1. Objective
To inform all 2CA’s collaborators about the General Data Protection Regulation (GDPR).
2. Scope
It applies to all the beneficiaries of 2CA-Braga’s services.
3. Responsibility
It is incumbent on 2CA-Braga’s board of directors, the Data Protection Officer, and all 2CA-Braga’s collaborators who process personal data to implement this policy.
4. References and abbreviations
CHKS Manual Criteria [2016]: 15.11, 15.14, 15.15, 15.18.
CNPD - National Data Protection Authority
DPIA - Data Protection Impact Assessment
DPO - Data Protection Officer
GDPR - General Data Protection Regulation
NHS - National Healthcare Service
5. Process description
2CA-Braga needs to collect and process personal data from those who participate in clinical research studies and training courses carried out by itself.
For that reason, this Privacy Policy aims to help those participants to know what personal data is collected, how and why it is collected, to whom it is disclosed, and how their privacy is protected when they use 2CA’s services.
5.1. Why?
2CA-Braga is committed to protect the safety and the privacy of those who participate in clinical research studies and training courses carried out by itself, and this Privacy Policy is a statement of this commitment.
2CA-Braga wants the participants to know the general privacy regulation and the terms of personal data processing, in compliance with the applicable legislation in this scope, namely, the Regulation (UE) 2016/679 from the European Parliament and of the Council, of the 27th of April, 2016, (General Data Protection Regulation - GDPR).
2CA-Braga seeks to respect and raise awareness of the best practices in terms of security and protection of personal data, improving systems in order to protect data provided by the participants in clinical research studies and training courses, in strict compliance with legal obligations.
Direct or indirect participation in clinical studies or training courses carried out by 2CA- Braga implies knowledge of the conditions of this policy and any other specific terms, policies, and conditions applicable to the development of its activity.
5.2. What is personal data?
Personal data is any information, of any kind and regardless of its medium, including sound and image, relating to an identified or identifiable natural person (data subject). It is considered as an identifiable person anyone who can be identified, directly or indirectly, namely by reference to an identification number or to one or more factors specific to the physical, physiological, psychological, economic, cultural, or social identity of that natural person.
Personal data may be more sensitive in specific contexts. For that reason, the GDPR classifies them as “special categories of personal data.” These can be related to the racial or ethnic origin of the subject, their political opinions, religious or philosophical beliefs, genetic data, biometric data, sex life or sexual orientation, and data concerning health.
Data concerning health means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about their past, current, and future health status. This includes data such as:
i.
any particular number, symbol, or sign given to a person to identify them in an unequivocal way for health care; information collected from clinical analysis or medical examinations to parts of the body or body substances, including genetic data and biological samples;
ii.
any information about, for example, a disease, an impairment, a risk of disease, medical history or treatments, or physiological or biomedical state of the data subject, regardless of its source, for example, a physician or other health care professional, a hospital, a medical device or an in vitro diagnostic test.
