PRIVACY STATEMENT FOR PHARMACOVIGILANCE DATA
Colonis Pharma Limited (“Colonis”) respects your privacy and is committed to protecting your personal data. This Privacy Statement (“Statement”) aims to give you information on how Colonis collects and processes Personal Data in relation to the PV Purposes (defined below) and to tell you about your privacy rights and how the law protects you.
It is important that you read this Statement together with any other privacy notice or fair processing notice we may provide on specific occasions when we are collecting or processing personal data about you or others (such as your patients) so that you are fully aware of how and why we are using this data.
WHO WE ARE
This Statement is issued on behalf of Colonis Pharma Limited so when we mention “Colonis”, “we”, “us” or “our” in this Statement, we are referring to Colonis Pharma Limited which is the company responsible for processing your data. Colonis Pharma Limited is assumed to be the controller of data collected under this Statement.
If you have any questions about this Statement, including any requests to exercise your legal rights, please contact us using the details set out below.
Colonis Pharma Limited
You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection (www.ico.org.uk). We would, however, appreciate the opportunity to address your concerns with you before you approach the ICO so please contact us in the first instance.
Colonis develops and markets medicines for human use (“Colonis Commercial Products”). Colonis has a legal responsibility to monitor the safety of all of its Colonis Commercial Products in each country globally where they are supplied. This includes monitoring adverse reactions or events (side effects) associated with the use of the Colonis Commercial Products which is called Pharmacovigilance (“PV”). PV requirements exist to allow us and competent regulatory authorities (such as the Medicines and Healthcare products Regulatory Agency and European Medicines Agency and other regulatory authorities) to collate adverse events, identify new side effects, provide accurate and up to date safety information and ensure continued public health protection.
Our PV obligations require us to process certain information, which allows us to directly or indirectly identify a person (“Personal Data”), of a patient and/or the reporter of an adverse event that we receive, in order to comply with strict obligations to perform benefit/risk assessments of Colonis Commercial Products continuously and report suspected adverse reactions or events to relevant regulatory authorities.
This Statement provides important information to you about how we process Personal Data for PV Purposes, in line with our obligations under applicable data privacy laws and in particular the UK and EU General Data Protection Regulations (“GDPR”).
All Personal Data is processed exclusively for PV Purposes and only where relevant and appropriate to do so in accordance with our PV obligations.
WHY WE COLLECT PERSONAL DATA
In order to meet our PV obligations in respect of the Colonis Commercial Products, we may process Personal Data to:
- I. investigate the adverse event;
- II. contact a patient or their Healthcare Professional for further information about the adverse event being reported;
- III. collate the information about the adverse event with information about other adverse events received by Colonis to analyse the safety of the Colonis product, or active ingredient; and
- IV. provide mandatory reports to national and/or regional competent regulatory authorities so that they can analyse the safety of a production batch, Colonis Commercial Product, generic or active ingredient,

(together the “PV Purposes”).
Therefore, we process Personal Data, including special categories of Personal Data, in accordance with the GDPR and in order to comply with legal obligations under applicable PV laws and regulations and for our legitimate interests in ensuring the PV Purposes are met. PV law has been issued for reasons of substantial public interest in the area of public health and safety of medicinal products or medical devices.
THE DATA WE COLLECT
The Personal Data we may need to process (including collecting, storing or otherwise using and transferring) includes contact data and medical/health data such as the following, as relevant:
I. About the Patient
- patient ID and / or initials;
- date of birth / age group, sex, weight, height;
- information about health, racial or ethnic origin and sexual life; medical history and status, which may for example include:
  - details of other medicines or remedies you are taking or were taking at the time of the adverse event, including the dosage you have been taking or were prescribed, the period of time you were taking that medicine, the reason you have been taking that medicine and any subsequent change to your regimen;
  - other medical history considered relevant by the reporter, including documents such as lab reports, medication histories and patient histories.
II. About the Reporter:
- contact details (which may include your address, e-mail address, phone number or fax number);
- profession (this information may determine the questions you are asked about an adverse event, depending on your assumed level of medical knowledge); and
- relationship with the subject of the report.
HOW IS PERSONAL DATA COLLECTED AND USED?
We use different methods to collect Personal Data in order to fulfil our PV obligations. These include gathering information received via emails, phone calls, completion of website forms and regulatory authorities.
Personal Data is used solely to enable us to comply with our PV obligations. This means we may use Personal Data by sharing and/or disclosing Personal Data:
- within the Clinigen Group in order to analyse and process a reported adverse event;
- with competent regulatory authorities, in respect of a suspected adverse reaction;
- with third party service providers of Colonis or the Clinigen Group; these service providers may include safety database providers, call centre operators, and in the event that you disclose details of your suspected adverse reaction to our market researchers, that particular market research provider;
- with other pharmaceutical companies who are our co-marketing, co-distribution, or other license partners where PV obligations for a Colonis Commercial Product require such exchange of safety information;
- with a third party successor in business in the event of a sale, assignment or transfer of a specific Colonis Commercial Product;
- when publishing information about adverse events (such as case studies and summaries); in such cases, we will remove identifiers from any publication to keep an individual’s identity private.
