RTI Health Solutions (RTI-HS) business practices respect the confidentiality and privacy of personal data collected or acquired during the conduct of our clients’ research projects and our business operations, and we comply with data protection laws in all activities. Our standard operating procedures outline the requirements necessary to identify and protect personal data throughout its life cycle from initial acquisition to destruction and to operationalize the rights of data subjects.
The RTI-HS Office of Legal and Regulatory Affairs, Office of Quality Assurance, and RTI's Global Privacy Officer work together to facilitate compliance with the laws and regulations governing the collection, processing, and use of personal data. RTI-HS works together with RTI global technology services (GTS) to ensure the security and protection of personal data processed by RTI-HS.
The following is a summary of RTI-HS compliance with the European Union General Data Protection Regulation (EU Regulation 2016/679) (“GDPR”). RTI-HS is a business unit of RTI International.
RTI-HS GDPR Compliance Framework
RTI-HS implemented the necessary processes and procedures to comply with the GDPR prior to its effective date in May 2018. These processes and procedures, regularly evaluated and updated, form the foundation for our continued compliance with the GDPR.
The RTI-HS GDPR compliance framework described here demonstrates how we have implemented the requirements for data protection. Our compliance framework is built upon six key elements that together ensure privacy by design and default, accompanied by ongoing oversight and continuous improvement:
- Governance and Accountability
- Compliant Data Processing
- Data Protection Security and Controls
- Risk Management
- Data Breach Management
- Records Management
The key aspects of each element of the GDPR compliance framework are described further below.
ELEMENT: Governance and Accountability
GDPR Articles 5, 6, 9, 24, 25, 28, 37-39
RTI-HS senior management has proactively addressed data protection compliance through policies, procedures, staff training, vendor management, and dedicated staff. Our procedures include training for all staff on proper identification and handling of EU personal data, data subject rights, confidentiality, data archive and destruction, and data breach notification.
Staff Dedicated to Data Protection
The RTI-HS Office of Legal and Regulatory Affairs includes staff who provide strategic leadership for data protection compliance across the organization, informing and advising RTI-HS management and staff on compliance obligations and supporting day-to-day operational issues for data protection while also serving as the first point of contact for data protection authorities and individuals whose data is processed.
The RTI-HS Office of Legal and Regulatory Affairs also liaises with the RTI organization-wide Global Privacy Officer.
NOTE: RTI-HS is not required to designate a Data Protection Officer because its core activities do not involve regular and systematic monitoring of data subjects on a large scale or processing on a large scale of special categories of data.
RTI-HS employees share responsibility for data protection compliance. All RTI-HS employees undergo background checks prior to employment as well as ongoing debarment screening and sign an employment contract that includes the requirement for employees to protect the confidentiality and privacy of all information provided or obtained for business purposes. All RTI-HS employees complete training on information security and handling of personal data at first hire and periodically thereafter according to standard operating procedures.
Vendors and Research Partners
Vendors and research partners supporting data processing are evaluated for their ability to process data in compliance with GDPR before approval to process data subject to GDPR on behalf of RTI-HS. Designated, experienced staff in the RTI-HS Office of Legal and Regulatory Affairs review the responses and determine whether the vendor or research partner is approved for processing EU personal data. This GDPR evaluation is in addition to the qualification by the RTI-HS Office of Quality Assurance that is done prior to first use for all vendors and research partners providing substantive research services to RTI-HS.
In addition to these assessments, RTI-HS vendor agreements require compliance with GDPR and include data processing agreements applicable for any processing of data subject to GDPR.
Data Controller Registration
RTI-HS is registered as a data controller in the United Kingdom (UK) and Spain and operates office locations in each country.
ELEMENT: Compliant Data Processing
GDPR Articles 5, 6, 9, 12-21, 28, and 30
RTI-HS data processing activities incorporate the fundamental principles of GDPR data protection:
- Data is processed fairly, lawfully and in a transparent manner (“fair and lawful processing”);
- Data is processed for limited purposes and in an appropriate way (“purpose limitation”);
- Only the relevant and minimum necessary data is processed (“data minimization”);
- Steps are taken to assure the accuracy of data;
- Data is not kept longer than necessary for the purpose (“storage limitation”);
- Data is processed with due respect of the data subject rights of access, rectification, deletion, portability of information, and the limitation or opposition to processing (“data subject rights”);
- Data is processed using appropriate technological and organizational security measures; and
- Data is transferred outside the European Union only with adequate protections in place.
Types of RTI-HS Personal Information
RTI-HS uses several types of personal information in conducting our business. Primarily these include:
- Public Business information from clients and vendors: This is information routinely made available in the public domain by those persons as part of their business operations e.g., the contact information in emails or included on a company website.
