Clause 6: Data Protection Clause Samples

Clause 6: Data Protection. The mCTA includes general provisions related to compliance with the relevant data protection laws. It is noted that in addition to compliance with legislation, Sponsors (and CROs) are also required to comply with NHS specific data protection guidance. Oversight of this compliance is provided through the clinical trials approval process which includes a review of the mechanisms for protecting personal data. It is noted that in order for personal data to be collected and processed, the legal basis for such collection must be established. With respect to the personal data of the Principal Investigator and any Sub-Investigators, the collection and processing of personal data is often based on the consent of each individual. The mCTA determines a clear principle that it is the responsibility of the Sponsor (or CRO, as applicable) to collect the consent of the Principal Investigator and all Sub-Investigators participating in the Clinical Trial. Sponsors (and CROs) are strongly encouraged to use the Clinical Trial delegation log to collect consent from the Principal Investigator and Sub- Investigators for the processing of their personal data. General guidance with respect to the consent process is set out in the Schedule to this Guidance. While acknowledging the responsibility of the Sponsor (or CRO) to obtain consent from the Principal Investigator and all Sub-Investigators, both the Sponsor (and CRO, where applicable) and the representatives of the Participating Organisation are encouraged to take a practical approach and to provide mutual assistance to facilitate the consent process. A failure to obtain consent in a timely manner can result in delays to the start of a Clinical Trial. A Sponsor or CRO request to assist in obtaining a signed form from someone who is on annual leave would be reasonable. Requesting that the representatives of the Participating Organisation take responsibility for collating all signatures would not be reasonable, as this is burdensome and takes NHS staff away from their day to day duties.
View Source
Clause 6: Data Protection. The mCTAs include general provisions related to compliance with the relevant data protection laws and guidance. The definition of the term “Data Protection Laws and Guidance” includes “legally enforceable NHS requirements, Codes of Practice or Guidance issued by the Information Commissioner’s Office, in each case in force from time to time in England, Northern Ireland, Scotland and/or Wales”. Oversight of this compliance is provided through the clinical trials approval process, which includes a review of the mechanisms for protecting personal data. Clause 6 is explicitly concerned with Personal Data as defined in the agreement, that is, only personal data of Clinical Trial Subjects, or potential Clinical Trial Subjects. The Personal Data of the Principal Investigator or Personnel are not dealt with in the template and requests to modify the template to change this will not be accepted. Sponsors are encouraged to fulfil their transparency obligations for processing the personal data of the PI and Personnel via their signature and delegation log, as per the example provided in IRAS. Clause 6.2, when taken together with the clinical trial protocol, constitutes a GDPR Article 28(3) compliant data processing agreement between Sponsor, as controller of Personal Data processed for the purpose of the clinical trial, and the Participating Organisation, as processor of the Sponsor for this purpose. (a) explicitly references GDPR Article 28(1) and gives “obligations as an NHS organisation” as the guarantee that the sponsor should take in accordance with 28(1). NHS organisations are held to high standards of data protection in each of the four UK nations. Sponsors should therefore take assurance that the measures taken by the NHS are appropriate when relying upon existing NHS processes, systems, etc. for the processing of personal data (as opposed to when study specific provisions are required by the sponsor, such as Electronic Case Report Forms (eCRF), where the requirements of the sponsor should be clearly set out in, for example, the protocol, eCRF manual or other relevant document).
View Source
Clause 6: Data Protection. The mCTAs include general provisions related to compliance with the relevant data protection laws and guidance. It is noted that in addition to compliance with legislation, Sponsors (and CROs) are also required to comply with NHS-specific data protection guidance. Oversight of this compliance is provided through the clinical trials approval process which includes a review of the mechanisms for protecting personal data. Clause 6.2 constitutes a GDPR Article 28(3)-compliant data processing agreement between Sponsor, as controller of Personal Data processed for the purpose of the clinical trial, and the Participating Organisation, as processor of the Sponsor for this purpose. Clause 6.2.6 should set out the position of the Sponsor on the use of Participant Identification Centres (PICs) in the clinical trial and, where their use is permitted, whether the Participating Organisation may engage PICs under the general written authorisation of the agreement or only with specific written authorisation from, or on behalf of, the Sponsor. Clause 6.3 provides for the sharing of Personal Data and or the pseudonymised data of data subjects and provides the Participating Organisation with assurances as to safeguards enacted by, and/or on behalf of, the Sponsor to protect this data and handle it in an appropriate manner.
View Source

