Melanoma UK App Privacy Notice
Vitaccess Limited (“we” or “us”) is conducting a study into the impact of melanoma and drug treatment in the real world (the “study”), and has created the Melanoma UK application for participants in the study to use (the “app”). The protocol for the study has been approved by a duly constituted body, Salus IRB, in accordance with best practice for ethics reviews.
This notice provides information to participants (referred to as “you”) about how and why we use your personal data in relation to the study and the app.
We may update this notice from time to time. It was last updated on 22 June 2018.
The following summarises key points within this notice. For more detail on any particular matter, please refer to the later sections as indicated.
Vitaccess Limited controls the use of your data for the purposes of the study. We have appointed a data protection officer (contactable at: firstname.lastname@example.org), who is responsible for overseeing use of personal data by us. See section 2.
We may initially collect your contact details when you complete a survey indicating an interest in the study. We will also collect information about you (known as personal data) from your use of the app, including as part of registration, participation in surveys and use of condition management features. See section 3.
We use your personal data in order to operate the study, to provide you with app features, and to manage our business and our relationship with you. See section 3.
The personal data we use includes sensitive details, including health information relating to your condition (which we need in order for you to participate in the study), and your ethnic origin (which is useful for the study to understand how epidemiology varies by ethnicity). See section 3.7.
Our app’s features also allow you to upload other information, such as documents and audio recordings. Please inform other relevant individuals before you upload information relating to them (such as recordings of their voice). See section 3.4.
You may also see data about other participants in the study, which they will have consented to display in the relevant features. Please respect the confidentiality and privacy of other people’s data.
The study’s Principal Investigator, Melanoma UK, the Scientific Executive Board and Salus IRB may also access your personal data for the purposes of the study, though this will usually be in a form from which they cannot identify you personally. In exceptional circumstances (such as to protect your health or for ethics reviews), Melanoma UK, Salus IRB, clinicians or other appropriate parties may also use your contact details and other personal data (including health data and contact details). See sections 3.3 and 4.
Your data will be aggregated and anonymised before it is shared with researchers or other subscribers to the research portal for the study, or used in presentations or publications. See section 4.5.
We seek your specific consent to most of our uses of your personal data in accordance with data protection and ethics requirements. However, some records are kept for other legitimate interests or legal requirements. See section 5.
Our activities take place within the European Union but data will be transferred to countries outside the European Union under both the EU–US and Swiss–US Privacy Shield frameworks. See section 6.
You have certain rights in relation to our use of your data, including the right to obtain a copy of the data we hold, and to request that we do not use your data for direct marketing purposes. See section 9.
The remainder of this notice is set out in the following sections:
2. Who we are
3. What data we collect and how we use it
4. Sharing your information and our relationship with other parties
5. Consents and legal basis for use of your data
6. International data transfers
7. Retaining your information
8. Security of your data
9. Your legal rights, including your right to access a copy of the data we hold
10. Data Protection Officer contact details
2. WHO WE ARE
Vitaccess Limited is a company registered in England and Wales with company number 10642948. We are registered with the Information Commissioner’s Office (the UK data protection regulator) under number ZA251794 (although registration requirements are due to change in May 2018).
It is primarily us who will collect and use your personal data as part of this study, and we are the ‘controller’ for the purposes of data protection laws. This means we will determine how and why your data is collected and used. However, we are working in collaboration with Melanoma UK (“MUK”), and other parties are also involved with the study and use of your data – see section 4 below.
We have appointed a data protection officer, who is responsible for overseeing use of personal data by Vitaccess Limited. You may contact the data protection officer with any queries or concerns about our use of your data, and to exercise your data protection rights (see section 9 below). Contact details are set out at section 10 below.
3. WHAT DATA WE COLLECT AND HOW WE USE IT
Online survey and initial communication
You may complete an online survey about participation in the study (in response to MUK’s marketing of the study or otherwise). You may access this survey via a link on MUK’s website: melanomauk.org.uk/registry. The details we collect at this stage are: name and email address, gender, age range and stage of melanoma.