- Confidential business information from clients and vendors: This includes financial and legal information (e.g., tax identifiers), and information submitted by a vendor working with us in support of our proposals and contracts with clients or our business operations. This confidential information is maintained in secure business operations databases or in secure project servers.
- Project information: This is information provided to us by clients or third parties or information that we collect while conducting research projects. Health data, a special category of personal data per GDRP Article 9, may be processed with data subject consent and/or ethics committee or Institutional Review Board approval. In carrying out research projects, we always seek to limit such data to the minimum necessary to fulfill the research purpose, e.g. receiving data with the least personal identifiers possible.
Legal Basis for Processing
RTI-HS processes all data in a lawful manner. Our legal basis for processing personal data of EU origin typically relies on one or more of the following:
- Data subject consent (Article 6.1.a), especially for our research projects where consent is obtained for processing of any personal data, including any data transfer outside the EU.
- Processing is necessary for the performance of a contract to which the data subject is a party, (Article 6.1.b).
- Processing is necessary for compliance with a legal obligation to which the controller is subject, (Article 6.1.c).
- Processing is in the legitimate interests of RTI-HS (Article 6.1.f), as when we process personal data consistent with our business operations (e.g. database of vendors with contact information and credentials).
Records of Data Processing
RTI-HS has implemented an organization-wide Data Registry to identify and document our records of data processing as required by GDPR Article 30. The Data Registry entry is completed by the project leader or another project team member with an understanding of the data to be used in the project. The project leader or delegate must update a project-specific Data Registry entry if the data collection or use plans change during the project.
Designated staff in the RTI-HS Office of Legal and Regulatory Affairs review the Data Registry entries for GDPR compliance. The database housing the Data Registry is programmed to send automatic reminders in advance of and on the scheduled dates for data destruction to ensure that data is retained only for as long as necessary.
Data Transfers Outside the EU or United Kingdom (UK)
Prior to collecting or obtaining personal data of EU or UK origin, RTI-HS procedures require the project leader to confirm that the data will reside at all times within the EU or UK and be accessible only to RTI-HS staff or approved vendors based in the EU or UK, or to create a plan for the collection, transfer, and processing of data that accounts for the transfer of the data outside the EU or UK in accordance with governing data protection laws.
RTI-HS relies on one of two authorizations to transfer the data to RTI-HS offices and personnel in the United States:
- Standard Contractual Clauses per GDPR Article 46: Staff in the RTI-HS Office of Legal and Regulatory Affairs implement a properly executed set of “model contract” (Standard Contractual Clauses) between RTI-HS and the exporting data controller entity.
- Explicit data subject consent per GDPR Article 49: Data subject consent may be obtained in writing, or if web-based, obtained through click-through consent. RTI-HS requires separate explicit consents from the data subject for both the processing of the data subject’s personal data and the transfer of the data subject’s personal data to the United States.
ELEMENT: Data Protection Security and Controls
GDPR Articles 5.1(f), 24, 25, 28, 30, and 32
RTI-HS has implemented robust measures to protect the confidentiality and security of all data, not just personal data as required by GDPR. Physical, logical, and procedural controls are in place to protect data from loss, misuse, unauthorized access or disclosure, alteration, or destruction. These include physical and network security including firewalls, access and password controls, data segregation, encryption, patch management and anti-virus controls, on-site and remote backups with defined destruction process, and disaster recovery and business continuity plans.
Confidential Business Information
Confidential business information from clients and vendors is maintained in our secure business operations databases or in secure project servers. All staff are trained on confidentiality and sign employment contracts with provisions requiring protection of confidential information.
Research Project Data
Project data is stored on dedicated project shares on secure network servers within Europe or RTI’s data center or in approved cloud vendor platforms. Access to each project-specific share is controlled through a documented process with access and permission levels requested by the project leader on a need-to-know basis and then implemented by the RTI Office of Global Technology Services (GTS) system administrators.
Analysis data may be stored as SAS datasets on RTI-HS project-specific drives within the protected RTI network. Access to those drives is only available to staff on a need-to-know basis who have been granted access to those directories by the project leader. Access is controlled by GTS consistent with the access and permissions approved by the project leader. SAS datasets may contain coded identifiers for subjects (e.g., 101-015). There are no names, addresses, email addresses, GPS locations, or telephone numbers associated with the coded identifiers.
