable EU Data Protection Authority (“DPA”). PSI will cooperate with the DPA in investigation and resolution of any complaints brought under this Policy.
PSI reserves the right to modify or amend this Policy. For instance, this Policy may need to be changed as new privacy legislation is introduced or as existing regulations are amended. Changes to this Policy will be posted on the PSI Website.
Copies of this Policy may be printed from psi-cro.com. Additional information about the Safe Harbor principles and certification process can be found at http://www.export.gov/safeharbor.
The Policy was last modified on 30 August 2011.