PRIVACY notice FOR CMT&ME APP
Pharnext SA ("Pharnext"), based in France, is sponsoring an international observational study (the "study") of patients living with type 1A ("CMT-1A") Charcot-Marie-Tooth disease ("CMT"). In order to facilitate the study, Pharnext has appointed Vitaccess Limited ("Vitaccess", "we" or "us"), in particular to provide a technology platform, and the 'CMT&Me' application to be used by participants involved in the study (the "app"). The protocol for the study has been approved by a duly constituted body, Salus IRB (www.salusirb.com) in accordance with best practice for ethics reviews.
As at the date of this notice, Pharnext and Vitaccess are both subject to the European Union General Data Protection Regulation 2016/679 ("GDPR") in their access and/or use of your personal data. In implementing the study on behalf of Pharnext, Vitaccess will collect, store and analyse personal data of participants as a subcontractor of Pharnext.
Pursuant to the GDPR, as Pharnext is the sponsor of the study determining the purposes for which and means by which the personal data is processed, Pharnext is a data controller of participant data. Vitaccess is acting solely as the data processor in relation to the services being carried out for Pharnext. Pharnext has funded the development and management of the App for the purposes of the study and hopes to publish aggregated data from this study and present it at scientific meetings. Because of the sensitivity of the personal data collected via the App, Pharnext does not itself receive that personal data and has requested Vitaccess to determine and implement measures to comply with that purpose. In particular, personal data collected by the App is anonymised and aggregated by Vitaccess to inform the statistical analysis performed by Pharnext as part of the study. In addition, the Scientific Advisory Board has been established as an independent body to protect participants’ interests and provide advice on research related requests to access the data provided by the study database.
This notice provides information to participants (referred to as "you") about how and why we use your personal data in relation to our services to Pharnext.
We may update this notice from time to time. It was last updated on 8 October 2018.
The following summarises key points within this notice. For more detail on any particular matter, please refer to the later sections as indicated.
(a) Pharnext controls the use of your data for the purposes of the study, and therefore has primary responsibility for use of your data as part of the study, including ensuring that you are aware of how both Pharnext and Vitaccess use your personal data. Vitaccess processes your personal data on behalf of Pharnext, and provides this notice to assist Pharnext with its responsibilities. See section 2.
(b) Vitaccess has appointed a data protection officer (contactable at: firstname.lastname@example.org), who is responsible for overseeing use of personal data by us within the study and compliance with applicable laws. See section 2.
(c) We use your personal data in order to operate the study and provide the app on behalf of Pharnext, to provide you with app features, and to assist Pharnext in managing its relationship with you. In limited circumstances, we may use your data to protect our own business interests. See section 3.
(d) The personal data we use includes sensitive details, including health information relating to your condition (which we need in order for you to participate in the study), and your ethnic origin (which is useful for the study to understand how CMT varies by ethnicity). See section 3.7.
(e) Our app's features also allow you to upload other information, such as documents and audio recordings. Please inform other relevant individuals before you upload information relating to them (such as recordings of their voice). See section 3.3.
(f) You may choose to share some of your data with other participants in the study as part of some future app features, and should review and set your options for doing this. Similarly, other participants may choose to share some of their data with you. Please respect the privacy of other participants and the confidentiality and sensitivity of their data. See sections 3.3 and 4.8.
(g) Pharnext, as the controller of your data, could have access to your personal data for the purposes of the study, and is responsible for determining the purposes for which it may be used. However, Pharnext is generally relying on Vitaccess to handle your personal data on its behalf, and seeks to use aggregated and pseudonymised data for its research purposes, and for use in presentations and publications. See sections 2.2, 3.2 and 4.1.
(h) Salus IRB and other accrediting agencies may inspect and study findings and the procedures we have followed, which may include access to your personal data. The Scientific Advisory Board and the study investigator may also access your personal data for the purposes of the study, though this will usually be in a form from which he cannot identify you personally. See sections 4.2 to 4.4.
(i) Your data will be aggregated and anonymised before it is shared with researchers or other subscribers to the research portal for the study, or used in presentations or publications. See section 4.5.
(j) We seek your specific consent (on behalf of Pharnext) to most of our uses of your personal data in accordance with data protection and ethics requirements. However, some records are kept for other legitimate interests or legal requirements. See section 5.
(k) As the study is an international project, your data may be transferred to a different country to that in which you are based. This includes transfers to Pharnext in France, to Vitaccess in the UK, to Salus IRB in the United States, which is outside the European Economic Area, and to the systems of Vitaccess's technology providers (which are located within the US, the UK and the European Union). See section 6.
