Context
The General Data Protection Regulation issued by the European Union (“GDPR”) and effective 25 May, 2018, refers to the protection of the privacy rights of individuals (for example, tighter restrictions around consent, the right to be forgotten, the type of and amount of personal data that can be utilized, data access and security, etc.) beyond those protections that have already been in place for some time in the European Union and in many other countries around the world.
As such, the protection of personal data is a top priority.
FMR GLOBAL HEALTH is compliant with the guidance and requirements of the professional code of conduct applicable to all registered market research companies (ICC/ESOMAR International Code on Market, Opinion and Social Research and Data Analytics) and all current existing local regulations, especially as far as the protection of respondents’ data is concerned.
In addition, FMR has adopted the Cyber security code of conduct with IT Security and Information Management policies to safeguard and protect the personal data of its customers, respondents, and employees.
Its mandate is:
- To ensure that personal data are appropriately treated and protected.
- Anonymized data and access security – For respondents, anonymization techniques are used to protect respondents’ personal data as part of its data collection operations so that access is restricted to its fieldwork teams in its operations units solely on a need-to-know basis.*
- The same policy applies to customer-provided samples, online panelists, and offline respondents.
*ICC/Esomar International Code on Market, Opinion and Social Research and Data Analytics (https://www.esomar.org/what-we-do/code-guidelines)
For our employees, access to employees’ personal data is strictly limited to the relevant staff in charge of human resources management.
FMR GLOBAL HEALTH has implemented various encryption solutions, notably on all employees’ laptops and on databases containing special (sensitive) categories of personal data, such as data concerning health, political opinions, etc.
For Partners or Suppliers, FMR GLOBAL HEALTH enforces procedures in order to select Partners processing personal data based on their capacity to comply with data protection requirements. This means that all Partners must sign an agreement including data protection clauses and that no supplier can transfer any personal data unless they agree to appropriate safeguards and obtain customer consent. Additionally, our Partners cannot subcontract part of the personal data processing services to sub-processors without prior approval.
Data transfers
Contractual measures were put in place for cross-border data transfers. When a data transfer is required in a country recognized as not having an adequate level of data protection, FMR ensures that EU Standard Contractual Clauses are in place, implementing appropriate technical and organizational measures for protecting personal data.
Depending on the services required, the following actions will be undertaken:
- Health Care Professionals, patients, caregivers, and consumers recruitment
- Carry out interviews face-to-face, in the studio, online (web-assisted), over the phone or in-field
- Simultaneous translation or voice-over
- Compensation of the respondents
- Transcription or delivery of the information collected during the interviews, such as filled-in questionnaires
- Translation of materials
- Consolidated data analysis
FMR will ensure that data delivered are anonymized and that the process abides by the laws and rules applying to data protection as laid out by the General Data Protection Regulation (GDPR) as of May 25th, 2018.
Data Protection Principles
The GDPR imposes significant requirements for organizational compliance measures and safeguards such as enshrining privacy by design and default, use of data protection impact assessments (DPIA’s), keeping comprehensive data processing records, and mandatory reporting of data breaches. Most important is accountability, requiring that data controllers are responsible for, and can demonstrate compliance with the following six general privacy principles:
- Lawfulness, fairness, and transparency – Personal data is processed lawfully, fairly, and transparently.
- Purpose limitation – Personal data is obtained for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes. Further processing is allowed for archiving, scientific, statistical, and historical research purposes.
- Data minimization – Personal data processed is adequate, relevant, and limited to what is necessary.
- Accuracy – Personal data is accurate and, where necessary, kept up to date.
- Storage limitation – Personal data is not kept longer than is necessary (but data processed for archiving, scientific, statistical, and historical research purposes can be kept longer subject to safeguards).
- Integrity and confidentiality – Appropriate technical and organizational measures are put in place to guard against unauthorized or unlawful processing, loss, damage, or destruction.
Personal Data
GDPR covers personal data, i.e., information relating to an identified or identifiable natural person, meaning a person who can be identified directly or indirectly by that data on its own or together with other data.
A subset of personal data is categorized as special data; this is essentially sensitive personal data covering religious or philosophical beliefs, health, racial or ethnic origin, trade union membership, political beliefs, sex life or sexual orientation, genetic data, and biometric data (including photos when used to uniquely identify a natural person) of individuals. The collection and use of special data are subject to greater restrictions than other types of personal data.
In the research context, it is important to recognize the difference between data that identifies a participant in a market, opinion, and social research project and data obtained from participants during fieldwork, such as responses provided, opinions expressed, etc. The first category consists of identifiable demographic details (personal data), but the participants’ responses will only be considered personal data when they can be linked to the demographic details (or if the responses themselves have identifiable details within them). Sound and video recordings and still images should always be considered personal data in light of the ease of linking these to a person.
The ease with which technology can make such links means there is a higher risk of re-identifying this type of material. Transcripts of recordings are used in order to properly anonymize them. Researchers separate these different categories of information and resort to the anonymization of personal data, because when working with anonymized data (i.e., participant responses which cannot identify an individual) the requirements of the data protection rules are no longer applicable. Data can also be “pseudonymized.” Pseudonymized data is personal data that has been processed so that it can no longer be attributed to a specific data subject without the use of additional information, such as a unique identifier that can make the data identifiable (Article 4(1) GDPR). An original string of data, even without the identifier, can still be personal data (in the hands of an organization that holds both the dataset and the identifier) since it can be matched again with the original database to make the data in a string identifiable. In order to become pseudonymized data, the additional information must be kept separately and held subject to adequate technical and organizational measures. The data can then be pseudonymized even where the identifier is kept within the same organization. Pseudonymized data is still personal data, but pseudonymization is a security technique that provides a mechanism for reducing the level of exposure under the GDPR. The transition from personal data sets held by researchers to pseudonymized and anonymized datasets is set out in Figure 1. Information about criminal convictions and offenses is treated separately and is subject to tighter controls. (Source: Conducting Research under the GDPR: Legal Bases, June 2017, v.1.4.)
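The split described above, as an added example (not part of the original page or FMR’s own tooling): identifying fields are moved into a separately held key table, linked to the fieldwork responses only through a random token, so that re-identification is possible only for whoever holds both parts. The record schema, field names and sample records are constructed for illustration.

```python
"""Pseudonymization of survey records: identifying details are separated
from fieldwork responses and linked only through a random token held in a
separate key table. All records and field names below are constructed."""
import secrets
from typing import Dict, List, Tuple

# Fields that identify a participant directly (assumed schema).
IDENTIFYING_FIELDS = ("name", "email", "phone")

# Constructed sample records: identity details plus fieldwork answers.
SAMPLE_RECORDS: List[Dict[str, str]] = [
    {"name": "Alice Example", "email": "alice@example.org",
     "phone": "+44 20 0000 0001", "specialty": "oncology",
     "answer": "I prefer the weekly dosing option."},
    {"name": "Bob Sample", "email": "bob@example.org",
     "phone": "+33 1 00 00 00 02", "specialty": "cardiology",
     "answer": "Bob Sample here, I switched last year."},
]


def pseudonymize(records: List[Dict[str, str]]
                 ) -> Tuple[List[Dict[str, str]], Dict[str, Dict[str, str]]]:
    """Return (responses, key_table).

    `responses` carries only fieldwork data plus a random token `pid`.
    `key_table` maps each token back to the identifying fields; it is the
    "additional information" that must be stored separately, under its
    own access controls, for the responses to count as pseudonymized."""
    responses, key_table = [], {}
    for rec in records:
        # A random token, not a hash of the identity: nothing in the
        # responses file can be recomputed from a name or e-mail.
        pid = secrets.token_hex(16)
        key_table[pid] = {f: rec[f] for f in IDENTIFYING_FIELDS if f in rec}
        responses.append({"pid": pid, **{k: v for k, v in rec.items()
                                         if k not in IDENTIFYING_FIELDS}})
    return responses, key_table


def reidentify(responses: List[Dict[str, str]],
               key_table: Dict[str, Dict[str, str]]) -> List[Dict[str, str]]:
    """Re-link responses to identities. Only the holder of both parts can
    do this, which is why pseudonymized data is still personal data."""
    return [{**key_table[r["pid"]],
             **{k: v for k, v in r.items() if k != "pid"}} for r in responses]


def redact_inline_identifiers(responses: List[Dict[str, str]],
                              key_table: Dict[str, Dict[str, str]]
                              ) -> List[Dict[str, str]]:
    """Responses can themselves contain identifying details (a respondent
    stating their own name, for instance). Replace each name from the key
    table that appears in that respondent's free-text answer."""
    out = []
    for r in responses:
        text = r.get("answer", "")
        name = key_table[r["pid"]].get("name")
        if name and name in text:
            text = text.replace(name, "[REDACTED]")
        out.append({**r, "answer": text})
    return out


def anonymize(responses: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Dropping the token severs the only link to the key table; once the
    key table itself is destroyed, the remaining data no longer relates
    to an identifiable person."""
    return [{k: v for k, v in r.items() if k != "pid"} for r in responses]


if __name__ == "__main__":
    resp, keys = pseudonymize(SAMPLE_RECORDS)
    print("responses file:", resp)
    print("key table (store separately):", keys)
    print("re-linked:", reidentify(resp, keys))
    print("anonymized:", anonymize(redact_inline_identifiers(resp, keys)))
```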
FMR researchers take steps to anonymize data early in the research cycle and follow regulatory guidance to keep up to date with the limits of effective anonymization in a digital environment.
Regulators do not look to the absolute impossibility of identification; rather, they consider the likelihood of re-identification occurring. GDPR sets out a clear preference for processing personal data used in research to the point where data subjects cannot be identified.
GDPR does not apply to data that does not relate to or identify an individual, such as aggregated data sets that show general trends without identifying people, or commercial data, such as sales or revenue figures which do not contain personally identifiable information.
FMR employees are obliged to follow policies and procedures regarding confidentiality, security, and privacy. We adhere to the following industry requirements:
- ESOMAR professional Codes of Conduct.
- EphMRA (European Pharmaceutical Market Research Association).
- General Data Protection Regulation (GDPR) and any subsequent legislation, as amended from time to time.
Accuracy:
Reasonable steps are taken to keep personal information in our possession or control which is used on an ongoing basis accurate, complete, current, and relevant, based on the most recent information available to us.
Children’s data collection:
We never knowingly invite children under the age of 16 years to participate in research studies without consent. Where it is necessary and appropriate to a particular project to directly involve children under the age of 16 years, we ensure that their parent or legal guardian has given us permission. This must be verified with an ID from that individual, and they must confirm that no further consent from any other parent or guardian is required.
Rights of individuals:
Health Care Professionals, patients, caregivers, and consumers have the right to request access to personal information.
Under current EU data protection laws, all participants have the right to access, rectify or erase their personal information from our systems unless we have legitimate interest reasons for continuing to process it.
Under current EU data protection laws, researchers are not authorized to make any individual analyses, but only consolidated analyses of all respondents.
From 25 May 2018, individuals have the following rights in relation to personal information:
- Right to change your mind and to withdraw consent.
- Right to access personal data
- Right to erase personal data from our systems unless there is a legitimate interest reason for continuing to process the information
- Right to port personal data (portability right), if appropriate
- Right to restrict processing of personal data
- Right to object to the processing of personal data
Principles relating to the processing of personal data
Definition: ‘personal data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Personal data shall be:
a. processed lawfully, fairly, and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);
b. collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’);
c. adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed (‘data minimization’);
d. accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
e. kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to the implementation of the appropriate technical and organizational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’);
f. processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organizational measures (‘integrity and confidentiality’).
Under the OECD Privacy Principles, any personal data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject. Generally, national laws provide a number of lawful and fair grounds, but in most instances researchers will be obliged to rely on consent.
Consent must be:
• free (voluntary and able to be withdrawn at any time);
• specific (relating to one or more identified purposes);
• informed (in full awareness of all relevant consequences of giving consent).
Consent must also be clearly indicated by a statement or action by the data subject, having been provided with the information set out below. He or she should be informed about:
(a) the use to which his or her personal data will be put;
(b) the specific data to be collected;
(c) the name, address, and contact information of the company or organization collecting the data and, if not the same organization, the data controller;
(d) whether data will be disclosed to third parties.
Data storage and retention:
Personal information will be retained only for such period as is appropriate for its intended and lawful use. In this case, we shall retain data for no longer than 6 months, after which it will be destroyed, with proof of this destruction, unless otherwise required by law. Personal information that is no longer required will be disposed of in ways that ensure its confidential nature is not compromised.
All archives are retained for a defined period of time in a strictly controlled environment. Once expired, the data is deleted, and the physical media is destroyed to ensure the data is erased completely.
The use of appropriate security safeguards to provide necessary protection includes:
• physical measures (locked filing cabinets, restricting access to offices, alarm systems, security cameras)
• technological tools (passwords, encryption, firewalls)
• organizational controls (background checks, rules relating to taking computers off-site, limiting access on a “need-to-know” basis, staff training, agreements with clients and subcontractors)
The security policy also includes a procedure for dealing with a potential data breach in which personal data is disclosed. In the case of secondary data collected by another party, such as a client’s database, that party must be informed immediately. Data subjects whose data was disclosed also must be notified if the disclosure exposes them to some risk (e.g., identity theft) and appropriate steps taken to protect against that risk.
Photographs, audio, and video recordings
A number of new research techniques create, store, and transmit photographs, audio, and video recordings as part of the research process. Two prominent examples are ethnography and mystery shopping.
Photographs, audio, and video recordings are personal data and must be handled as such.
Some types of observational research may involve photographing, videoing, or recording in public settings involving people who have not been recruited as data subjects. In such instances, researchers need permission to share such images from those data subjects whose faces are clearly visible and can be identified. If permission cannot be obtained, then the data subject’s image should be pixelated or otherwise anonymized. In addition, clear and legible signs should be placed to indicate that the area is under observation, along with contact details for the individual or organization responsible. Cameras should be sited so that they monitor only the areas intended for observation.
Audio and video recordings will not be stored for more than 6 months, after which they will be destroyed with proof of this destruction unless otherwise required to do so by law.
It has also been agreed that all FMR partners will abide by the following:
ARTICLE 1 – CONTRACTUAL OBJECT
The Partner will carry out its services for FMR in compliance with the professional codes of conduct and of Pharmacovigilance applying to medical Market Research.
ARTICLE 2 – PROVISION OF SERVICES
In order to carry out its mission, the Partner will resort to its knowledge, techniques, and experience. The services carried out, the reports established, the conclusions drawn, and the opinions formulated are in accordance with the profession’s most rigorous state of the art.
The Partner agrees to carry out its services in compliance with the legal dispositions and any other rules that may apply with all the necessary professional care and diligence.
The Partner agrees to never offer, promise, or make any payment, any remuneration or provide direct or indirect advantages of any kind to civil servants, employees of regulatory decision bodies, health care professionals, governmental organizations, public institutions of any kind that constitute or may constitute an illegal action or an act of corruption in exchange for the realization of the contract.
The Partner also agrees to never offer, promise or make any payment or provide direct or indirect advantages of any kind to any FMR employee in order to obtain or influence the conclusion of a contract with FMR. Any such practice will be grounds for immediate termination of this Agreement.
The Partner agrees to provide the necessary means, humans, and materials for the realization of the Services. To carry out the Services covered by this Agreement, the Partner will resort to qualified personnel. The collaborators of the Partner are under its sole responsibility and will receive instructions from the Partner only in the quality of the employer, excluding any subordination relationship with FMR.
The Partner, as the employer, is the sole responsible for work organization and for the work schedule of its employees.
The Partner will be solely responsible for the mistakes the Partner or the personnel the Partner will have assigned to the realization of its services, as well as for any delay or defects of any kind impacting the delivery of the services and/or their quality.
The Partner agrees to comply with any administrative, fiscal or social duties necessary to the compliance to the current legislation and declares abiding by the law. FMR shall not be held responsible if it were to be otherwise.
Any digital or document-based document delivered to FMR by the Partner in the framework of the Services carried out will be exempt from viruses. The Partner agrees to destroy the files FMR will have provided once the Services are carried out.
ARTICLE 3 – DURATION AND TERMINATION
The present Agreement will be valid for every project FMR and the Partner will work together on. FMR reserves the right to amend this agreement at any time.
Each party can, in case of characterized non-compliance by the other party to the present Agreement, by way of notice, remind the other party of its obligation to fulfill its obligations. If the said notice, sent by registered letter with acknowledgment of receipt, has not been answered within fifteen (15) days from the moment the letter was received, the present Agreement can be terminated without notice via registered letter with acknowledgment of receipt sent to the defaulting party without prejudice to any damages the complaining Party may claim.
The contract will be terminated without notice if the default is substantiated and cannot be overcome due to its nature.
ARTICLE 4 – CONFIDENTIALITY
The Partner agrees to consider all the materials and information provided by FMR or its affiliates, as well as any information it may produce or to which the Partner may have access to within the present Agreement, hereinafter “Confidential Information”, as strictly confidential.
The Partner, therefore, agrees not to share nor make accessible any of that information to any third party, directly or indirectly. The Partner also agrees to destroy all the files provided by FMR at the end of each mission to which the Partner has been assigned.
The Partner agrees to take all necessary measures to ensure confidentiality is preserved, to inform its personnel of the dispositions in the present Agreement, and to ensure these rules are abided by. The Partner will guarantee that its personnel or its potential subcontractors respect those dispositions.
The obligation of confidentiality will not apply if the Partner can prove the following:
- That the Partner already had this information when the Partner received the said information from FMR.
- That the said information is in the public domain otherwise than by the Partner’s fault or negligence.
- The said information was already in the public domain when the Partner received it from FMR.
- That the said information is to be revealed in accordance with a legal obligation or a non-equivocal regulation, with a court decision, or with the request from an administrative authority to which the Partner must comply.
The present confidentiality obligations will remain after termination of the Agreement, for any reason whatsoever, with no limitation in time other than the dispositions of the present Agreement.
ARTICLE 5 – DECLARATION OF THE PARTNER
In any event, the Partner declares:
- Complying with all legal prescriptions, regulatory or administrative governing its activities as described in the present contract.
- Being able, with no restrictions whatsoever, to carry out the Services described in the present provisions to arrange all the necessary administrative authorizations and to respect any legal, regulatory or administrative prescription as well as the ethical code of professional conduct directly or indirectly in connection with the present Agreement.
- Not being in default of payments or being the object of any collective proceedings.
ARTICLE 6 – FILES AND DATABASES
FMR may have to give the Partner access to files or databases, allowing the Partner to carry out the requested Services.
The Partner agrees to use the databases and the data exclusively in the name of and for FMR and its client within the determined framework of the mission, and the Partner agrees not to use them directly or indirectly for any other purposes. The Partner agrees to:
- Maintain the strictest confidentiality regarding the information passed on to the Partner by FMR and to use them exclusively in order to carry out the Services for the sole benefit of FMR and its client. The Partner also agrees to reveal the said information only to the person who may need it in order to carry out the Services. The Partner is forbidden to communicate Confidential Information to anyone else, with the exception of the members of staff mentioned above.
- The Partner agrees to use the Confidential Information exclusively within the framework of the Services and exclusively in the name of FMR and its client.
- The Partner agrees not to give a third party access to, nor to make available to a third party, even for free, directly or indirectly, and even out of negligence, the entirety or parts of the Confidential Information provided by FMR.
- The Partner agrees not to extract and/or re-use the structure, template, or content of the database provided by FMR for any other use than that authorized to carry out the Services for the sole benefit of FMR and its client.
- The Partner agrees not to use the data, the model, or the structure of the database provided by FMR in order to sell, constitute, update or improve a commercial database.
- The Partner agrees to control access to the data provided by FMR and to take any necessary safety measure in order to ensure that only the members of the personnel and the collaborators who expressly need it can access the data in order to carry out the Services for FMR and for the sole benefit of FMR and its client.
ARTICLE 7 – DATA PROTECTION AND CIVIL LIBERTIES LAW
Each party guarantees they are committed to undertaking all the declarations needed regarding their files and, more generally, to respect their obligations regarding the automatic processing of personal data according to the current legislation (as amended May 26th, 2018).
ARTICLE 8 – TRANSFER OF THE RIGHTS AND SUBCONTRACTING
The present Agreement is intuitu personae regarding the specific competencies and qualifications of the Partner and the mutual trust between the Partner and FMR.
The Partner will not transfer its rights and obligations to the contract to any third party, in any form or in any way, be it only for a short period, nor be considered part of the company unless FMR has expressly given its prior consent.
ARTICLE 9 – RESPONSIBILITIES – INSURANCES
The Partner shall bear the sole responsibility of perfectly executing the Services. Therefore, in case of any fault or defect, negligence, breach, omission, or poor execution for which the Partner is responsible, or for which any person directly or indirectly involved under the Partner’s control is responsible, the Partner shall repair the totality of the damages caused to FMR.
ARTICLE 10 – PHARMACOVIGILANCE / MATERIOVIGILANCE
The Partner will be trained in FMR’s internal Pharmacovigilance process.
Equally, and before any activity, the Partner will be trained in the Pharmacovigilance process specific to FMR’s client and for whom the Services will be provided. These processes will have to be enforced by the Partner and its personnel.
FMR must be informed immediately, as soon as it is brought to the Partner’s knowledge, of any information regarding Pharmacovigilance or vigilance in general concerning a product of FMR’s client (drug, food supplement, cosmetics, medical device), regardless of this information being initial or complementary, and more particularly in case of:
- Adverse Event (AE), serious or not,
- Incorrect use of a product of FMR’s client, with or without Adverse Event (AE),
- Overdosing, with or without AE,
- Intentional misuse of a product of FMR’s client, with or without AE,
- A medication error, with or without AE,
- Lack or absence of efficacy,
- An improved therapeutic effect or an unexpected beneficial effect,
- Interaction between a product of FMR’s client and other medications, food, tobacco, alcohol or radiation,
- Exposure to a product of FMR’s client during pregnancy, with or without AE,
- AE after exposure to a product of FMR’s client when breastfeeding,
- Exposure of the father or the mother to a product of FMR’s client at the moment of conception, with or without AE,
- AE following professional exposure,
- AE due to a default in quality, design, or counterfeit of a product of FMR’s client
- Suspicion of infectious agent transmission by a product of FMR’s client,
- Incident or risk of an incident with a medical device of FMR’s client.
The information must be forwarded the same day to FMR and via email directly to the project manager, who will, in turn, liaise with the client’s Pharmacovigilance department.
ARTICLE 11 – LITIGATIONS
In the event of a dispute between the parties regarding the interpretation or the execution of the contract, or the lack thereof, and provided the parties do not reach an agreement, the Paris commercial court will be the sole competent jurisdiction for all claims, even incidental, in intervention or appeal in guarantee, or in the case of multiple defendants.
EphMRA (European Pharmaceutical Market Research Association) Guiding principles that underpin the Code of Conduct:
- Subjects MUST be able to provide voluntary, informed consent to data collection and use based upon a clear understanding of the purpose of the data collection and the use(s) to which the data will be put.
- The subjects’ rights MUST be observed, including rights to confidentiality, anonymity, and the right to withdraw at any stage.
- Market research MUST be kept separate from any form of promotion or selling. It MUST NOT be a vehicle for disguised promotion.
- Subjects MUST be treated fairly and reasonably, with care and courtesy.
- Subjects MUST be protected for the duration of the study – not harmed, exposed, disadvantaged, or made uncomfortable. Confidence in market research MUST NOT be abused.
- Data collection MUST be adequate, relevant, and limited to the purpose(s) for which it is processed. Researchers MUST be transparent about the personal data they plan to collect, the reason(s) it is being collected, and who it will be shared with.
- Data MUST be processed fairly and lawfully and only used for the specific and lawful purposes for which it was obtained. Personal data must be accurate and up to date. It must be processed in accordance with the rights of individuals within national and international data protection and privacy legislation.
- There MUST be no unauthorized or unlawful processing, loss, destruction, or damage to personal data. You must take appropriate technical and organizational measures to keep data safe.
- Data can only be transferred, to a third party or overseas, when adequately protected.
- Personal data MUST NOT be kept beyond the time required to fulfill the immediate purposes of the study.
- Researchers MUST behave ethically; they MUST NOT undermine or damage the reputation of healthcare market research. They MUST NOT disparage or appear to disparage competing companies or products.
- Researchers MUST conduct market research accurately, transparently, objectively, and appropriately.
FMR GLOBAL HEALTH is committed to protecting the personal data of its customers, respondents, and employees. If you have any questions or require further clarification, please contact Thierry Rollin, who has been elected as responsible for data protection.