5.3. Other important definitions
Processing
Operation or set of operations which is performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction;
Data Subject
Identified or identifiable natural person to whom the data relates;
Data Controller
A natural or legal person, public authority, agency or other entity which, individually or together with others, establishes the purposes and the means of personal data processing. Whenever these purposes and means are ruled by the law of the European Union or a member state, the data controller, or the specific applicable criteria for their nomination, may be foreseen by the law in question;
Data Processor
A natural or legal person, public authority, agency or other body which processes personal data on behalf of the data controller;
Third-Party
A natural or legal person, public authority, agency, or other entity than the data subject, controller, processor, and people who, under the direct authority of the controller or processor, are authorized to process personal data;
Data Protection Officer (DPO)
A natural person or entity who is designated to ensure that an organization processes the personal data in compliance with the GDPR. They promote effective communication with the data subjects and with the competent regulatory authorities, ensuring a link between the various hospital activities. The DPO doesn’t follow instructions regarding the exercise of their duties, answering directly to the board of directors of the entity which designated them (data controller or processor);
Free and Informed Consent Form
Any freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which they, by a statement or by clear affirmative action, signify agreement to the processing of their personal data;
Profiling
Any form of automated processing of personal data to include a natural person in a specific category, relating to their performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements;
Personal data breach
A breach of security leading to the accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed;
Privacy by design
Taking into account the risks for privacy throughout the entire design process of a new product or service, instead of doing it just on later stages. It means carefully assessing and implementing appropriate technical and organizational measures from the beginning to make sure that the processing complies with DPGR and protects the rights of data subjects;
Privacy by default
Implementing measures to ensure that, by default, only the necessary personal data for each task are collected, processed, and stored. This principle applies both for the amount of personal data collected and for the period of their storage;
Pseudonymization
Processing of personal data in such a way that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to proper technical and organizational protection measures;
Anonymization
Processing personal data to irreversibly remove any elements that allow identifying the data subject. To be precise, data must be processed in such a way that they can no longer be used to identify a natural person through any reasonable means, whether by the controller or third-parties. The main personal data anonymization techniques are randomization and generalization;
Data protection impact assessment (DPIA)
Evaluating the necessity and proportionality of personal data processing, allowing to manage the risks for the rights and freedoms of natural persons that result from this processing. The DPIA is mandatory in certain scenarios, such as a systematic and extensive evaluation of natural persons, including profiling and large scale processing of special categories of personal data. It must be carried out before the processing starts;
Supervisory authority
An independent public authority established by a Member State to supervise the compliance with the GDPR. It must protect the fundamental rights and freedoms of natural persons regarding data processing and facilitate the personal data circulation inside the European Union. In Portugal, the supervisory authority is the Portuguese Data Protection Authority;
International data transfers
Transfers of personal data that currently are or are about to be processed after being transferred to a third country (outside the European Union) or an international organization. These transfers can occur either between two or more data controllers or between controllers and processors;
Information society services
Any service usually provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services. For this definition:
1.
“at a distance” means that the service is provided without the parties being simultaneously present;
2.
“by electronic means” means that the service is sent initially and received at its destination through electronic equipment for the processing (including digital compression) and storage of data, and entirely transmitted, forwarded, and received by wire, radio, optical means, or by other electromagnetic means;
3.
“at the individual request of a recipient of services” means that the service is provided through the transmission of data on individual request.
Health data platform
A web platform that provides a central system for registration and sharing of clinical information in compliance with the requirements of the National Data Protection Authority. The platform allows health care professionals in various circumstances (hospitals, emergency rooms, primary health care, and continuing health care national network) to access information from the citizens who have a user number of the National Healthcare Service (NHS). This access can be supervised by the user himself through the User’s Portal Site.
5.4. Who is responsible for processing your personal data?
This Privacy Policy aims to inform the participants of studies and training courses about the terms of personal data processing carried out by 2CA-Braga, establishing the purposes and means of this processing. For that reason, 2CA- Braga is the personal data controller, according to the GDPR.
In the scope of clinical research and training courses, 2CA-Braga usually is the personal data controller. However, in some academic or commercial partnerships, training courses, or clinical researches, it can process personal data together with other entities, being co-responsible for this task.
Specifically in the scope of clinical studies carried out by 2CA-Braga, according to contracts signed with the sponsors and what is stated in clinical research protocols, personal data can be processed directly by the clinical study sponsor (academic or commercial), or by processors designated by the sponsor or by 2CA-Braga, as hirers. In these cases, all the entities will be responsible for data processing. According to the Good Clinical Practices of the International Conference on Harmonization, all the data will be anonymized and pseudonymized.
Nevertheless, according to the GDPR, the beneficiaries of 2CA-Braga’s services can exercise their rights (“5.10 What are the data subject’s rights?”) contacting the organization, by email through dpo@ccabraga.org, or by letter addressed to the data protection officer, using the following address:
Centro Clínico Académico
Hospital de Braga, Floor 1 – Wing E
Sete Fontes – S. Victor
4710-243 BRAGA
beneficiaries can also address a complaint to the National Data Protection Authority (www.cnpd.pt).