(l) You have certain rights in relation to our use of your data, including the right to obtain a copy of the data held by us (on behalf of Pharnext). Requests should be made to Pharnext. See section 9.
The remainder of this notice is set out in the following sections:
2. About Vitaccess and Pharnext
3. What data we collect and how we use it
4. Sharing your data and relationships with other parties
5. Consents and legal basis for use of your data
6. International data transfers
7. Retaining your information
8. Security of your data
9. Your legal rights, including your right to access a copy of the data held about you
10. Vitaccess and Pharnext contact details
2. ABOUT VITACCESS AND PHARNEXT
Vitaccess Limited is a company registered in England and Wales with company number 10642948. We act as a processor on behalf of Pharnext in our collection and use of your personal data for the purposes of the study, meaning that we act on Pharnext's instructions in our collection and use of your data using our app and technology. In limited circumstances, we may act as a controller and ourselves determine how your personal data is used – see section 3.3 below.
Vitaccess is located in the United Kingdom, and is therefore subject to the GDPR and associated UK data protection laws in relation to its use of your personal data in the context of our activities in providing the app and associated technology for the study.
We have appointed a data protection officer, who is responsible for overseeing use of personal data by Vitaccess. You may contact the data protection officer with queries or concerns about our use of your data (though your primary contact in relation to the study and your data should be with Pharnext).
Contact details for Vitaccess are set out at section 10 below.
Pharnext SA is a company incorporated in France with company number 498 098 425 and address at Immeuble Vivaldi, 11-13 rue René Jacques, 92130 Issy Les Moulineaux, France. It acts as a controller for the purposes of data protection laws, meaning that it determines how and why your data is to be collected and used by Vitaccess, and instructs Vitaccess accordingly. It is also responsible for determining any additional purposes or way in which your personal data may be used (outside the scope of Vitaccess's activities) – please contact Pharnext for further information about this.
Pharnext is located in France and is therefore subject to the GDPR and associated French data protection laws in its use of your personal data in the context of Vitaccess's activities as described in this notice.
The data protection laws of the country in which you are located may also apply in some circumstances. Please contact Pharnext for more information about the specific laws which apply to its use of your personal data.
Contact details for Pharnext are set out at section 10 below.
2.3. Scope of this notice
Vitaccess is providing this privacy notice to assist Pharnext with its responsibilities to make you aware of how your personal data is used by us for the purposes of the study (using our app and associated technology).
3. WHAT DATA WE COLLECT AND HOW WE USE IT
3.1. Installation of the app, eligibility and registration
Installation of the app, eligibility and registration
You may download the app from Android or iOS app stores in response to an email from a CMT patient support group in your country, an invitation or recommendation from a study participant (see section 3.5 below), by seeing marketing materials about the study (e.g. on social media) or word of mouth.
When you install the app, you will be asked to register with us and provide us with information to enable us to assess your eligibility for participation in the study, including to check that you are over 18 a genuine CMT patient. The information we collect for these purposes include:
Your name and contact details, which we use to contact you in relation to the study (by email).
Date of birth.
Information about your condition, including type of CMT.
Once you have completed this information, if you have entered valid details, we will send you a username and password for the app by email. We will also assign you with a respondent ID, which we will use for the purposes of administering your use of the app and the information you provide. If you have not provided valid details or are not eligible to participate (which we may assess before or after the username and password have been sent), we will let you know, and will remove your details from our systems within a reasonable period – see section 7 below.
We conduct surveys using the app, to assist with the study and aimed at understanding participants living with CMT, and investigating symptoms and health-related quality of life in the real-world setting.
You will first be asked to answer some background questions requesting further information about you, such as demographics, diagnosis (including CMT sub-type) and treatment.
The information you provide will be used to create your profile within the app (together with information provided at the eligibility stage – see section 3.1 above). Approximately every six months, we will ask you to update the information that may have changed.
You may then complete the surveys, which involve collecting detailed information about how CMT impacts your daily life, for the purposes of the study.
Your data (including background information and responses to surveys) will be transferred into a database for the purposes of the study, where it will be analysed by Vitaccess on behalf of Pharnext. The data in the database will be pseudonymised, meaning that identifying information will be removed from that dataset but we will separately have access to a key which allows us to re-identify you if needed. Pharnext only intends this key to be used in exceptional circumstances, for example if a clinician has identified a health risk for particular patients arising from the study, and would like to contact you personally to discuss this risk.