These details are used by us to send you an email inviting you to participate in the study, and for initial eligibility checks for the study. If you respond indicating that you do wish to participate, you will be invited to install the app. If we do not hear back from you, we may send you a reminder email.
If you respond indicating that you do not wish to participate or otherwise do not register for the app within one month, we will not contact you further about the study.
Installation of the app, eligibility and registration
When you install the app, you will be asked to register with us and provide us with information to enable us to assess your eligibility for participation in the study, including to check that you are over 18 and a genuine melanoma patient. The information we collect for these purposes includes:
Your name and contact details, which we use to contact you in relation to the study (by email or SMS).
Your NHS number
Date of birth
Information about your condition, including the type and stage of melanoma, your oncologist and the hospital you are treated at.
Once you have completed this information, if you have entered valid details, we will send you a username and password for the app by email. We will also assign you a respondent ID, which we will use for the purposes of administering your use of the app and the information you provide. If you have not provided valid details or are not eligible to participate (which we may assess before or after the username and password have been sent), we will let you know, and will remove your details from our systems within a reasonable period – see section 7 below.
We conduct surveys using the app to assist with the study. These are aimed at understanding more about participants living with melanoma, and at investigating adverse events, symptoms and health-related quality of life in the real-world setting.
You will first be asked to answer some background questions requesting further information about you, such as your general health (e.g. diet, smoking, alcohol intake, exercise), date of diagnosis, stage of disease and current treatment. They include a question about your ethnic origin (which is optional to complete) – your response will help us to better understand how epidemiology varies by ethnicity.
We will also ask you to designate a friend or family member to contact us in the event of your death – please check with this person that they are happy for us to hold their details.
The information you provide will be used to create your profile within the app (together with information provided at the eligibility stage – see section 3.2 above). Approximately every six months, we will ask you to update the information that may have changed.
You may then take part in a number of other surveys, which involve collecting detailed information about your health and condition, for the purposes of the study.
Your data (including profile information and responses to surveys) will be transferred into a digital registry for the purposes of the study. The data in the digital registry will be pseudonymised, meaning that identifying information will be removed from that dataset, but we will separately have access to a key which allows us to re-identify you if needed. We only intend to use this key in exceptional circumstances, for example if a clinician has identified a health risk for particular patients arising from the study, and would like to contact you personally to discuss this risk.
The Principal Investigator, MUK, the Scientific Executive Board and Salus IRB will also have access to this pseudonymised data where needed to perform their role for the purposes of the study. See section 4 below for more information about these parties.
Aggregated and anonymised data sets drawn from the digital registry may be shared with other parties for research purposes using a research portal – see section 4.5 below.
In the event of your death, the data that have been collected continue to be important, and will remain in the central registry. If provided by your designated friend or family member, we will also include the time and cause of death, as this information is also useful to researchers.
The app may provide you with some condition management features (“CMFs”), such as a daily symptom diary, and storing electronic documents.
If you use these CMFs, we will therefore also collect and store additional information about you, including information that you provide, and information that we create as part of these features. These are used to provide you with the relevant CMFs.
If you decide to provide information or content which identifies another individual (such as audio records or scans which identify your doctor), please inform that other individual that you are doing so.
In addition, we may use metadata about your use of the CMFs (such as information about which features you use and how you use them) to explore possible trends and patterns which may provide further research opportunities. We seek to aggregate and anonymise such data for these purposes.
Communications about future studies
Subject to obtaining your consent, we may send you information about future clinical trials or observational studies being run by us or other parties.
Your personal data may also be used by us (or third parties – see section 4 below):
to monitor your use of the app, in order to check that it is being used appropriately, and for the purposes of administration and maintenance of the app and our systems;
to analyse your use of the app to improve app functionality, for example by measuring the most accessed articles and checklist questions within the CMFs;
in exceptional circumstances, to contact you about activities or other matters which may benefit your health;
to maintain appropriate records of our business communications and transactions; and
to protect or enforce legal rights, or for other purposes permitted or required by law (including data protection law).