5.5. What personal data do we collect, and by what means?
2CA-Braga collects and processes personal data that is necessary for the scope of clinical studies or training courses. These data can be collected directly, namely, when a person is interested in taking part in a clinical study, when they go to a study appointment or an examination, or when they register for a training course carried out by 2CA-Braga.
Therefore, these data can include information directly or indirectly related to a person’s health.
Training
Category of processed data
Name, address, date of birth, phone number (landline and mobile), email, and taxpayer identification number. These personal data may be mandatory, as stated in the registration form, and the trainee will be informed about the need to provide these data.
Means and timing of the collection
Whenever a person registers for a training course, filling in a form, or sending an email to contact 2CA-Braga or to provide required data; or whenever it is necessary to issue and send the training course invoice.
Category of processed data
Remaining identification data, such as address (district, postal code, city, civil township), profession, job situation, academic qualifications.
Means and timing of the collection
Whenever a person registers for a training course, filling in a form, or sending an email to contact 2CA-Braga or to provide required data; or whenever it is necessary to validate the registration, through the collection of the necessary information to confirm that the criteria for inclusion in the training course are met.
Category of processed data
Data relating to the performance at the training course: evaluation results such as tests, exams, presentations, reports, or works to assess the qualification and the learning.
Means and timing of the collection
During the training course, the data collection may be carried out through digital platforms (smartphones, tablets, computers) or paper forms.
Category of processed data
A person’s opinion about 2CA-Braga
Means and timing of the collection
Whenever a person answers a survey.
Clinical research
Category of processed data
Name, date of birth, phone number (landline and mobile), email, and taxpayer identification number.
It is mandatory to provide these personal data, as stated in the clinical study protocol. The participant is informed about this requirement in the free and informed consent form.
Means and timing of the collection
Whenever a person accepts to take part in a clinical study, through registration in a case report form (digital or paper), or whenever 2CA-Braga needs to pay for expenses related to that participation.
Whenever a person contacts 2CA-Braga in various ways (email, phone, or in- person).
Category of processed data
Information about the participant’s appointments and examinations (including date and time, the doctor’s specialty, the examination done/to be done, data from medical prescription, among others that are necessary for the clinical investigation);
Means and timing of the collection
Whenever an appointment is set, or someone asks for information in various ways (email, phone, or in-person); whenever is collected data relating to clinical history, or a diagnosis is made to confirm that the eligibility criteria for inclusion in the clinical study are met; and after a free and informed consent form.
Category of processed data
Remaining identification data, such as clinical process number; user number of National Healthcare System; country, district, and address of birth; current address (district, postal code, city, civil township); profession and job situation; health center and family doctor; marital status and name of the spouse; father’s and mother’s names (in case the participant is underage).
Means and timing of the collection
Whenever a person accepts to take part in a clinical study and their process or registration in the case report form (digital or paper) is created; whenever information about medical history is collected; whenever a diagnosis is made to confirm that the eligibility criteria for inclusion in the clinical study are met; and after informed consent form.
Category of processed data
Information about a person’s health, including the reason for the appointment/medical act, medical history (child diseases, immunizations, drinking and smoking habits, addictions, gynecological and obstetric history, allergies, active and inactive diseases), surgical history, family history (more frequent cases, such as diabetes, hypertension, cancer, alive/deceased, cause of death), clinical examination, diagnosis, complementary examinations, guidance, alerts (diabetes, hypertension), blood type;
prescribed medicines, prescriber’s identification, code of the place of prescription, prescription data, and special reimbursement system;
medical act and signature of the episode, start and end dates of the episode, episode state, health care professional who carried out the episode, episode number, episode type, existence of results from the episode, and the identifier of those results.
Genetic data, racial or ethnic origin, and data concerning sex life or sexual orientation.
Information about functionality, autonomy, and quality of life, such as data related to work, leisure, and well-being activities.
Information about cognitive functioning, such as memory, attention span, or language, among other processes.
