App & Patient Portal Privacy Notice
Cisiv Limited, a limited liability company located at 12th Floor, CI Tower, St George`s Square, New Malden, KT3 4HG, United Kingdom, hereinafter referred to as “Cisiv”.
Cisiv Ltd (“Cisiv“) respects your right to privacy. This Privacy Notice explains who we are, how we collect, share and use personal information about you, and how you can exercise your privacy rights. This Privacy Notice only applies to personal information that we collect through your use of our app, Baseline Patient (“App“) and Web Portal (“Portal”), hereinafter both referred to as Application.
For information on the collection of personal information via our website, please see our website privacy notice above.
About us and our Application
Cisiv provides this Application (as a supplement to our Baseline Plus technology) to support research into licensed medicines that happen after approval of a drug. Our Application can only be used by patients who are participating in a post-approval study. It provides the opportunity for patients to input their own health information in order to contribute to the study.
Your doctor will ask you if you wish to participate and will give you a unique registration code which will allow you to download and register on the Application
What information does Cisiv collect via our Application
Cisiv complies with the principle of minimisation: we collect only the personal data that is needed.
- Information you provide during the registration process
When you register to use our Application, we will collect your registration code given to you by your doctor as well as your name and email address. We will ask you to choose a unique password. We will also be able to identify which study you are participating in based on your registration code.
- Information we collect automatically
When you use our Application, we may automatically collect device-related information, such as your device’s unique ID, performance data and configuration data (such as crash logs) to assess the use and performance of our Application and other aggregate or statistical information related to your usage of the Application.
- Information specific to our Application, including that provided during your use of the Application
When you use our Application, we will also collect any information you input into the Application on behalf of our customer in response to the post-approval study questions. This information will include current health information and information about your adherence to the regime prescribed by your doctor. You may also be asked to input demographic information as part of the study. We carry out analytics on the data you provide in order to share charts and statistics with you based on your own data.
What do we use this information for?
We collect registration data in order to allow you to use the Application. The purpose of this personal data processing is to conduct medical research. Refer to the Informed Consent Form (ICF) or your doctor for the precise purpose of the personal data processing.
We collect and store other information on behalf of the pharmaceutical company carrying out the post-approval study (our customer) as part of our Baseline Plus service, providing statistical analysis to users of their own data and for any other purposes as instructed by our customer. We act as a processor for our customers and do not use the health data you provide with respect to the post-approval study for our own purposes.
We may also use your contact information to send you service or application-related announcements, trouble shooting and technical support. In addition, any data we collect automatically we may use for product performance or improvement purposes.
Legal basis for processing
As you may know, under data protection law, personal data can only be collected, used or otherwise processed if this is permitted by law (this is sometimes called a “legal basis”) and there is an obligation to tell individuals what these legal bases are for each processing activity. In relation to most of the personal data collected through the Application, where that is processed for your doctor or the study sponsor / pharmaceutical company, it will be your doctor, or the pharmaceutical company, that are responsible for providing you with information about their legal bases for collecting and using the data as part of the relevant post-approval study. You will have been asked for your informed consent with respect to the collection and sharing of personal data. You can withdraw your consent at any time, without reason. The withdrawal of your consent will not affect the validity of any processing carried out prior to your withdrawal.
Cisiv is known as the Data Processor for your healthcare data and processes your personal data on the instructions of SPONSOR known as the Data Controller.
We are responsible (the “controller”) for some of the data collected; namely, registration data and certain information we collect automatically. In relation to registration data, we collect this in order to allow you to use the Application (this is “performance of a contract”).
Where we collect information from your device automatically, or where we use your contact details to provide you with technical support we do so in reliance on our legitimate interests. These interests are to operate our Application effectively and to communicate with you as necessary to provide you with support, and for our legitimate commercial interest to improve our Application.
Your personal data might be reused by SPONSOR for medical research for a similar purpose. Refer to the informed consent form or your doctor for the potential reuse of your personal data.
Sharing your personal data
Your personal data will be shared with the SPONSOR.
Your data will be stored with our hosting provider based in Ireland and Netherlands that we have carefully selected. Such external company is bound by contract to comply with the data privacy laws mentioned above and is acting as a Data Sub-Processor. Your data is encrypted to prevent the hosting provider from accessing the data.
We may share your contact information or technical information obtained automatically from your device with our third party service providers in order to provide technical support with respect to the Application.
In addition, we may be required to disclose information to the following categories of recipients:
- to the clinical site, a Contract Research Organisation, monitoring CRAs appointed by the sponsor, by auditors, or by inspectors from local authorities.
- to any law enforcement body, regulatory, government agency, court or other third party, where we believe disclosure is necessary (i) as a matter of applicable law or regulation, (ii) to exercise, establish or defend our legal rights, or (iii) to protect your vital interests or those of any other person;
- to any actual or potential buyer (and its agents and advisors) in connection with any actual or proposed purchase, merger or acquisition of any part of our business, provided we inform the buyer it must use your personal information only for the purposes disclosed in this Privacy Notice;
- to any other person with your consent to the disclosure.
Your personal information is transferred to or processed and stored in the EU, the UK and other countries where our third party service providers and partners are located, including the U.S.. Any transfer between these countries will be in accordance with applicable law and, where required, we have taken appropriate safeguards to require that your personal data will remain protected. You can obtain a copy of such safeguards by contacting the Data Protection Officer of Cisiv, see contact details below.
Cisiv understands the importance of protecting the personal information we store on behalf of our customers and has an ISO 27001 certification. We implement technical and organizational measures to protect your personal information including through use of encryption.
We will retain your personal information for the period necessary to fulfill the purposes outlined in this Privacy Notice and in accordance with the instructions of our customer, unless a longer period is required or permitted by applicable law.
Your data protection rights
For all information you provide relating to the post-approval study, the relevant pharmaceutical company (our customer) will be the controller of this information and you will need to contact them directly or through your doctor if you wish to exercise any of your data protection rights. We will then assist our customer with such requests where possible and in accordance with our contractual agreement with them.
Where you wish to exercise any of your data protection rights (access, rectification, portability, erasure or restriction, as well as any withdrawal of consent) in relation to your Application “account” or any of the technical information we obtain from your device, you can contact us directly using the contact information below. You also have a right to complain to the Information Commissioner’s Office.
Updates to this Privacy Notice
We may update this Privacy Notice from time to time to ensure it is up to date with applicable law and any developments of the Application itself. When we update our Privacy Notice, we will take appropriate measures to inform you, consistent with the significance of the changes we make. You can see when the Privacy Notice was last updated by checking the “Last Updated” date at the top of this Privacy Notice.
As explained above, generally your doctor or the pharmaceutical company conducting the post-approval trial will be your main point of contact. However, if you have any questions or concerns about our processing of your personal information, please do contact our Data Protection Officer by email at firstname.lastname@example.org or by post mail at DE-Q2C Ltd, Data Protection Officer for Cisiv, 6 Edison Village, Nottingham Science & Technology Park, Nottingham, United Kingdom, NG7 2RF.
The EU Data Protection representative for Cisiv is Mr Nikolay Kirilov, 105 D Tcherkovna Str., 3rd floor, ap. 12, 1111 Sofia, Bulgaria.
Refer to the informed consent form or your physician for the name and postal address of the Sponsor, and also its Data Protection Representatives in the EU and in the UK if relevant and how to contact its Data Protection Officer.