The Study Investigator and Salus IRB will also have access to this pseudonymised data where needed to perform their role for the purposes of the study. See section 4 below for more information about these parties.
Aggregated and anonymised data sets drawn from the database may be shared with other parties for research purposes using a research portal – see section 4.5 below.
In the event of your death, the data that have been collected continue to be important, and will remain in the central database.
The app may provide you with some condition management features ("CMFs"), such as daily symptom diary, and a knowledge base.
If you use these CMFs, we will therefore also collect and store additional information about you, including information that you provide, and information that we create as part of these features. These are used to provide you with the relevant CMFs.
If you decide to provide information or content which identifies another individual (such as audio records or scans which identify your doctor), please inform that other individual that you are doing so.
Additional features may be added in later versions of the app, which may allow you to display or share some of your personal data with other participants in the study or users of the app. We shall seek your consent before data is displayed or shared in this way, and you should regularly review and set your sharing options within these features. Similarly, other participants in the study may choose to display or share with you some of their personal data. To the extent you view or receive information about other participants or users of the app, please respect the privacy of such individuals and the confidentiality and sensitivity of their data.
Note that if you choose to share data or communicate with other participants or users using systems outside of our app and our platform (such as by email), neither Pharnext nor we have control over such other systems (including their security). See also section 4.8 below.
We may also use metadata about your use of the CMFs (such as information about which features you use and how you use them) to explore possible trends and patterns which may provide further research opportunities. We seek to aggregate and anonymise such data for these purposes.
3.4. Communications about future studies
Subject to obtaining your consent, we may (on behalf of Pharnext) send you information about future studies being run by us or other parties.
3.5. Tell a Friend feature
Our 'Tell a Friend' feature invites you to provide us with another CMT patient's name and email address, for us to contact them to let them know about the study and the app. You must confirm that you have obtained that person's consent to us doing so before providing their details to us.
Your personal data may also be used by us on behalf of Pharnext:
to monitor your use of the app, in order to check that it is being used appropriately, and for the purposes of administration and maintenance of the app and our systems;
if instructed by Pharnext, to analyse your use of the app to improve app functionality, for example by measuring the response rates of the different surveys; and
to assist Pharnext in protecting or enforcing its legal rights, or complying with applicable laws (including data protection law).
Pharnext, as the controller, is responsible for determining any additional purposes for which your personal data may be used, outside the scope of Vitaccess's activities. You should contact Pharnext directly for more information about this – see contact details at section 10 below.
Vitaccess may, in limited circumstances, use your personal data as a controller for our own business purposes. These purposes include protection of our software and intellectual property (and other rights and responsibilities relation to the app and our technology), administering our technology and our relationship with Pharnext, and maintaining appropriate records relating to the same.
3.7. Special categories of data
The activities described above involve collection and use of sensitive categories of data, including as follows:
information about CMT and your condition is fundamental to the study, so is collected and used by us throughout the course of the study and the features provided to you; and
monitoring of our systems and/or other business records may involve or reveal information about criminal matters or other sensitive information.
4. SHARING YOUR DATA AND RELATIONSHIPS WITH OTHER PARTIES
Pharnext has funded the development and management of the App for the purposes of the study and hopes to publish aggregated data from this study and present it at scientific meetings. Because of the sensitivity of the personal data collected via the App, Pharnext does not itself receive that personal data and has requested Vitaccess to determine and implement measures to comply with that purpose. In particular, personal data collected by the App is anonymised and aggregated by Vitaccess to inform the statistical analysis performed by Pharnext as part of the study. In addition, the Scientific Advisory Board has been established as an independent body to protect participants’ interests and provide advice on research related requests to access the data provided by the study database. See further information about its controller status at section 2 above.
4.2. Scientific Advisory Board (“SAB”)
The SAB is an advisory body established to protect participants’ interests and provide advice on research related requests to access data provided by the database. As part of these activities, the SAB and its members may need to access and use participant data. Where this is needed, the SAB will generally only access and use the pseudonymised data from the database, meaning that identifying information will be removed from that dataset. However, we will separately have access to a key which allows us to re-identify you if needed. If the SAB need to contact you personally, they would obtain independent ethics approval to do so.
4.3. Salus IRB and other accrediting agencies
Salus IRB is the body which has approved the study for the purposes of ethics requirements. You may contact it at: email@example.com, if you would like to speak with someone unrelated to the study, have questions, concerns, or complaints regarding the study, or have questions about your rights as a research participant. If you do so, they will use your personal data to assist you with your query.
