Pharmacovigilance and Safety Reporting: Privacy Notice
Wockhardt UK Limited registered at Ash Road North, Wrexham, LL13 9UF undertakes pharmacovigilance, drug safety monitoring and reporting activities in connection with our own products and those of third parties. We maintain a database of reports, adverse reactions and similar incidents (our “Activities”).
PURPOSE OF THIS PRIVACY NOTICE
Your privacy is very important to us. This Privacy Notice (“Notice”) sets out the way in which we process personal data when obtained in connection with our Activities in accordance with the General Data Protection Regulation (GDPR) and applicable local data protection laws.
This Notice applies to individuals making reports to us via all communication means (including verbally via the telephone or in meetings, during clinical trials or interviews, in writing via letter or email). It extends to the information processed by us whether the report concerns the reporter’s own experiences, or those of another person, eg a health professional, manufacturer or other third party reporting the drug experience of a particular patient to us.
TERMS USED IN THIS NOTICE
- “Personal data” is any information that relates to an identifiable natural person. Your name, address, contact details, patient number, medical history are all examples of your personal data, if they identify you.
- The term “Process” means any activity relating to personal data, including, by way of example, collection, storage, use, consultation, analysis and transmission.
- We are a “Controller” of the personal data provided or otherwise produced by us in connection with the Activities. This means that we make decisions about how and why we process your personal data and, because of this, we are responsible for making sure it is used in accordance with data protection laws.
- “Special Categories” means personal data in relation to race, ethnic origin, politics, religion, trade union membership, genetics, biometrics (where used for ID purposes), health, sex life, or sexual orientation, including results of clinical trials, relevant medical and medicinal history or side effects.
REPORTING IN RELATION TO A THIRD PARTY
If you give us personal data about another person, in doing so you confirm that they have given you their prior permission or you have their authorisation to provide it to us and for us to be able to process their personal data (including any special categories of personal data). You must also ensure this and other relevant privacy notices are brought to their attention so they can review how their personal data may be used.
INFORMATION WE MAY PROCESS
We may collect personal data directly from you, or from someone else reporting your symptoms. These may include Special Categories in connection with our Activities. We may collect your personal data including but not limited to:
- Patient’s name, contact details, email, telephone number, address, date of birth, gender, weight, height and related demographic data;
- Medicines and products taken including dosages, medical history, adverse events/reactions and laboratory reports;
- Reporter’s name, contact details, including email, telephone number, address, professional role and patient relationship.
SOURCES OF PERSONAL DATA
As well as information provided by a patient reporting an adverse reaction or event, we obtain personal data from third parties, including healthcare professionals and authorities, lawyers, manufacturers, as well as licensing partners, group companies and other regulatory authorities.
THE PURPOSES FOR OUR PROCESSING AND THE LAWFUL GROUNDS
- The Activities are driven by the need to assess, detect, maintain, monitor and report safety information and associated risk benefits for public interest and commercial purposes. There are also legal obligations to undertake pharmacovigilance reporting and report to government agencies.
- We are required by law to always have a “lawful basis” (i.e. a reason or justification) for processing personal data. We may process personal data in the following circumstances:
- Conducting research and contributing to studies, for our legitimate interest in carrying out our business, and the public interest;
- Responding to enquiries and/or complaints, for product quality and commercial risk management so appropriate actions can be taken, where the processing is necessary for the purpose of pursuing legitimate interests including ensuring accurate services;
- Reporting to government agencies and healthcare agencies in accordance with our legal obligations and in the public interest;
- Processing in accordance with the public interest and any legal and regulatory obligations under European Union Member State laws and guidance, including Directive 2001/83/EC as amended, Commission Implementing Regulation (EU) No 520/2012 and the adopted good pharmacovigilance practices (GVP) Modules.
KEEPING US UPDATED
If any of the personal data given to us changes, such as contact details, please inform us without delay.
SHARING PERSONAL DATA WITH THIRD PARTIES
We may also share your personal data with third parties (including but not limited to any third parties directed by you) or those who act on our behalf as data processors. Other third parties may be independent data controllers.
All third parties must either comply with applicable data protection laws and where appropriate we will ensure our third party service providers enter appropriate contractual arrangements to maintain security and privacy compliance in accordance with data protection laws.
We have set out below a list of the categories of recipients with whom we may share your personal data:
- Our group companies and departments for quality assurance, reporting, storage and analysis purposes;
- Health authorities, regulatory bodies and government agencies;
- Distributors, licence partners or other companies that collaborate for the purposes of drug safety and pharmacovigilance or act on our behalf to analyse reports;
- Consultants and professional advisors including pharmaceutical, legal and other expert advisors;
- Certain software and IT systems and/or service providers;
We may also transfer personal data to:
- Comply with a legal or regulatory requirement of a court or other competent authority;
- Or in connection with a potential sale, purchase, transfer or reorganisation of our business (or any part of it), including disclosure to a prospective buyer, successor, assignee or their professional advisers.
