My THALLOG Privacy NoTICE
bluebird bio, Inc. ("bluebird"), a U.S. based company with its headquarters at 60 Binney Street, Cambridge, Massachusetts, USA 02142, is conducting an international observational study (the "study") of patients with transfusion-dependent thalassemia ("TDT"). In order to facilitate the study, bluebird is using the services of Vitaccess Limited ("Vitaccess", "we" or "us"), in particular to provide a technology platform, and a bluebird application for participants in the study to use (the "app"). The protocol for the study has been approved by a duly constituted body, Salus IRB (www.salusirb.com) in accordance with best practice for ethics reviews.
In providing these services to bluebird, Vitaccess may collect, store and analyse personal data of participants on behalf of bluebird. For data protection purposes, this means that bluebird is the controller of participant data, and Vitaccess is the processor.
This notice provides information to participants (referred to as "you") about how and why we use your personal data in relation to our services to bluebird. It also provides information to parents or guardians who use the app to provide information about child participants between the ages of 12 and 17 (inclusive).
We may update this notice from time to time. It was last updated on 28 July 2018.
The following summarises key points within this notice. For more detail on any particular matter, please refer to the later sections as indicated.
(a) bluebird controls the use of your data for the purposes of the study, and therefore has primary responsibility for use of your data as part of the study, including ensuring that you are aware of how both bluebird and Vitaccess use your personal data. Vitaccess processes your personal data on behalf of bluebird, and provides this notice to assist bluebird with its responsibilities.
(b) Vitaccess is located within the United Kingdom (UK), and therefore UK data protection laws will apply to the use of your personal data in the context of our activities in providing the app and associated technology for the study. We have appointed a data protection officer (contactable at: email@example.com), who is responsible for overseeing use of personal data by us. See section 2.
(c) Additional data protection laws may apply to bluebird's use of your data within the US and other countries. bluebird has appointed a data protection officer (contactable at: firstname.lastname@example.org), who is responsible for ensuring compliance with applicable laws.
(d) We use your personal data in order to operate the study and provide the app on behalf of bluebird, to assist bluebird in managing its relationship with you. In limited circumstances, we may use your data to protect our own business interests. See section 3.
(e) The personal data we use includes sensitive details, including health information relating to your condition (which we need in order for you to participate in the study), and your ethnic origin (which is useful for the study to understand how TDT varies by ethnicity. See section 3.4.
(f) Parents or guardians of child patients aged 12 to 17 (inclusive) may use the app and provide information about their child. See section 3.6 below.
(g) bluebird, as the controller of your data, will have access to your personal data for the purposes of the study, and is responsible for determining the purposes for which it may be used. bluebird is generally relying on Vitaccess to handle your personal data on its behalf, and seeks to use aggregated and anonymised data for its research purposes, and for use in presentations and publications. See section 4.
(h) Salus IRB and other accrediting agencies may inspect and study findings and the procedures we have followed, which may include access to your personal data. The study investigator may also access your personal data for the purposes of the study, though this will usually be in a form from which he cannot identify you personally. See section 4.
(i) We seek your specific consent (on behalf of bluebird) to most of our uses of your personal data in accordance with data protection and ethics requirements. However, some records are kept for other legitimate interests or legal requirements. See section 5.
(j) As the study is an international project, your data may be transferred to a different country to that in which you are based. This includes transfers to bluebird in the US and in Switzerland and to Vitaccess in the UK, and to the systems of Vitaccess's technology providers (which are located within the US and the European Union). See section 6.
(k) You have certain rights in relation to our use of your data, including the right to obtain a copy of the data held by us (on behalf of bluebird). Requests should be made to bluebird. See section 9.
