RTI Health Solutions (RTI-HS) business practices respect the confidentiality and privacy of personal data collected or acquired during the conduct of our clients’ research projects and our business operations, and we comply with data protection laws in all activities. Our standard operating procedures outline the requirements necessary to identify and protect personal data throughout its life cycle from initial acquisition to destruction and to operationalize the rights of data subjects.
The RTI-HS Data Protection Officer, Office of Contracts, and Office of Quality Assurance work together to facilitate compliance with the laws and regulations governing the collection, processing, and use of personal data. RTI-HS works together with RTI global technology services (GTS) to ensure the security and protection of personal data processed by RTI-HS.
The following is a summary of RTI-HS compliance with the European Union General Data Protection Regulation (EU Regulation 2016/679) (“GDPR”).
RTI-HS GDPR Compliance Framework
RTI-HS implemented the necessary processes and procedures to comply with the GDPR prior to its effective date in May 2018. These processes and procedures, regularly evaluated and updated, form the foundation for our continued compliance with the GDPR.
The RTI-HS GDPR compliance framework described here demonstrates how we have implemented the requirements for data protection. Our compliance framework is built upon six key elements that together ensure privacy by design and default, accompanied by ongoing oversight and continuous improvement:
- Governance and Accountability
- Compliant Data Processing
- Data Protection Security and Controls
- Risk Management
- Data Breach Management
- Records Management
The key aspects of each element of the GDPR compliance framework are described further below.
ELEMENT: Governance and Accountability
GDPR Articles 5, 6, 9, 24, 25, 28, 37-39
RTI-HS senior management has proactively addressed data protection compliance through policies, procedures, staff training, vendor management, and designation of an internal data protection officer. Our procedures include mandatory training for all staff on proper identification and handling of EU personal data, data subject rights, confidentiality, data archive and destruction, and data breach notification.
Data Protection Officer
RTI-HS has voluntarily designated the Vice President of Contracts, reporting to the highest level of RTI-HS management, as our global Data Protection Officer. The RTI-HS Data Protection Officer provides strategic leadership for data protection compliance across the organization, informing and advising RTI-HS management and staff on compliance obligations and supporting day-to-day operational issues for data protection while also serving as the first point of contact for data protection authorities and individuals whose data is processed.
RTI-HS employees share responsibility for data protection compliance. All RTI-HS employees undergo background checks prior to employment as well as ongoing debarment screening and sign an employment contract that includes the requirement for employees to protect the confidentiality and privacy of all information provided or obtained for business purposes. All RTI-HS employees complete training on information security and handling of personal data at first hire and periodically thereafter according to standard operating procedures.
Vendors and Research Partners
Vendors and research partners supporting data processing are evaluated for their ability to process data in compliance with GDPR before approval to process data subject to GDPR on behalf of RTI-HS. The RTI-HS Data Protection Officer reviews the responses and determines whether the vendor or research partner is approved for processing EU personal data. This GDPR evaluation is in addition to the qualification by the RTI-HS Office of Quality Assurance that is done prior to first use for all vendors and research partners providing substantive research services to RTI-HS.
In addition to these assessments, RTI-HS vendor agreements require compliance with GDPR and include data processing agreements applicable for any processing of data subject to GDPR.
Data Controller Registration
RTI-HS is registered as a data controller in the United Kingdom (UK) and Spain and operates office locations in each country.
ELEMENT: Compliant Data Processing
GDPR Articles 5, 6, 9, 12-21, 28, and 30
RTI-HS data processing activities incorporate the fundamental principles of GDPR data protection:
- Data is processed fairly, lawfully and in a transparent manner (“fair and lawful processing”);
- Data is processed for limited purposes and in an appropriate way (“purpose limitation”);
- Only the relevant and minimum necessary data is processed (“data minimization”);
- Steps are taken to assure the accuracy of data;
- Data is not kept longer than necessary for the purpose (“storage limitation”);
- Data is processed with due respect of the data subject rights of access, rectification, deletion, portability of information, and the limitation or opposition to processing (“data subject rights”);
- Data is processed using appropriate technological and organizational security measures; and
- Data is transferred outside the European Union only with adequate protections in place.
Types of RTI-HS Personal Information
RTI-HS uses several types of personal information in conducting our business. Primarily these include:
- Public business information from clients and vendors: This is information routinely made available in the public domain by those persons as part of their business operations (e.g., the contact information in emails or included on a company website).