We require all third parties to respect the security of Personal Data and to treat it in accordance with the law. We do not allow our third-party service providers to use Personal Data for their own purposes and only permit them to process Personal Data for specified purposes and in accordance with our instructions.
We do not sell your Personal Data.
Whilst we do not routinely do so, we may share Personal Data within the Clinigen Group. This will involve transferring your data outside the UK and/or European Economic Area (“EEA”).
We ensure Personal Data is protected by requiring all Clinigen Group companies to follow the same rules when processing Personal Data.
Many of our external third parties are based outside the UK and/or EEA, and as a result their processing of Personal Data will involve a transfer of data outside the UK and/or EEA. Whenever we transfer Personal Data out of the UK and/or EEA, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:
- we will only transfer Personal Data to a country where there is an applicable finding under the UK or EEA data protection regime that such country provides an adequate level of protection for personal data.
- where we use certain service providers, we may use standard data protection contractual terms recognised or approved under the applicable UK or EEA data protection regimes.
Please contact us if you want further information on the specific mechanism used by us when transferring Personal Data out of the UK and/or EEA.
HOW SECURE IS MY DATA?
We have put in place appropriate security measures to prevent Personal Data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to Personal Data to those employees, agents, contractors and other third parties who have a business need to know. They will only process Personal Data on our instructions and they are subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected Personal Data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
HOW LONG WILL YOU USE MY PERSONAL DATA FOR?
We will only retain Personal Data for as long as necessary to fulfil the PV Purposes, including for the purposes of satisfying any legal, accounting, or reporting requirements.
To determine the appropriate retention period for Personal Data, we consider the amount, nature, and sensitivity of the Personal Data, the potential risk of harm from unauthorised use or disclosure of Personal Data, the purposes for which we process Personal Data and whether we can achieve those purposes through other means, and the applicable legal requirements. For PV related information, mandatory requirements oblige us to archive PV information which may include Personal Data at least for the duration of the product life-cycle and for an additional ten years after the respective medicinal product has been taken from the market.
In some circumstances we may anonymise Personal Data (so that it can no longer be associated with you) for research or statistical purposes in which case we may use this information indefinitely without further notice to you.
YOUR LEGAL RIGHTS
Under certain circumstances, you have rights under data privacy and protection laws in relation to your Personal Data. These rights include:
- Request access to or disclosure of your Personal Data – Commonly known as a data subject access request, this enables you to receive a copy of the Personal Data we hold about you and to check that we are lawfully processing it. You also have a right to know the categories of Personal Data collected, the sources from which Personal Data is collected, our purpose for collection, and the categories of third parties with which Personal Data is shared.
- Request correction of your Personal Data – This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.
- Request erasure of your Personal Data – This enables you to ask us to delete or remove Personal Data from our records where there is no good reason for us continuing to process it and to ask us to direct any third parties to delete Personal Data from their records. You also have the right to ask us to delete or remove your Personal Data where you have successfully exercised your right to object to processing, where we may have processed your information unlawfully or where we are required to erase your Personal Data to comply with local law. Please note, however, that we may not always be able to comply with your request for erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.
- Object to processing of your Personal Data – Where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object or opt-out to the processing or disclosure of your Personal Data on this ground as you feel it impacts on your fundamental rights and freedoms, you can do so by contacting us. You also have the right to object where we are processing your Personal Data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms.
- Request restriction of processing your Personal Data – This enables you to ask us to suspend the processing of your Personal Data in the following scenarios: (a) if you want us to establish the data’s accuracy; (b) where our use of the data is unlawful but you do not want us to erase it; (c) where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or (d) you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.
- Request transfer of your Personal Data to you or a third party – We will provide to you, or a third party you have chosen, your Personal Data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.
- Right to withdraw consent – Where we are relying on consent to process your Personal Data, you may withdraw it at any time. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.
- Protection against discrimination – We will not discriminate against you because you exercised any of the above rights. This means, among other things, we will not deny services to you if you request disclosure or deletion of your Personal Data.
HOW TO EXERCISE YOUR RIGHTS
If you wish to access your own Personal Data, please contact the Head of Group HR of the Clinigen Group. If you wish to exercise any of the other rights set out above, please contact LegalandContracts@clinigengroup.com.
You will not have to pay a fee to access your Personal Data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.
WHAT WE MAY NEED FROM YOU
We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that Personal Data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response. Any personal information we collect from you to verify your identity in connection with your request will be used solely for the purposes of verification (unless we notify you otherwise and obtain your approval accordingly).
TIME LIMIT TO RESPOND
We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
WHAT WE MAY NEED FROM YOU
If you have any questions regarding this Policy or any related issue, you should contact LegalandContracts@clinigengroup.com.