The remainder of this notice is set out in the following sections:
2. About Vitaccess and bluebird
3. What data we collect and how we use it
4. Sharing your information and relationships with other parties
5. Consents and legal basis for use of your data
6. International data transfers
7. Retaining your information
8. Security of your data
9. Your legal rights, including your right to access a copy of the data held about you
10. Vitaccess and bluebird contact details
2. ABOUT VITACCESS AND BLUEBIRD
Vitaccess Limited is a company registered in England and Wales with company number 10642948. We act as a processor on behalf of bluebird in our collection and use of your personal data for the purposes of the study, meaning that we act on bluebird's instructions in our collection and use of your data using our app and technology. In limited circumstances, we may act as a controller and ourselves determine how your personal data is used – see section 3.3 below.
Vitaccess is located in the United Kingdom, and therefore UK data protection laws will apply to the use of your personal data in the context of our activities in providing the app and associated technology for the study.
We have appointed a data protection officer, who is responsible for overseeing use of personal data by Vitaccess. You may contact the data protection officer with queries or concerns about our use of your data (though your primary contact in relation to the study and your data should be with bluebird).
Contact details for Vitaccess are set out at section 10 below.
2.2. bluebird bio
bluebird bio, Inc. is a US company registered in Delaware with its company headquarters at 60 Binney St., Cambridge, Massachusetts 02142, USA. It acts as a controller for the purposes of data protection laws, meaning that it determines how and why your data is to be collected and used by Vitaccess, and instructs Vitaccess accordingly. It is also responsible for determining any additional purposes or way in which your personal data may be used (outside the scope of Vitaccess's activities) – please contact bluebird for further information about this.
bluebird is located in the United States and is therefore subject to the laws of the United States in its use of your personal data. It will also be subject to UK data protection laws and the European Union General Data Protection Regulation (“GDPR”) 2016/679 in relation to its use of personal data in the context of Vitaccess's activities as described in this notice. The data protection laws of the country in which you are located may also apply in some circumstances. Please contact bluebird for more information about the specific laws which apply to its use of your personal data.
Contact details for bluebird are set out at section 10 below.
2.3. Scope of this notice
Vitaccess is providing this privacy notice to assist bluebird with its responsibilities to make you aware of how your personal data is used by us for the purposes of the study (using our app and associated technology).
3. WHAT DATA WE COLLECT AND HOW WE USE IT
3.1. Installation of the app, eligibility and registration
You may download the app from Android or iOS app stores in response to an email from a TDT patient support group in your country, an invitation or recommendation from a study participant (see section 3.3 below), by seeing marketing materials about the study (e.g. on social media) or word of mouth.
When you install the app, you will be asked to register with us and provide us with information to enable us to assess your eligibility for participation in the study, including to check that you are a genuine TDT patient. We also need to check that you are over 18, or in relation to a child participant between the ages of 12 and 17 (inclusive), the app user will be asked to confirm they are the child's parent or guardian.
The information we collect for these purposes include:
Your (or, where relevant, your parent/guardian's) name and contact details, which we use to contact you (or your parent/guardian) in relation to the study (by email).
Date of birth.
Information about your condition, including beta-thalassemia genotype and frequency of transfusions.
Once you have completed this information, if you have entered valid details, we will send you a username and password for the app by email. We will also assign you with a respondent ID, which we will use for the purposes of administering your use of the app and the information you provide. If you have not provided valid details or are not eligible to participate (which we may assess before or after the username and password have been sent), we will let you know, and will remove your details from our systems within a reasonable period – see section 7 below.
We conduct surveys using the app, to assist with the study and aimed at understanding participants living with TDT, and investigating the burden of disease in the real-world setting.
You will first be asked to answer some background questions requesting further information about you, such as demographics, diagnosis (including thalassemia type and genotype) and treatment (including frequency of transfusion and pre-transfusion haemoglobin levels). They include a question about your ethnic origin (which is optional to complete) – your response will assist us to better help understand how TDT varies by ethnicity.
The information you provide will be used to create your profile within the app (together with information provided at the eligibility stage – see section 3.2 above). You may then complete the surveys, which involve collecting detailed information about how TDT impacts your daily life, for the purposes of the study.