RTI Global Technology Services
The RTI Office of Global Technology Services (GTS) supports the RTI-HS information systems and network. GTS policies and procedures are based upon the security framework of the United States National Institute of Standards and Technology Special Publication 800-53 Rev. 4 (NIST). GTS is an ISO/IEC 27001:2013 certified provider whose Information Security Management System (ISMS) has received third-party accreditation from the International Standards Organization. The technical and organizational security measures are extensive and commensurate with industry standards.
ELEMENT: Risk Management
GDPR Articles 25 and 35
RTI-HS has taken steps to limit its risks associated with the processing of personal data. We do not engage in “large scale” data processing. We work most frequently with pseudonymized, anonymized, or aggregated data in our studies. Even so, in accordance with Article 35, GDPR, RTI-HS has implemented procedures that require completion of a Data Protection Impact Assessment (DPIA) when the processing of personal data of EU origin is “likely to result in a high risk to the rights and freedoms of natural persons”.
Data Protection Impact Assessment (DPIA)
As a data controller, in general, RTI-HS does not engage in “high risk” types of data processing that require completion of a DPIA as defined under GDPR or the UK Data Protection Act. RTI-HS acts as a data processor for client’s research projects. RTI-HS will assist the client, who serves as the data controller, in the completion of any requested project-specific DPIA.
The RTI-HS Office of Quality Assurance (OQA) maintains a robust vendor management program to ensure that RTI-HS works only with third parties capable of delivering services in accordance with the standards applicable to their work. In addition to the OQA vendor management program, the designated staff in the RTI-HS Office of Legal and Regulatory Affairs partner with OQA to identify and assess relevant vendors for compliance with GDPR. Vendors who may provide or process data of EU origin during the conduct of RTI-HS research must complete an in-depth GDPR questionnaire. Designated staff in the RTI-HS Office of Legal and Regulatory Affairs review the completed questionnaire and supporting documentation provided by the vendor to determine whether the vendor is approved for processing data of EU origin.
RTI-HS standard vendor agreements and purchase orders include requirements for qualified, approved vendors to comply with all applicable data protection laws, specifically referencing the GDPR, and to execute a data processing agreement when processing data subject to GDPR.
ELEMENT: Data Breach Management
GDPR Articles 5.1(f), 33, and 34
RTI-HS has implemented comprehensive procedures, best practices, and technological controls to prevent or limit the risks associated with unintended data exposure. Internal procedures provide an incident response framework for when, where, and how to report potential and actual data breaches.
Data Breach Notification Procedures
All RTI-HS employees are trained to immediately notify the RTI-HS Office of Legal and Regulatory Affairs of incidents where personal data may have been improperly transferred, disclosed, or processed by RTI-HS staff, vendors, or clients. Upon notification, the RTI-HS Office of Legal and Regulatory Affairs will then promptly coordinate further actions with the RTI Global Privacy Officer per the established RTI organizational Data Incident Response and Breach Notification Plan.
ELEMENT: Records Management
GDPR Article 5.1(e)
RTI-HS has implemented processes and procedures to retain records in a secure and confidential manner only for the minimum time required by applicable law, regulation, contract, or mission-critical business needs.
RTI-HS adheres to the “storage limitation” requirement of GDPR Article 5.1(e) by keeping personal data only for as long as required for the purpose for which the data were collected, or as required by law or regulation.
RTI-HS procedures require all personal data held in electronic form to be segregated and stored only in restricted access folders and files. Access to personal data is restricted to persons who have a need to know based on their organizational or project role.
Electronic personal data of EU origin that is not approved for export must reside in project-specific, controlled access folders created within the servers available in the Manchester, United Kingdom; Lyon, France; or Barcelona, Spain RTI-HS offices. Access to these folders is restricted to EU staff.
RTI-HS maintains a Controlled Documents Room for secure storage of hard copy documentation, signed informed consent forms in hardcopy form, and data storage media.
Record Retention Schedules
RTI-HS and RTI have record retention schedules based on typical record types created during our normal course of business. The record retention schedules are periodically reviewed to align with applicable laws and provide default retention periods when applicable laws, research informed consent forms, or contract provisions do not dictate the retention period.
When personal data are no longer needed and there is no contractual or regulatory requirement to retain the data for a longer period, RTI-HS requires that the data be permanently erased or destroyed, and the destruction documented per written process. If personal data are no longer needed but there is a contractual or regulatory requirement to retain the data, the data must be placed in a read-only archive with access restricted to the project leader and GTS Administration.
Owner and Data Controller
RTI Health Solutions
P.O. Box 12194
3040 Cornwallis Road
Research Triangle Park, NC 27709-2194 USA
Data Protection contact email: firstname.lastname@example.org
Revision 2, Effective Date: October 1, 2021