Related to Clause 6: Data Protection

  • Data Protection All personal data contained in the agreement shall be processed in accordance with Regulation (EC) No 45/2001 of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data by the EU institutions and bodies and on the free movement of such data. Such data shall be processed solely in connection with the implementation and follow-up of the agreement by the sending institution, the National Agency and the European Commission, without prejudice to the possibility of passing the data to the bodies responsible for inspection and audit in accordance with EU legislation (Court of Auditors or European Antifraud Office (▇▇▇▇)). The participant may, on written request, gain access to his personal data and correct any information that is inaccurate or incomplete. He/she should address any questions regarding the processing of his/her personal data to the sending institution and/or the National Agency. The participant may lodge a complaint against the processing of his personal data with the [national supervising body for data protection] with regard to the use of these data by the sending institution, the National Agency, or to the European Data Protection Supervisor with regard to the use of the data by the European Commission.

  • Cybersecurity; Data Protection To the Company’s knowledge, the Company and its subsidiaries’ information technology assets and equipment, computers, systems, networks, hardware, software, websites, applications, and databases (collectively, “IT Systems”) are adequate for, and operate and perform in all material respects as required in connection with the operation of the business of the Company and its subsidiaries as currently conducted, free and clear of all material bugs, errors, defects, Trojan horses, time bombs, malware and other corruptants. The Company and its subsidiaries have implemented and maintained commercially reasonable controls, policies, procedures, and safeguards to maintain and protect their material confidential information and the integrity, continuous operation, redundancy and security of all IT Systems and data (including all personal, personally identifiable, sensitive, confidential or regulated data (collectively, the “Personal Data”)) used in connection with their businesses, and there have been no breaches, violations, outages or unauthorized uses of or accesses to same, except for those that have been remedied without cost or liability or the duty to notify any other person, nor any incidents under internal review or investigations relating to the same, except in each case as would not reasonably be expected to have a Material Adverse Effect. The Company and its subsidiaries are presently in material compliance with all applicable laws or statutes and all judgments, orders, rules and regulations of any court or arbitrator or governmental or regulatory authority, internal policies and contractual obligations relating to the privacy and security of IT Systems and Personal Data and to the protection of such IT Systems and Personal Data from unauthorized use, access, misappropriation or modification.

  • PERSONAL DATA PROTECTION ACT 7.1. PAH is committed to protecting the privacy, confidentiality and security of all personal data to which it is entrusted. It has been our policy to ensure your personal information are protected. With the introduction of the Malaysian Personal Data Protection Act 2010 ("PDPA"), we are even committed to ensure the privacy and confidentiality and security of all personal data are protected in line with the PDPA. We process personal data which you have provided to us voluntarily through our website upon your registration and this includes personal data such as your name, address, NRIC and contact details. In this regards, you have expressly consent to our processing of your personal data. If you give us personal data or information about another person, you must first confirm that he/she has appointed you to act for him/her, to consent to the processing of his/her personal data and to receive on his/her behalf any data protection notices. We may request your assistance to procure the consent of such persons whose personal data is provided by you to us and you agree to do so. You shall indemnify us in the event we suffer loss and damage as a result of your failure to comply with the same. We will only retain your personal data for as long as necessary for the fulfilment of the specified purposes or as legislated 7.2. E-Bidders shall be responsible for the confidentiality and use of password and not to reveal the password to anyone at any time and under any circumstances whether intentionally or unintentionally. 7.3. E-Bidders agree to comply with all the security measures related to safety of the password or generally in respect of the use of the service. In the event that the password is compromised, the E-Bidders shall immediately notify PAH.