HOW LONG DO WE KEEP PERSONAL DATA
Adverse events and reaction reports are retained for at least 10 years after the cessation of the marketing authorisation for a medicinal product.
We will only otherwise retain personal data in connection with the Activities for a limited period of time and for no longer than is necessary for the purposes for which we are processing it for.
This will depend on a number of factors, including:
- Any laws, regulations or guidance that we are required to follow in relation to pharmacovigilance;
- Whether we are in a legal or other type of dispute with each other or any third party;
- The type of information that we hold about you; and
- Whether we are asked by you or a regulatory authority to keep your personal data for a valid reason.
TRANSFERRING YOUR PERSONAL DATA OUTSIDE OF THE EEA
We are based in the UK but as a global business, we may transfer the personal data to servers, entities, database subscribers and partners located outside European Economic Area (“EEA”) or other trusted third parties based in other countries so that they can process personal data on our behalf or for their own analysis purposes. Please be aware that the data protection laws in some jurisdictions may not provide the same level of protection as those under the laws in your location. This includes transfers to Global Pharmacovigilance Cell (Wockhardt India). We will take all steps reasonably necessary to ensure that your data is treated securely and in accordance with our data protection policies. We will only make a transfer outside the EEA if:
- The country to which the personal data is to be transferred ensures an adequate Level of protection for personal data;
- We have put in place appropriate safeguards to protect your personal data, such as an appropriate contract with the recipient. This includes use of European Model Clause contracts which are approved by the European Commission. You can find out what these are here: http://ec.europa.eu/justice/data-protection/international-transfers/transfer/index_en.htm;
- Where the importer is based in the US, they maintain adherence to the EU-US Privacy Shield;
- The transfer is necessary for one of the reasons specified in data protection legislation, such as the performance of a contract between us and you; or
- You explicitly consent to the transfer.
We understand the importance of taking extra precautions to protect the privacy and safety of children. If we become aware that the personal data relates to a person under 16, we will seek consent and involvement of a parent or guardian.
SECURITY: HOW SECURE IS YOUR INFORMATION WITH US?
We have implemented appropriate physical, electronic, procedural and managerial procedures to safeguard personal data against accidental loss, unauthorised access, disclosure, misuse or modification this includes encryption of personal data. We require any third parties processing your information on our behalf to implement appropriate levels of protection and to agree to contractual terms imposing strict standards.
CHANGES TO THE NOTICE
This Notice is effective as of September 2018. We reserve the right to update or change this Notice at any time, and we will provide you with the updated Notice when we make any substantial updates at the earliest opportunity via an appropriate method including email, or by providing a prominent notice of change on the website. We advise you to check the Notice periodically.
THIRD PARTY WEBSITES
From time to time we may provide links to the websites of other organisations; these links are provided for your information only. We have no control over the contents of those sites or resources, and accept no responsibility for them or for any loss or damage that may arise from your use of them.
YOUR PRIVACY RIGHTS
We respect legal rights in relation to personal data. Individuals have the right to:
- Access information held about them. A person may make a request in writing providing sufficient information to permit us to identify the personal information. In certain circumstances under the privacy laws, we may not be required to provide all the details of personal data held;
- Individuals also have the right to lodge a complaint with the Information Commissioner’s Office, which is the UK data protection regulator. More information can be found on the Information Commissioner’s Office website at https://ico.org.uk/.
- Amend and rectify personal information that is inaccurate and notify any third party recipients of the necessary changes;
- Request restriction of information processing concerning a person or to object to processing;
- Where our processing is based on the legitimate interests, the individual can object to this processing at any time. We will need to show either a compelling reason why our processing should continue, which overrides the individual’s interests, rights and freedoms or that the processing is necessary for us to establish, exercise or defend a legal claim;
- The right to request the erasure of personal information;
- The right to data portability including to obtain personal information in a commonly used machine readable format in certain circumstances such as where our processing of it is based on a consent;
- Where we are processing personal data for direct marketing purposes, a person has the right to object to that processing;
- The right to object to automated decision making including profiling (if any) that has a legal or significant effect on an individual; and
- The right to withdraw your consent to any processing, without affecting the lawfulness of any processing based on any consent prior to its withdrawal.
Individuals also have the right to lodge a complaint with the Information Commissioner’s Office, which is the UK data protection regulator. More information can be found on the Information Commissioner’s Office website at https://ico.org.uk/.
HOW TO CONTACT US AND OUR DATA PROTECTION OFFICER
In case you have any questions, comments or concerns about this notice or wish to exercise any of the above mentioned rights, you can contact the Human Resources Department on firstname.lastname@example.org or 01978 661261.