In addition, Salus IRB and/or (if authorised by Pharnext) other accrediting agencies may inspect and study findings and the procedures we have followed, which may contain your personal data (including your name or other identifying information) within them. This includes, for example, where it investigates any issues relating to misconduct, deviations from the protocol, conflicts of interest, safety issues or adverse events.
4.4. Study Investigator
The Study Investigator is Dr Mark Larkin. His role is to ensure the study is conducted properly and completed within the agreed period. The scope of data shared with the Study Investigator will be determined by Pharnext – please contact Pharnext for further information. He will generally only access and use pseudonymised data.
4.5. Users of the research portal, publications and presentations
Aggregated and anonymised information arising from the study (using your profile information and responses to the surveys) will be used to help researchers to understand what works and what does not, which will improve the treatments that are offered to patients in the future. Access to the research portal will be overseen by the SAB.
These details may also be presented at conferences and published in peer-reviewed journals by Pharnext – please contact Pharnext for further information about this.
4.6. Your clinical team
We do not share your personal data with your GP or clinical team, though you may choose to share with them your personal data within the app.
4.7. Our technology service providers
Our technology service providers may handle your data. They act as sub-processors on behalf of Pharnext (but appointed by us), meaning that Pharnext remains primarily responsible for how they use your data, and we pass on our responsibilities as a processor to such providers within our agreements and arrangements with them. Our providers (as at the date of this notice) provide platforms on which we store your data, and assist us (on behalf of Pharnext) to analyse and anonymise your data.
4.8. Other participants
As part of some CMFs which may be provided in later versions of the app, you may choose, using options within the app, to share some of your information with other participants in the study (see also section 3.3 above). The app may also facilitate you contacting other participants by email or otherwise outside the app and Vitaccess's platform.
Please contact Pharnext or us if you have concerns about the use of your data by other participants. However, note that, whilst we require other users to respect your privacy and the sensitivity of your data within the terms of our app, we do not control how other participants choose to use your data.
We also do not control use of data by third party systems separate to our app and our platform (such as your email). We do not control the security of such systems, and cannot access or remove any personal data which you share or communicate using them.
4.9. Other parties
We may also share your data, where instructed or authorised by Pharnext, with legal authorities or regulatory bodies. For example, other accredited agencies investigating matters reported to the appropriate conduct of this study.
We may share your data with other parties to the extent you have consented to Pharnext or us doing so, or where we or Pharnext are otherwise required or permitted by law to do so.
Pharnext, as the controller, is responsible for determining any additional disclosures of your personal data, outside the scope of Vitaccess's involvement. You should contact Pharnext directly for more information about this – see contact details at section 10 below.
5. CONSENTS AND LEGAL BASIS FOR USE OF YOUR DATA
In accordance with data protection laws, we are informing you of the legal basis for the collection, use and disclosure of your data, as described above. The following apply to our activities.
We collect, use and disclose your information for the purposes of the study and the features of the app with your consent (which is obtained for ethics as well as data protection reasons). The consents we seek (on behalf of Pharnext) include:
(a) Consent to Pharnext and us using your data to confirm your eligibility for the study and to register you for the app and the study – see section 3.2 above.
(b) Consent to use specific data types for the purposes of the study which we obtain by giving you the option whether or not to complete certain fields – see section 3.3 above.
(c) Consent to use of your data within your profile, from background questions and provided as part of surveys for the purposes of the study and for it to be transferred to the pseudonymised database. We will also seek to refresh this consent regularly; generally approximately every six months. See section 3.2 above.
(d) Consent to use of your data to provide you with condition management features. We will also seek to refresh this consent regularly; generally approximately every six months. See section 3.3 above.
(e) Consent to us sending you communications about other studies. See section 3.4 above.
(f) Consent to your data being shared with Salus IRB, the SAB and the Study Investigator, in accordance with section 4 above.
If you do not consent to your data being used for any specific activity (or withdraw any consent previously given) you may not be able to participate with that activity. So, for example:
your participation in the study using our app relies on your consent to use of your eligibility and background information for this purpose, and to the sharing of data with other parties involved in the study, as described above; and
your participation in any survey using our app relies on your consent to inclusion of your survey information in the study database.
However, some consents will not impact your ability to participate (though may affect your level of participation), including:
communications from us about other studies.