Means and timing of the collection
In case a person accepts to participate in a clinical study, and after free and informed consent form, it may be necessary to collect the mentioned data whenever:
- the process or registration in the case report forms (digital or paper) of the clinical studies is created;
- information about medical history is collected, or a diagnosis is made to confirm that the eligibility criteria for inclusion in the clinical study are met;
- it is necessary to carry out complementary examination for diagnosis, physical examinations, collection of blood or other biological samples, as stated in the protocol.
- it is necessary to collect data about functionality, autonomy, quality of life, and cognitive functionality, through neuropsychological instruments, or surveys and scales, either run by qualified professionals or self-administered, as specified in the protocol.
This collection may be carried out using a case report form (digital or paper).
Category of processed data
A person’s opinion about 2CA-Braga
Means and timing of the collection
Whenever a person answers a survey.
In the scope of participation in clinical studies, and after your free and informed consent form, 2CA-Braga may collect data related to your health and, sometimes, genetics, racial or ethnic origin, and sex life or sexual orientation. Such information is classified as “special categories of personal data” according to the GDPR, and, for that reason, 2CA-Braga will act in compliance with the strictest requirements of data processing and protection. This applies to proper legal bases for processing (look up section “5.7. What is the basis for processing your personal data?”), to the implementation of technical and organizational measures adequate to the minimization of such processing, to the restriction of access to this data (look up section “5.8 Which 2CA-Braga’s professionals have access to your data?”), and to the guarantee of security of this data (look up section “5.11. What security measures does 2CA-Braga take?”).
5.6. What are the purposes of collecting your data?
The personal data from those who participate in clinical studies are processed in the scope of these studies to allow, for example, for the analysis of the effectiveness of certain medicines, treatments, or medical devices and, so, to ensure better health care; for the analysis of predominance of certain disease and risk factors, for example, among the users of Hospital of Braga, general population, or clinical population; and also for the continuous improvement of 2CA-Braga’s services.
Your data may be processed in the scope of the participation in training courses carried out by 2CA-Braga.
Therefore, we use your data for the following purposes:
In the scope of the participation in clinical studies
We use your personal data above-mentioned to undertake clinical research, to schedule appointments and examinations, and to confirm a medical diagnosis, in compliance with clinical protocols. Therefore, a free and informed consent form will always be requested to present the study objectives and the data to be collected. 2CA-Braga and their collaborators and investigators will always respect the decision of the study participant in case they refuse to participate or interrupt the participation. In these scenarios, 2CA-Braga will cease processing their data.
Your personal or health-related data will only be processed by or under the responsibility of professionals obliged to professional secrecy or under a confidentiality commitment, as strictly necessary to carry out clinical studies. These data may only be revealed to your relatives in scenarios foreseen by the law. As required by clinical research protocols and in compliance with the Good Clinical Practices (International Conference on Harmonization), the data will be anonymized or pseudonymized.
In the scope of training courses
To carry out training courses about topics related to clinical research, we use your data to inform you about the course itself or future events; to process your registration and issue an invoice; to evaluate your knowledge and learning; to assess your satisfaction with the training and the trainer.
Your data will be processed only by 2CA-Braga’s collaborators involved in the training course, who are under confidentiality commitment.
To communicate and manage our relationship with you
We may contact you by phone, email, or SMS, for administrative or operational purposes, such as confirming appointments or informing you about any changes or unexpected events about your appointments.
We may also use your data to answer your requests, suggestions, or contacts, and to improve our services and your experience as a beneficiary of 2CA-Braga’s services.
To improve our services and meet our administrative goals
The service level goals for which we use your information are related to accountancy, invoicing, training, and audit. Such goals are intended to ensure the compliance with the contractual agreement with sponsors of clinical studies, the certification and evaluation of the service and audit levels of 2CA-Braga, the detection and analysis of fraud, the security, certain legal and judicial purposes, the carrying out of statistical studies, and the system development and maintenance.
To meet our legal obligations
In the scope of clinical research, we have the obligation of providing the National Authority of Medicines and Health Products (INFARMED) and the competent ethics commission with your data (to know more about categories of addressees of your data, look up section “5.12. In what circumstances are data shared with other entities?”).