The app also has a 'Compensation' feature, under which you may earn points for participation in studies. These points may be exchanged for Amazon vouchers/gift cards which we may send you by email. We do not send your personal data to Amazon, though when you redeem your voucher/gift card, Amazon will have the ability to track the source of such voucher/gift card to us.
Your data (including background information and responses to surveys) will be transferred into a database for the purposes of the study, where it will be analysed by bluebird and by Vitaccess on behalf of bluebird. The data in the database will be anonymised, meaning that identifying information will be removed from that dataset but bluebird will separately have access to a key which allows it to re-identify you if needed. Bluebird only intends this key to be used in exceptional circumstances, for example if a clinician has identified a health risk for particular patients arising from the study, and would like to contact you personally to discuss this risk.
bluebird will also have access to this pseudonymised data where needed to perform their role for the purposes of the study. See section 4 below for more information about these parties.
Aggregated and anonymised data sets drawn from the digital registry may be shared with other parties for research purposes using a research portal – see section 4.5 below.
In the event of your death, the data that have been collected continue to be important, and will remain in the central registry. If provided by your designated friend or family member, we will also include the time and cause of death, as this information is also useful to researchers.
3.3. Tell a Friend feature
Our 'Tell a Friend' feature invites you to provide us with another TDT patient's email address, for us to contact them to let them know about the study and the app. You must confirm that you have obtained that person's consent to us doing so before providing their details to us.
Your personal data may also be used by us on behalf of bluebird:
to monitor your use of the app, in order to check that it is being used appropriately, and for the purposes of administration and maintenance of the app and our systems;
if instructed by bluebird, to analyse your use of the app to improve app functionality, for example by measuring the response rates of the different surveys;
to assist bluebird in protecting or enforcing its legal rights, or complying with applicable laws (including data protection law).
bluebird, as the controller, is responsible for determining any additional purposes for which your personal data may be used, outside the scope of Vitaccess's activities. You should contact bluebird directly for more information about this – see contact details at section 10 below.
Vitaccess may, in limited circumstances, use your personal data as a controller for our own business purposes. These purposes include protection of our software and intellectual property (and other rights and responsibilities relation to the app and our technology), administering our technology and our relationship with bluebird, and maintaining appropriate records relating to the same.
3.5. Special categories of data
The activities described above involve collection and use of sensitive categories of data, including as follows:
information about TDT and your condition is fundamental to the study, so is collected and used by us throughout the course of the study and the features provided to you;
information revealing your racial or ethnic origin is collected in order to assist with the study – see section 3.3 above.
monitoring of our systems and/or other business records may involve or reveal information about criminal matters or other sensitive information.
3.6. Parents providing information about their child
Patients under the age of 18 are not permitted to use our app. However, parents or guardians of child patients between the ages of 12 and 17 (inclusive) may use the app and provide information on behalf of their child, so that children may still participate in the study. In these situations, the parent or guardian must ensure that they have explained to their child what personal data will be collected and used how it will be used within the app and the study (in accordance with this notice and other app notifications).
Parents and guardians will also be required to provide consents to their child's participation in the study and use of their information, and to obtain their child's consent to the use of their information – see section 5.1 below.
Parents and guardians should contact us or bluebird to discuss if they do not believe their child has the maturity or capacity to understand or to consent to the relevant uses of their data.
Parents and guardians should also note that personal data collected about them (as well as personal data about their child) will also be used and shared for the purposes and in the ways described in this notice.
4. SHARING YOUR DATA AND RELATIONSHIPS WITH OTHER PARTIES
As bluebird is the controller of your personal data in relation to our activities, it will have access to all personal data about you which Vitaccess collects and processes on its behalf. See further information about its controller status at section 2 above.
4.2. Salus IRB and other accrediting agencies
Salus IRB is the body which has approved the study for the purposes of ethics requirements. You may contact it at: email@example.com, if you would like to speak with someone unrelated to the study, have questions, concerns, or complaints regarding the study, or have questions about your rights as a research participant. If you do so, they will use your personal data to assist you with your query.