  • PERSONAL DATA PROTECTION 7.1 By accessing ESZAM AUCTIONEER SDN BHD website, the E-Bidders acknowledge and agree that ESZAM AUCTIONEER SDN BHD website may collect, retain, or disclose the E-Bidder’s information or any information by the e-bidders for the effectiveness of services, and the collected, retained or disclosed information shall comply with Personal Data Protection Act 2010 and any regulations, laws or rules applicable from time to time. 7.2 ESZAM AUCTIONEER SDN BHD will process E-bidder personal data such as name, address, NRIC and contact number for registration and E-bidding purposes. E-bidders shall be responsible for the username and password of eZ2Bid and not to reveal the password to anyone. 7.3 E-bidders agree to accept all associated risks when using the service in the ESZAM AUCTIONEER SDN BHD website and shall not make any claim for any unauthorized access or any consequential loss or damages suffered. 7.4 E-bidders shall be responsible for the confidentiality and the use of password and not to reveal the password to anyone at any time and under any circumstances, whether intentionally or unintentionally. 7.5 E-bidders agree to comply with all the security measures related to safety of the password or generally in respect of the use of the service. 7.6 E-bidders accept the responsibility that in any event that the password is in the possession of any other person whether intentionally or unintentionally, the E-Bidders shall take precautionary steps for the disclosure, discovery, or the Bidders shall immediately notify ESZAM AUCTIONEER SDN BHD

  • Data Protection Act 7.1 With respect to the parties' rights and obligations under this Contract, the parties agree that the Department is the Data Controller and that the Contractor is the Data Processor. 7.2 The Contractor shall: 7.2.1 Process the Personal Data only in accordance with instructions from the Department (which may be specific instructions or instructions of a general nature as set out in this Contract or as otherwise notified by the Department to the Contractor during the Term); 7.2.2 Process the Personal Data only to the extent, and in such manner, as is necessary for the provision of the Services or as is required by Law or any Regulatory Body; 7.2.3 The Contractor shall employ appropriate organisational, operational and technological processes and procedures to keep the Personal Data safe from unauthorised use or access, loss, destruction, theft or disclosure. The organisational, operational and technological processes and procedures adopted are required to comply with the requirements of ISO/IEC 27001 as appropriate to the services being provided to the Department; 7.2.4 Take reasonable steps to ensure the reliability of any Contractor Personnel who have access to the Personal Data; 7.2.5 Obtain prior written consent from the Department in order to transfer the Personal Data to any Sub-contractors or Affiliates for the provision of the Services; 7.2.6 Ensure that all Contractor Personnel required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this clause 7; 7.2.7 Ensure that none of Contractor Personnel publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Department; 7.2.8 Notify the Department within five Working Days if it receives: a request from a Data Subject to have access to that person's Personal Data; or a complaint or request relating to the Department's obligations under the Data Protection Legislation; 7.2.9 Provide the Department with full cooperation and assistance in relation to any complaint or request made, including by: - providing the Department with full details of the complaint or request; - complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with the Department's instructions; - providing the Department with any Personal Data it holds in relation to a Data Subject (within the timescales required by the Department); and - providing the Department with any information requested by the Department; 7.2.10 Permit the Department or the Department’s Representative (subject to reasonable and appropriate confidentiality undertakings), to inspect and audit the Contractor's data Processing activities (and/or those of its agents, subsidiaries and Sub-contractors) and comply with all reasonable requests or directions by the Department to enable the Department to verify and/or procure that the Contractor is in full compliance with its obligations under this Contract; 7.2.11 Provide a written description of the technical and organisational methods employed by the Contractor for processing Personal Data (within the timescales required by the Department) to be used solely for the purposes of this contract and provided that to do so would not be in breach of the Intellectual Property Rights (including Copyright) of a third party; and 7.2.12 Not process Personal Data outside the European Economic Area without the prior written consent of the Department and, where the Department consents to a transfer, to comply with: - the obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 by providing -an adequate level of protection to any Personal Data that is transferred; and - any reasonable instructions notified to it by the Department. 7.3 The Contractor shall comply at all times with the Data Protection Legislation and shall not perform its obligations under this Contract in such a way as to cause the Department to breach any of its applicable obligations under the Data Protection Legislation.