5.7. What is the basis for processing your personal data?
2CA-Braga will only process your data when properly qualified for such. The GDPR states the need for a legal basis for each specific process. Such a basis may be of diverse types.
First, data processing required by or associated with clinical studies will always have as a basis the development of clinical investigation. Additionally, whenever the participation in clinical studies requires the processing of data related to the health of the participants or other special categories of data (such as genetic data, data related to sex life or sexual orientation, or ethnical origin), a data protection impact assessment will occur. These studies are previously authorized by the competent regulatory authorities (national or local ethics commissions and/or the National Authority of Medicines and Health Products, as applicable). The rationale for the carrying out of these studies, as well as the need to collect these data, is presented in the respective free and informed consent form.
In what concerns training courses, a minimum amount of personal data will be collected. These data will be related to the registration, the issuing of invoices, and the evaluation of the trainees and the training course/trainer.
Regarding the processing of your data to improve our services and fulfill our organizational and quality goals, the proper legal basis will be the protection of the data controller’s legitimate interests. Such protection involves that data subjects may be able to oppose the data processing for the purposes mentioned above, according to the GDPR, in case they present compelling reasons related to their situation. In such a case, the data controller may present imperative and legitimate reasons that justify proceeding with this processing and reserve the right to do it. This also applies to cases in which the processing is necessary to declare, exercise, or protect a right in a lawsuit.
Although the data processing in these contexts is carried out, usually, with anonymized or pseudonymized information, it is possible that, in some instances, this processing implies specific data related with the subjects’ health, such as their clinical process number and the identifiers of clinical acts carried out by them, among others.
In what concerns data processing carried out by 2CA-Braga in the context of legal duties fulfillment, the legal basis for such processing - mostly data sharing with external entities —will be the obligation to provide INFARMED and the competent ethics commissions with your data (to know more about the categories of addressees of your data, look up section “5.12. In what circumstances are data shared with other entities?”).
5.8. Which 2CA-Braga’s professionals have access to your data?
2CA-Braga complies with the principles of privacy by design and privacy by default. Such commitment involves, among other aspects, that data is accessible only to people who need to know them in the exercise of their duties, as strictly necessary for the treatment purposes above-mentioned (look up section “5.6. What are the purposes of collecting your data?”).
Therefore, in what concerns data related to your health and other special categories of data, the access to these will be, in compliance with the applicable law, accessible only to physicians and other health care professionals connected to clinical research, when authorized for such access.
As for training courses, only 2CA-Braga’s trainers and administrative staff (for contacts and invoice issuing) will have access to your data under a confidentiality commitment.
The administrative staff will have access to your data (related to health and other special categories) whenever they need to pay for clinical studies participants’ expenses, to charge for clinical studies sponsors’ expenses (pseudonymized data), to schedule appointments and complementary diagnosis examinations, or to manage your information requests and complaints.
5.9. For how long will your data be stored?
Clinical research
The personal data from the study participants are processed in compliance with the protocol of each clinical study. These data are stored in an anonymized/pseudonymized format in databases created for that purpose, during a period that may vary according to the purpose for which the information is utilized. However, there are legal requirements that oblige to store data for a specified period. Therefore, data related to health are stored for at least 5 years, according to the current law. If data are stored for more extended periods, the storage period must be stated in the free and informed consent form. We take as reference for determining the proper storage period several resolutions from the European data protection control authorities, namely the National Data Protection Authority.
Training courses
Personal data collected in the scope of your registration and participation in training courses are stored, according to the current legislation, for at least 5 years, counting from the start date of each attended course.
5.10. What are the data subject’s rights?
According to the applicable legislation, the data subject may request, at any time, the access to their data, as well as its correction and portability, or oppose their processing directly through dpo@ccabraga.org or a letter addressed to the data protection officer, to the following address:
Centro Clínico Académico
Hospital de Braga, Floor 1 – Wing E
Sete Fontes – S. Victor
4710-243 BRAGA
They also may ask for a meeting with the data protection officer in the same address. In what concerns data related with clinical information, the right for the data subject (or third-parties with the subject’s free and informed consent form, or according to the law) to access health information may be exercised directly, or through a physician, if the data subject requests it by a written statement sent to 2ca@ccabraga.org.
