IVR Clinical Concepts Inc. (IVRCC)  Privacy Policy

PURPOSE
The purpose of this Privacy Policy is to outline responsibilities and procedures for ensuring privacy, confidentiality and security of all personally identifiable data and sensitive information we collect, are provided, and/or process using our electronic clinical assessment tools. 

IVR Clinical Concepts Inc. (IVRCC) strongly respects individual privacy and strives to manage personal data in line with the laws and high ethical standards of IVRCC and countries in which IVRCC does business.

IVR Clinical Concepts Inc. (IVRCC) abides by a deep commitment to respect the privacy and the protection of any personal information submitted to, hosted at and transferred by IVRCC. IVRCC respects individual privacy and holds the confidence of its customers, employees, clinical trial participants, and others in the highest regard. IVRCC endeavors to collect and shepherd personal, private and metadata information in a manner that is consistent with the laws of the countries in which IVRCC applications and activities are present. Data Privacy is taken seriously and is implemented through company-wide policies and SOPs, while also taking into account regional office locations requirements.

NOTICE
IVR Clinical Concepts Inc. (“IVRCC”) provides software and services to life sciences companies for use in the conduct of clinical trials throughout the world.  IVRCC is sub-contracted to provide interactive voice and web applications (IVR/IWR “IxR”) on behalf of clients and other third-party agents for the purpose of acting as a third-party agent for our clients. Detailed contractual arrangements, SOPs and business policies govern all our work with customer data. IVRCC’s internal policies are available for audit/review by our clients, per IVRCC’s responsibility to adequately maintain these business policies and IVRCC’s technology infrastructure, while maintaining data integrity security and privacy.

IVRCC may collect, process, store and distribute Personal Data (e.g., subject ID, initials, email address, phone number) from clients including study sponsors, research site staff, study participants, consultants/subcontractors, and other employees involved in clients’ clinical trials. Additionally, as requested and authorized by our clients, IVRCC may collect and store Clinical Study Data, which is collected pursuant to a project-specific informed consent (IC) with clinical research subjects, and may include detailed information regarding health status, test results, medical assessments, and other data required for a particular study, in order to support clients’ trials, develop programs for their products, develop reports or other assemblages of information, and monitor progress throughout a study. Typically, IVRCC generates, collects and stores investigative site and subject ID numbers to our database with no traceability back to a specific trial patient/subject. We transfer personal information data collected, for the purposes of the clinical trial, confidentially to third party electronic data bases.

IVRCC informs individuals about the purposes for which it collects and uses personal information. The notice is provided in clear language in a conspicuous manner. The use of the data is limited to the purpose identified, and no more information is collected than is required to satisfy the purpose. Data used for pharmaceutical research and other purposes when using IVRCC software products is anonymized as appropriate. Any personal information that is related to the use of the IVRCC clinical trial software products or personal data collected in specific medical or pharmaceutical research studies belongs to the client. IVRCC informs individuals about the type of third party to which IVRCC discloses information if any, and offers individuals the choices and means for limiting the use and disclosure of their personal information.

IVR Clinical Concepts Inc. (IVRCC) complies with the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield  Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union and Switzerland  to the United States.  IVRCC has certified to the Department of Commerce that it adheres to the Privacy Shield Principles.  If there is any conflict between the terms in this privacy policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern.  To learn more about the Privacy Shield program, and to view our certification, please visit https://www.privacyshield.gov/.

CHOICE
IVRCC offers individuals the option of choice as to whether their personal information is disclosed to a third party. Individuals can also choose to not have their data shared if the purpose is incompatible with the original purpose of data collection or has not been subsequently authorized by the individuals. IVRCC provides individuals with reasonable mechanisms with which to exercise their choices.

For sensitive personal information, IVRCC gives individuals explicit (opt in) choice if the information is to be disclosed to a third party or is to be used other than the purpose that was originally authorized, or has been subsequently authorized. IVRCC will disclose the information only after explicit consent of the individual.

ONWARD TRANSFER
IVRCC may share personal data with agents, third-parties, or partners explicitly approved by our clients and as required by contract.  In the context of an onward transfer, IVRCC has responsibility for the processing of personal information it receives under the Privacy Shield and subsequently transfers to a third party acting as an agent on its behalf. By contract IVRCC ensures for all onward transfers of personal data that IVRCC will take reasonable and appropriate steps to ensure that recipients effectively process the IVRCC’s  obligations under the Principles. Recipients will notify IVRCC if they make a determination that they can no longer meet this obligation.  IVRCC shall remain liable under the Principles if our agent processes such personal information in a manner inconsistent with the Principles, unless the organization proves that it is not responsible for the event giving rise to the damage.  The contract shall provide that when such a determination is made, the recipients will cease processing or take other reasonable and appropriate steps to remediate.