In addition, if authorised by bluebird, other accrediting agencies may inspect and study findings and the procedures we have followed, which may contain your personal data (including your name or other identifying information) within them. This includes, for example, where it investigates any issues relating to misconduct, deviations from the protocol, conflicts of interest, safety issues or adverse events.
4.3. Study Investigator
The Study Investigator is Dr. Mark Larkin. His role is to ensure the study is conducted properly and completed within the agreed period. The scope of data shared with the Study Investigator will be determined by bluebird – please contact bluebird for further information. He will generally only access and use anonymised data
4.4. Publications and presentations
Aggregated and anonymised information arising from the study (using your profile information and responses to the surveys) will be used to help bluebird to understand the impact of TDT in the real-world. This information may be presented at conferences and published in peer-reviewed journals by bluebird– please contact bluebird for further information about this.
4.5. Our technology service providers
Our technology service providers may handle your data. They act as sub-processors on behalf of bluebird (but appointed by us), meaning that bluebird remains primarily responsible for how they use your data, and we pass on our responsibilities as a processor to such providers within our agreements and arrangements with them. Our providers (as at the date of this notice) provide platforms on which we store your data, assist us (on behalf of bluebird) to analyse and anonymise your data.
4.6. Other parties
We may also share your data, where instructed or authorised by bluebird, with legal authorities or regulatory bodies. For example, other accredited agencies investigating matters reported to the appropriate conduct of this study.
Other parties to the extent you have consented to bluebird doing so, or where we are otherwise required or permitted by law to do so. bluebird, as the controller, is responsible for determining any additional disclosures of your personal data, outside the scope of Vitaccess's involvement. You should contact bluebird directly for more information about this – see contact details at section 10 below.
5. CONSENTS AND LEGAL BASIS FOR USE OF YOUR DATA
In accordance with data protection laws, we are informing you of the legal basis for the collection, use and disclosure of your data, as described above. The following apply to our activities.
We collect, use and disclose your information for the purposes of the study and the features of the app with your consent (which is obtained for ethics as well as data protection reasons). The consents we seek (on behalf of bluebird) include:
(a) Consent to bluebird and us using your data to confirm your eligibility for the study and to register you for the app and the study – see section 3.2 above.
(b) Consent to use specific data types for the purposes of the study which we obtain by giving you the option whether or not to complete certain fields (such as ethnic origin) – see section 3.3 above.
(c) Consent to use of your data from background questions and provided as part of surveys for the purposes of the study and for it to be transferred to anonymised, aggregated database.
(d) Consent to your data being shared with other parties, in accordance with section 3 above.
For parents and guardians who are using the app to provide information about their child, we request both that the parent/guardian gives such consents, and also confirmation that the child has given such consents. The parent/guardian should contact us or bluebird to discuss if they do not believe their child has the maturity or capacity to consent to the relevant uses of their information.
If you do not consent to your data being used for any specific activity (or withdraw any consent previously given) you may not be able to participate with that activity. So, for example:
your participation in the study using our app relies on your consent to use of your eligibility and background information for this purpose, and to the sharing of data with other parties involved in the study, as described above;
your participation in any survey using our app relies on your consent to inclusion of your survey information in the study database.
However, some consents will not impact your ability to participate (though may affect your level of participation), including:
use of your ethnic origin details.
5.2. Legitimate interests
We collect, use and retain data (including your name, contact details and communications with you), on behalf of bluebird, which is necessary for bluebird's legitimate interests in providing the study and the app, and in the operation of its business, for example to manage and administer bluebird's relationship with you, to check you are using the app and participating in the study appropriately, to maintain records of communications, and to assist bluebird in protecting or enforcing its legal rights and complying with applicable laws.
Where Vitaccess, in limited circumstances, uses your personal data as a controller for our own business purposes (see section 3.3 above), this is necessary for our legitimate interests in protecting our rights (including intellectual property rights) and managing our responsibilities relation to the app and our technology, and in administering our technology and our relationship with bluebird.