Sensitive personal data
The activities described above involve collection and use of sensitive categories of data, including as follows:
information about melanoma and your condition is fundamental to the study, so is collected and used by us throughout the course of the study and the features provided to you;
information revealing your racial or ethnic origin is collected in order to assist with the study – see section 3.3 above;
you may choose to provide us with additional information of a sensitive nature, for example when uploading information using a condition management feature of the app; and
monitoring of our systems and/or other business records may involve or reveal information about criminal matters or other sensitive information.
4. SHARING YOUR DATA AND OUR RELATIONSHIP WITH OTHER PARTIES
We are working in collaboration with MUK to provide the study. However, they will not generally access or use your data collected as part of the study, unless needed as part of their role as a sponsor and a member of the Scientific Executive Board (see section 4.2 below). Where access is needed, MUK will generally only access the pseudonymised data from the registry database, meaning that identifying information will be removed from that dataset, though we will separately have access to a key which allows us to re-identify you if needed. MUK may, for example, wish to contact you personally about activities which may benefit your health, such as a leaflet about treatments.
MUK may also be a subscriber to the research portal (see section 4.5 below).
Scientific Executive Board (“SEB”)
The SEB is an advisory body established by Vitaccess to protect participants’ interests and provide advice on research related requests to access data provided by the digital registry. As part of these activities, the SEB and its members may need to access and use participant data. Where this is needed, the SEB will generally only access and use the pseudonymised data from the registry database, meaning that identifying information will be removed from that dataset. However, we will separately have access to a key which allows us to re-identify you if needed. If the SEB need to contact you personally, they would obtain independent ethics approval to do so.
Salus IRB is the body which has approved the study for the purposes of ethics requirements. You may contact it at: email@example.com, if you would like to speak with someone unrelated to the study, have questions, concerns, or complaints regarding the study, or have questions about your rights as a research participant. If you do so, they will use your personal data to assist you with your query.
In addition, Salus IRB and/or other accrediting agencies may inspect and study findings and the procedures we have followed, which may contain your personal data (including your name or other identifying information) within them. This includes, for example, where it investigates any issues relating to misconduct, deviations from the protocol, conflicts of interest, safety issues or adverse events.
Subscribers to the research portal, publications and presentations
Aggregated and anonymised information arising from the study (using your profile information and responses to the surveys) will be used to help researchers to understand what works and what does not, which will improve the treatments that are offered to patients in the future.
Pharmaceutical companies will be able to buy a subscription to access a research portal containing these details, in order for them to understand how well drugs are helping patients with melanoma. These companies will not be given your contact details or any other information to identify you from the data.
These details may also be presented at conferences and published in peer-reviewed journals by us and by other parties.
Your clinical team
We do not share your personal data with your GP or clinical team, though you may choose to share with them your personal data within the app.
Our technology service providers
Our technology service providers may handle your data. They act as processors on our behalf, meaning that we remain primarily responsible for how they use your data. Our providers (as at the date of this notice) provide platforms on which we store your data, assist us to analyse, pseudonymise and anonymise your data, and provide the technology for the research portal.
We may also share your data, to the extent appropriate, with the following parties:
Legal authorities or regulatory bodies. For example, other accredited agencies investigating matters reported to Salus IRB.
Clinicians in exceptional circumstances, for example if a clinician has identified a health risk for particular patients arising from the study, and would like to contact you personally to discuss this risk.
Legal or other professional advisers, insurers and auditors.
Prospective or actual purchasers of our company or business.
Other parties to the extent you have consented to us doing so, or where we are otherwise required or permitted by law to do so.
5. CONSENTS AND LEGAL BASIS FOR USE OF YOUR DATA
In accordance with data protection laws, we have identified the legal basis for the collection, use and disclosure of your data, as described above. The following apply to our activities.
We collect, use and disclose your information for the purposes of the study and the features of the app with your consent (which we obtain for ethics as well as data protection reasons). The consents we seek include:
Consent to us contacting you in relation to the study when you complete the online survey – see section 1 above.
Consent to us using your data to confirm your eligibility for the study and to register you for the app and the study – see section 2 above.