SECURITY
IVRCC protects confidentiality, integrity and availability of personal information by physical, electronic and logical security measures. IVRCC has written procedures in place regulating the protection of confidential data from loss, misuse and unauthorized access, disclosure, alteration and destruction.

DATA INTEGRITY
IVRCC takes reasonable steps to ensure that personal information is relevant for the purposes of its use, and that the data is accurate, complete and current. IVRCC complies with the current data retention principle, with making individual identifiable only for as long as it serves a purpose of processing. Such processing would reasonably serve the purpose of archiving in the public interest, journalism, literature and art, scientific or historic research and statistical analysis, while maintaining adherence to the provisions of the Principles and the Framework.

ACCESS
Upon request, individuals will be granted reasonable access to personal information that IVRCC holds about them.  In response to lawful request by public authorities, including to meet national security or law enforcement requirements, IVRCC is required to disclose personal information, per the enforcement authority which has jurisdiction over IVRCC’s compliance with the Framework. Personal/sensitive personal data is held by IVRCC as data controller and we ensure such data is accurate and relevant for the purposes for which we collected it.   IVRCC will take reasonable steps to allow individuals to correct, amend, or delete information that is found to be inaccurate or incomplete.  Exceptions could include where the burden of providing access is disproportionate to the risk to the individual’s privacy or where violation of another person’s rights would occur.  Where IVRCC is a data processor, we will direct individuals to the relevant client/sponsor third party who is the data controller of the personal/sensitive personal data.

ENFORCEMENT
IVRCC has written procedures in place that regulate regular internal compliance audits of the Privacy Principles. Internal audits are conducted by the QA Department or by a third party as delegated by the QA Department. The QA Department is comprised of QA Department Head and additional company representatives, who have authority to enforce the policies that are created. The company President has the ultimate responsibility and authority of managing Quality Systems. Non-compliance issues are investigated and rigorous corrective actions are put in place and followed up until resolution for any problems arising out of failure to comply with the Principles. Remedy actions could include disciplinary actions. The U.S. Federal Trade Commission (FTC) has jurisdiction over IVR Clinical Concepts Inc.’s compliance with the Privacy Shield Principles.

DISPUTE RESOLUTION
Individual complaints will be investigated and remedy actions performed in the same rigorous way as described for non-compliance detected during internal audits (see above, Enforcement). An independent recourse mechanism by which each individual’s complaints and disputes can be investigated and expeditiously resolved is at no cost to the individual and by reference to the Principles. IVRCC also commits to a binding arbitration at the request of the individual to address any complaint that has not been resolved by other recourse and enforcement mechanisms.

IVRCC has committed to cooperate with data protection authorities (DPAs) by declaring our self-certification submission to the Department of Commerce.

In compliance with the Privacy Shield Principles, IVR Clinical Concepts Inc. (IVRCC) commits to resolve complaints about our collection or use of your personal information.  European Union,  Swiss or other individuals with inquiries or complaints regarding our Privacy Shield or Privacy Policy should first contact IVR Clinical Concepts Inc. (IVRCC) at:

IVR Clinical Concepts Inc.
Attention: Compliance Department
358 Broadway, Suite 201
Saratoga Springs, NY 12866

Email address: john@ivrcc.com
Phone: (518) 583-0095
Fax: (518) 583-0394

Per the Privacy Shield Framework, IVRCC must respond to all complaints within 45 days of receipt of a complaint related to an individuals’ personal data.

For any Privacy Shield complaints or questions that cannot be resolved with IVRCC directly, we commit to cooperate with the panel established by EU data protection authorities (DPAs) or the Swiss Federal Data Protection and Information Commissioner. and comply with the advice given by the panel with regard to data transferred from the EU or Switzerland.

If you do not receive timely acknowledgment of your complaint from us, or if we have not addressed your complaint to your satisfaction, please contact the EU DPAs or the Swiss Federal Data Protection and Information Commissioner (FDPIC) for more information or to file a complaint. 

Note that an individual also has the possibility, under certain conditions, to invoke binding arbitration for complaints regarding EU Privacy Shield or Swiss Privacy Principles not resolved by any of the other Privacy Shield mechanisms. 

For additional information: https://www.privacyshield.gov/article?id=ANNEX-I-introduction.

NOTIFICATION OF POLICY CHANGES
If major content changes are made to IVRCC Privacy Policy we will outline and post the changes along with the new version on this Web site. The effective date of the revised Privacy Policy will be set forth in this paragraph. This Privacy Policy was last updated on December 28, 2017 and is effective as of that date.