5.3. Legal obligation
We may (on behalf of bluebird or directly, where required) collect, use or disclose personal data as is necessary to comply with a legal obligation, such as where law enforcement authorities require us or bluebird to do so, or to address rights of other individuals under data protection laws.
6. INTERNATIONAL DATA TRANSFERS
As the study is an international project, your data may be transferred to different countries to that in which you are based. This includes:
transfers to bluebird both in Switzerland and in the US. bluebird is responsible for ensuring appropriate safeguards are in place to protect your data in relation to such transfers – please contact bluebird for further information;
transfers to Vitaccess in the United Kingdom (which, at the date of this notice, is located within the European Union); and
transfers to Vitaccess's technology providers, whose data systems may be located either within the US, the UK or the European Union. As at the date of this notice, this includes technology providers within the United States who have self-certified with the EU-US Privacy Shield framework. Where other providers are based outside the UK or the European Union, we will check that safeguards are in place to protect your data to a similar standard as under UK law.
7. RETAINING YOUR INFORMATION
We will retain your personal data for as long as we are instructed by bluebird to do so, for the relevant purposes specified above. Further information about retention periods is available on request (see contact details for bluebird and us at section 10 below).
If you are discontinued or withdraw from the study after we have information about your profile or in response to other surveys, no new study data about you will be collected by Vitaccess. However, all your data that has been collected to date will remain within the registry database. If you prefer that your data is removed from the study database, bluebird can be contacted using the contact details at section 10 below. Note that your information may still form part of aggregated and anonymised data sets which have already been collated and used for research purposes.
We may also continue to maintain records relating to you (such as your name, contact details, communications with you, and information about how you used the app):
for bluebird's or our record-keeping purposes, including to comply with its or our legal obligations and to defend its or our legal rights; and
where requested by bluebird, to assist with app improvement and development.
8. SECURITY OF YOUR DATA
You will be provided with a username and password to access surveys, and will have the chance to change your initial password within the app. We recommend you use a strong password of at least eight characters, including one upper and one lower case letter, and one number.
You are also advised to enable a password-protected screen lock from your device's Settings menu.
Your response to the questions within the app are encrypted before being sent to our systems (operated by us and our service providers – see section 4.7 above). Information within the study database is anonymised (see section 3.3 above).
If you would like any further information about our information security measures, please contact us using the contact details at section 10 below.
9. YOUR LEGAL RIGHTS
In accordance with data protection laws, you have a right:
to obtain a copy of the personal data we hold about you, together with other information about how we and bluebird process it;
to withdraw any consent which you have given relating to our use of your data;
to request rectification of inaccurate or incomplete data, and, in some circumstances, to request bluebird to erase or restrict our use of your data, or otherwise to object to the processing of your data for direct marketing purposes or for reasons relating to your particular situation;
to receive a copy (in a machine-readable format) of personal data which you have provided to us (otherwise known as the "right to data portability"), to the extent it is processed electronically based your consent (as described in section 5 above);
not to be subject to a decision based solely on automated processing, which significantly affects you, unless additional legal requirements are met; and
to make a complaint about how bluebird or we handle your data to the UK Information Commissioner's Office. Please visit www.ico.org.uk for further information about how to do this.
Note that there are certain limitations and exemptions to these rights which may be applied depending on the circumstances.
Please contact bluebird (see section 10 below) to make requests to exercise these rights (specifying what you are requesting), or if you would like further information about them.
10. VITACCESS AND BLUEBIRD CONTACT DETAILS
For general queries about the study: firstname.lastname@example.org
For data protection queries to Vitaccess:
Data protection officer
The Oxford Centre for Innovation
Oxford, OX1 1BY
For data protection queries to bluebird:
bluebird bio, Inc.
Attn: Compliance Officer
60 Binney Street
Cambridge, Massachusetts 02142