- Confidential business information from clients and vendors: This includes financial and legal information (e.g., tax identifiers), and information submitted by a vendor working with us in support of our proposals and contracts with clients or our business operations. This confidential information is maintained in secure business operations databases or in secure project servers.
- Project information: This is information provided to us by clients or third parties or information that we collect while conducting research projects. Health data, a special category of personal data per GDPR Article 9, may be processed with data subject consent and/or ethics committee/Institutional Review Board approval. In project performance, we always seek to limit such data to the minimum necessary to conduct the research and to receive it in a format with the least personal identifiers possible to fulfill the research purpose.
Legal Basis for Processing
RTI-HS processes all data in a lawful manner. Our legal basis for processing personal data of EU origin typically relies on one or more of the following:
- Data subject consent (Article 6.1.a), especially for our research projects where consent is obtained for processing of any personal data, including any data transfer outside the EU.
- Processing is necessary for the performance of a contract to which the data subject is a party (Article 6.1.b).
- Processing is necessary for compliance with a legal obligation to which the controller is subject (Article 6.1.c).
- Processing is in the legitimate interests of RTI-HS (Article 6.1.f), as when we process personal data consistent with our business operations (e.g. database of vendors with contact information and credentials).
Records of Data Processing
RTI-HS has implemented an organization-wide Data Registry to identify and document our records of data processing as required by GDPR Article 30. The Data Registry entry is completed by the project leader or another project team member with an understanding of the data to be used in the project. The project leader or delegate must update a project-specific Data Registry entry if the data collection or use plans change during the project.
The RTI-HS Data Protection Officer reviews the Data Registry entries for GDPR compliance. The database housing the Data Registry is programmed to send automatic reminders in advance of and on the scheduled dates for data destruction to ensure that data is retained only for as long as necessary.
Data Transfers Outside the EU
Prior to collecting or obtaining personal data of EU origin, RTI-HS procedures require the project leader to confirm that the data will reside at all times within the EU and be accessible only to RTI-HS staff or approved vendors based in the EU, or to create a plan for the collection, transfer, and processing of data that accounts for the transfer of the data outside the EU in accordance with governing data protection laws.
RTI-HS relies on one of two authorizations to transfer the data to RTI-HS offices and personnel in the United States:
- Standard data protection clauses per GDPR Article 46: Staff in the RTI-HS Contracts Office implement a properly executed set of “model contract” provisions between RTI-HS and the exporting data controller entity.
- Explicit data subject consent per GDPR Article 49: Data subject consent may be obtained in writing or, if web-based, through click-through consent. RTI-HS requires separate explicit consents from the data subject for both the processing of the data subject’s sensitive personal data and the transfer of the data subject’s sensitive personal data to the United States.
Note: As a non-profit entity, RTI-HS was not eligible to self-certify to the EU Privacy Shield or Swiss Privacy Shield programs and so had not relied on those programs to effect transfers of personal data subject to GDPR to RTI-HS staff in the US.
ELEMENT: Data Protection Security and Controls
GDPR Articles 5.1(f), 24, 25, 28, 30, and 32
RTI-HS has implemented robust measures to protect the confidentiality and security of all data, not only the personal data that GDPR requires us to protect. Physical, logical, and procedural controls are in place to protect data from loss, misuse, unauthorized access or disclosure, alteration, or destruction. These include physical and network security (including firewalls), access and password controls, data segregation, encryption, patch management and anti-virus controls, on-site and remote backups with a defined destruction process, and disaster recovery and business continuity plans.
Confidential Business Information
Confidential business information from clients and vendors is maintained in our secure business operations databases or in secure project servers. Staff are trained on confidentiality and sign employment contracts with provisions requiring protection of confidential information.
Research Project Data
Project data is contained in secure servers at RTI, and each project has its own access-controlled location on the server. Within that location, folders are created with their own access and permission controls, which are documented and controlled by the project leader.
RTI Global Technology Services
The RTI Office of Global Technology Services (GTS) supports the RTI-HS information systems and network. GTS policies and procedures are based upon the security framework of the United States National Institute of Standards and Technology Special Publication 800-53 Rev. 4 (NIST). The technical and organizational security measures are extensive and commensurate with industry standards.
ELEMENT: Risk Management
GDPR Articles 25 and 35
RTI-HS has taken steps to limit its risks associated with the processing of personal data. We do not engage in “large scale” data processing. We work most frequently with pseudonymized, anonymized, or aggregated data in our studies. Even so, in accordance with GDPR Article 35, RTI-HS has implemented procedures that require completion of a Data Protection Impact Assessment (DPIA) when the processing of personal data of EU origin is “likely to result in a high risk to the rights and freedoms of natural persons”.