5.2. Legitimate interests
We collect, use and retain data (including your name, contact details and communications with you), on behalf of Pharnext, which is necessary for Pharnext's legitimate interests in providing the study and the app, for example to manage and administer Pharnext's relationship with you, to check you are using the app and participating in the study appropriately, to maintain records of communications, and to assist Pharnext in protecting or enforcing its legal rights and complying with applicable laws.
Where Vitaccess, in limited circumstances, uses your personal data as a controller for our own business purposes (see section 3.6 above), this is necessary our legitimate interests in protecting our rights (including intellectual property rights) and managing our responsibilities in relation to the app and our technology, and in administering our technology and our relationship with Pharnext.
5.3. Legal obligation
We may (on behalf of Pharnext or directly, where required) collect, use or disclose personal data as is necessary to comply with a legal obligation, such as where law enforcement authorities require us or Pharnext to do so, or to address rights of other individuals under data protection laws.
6. INTERNATIONAL DATA TRANSFERS
As the study is an international project, your data may be transferred to different countries to that in which you are based. This includes:
transfers to Pharnext in France;
transfers to Salus IRB in the United States, which is outside the European Economic Area. Pharnext is responsible for ensuring appropriate safeguards are in place to protect your data in relation to such transfers – please contact Pharnext for further information;
transfers to Vitaccess in the United Kingdom (which, at the date of this notice, is located within the European Union); and
transfers to Vitaccess's technology providers, whose data systems may be located either within the US, the UK or the European Union. As at the date of this notice, this includes technology providers within the United States who have self-certified with the EU-US Privacy Shield framework. Where other providers are based outside the UK or the European Union, we will check that safeguards are in place to protect your data to a similar standard as under UK law.
7. RETAINING YOUR INFORMATION
We will retain your personal data for as long as we are instructed by Pharnext to do so, for the relevant purposes specified above. Further information about retention periods is available on request (see contact details for Pharnext and us at section 10 below).
If you are discontinued or withdraw from the study after we have information about your profile or in response to other surveys, no new study data about you will be collected by Vitaccess. However, all your data that has been collected to date will remain within the study database. If you prefer that your data is removed from the study database, Vitaccess can be contacted using the contact details at section 10 below. Note that your information may still form part of aggregated and anonymised data sets which have already been collated and used for research purposes.
We may also continue to maintain records relating to you (such as your name, contact details, communications with you, and information about how you used the app):
for Pharnext's or our record-keeping purposes, including to comply with its or our legal obligations and to defend its or our legal rights; and
where requested by Pharnext, to assist with app improvement and development.
8. SECURITY OF YOUR DATA
You will be provided with a username and password to access surveys, and will have the chance to change your initial password within the app. We recommend you use a strong password of at least eight characters, including one upper and one lower case letter, and one number.
You are also advised to enable a password-protected screen lock from your device's Settings menu.
Your response to the questions within the app are encrypted before being sent to our systems (operated by us and our service providers – see section 4.7 above). Information within the study database is pseudonymised (see section 3.2 above).
If you would like any further information about our information security measures, please contact us or Pharnext using the contact details at section 10 below.
9. YOUR LEGAL RIGHTS
In accordance with data protection laws, you have a right:
to obtain a copy of the personal data we hold about you, together with other information about how we and Pharnext process it;
to withdraw any consent which you have given relating to our use of your data;
to request rectification of inaccurate or incomplete data, and, in some circumstances, to request Pharnext to erase or restrict our use of your data, or otherwise to object to the processing of your data for direct marketing purposes or for reasons relating to your particular situation;
to receive a copy (in a machine-readable format) of personal data which you have provided to us (otherwise known as the "right to data portability"), to the extent it is processed electronically based your consent (as described in section 5 above);
not to be subject to a decision based solely on automated processing, which significantly affects you, unless additional legal requirements are met; and
to make a complaint about how Pharnext or we handle your data to the French Commission Nationale de l'Informatique et des Libertés (CNIL) or the UK Information Commissioner's Office. Please visit www.cnil.fr or www.ico.org.uk for further information about how to do this.
Note that there are certain limitations and exemptions to these rights which may be applied depending on the circumstances.
Please contact Pharnext (see section 10 below) to make requests to exercise these rights (specifying what you are requesting), or if you would like further information about them.
10. VITACCESS CONTACT DETAILS
For general queries about the study: firstname.lastname@example.org
For data protection queries to Vitaccess:
Data protection officer
The Oxford Centre for Innovation
Oxford, OX1 1BY