Anchor Medical Research LLC Data Protection and Security Policy

Effective Date: 12/5/2024

Last Updated: 12/5/2024

Anchor Medical Research LLC ("we," "us," or "our") is committed to maintaining the privacy, confidentiality, and security of all personal data collected during the course of our clinical research activities. This Data Protection and Security Policy outlines our practices and procedures to safeguard personal and sensitive information, including health data, in compliance with applicable data protection laws, including the Health Insurance Portability and Accountability Act (HIPAA), General Data Protection Regulation (GDPR), and other relevant regulations.

1. Scope of the Policy

This policy applies to all personal data collected, processed, stored, and shared by Anchor Medical Research LLC in connection with its clinical trials. This includes, but is not limited to:

  • Personal identification data (e.g., names, addresses),
  • Health information (e.g., medical history, test results),
  • Contact information (e.g., phone numbers, email addresses),
  • Any other information collected as part of the clinical trial process.

2. Data Protection Principles

We are committed to protecting personal data by adhering to the following principles of data protection:

  1. Lawfulness, Fairness, and Transparency: We collect and process personal data in a lawful, fair, and transparent manner.
  2. Purpose Limitation: Personal data is collected for specific, legitimate purposes and is not further processed in a manner incompatible with those purposes.
  3. Data Minimization: We ensure that only the minimum amount of personal data necessary for the purposes of the clinical trial is collected.
  4. Accuracy: We take reasonable steps to ensure that the personal data we hold is accurate and up to date.
  5. Storage Limitation: Personal data is only retained for as long as necessary to fulfill the purpose for which it was collected and in accordance with regulatory requirements.
  6. Integrity and Confidentiality: We implement appropriate technical and organizational measures to protect personal data from unauthorized access, disclosure, alteration, or destruction.
  7. Accountability: We are accountable for ensuring compliance with this policy and all applicable data protection laws.

3. Data Collection and Use

3.1 Purpose of Data Collection

We collect personal data solely for the purposes of conducting clinical trials and related activities, including:

  • Participant recruitment and enrollment,
  • Medical assessments and trial participation,
  • Monitoring participant safety and health outcomes,
  • Compliance with regulatory requirements, and
  • Communication with trial participants.

3.2 Categories of Personal Data

The types of personal data we collect and process may include:

  • Personal identification data: Full name, address, date of birth, gender, and other identifying information.
  • Health data: Medical history, diagnosis, laboratory results, physical examination data, treatment records, and any other health-related information relevant to the clinical trial.
  • Demographic information: Ethnicity, socioeconomic status, and other relevant demographic data.
  • Contact information: Email addresses, phone numbers, and emergency contact details.

4. Data Security Measures

We are committed to safeguarding the confidentiality and integrity of personal data through the implementation of appropriate technical and organizational security measures, including but not limited to:

  • Encryption: Sensitive data, especially health information, is encrypted both in transit and at rest to protect it from unauthorized access.
  • Access Control: Access to personal data is restricted to authorized personnel only. Each individual’s access to data is based on their role and responsibilities.
  • Authentication: Multi-factor authentication and strong password policies are enforced to ensure that only authorized individuals can access sensitive data.
  • Physical Security: Physical access to data storage facilities and devices is restricted to authorized personnel, and data storage devices are securely disposed of when no longer needed.
  • Regular Audits: We conduct regular audits of our data security practices to ensure compliance with this policy and identify potential vulnerabilities.
  • Data Backups: Regular backups of personal data are performed to ensure data integrity and availability in case of system failure.

5. Data Sharing and Transfers

5.1 Sharing of Personal Data

Personal data may be shared with third parties in the following circumstances:

  • Regulatory Authorities: Data may be shared with regulatory authorities, including the FDA, EMA, Health Canada, and other relevant bodies, to ensure compliance with clinical trial regulations.
  • Research Partners: Data may be shared with third-party research partners or service providers, including laboratories, medical practitioners, and data analysis firms, as part of the clinical trial process. These third parties are required to comply with our data protection standards.
  • Confidentiality Agreements: All third parties with access to personal data are required to sign confidentiality agreements to ensure that the data is protected.

5.2 International Data Transfers

If personal data is transferred outside of the jurisdiction where it was collected (e.g., from the European Union to the United States), we ensure that the transfer complies with applicable data protection laws, including the General Data Protection Regulation (GDPR) and other regional requirements.

6. Data Retention and Deletion

6.1 Data Retention Period

Personal data will be retained for the duration of the clinical trial and for a period afterward, as required by applicable regulatory bodies and laws. The retention period will be determined based on the type of data and the regulatory requirements for data storage, typically ranging from 5 to 15 years, depending on the nature of the trial.

6.2 Data Deletion

Once personal data is no longer required for the purposes of the clinical trial or for legal or regulatory purposes, it will be securely deleted. Deletion will be performed in a way that ensures the data cannot be recovered or reconstructed.

7. Participant Rights

Under applicable data protection laws, participants have the following rights concerning their personal data:

  • Right to Access: Participants have the right to request access to the personal data we hold about them.
  • Right to Rectification: Participants may request the correction of inaccurate or incomplete personal data.
  • Right to Erasure: Participants may request the deletion of their personal data under certain conditions, including when the data is no longer necessary for the purposes for which it was collected.
  • Right to Restrict Processing: Participants may request the restriction of processing of their personal data in specific circumstances.
  • Right to Data Portability: Participants have the right to receive their personal data in a structured, commonly used, and machine-readable format and to transmit it to another data controller.
  • Right to Object: Participants may object to the processing of their personal data, particularly in cases where the processing is based on legitimate interests or for direct marketing purposes.

To exercise these rights, participants may contact Anchor Medical Research LLC using the contact information provided below.

8. Incident Management and Breach Notification

8.1 Data Breach Response

In the event of a data breach, Anchor Medical Research LLC will take immediate steps to mitigate any potential harm, including:

  • Identifying the cause of the breach,
  • Assessing the scope of the breach and affected individuals,
  • Notifying affected individuals if their personal data is compromised, and
  • Reporting the breach to relevant authorities, including the FDA, HIPAA, and applicable data protection bodies, within the required time frame.

8.2 Preventive Measures

We continuously monitor our systems for potential vulnerabilities and take preventive measures, including software updates, security patches, and employee training, to minimize the risk of data breaches.

9. Training and Awareness

We ensure that all employees and contractors involved in the collection, processing, or management of personal data receive regular training on data protection and security best practices. This training includes:

  • Data protection laws and regulations (e.g., HIPAA, GDPR),
  • Data handling protocols for clinical trials, and
  • Security practices to protect personal data from unauthorized access or disclosure.

10. Compliance and Enforcement

Failure to comply with this Data Protection and Security Policy may result in disciplinary action, including termination of employment or contractual agreements, and could lead to legal consequences for individuals and Anchor Medical Research LLC. We are committed to enforcing this policy and ensuring the protection of participant data at all times.

11. Policy Updates

This Data Protection and Security Policy will be reviewed regularly to ensure compliance with evolving laws, regulations, and industry standards. Any updates will be communicated to employees, contractors, and participants as necessary.