Data Protection Impact Assessment (DPIA)
The RTI-HS Data Protection Officer has conducted a DPIA assessing overall business operations and research studies. In general, RTI-HS does not engage in “high risk” types of data processing as defined under GDPR; however, certain types of processing involving identifiable personal data do require completion of project-specific DPIAs.
When project data is classified as identifiable personal data of EU origin in the Data Registry, the project leader must then complete a standard DPIA Screening Checklist. The DPIA Screening Checklist facilitates the identification of “likely high risks” that necessitate completion of a full DPIA for a specific project or organizational process. The RTI-HS Data Protection Officer may also recommend completion of a full DPIA notwithstanding the results of the DPIA Screening Checklist.
The RTI-HS DPIA Screening Checklist and DPIA are based on the guidelines and templates of the UK Information Commissioner’s Office (ICO), French Commission Nationale Informatique & Libertés (CNIL), and the European Data Protection Board (adopting the Guidelines issued by the predecessor Article 29 Data Protection Working Party).
The RTI-HS Office of Quality Assurance (OQA) maintains a robust vendor management program to ensure that RTI-HS works only with third parties capable of delivering services in accordance with the standards applicable to their work. In addition to the OQA vendor management program, the RTI-HS Data Protection Officer partners with OQA to identify and assess relevant vendors for compliance with GDPR. Vendors who may provide or process data of EU origin during the conduct of RTI-HS research must complete an in-depth GDPR questionnaire. The RTI-HS Data Protection Officer reviews the completed questionnaire and supporting documentation provided by the vendor to determine whether the vendor is approved for processing data of EU origin.
RTI-HS standard vendor agreements and purchase orders include requirements for qualified, approved vendors to comply with all applicable data protection laws, specifically referencing the GDPR, and to execute a data processing agreement when processing data subject to GDPR.
ELEMENT: Data Breach Management
GDPR Articles 5.1(f), 33, and 34
RTI-HS has implemented comprehensive procedures, best practices, and technological controls to prevent or limit the risks associated with unintended data exposure. Internal procedures provide an incident response framework for when, where, and how to report potential and actual data breaches.
Data Breach Notification Procedures
All RTI-HS employees are trained to immediately notify the RTI-HS Data Protection Officer of incidents where personal data may have been improperly transferred, disclosed, or processed by RTI-HS staff, vendors, or clients. Upon notification, the RTI-HS Data Protection Officer will then promptly coordinate further actions per the established Data Incident Response and Breach Notification Plan.
ELEMENT: Records Management
GDPR Article 5.1(e)
RTI-HS has implemented processes and procedures to retain records in a secure and confidential manner only for the minimum time required by applicable law, regulation, contract, or mission-critical business needs.
RTI-HS adheres to the “storage limitation” requirement of GDPR Article 5.1(e) by keeping personal data only for as long as required for the purpose for which the data were collected, or as required by law or regulation.
RTI-HS procedures require all personal data held in electronic form to be segregated and stored only in restricted access folders and files. Access to personal data is restricted to persons who have a need to know based on their organizational or project role.
Electronic personal data of EU origin that is not approved for export must reside in project-specific, controlled-access folders created on the servers in the RTI-HS offices in Manchester, United Kingdom, or Barcelona, Spain. Access to these folders is restricted to EU staff.
RTI-HS maintains a Controlled Documents Room for secure storage of hard copy documentation, signed informed consent forms in hardcopy form, and data storage media.
Record Retention Schedules
RTI-HS and RTI have record retention schedules based on typical record types created during our normal course of business. The record retention schedules are periodically reviewed to align with applicable laws and provide default retention periods when applicable laws or contract provisions do not dictate the retention period.
When personal data are no longer needed and there is no contractual or regulatory requirement to retain the data for a longer period, RTI-HS requires that the data be permanently erased or destroyed, and the destruction documented per written process. If personal data are no longer needed but there is a contractual or regulatory requirement to retain the data, the data must be placed in a read-only archive with access restricted to the project leader and GTS Administration.
Owner and Data Controller
RTI Health Solutions
P.O. Box 12194
3040 Cornwallis Road
Research Triangle Park, NC 27709-2194 USA
Data Protection Officer contact email: firstname.lastname@example.org