They may confirm the data that are the object of processing, as well as to access them. In case of request and as long as there aren’t any legal restrictions, they will be provided with a copy of such data.
Without excluding any other way of administrative or judicial appealing, the data subject has the right to present a complaint to the National Data Protection Authority (www.cnpd.pt) or other competent entity, according to the law, in case they consider their data are not being legitimately processed by 2CA-Braga, according to the applicable legislation and this privacy policy.
5.11. What security measures does 2CA-Braga take?
We are committed to ensuring the confidentiality and safety of personal data from the participants of clinical studies and training courses, through the implementation of proper technical and organizational measures to protect their data against any accidental loss or destruction. To do so, we have systems and teams intended to ensure the security of processed personal data, and we create and update procedures to prevent unauthorized accesses, accidental losses, and/or destruction of personal data. We comply with the legislation related to the protection of data from the participants of studies and training courses, and we commit to process these data just for the intended purposes and to ensure that they are processed with proper levels of security and confidentiality.
Since we acknowledge the sensitivity of this information, all of our collaborators sign a confidentiality agreement. Besides, to ensure their awareness about their obligations in this question, they’re informed about the Hospital of Braga’s policy on information security (POL.006—Information Security), which establishes the procedures of personal data protection. To ensure the continuous raising of awareness of our team, we carry out training courses. Our collaborators commit themselves to not disclose to third-parties or use against the law any piece of personal information from participants of clinical studies that come to their knowledge during the exercise of their duties.
In this scope, we designated a data protection officer (dpo@ccabraga.org), who may be contacted to keep up with the fulfillment of policies and applicable regulation as to personal data protection.
5.12. In what circumstances are data shared with other entities?
2CA-Braga turns to other entities to carry out clinical research and training courses. This may involve the access to personal data from the participants of clinical studies and training programs by entities such as 2CA-Braga’s associates, technical support providers, accountants, clinical service providers, law firms, and third-parties who manage the 2CA-Braga’s physical archive.
Therefore, any associate or subcontractors of 2CA-Braga will process the personal data from the participants of clinical studies and training courses, on 2CA-Braga’s behalf and at its expense, under the commitment to follow its instructions. 2CA-Braga assures that such subcontractors or associates offer sufficient guarantees of implementation of proper technical and organizational measures so that the processing complies with the applicable law and ensures the security of data subject’s rights, according to the subcontracting agreement signed with the entities in question.
In the scope of clinical research, 2CA-Braga may also share personal data from the participants of clinical studies with third-parties whenever necessary, namely
i.
according to the applicable law,
ii.
in the fulfillment of juridical obligations or decrees;
iii.
to respond to requests from public or governmental authorities.
Consequently, 2CA-Braga may share your data with INFARMED, the competent ethics commission, the local health administration, the health regulatory agency, courts, solicitors, police, or the Public Prosecution Service of Portugal, when notified for such or whenever necessary to fulfill juridical obligations, according to the law. In any of the cases mentioned above, 2CA-Braga commits itself to take all the reasonable measures to ensure the protection of the personal data it processes.
5.13. In what circumstances may your data be the object of international transfers?
2CA-Braga will take the proper and necessary measures, in compliance with the applicable law, to ensure the protection of personal data that are the object of an international transfer, fulfilling the precepts of law regarding the requirements for this type of transfer, namely, informing the participants of clinical studies, through a free and informed consent form.
5.14. Contact us
You may contact the 2CA-Braga’s data protection officer to get more information about personal data processing and the exercise of rights assured by the applicable legislation, in particular, those mentioned in this Privacy Policy. For such contact, you may use the following contacts:
Email:
Address:
Centro Clínico Académico
Hospital de Braga, Floor 1 – Wing E
Sete Fontes – S. Victor
4710-243 BRAGA
5.15. How to get information about any changes in 2CA’s Privacy Policy?
We reserve the right to change or update this Privacy Policy at any time. Those changes or updates will be adequately announced through our platforms. We suggest that you look up them regularly.