Consent to use specific data types for the purposes of the study which we obtain by giving you the option whether or not to complete certain fields (such as ethnic origin) – see section 3 above.
Consent to use of your data within your profile and provided as part of surveys for the purposes of the study and for it to be transferred to the registry database. We will also seek to refresh this consent regularly; generally approximately every six months. See section 3 above.
Consent to use of your data to provide you with condition management features. We will also seek to refresh this consent regularly; generally approximately every six months. See section 4 above.
Consent to us sending you communications about clinical trials and other studies. See section 5 above.
Consent to your data being shared with Salus IRB, Melanoma UK, the Scientific Executive Board and the principal investigator, in accordance with section 4.
If you do not consent to your data being used for any specific activity (or withdraw any consent previously given) you may not be able to participate in that activity. So, for example:
your participation in the study relies on your consent to use of your eligibility and profile information for this purpose, and to the sharing of data with other parties involved in the study, as described above;
your participation in any survey relies on your consent to inclusion of your survey information in the registry database; and
our provision of a particular condition management feature relies on your consent to our use of your information for that feature.
However, some consents will not impact your ability to participate (though may affect your level of participation), including:
use of your ethnic origin; and
communications from us about other studies.
We may collect, use or disclose personal data as is necessary to comply with a legal obligation, such as where law enforcement authorities require us to do so or to address rights of other individuals under data protection laws.
6. INTERNATIONAL DATA TRANSFERS
Our activities and our technology systems are based within the European Union, and we do not generally transfer your personal data to countries outside the European Union (though aggregated and anonymised data sets may be accessed from other countries). Should we need to transfer personal data outside the European Union, we will check that safeguards are in place to protect your data to a similar standard as under UK law.
7. RETAINING YOUR INFORMATION
We will retain your personal data for as long as we need it for the relevant purposes specified above, in accordance with our records retention procedures. Further information about retention periods is available on request (see contact details at section 10 below).
If you are discontinued or withdraw from the study after we have information about your profile or in response to other surveys, or if you die during the course of the study, no new study data about you will be collected. However, all your data that has been collected to date will remain within the registry database. If you prefer that your data is removed from the registry database, we can be contacted using the contact details at section 10 below. Note that your information may still form part of aggregated and anonymised data sets which have already been collated and used for research purposes.
We may also continue to maintain records relating to you (such as your name, contact details, communications with you, and information about how you used the app):
for our own record-keeping purposes, including to comply with our legal obligations and to defend our legal rights; and
to assist with app improvement and development.
8. SECURITY OF YOUR DATA
You will be provided with a username and password to access surveys and CMFs, and will have the chance to change your initial password within the app. We recommend you use a strong password of at least eight characters, including one upper and one lower case letter, and one number.
You are also advised to enable a password-protected screen lock from your device’s Settings menu.
Your responses to the questions within the app are encrypted before being sent to our systems (operated by us and our service providers – see section 4.7 below). Information within the registry database is pseudonymised (see section 3.3 above), and information within the research portal (accessible by researchers) is aggregated and anonymised.
If you would like any further information about our information security measures, please contact us using the contact details at section 10 below.
9. YOUR LEGAL RIGHTS
In accordance with data protection laws, you have a right:
to obtain a copy of the personal data we hold about you, together with other information about how we process it;
to request that we do not process your data for direct marketing purposes, or in a way that is causing or is likely to cause substantial damage or substantial distress;
to withdraw any consent which you have given relating to use of your data (see section 1); and
to make a complaint about how we handle your data to the Information Commissioner’s Office. Please visit ico.org.uk for further information about how to do this.
Note that there are certain limitations and exemptions to these rights which we may apply depending on the circumstances.
Please contact the data protection officer (see section 10 below) to send us requests to exercise these rights (specifying what you are requesting), or if you would like further information about them.
OUR CONTACT DETAILS
For general queries about the study: firstname.lastname@example.org
For data protection queries:
Data protection officer
The Oxford Centre for Innovation
Oxford, OX1 1BY