This Policy was last updated on 28 January, 2022
1. Addressing Privacy
This Global Privacy Notice (“Notice”) explains how ICON plc and our companies process personal data.
Personal data is any information relating to you as a living individual which allows you to be identified directly or indirectly. Personal data can include a name, an identification number, details about an individual’s location or any other detail(s) that is specific to that individual.
Processing means any operation which is performed on personal data such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Under data privacy laws, a “controller’ decides the reasons and necessity for the processing. A “processor” processes personal data on behalf of the controller under their instructions.
Sometimes ICON acts as the controller and sometimes as the processor when your personal data is being used.
Throughout this Notice we explain whether we are acting as a controller or a processor in respect of a given activity.
To help you navigate to the sections relevant to you, in section two “What Personal Data is Handled by ICON and for What Purposes” our explanations are based on the main categories of relationships between ICON and those it collects personal data from.
In section three “More Information” we address issues that are relevant to most or all of the relationships between ICON and the individuals who share personal data with ICON, for example your rights as an individual who has shared personal data with ICON, who ICON may share personal data with and our obligations when sharing personal data with third parties internationally.
Additional privacy terms tailored for different methods of data processing by ICON business lines and operations may apply to personal information shared with ICON. If alternative privacy terms are provided to you for a specific purpose those terms will govern the processing of personal data in relation to that purpose.
If you do not provide us with your personal data, we may not be able to provide you with any of our services, process your employment application or respond to communications from you via our website. We will tell you when we ask for personal data which is a contractual requirement or is needed to comply with our legal obligations.
2. What Personal Information is Handled by ICON and for What Purposes
2.1 Website Visitors and Mobile ApplicationUsers:
Personal data that we ask you to provide on the Websites and Apps is often limited to e-mail address, language preference, country or location, but may include other information to provide a requested service, where an employment opportunity is being processed or where services as an Investigator in a clinical trial are being offered. We collect information in several ways:
1. On some Website pages you can register with ICON to receive financial, governance and marketing information.
- The personal data collected is your name, e-mail address, employer name and occupation. You will have the option of cancelling your registration by clicking on an unsubscribe link on each email alert message.
2. On some website pages and apps, you may choose to provide personal information about yourself depending on your relationship with ICON e.g.:
- if you are interested in employment or service provider opportunities with ICON
- if you are interested in providing clinical trial Investigator or related services
- if you are interested in participating in a clinical trial
- if you are interested in obtaining services from or providing services to ICON.
3. On some website pages or apps you may register to receive access to web casts, updates or information on specific ICON services. Personal data collected is usually your name, title, company and e-mail address. This information is collected for qualification and aggregate measurement purposes and to provide you with the service.
4. On some website pages and apps you can register to receive customised information. This information is generally collected on ‘Contact Us’ forms where you may choose to be contacted by ICON. The personal information collected usually includes your name, title, company, address, contact details and email address.
5. Websites and apps also collects information about your computer hardware and software. This information may include; your IP address, browser type, operating system, domain name, access times and referring website addresses. This information is used for the operation of the service, to maintain and monitor quality of the service and to provide general statistics regarding use of websites.
If you don’t want non-essential cookies to be placed on your device, then you can easily accept or reject them in the cookie banners.
Website and App Security. Whilst we do all that we can to safeguard the security of your personal data, the transmission of information over the internet is not completely secure and therefore you do this at your own risk. Once we receive your personal information, we will implement strict security procedures to prevent unauthorised access.
2.2 Potential Employees
This section describes how we handle and protect your personal data in connection with our recruiting processes and programs. We will process your personal data in accordance with this Notice, unless such processing conflicts with the requirements of specific national law, in which case, that applicable law will prevail.
Personal data we collect:
We usually collect personal data directly from you when you apply for a role with us, such as your name, photo, address, contact information, work and educational history, references, achievements, copies of identification documents, CVs, diversity information (if required for compliance reasons) and test results. We also may collect personal data about you from third parties, such as your references, prior employers, publicly available websites and employment background check providers, to the extent this is necessary, and permitted by applicable law. Use of your personal data: We process your personal data for necessary human resources and business management reasons including: identifying and evaluating candidates for potential employment, as well as for future roles that may become available; recordkeeping in relation to recruiting and hiring; ensuring compliance with legal requirements, including any diversity and inclusion requirements and practises; conducting background and criminal history checks as permitted by applicable law. We may also analyse your personal data or aggregated/pseudonymized data to improve our recruitment and hiring process and augment our ability to attract successful candidates.
We may desire to retain your personal data to consider you for future employment opportunities. In such an event we will seek your consent to be part of our future job alerts.
If you consent to future job alerts, but subsequently wish to withdraw, please contact us at the following emails addresses:
if you are based in ASIAPAC at APACTalentAcquisition@iconplc.com
if you are based in EMEA at EU.Recruitment@iconplc.com
if you are based in the Americas at MyHR.USRecruitment@iconplc.com
Data recipients and international data transfers: Your personal data may be accessed by recruiters and interviewers working in the country where the position for which you are applying is based, as well as by recruiters and interviewers working in different countries within our organisation.
Individuals performing administrative functions and IT personnel within our organisation may also have a limited access to your personal data in order to perform their jobs. We have put in place legal mechanisms designed to ensure protection of your personal data that is processed by us, including the transfer of it to countries other than the one in which you reside.
We may use third party service providers to provide a recruiting software system. We may also share your personal data with other third-party service providers that may assist us in recruiting talent, administering and evaluating pre-employment screening, background checks and testing, and improving our recruiting practises.
We maintain processes designed to ensure that any processing of personal data by third party service providers is consistent with this Notice and protects the confidentiality, availability, and integrity of your personal data.
We may also share your personal data with any client of ours that you are proposed to be assigned to in connection with a position.
Data retention: If you accept an employment offer, any relevant personal data collected during your pre-employment period will become part of your personnel records and will be retained in accordance with specific country requirements and our Data Protection and other workplace policies which will be provided to you at that time.
2.3 Investigators, clinical site study team members and other healthcare professionals (HCPs)
We collect names, contact details, and professional information of clinical trial investigators, study researchers, data safety monitoring board members, and other HCPs for the purpose of identifying and assessing suitability to assist in clinical trials and research studies and to provide services. We collect your personal data when you provide it to us directly, for example when you register an interest to participate in a study through our websites, and also from publicly available sources, such as websites, directories and industry networks etc. If you subsequently participate in a trial or study ICON manages or provides services for, we will also collect information relating to the involvement and performance of HCPs.
2.4 Study Participants in Studies sponsored by ICON’s clients
ICON is a global contract research organisation (“CRO”) supporting the clinical trials and medical research studies of Sponsors. We process personal data relating to study participants on behalf of our Sponsors and in accordance with contracts and instructions from them. ICON may also process personal data relating to study participants’ spouses, partners, care givers, and relatives if they are involved in their participation in a study e.g., parents of children, or spouses involved in the care of an incapacitated partner.
In relation to ICON’s delivery of CRO services to Sponsors, the Sponsor is in control of how and why your personal data is processed and as such is the “controller,” ICON is a “data processor”. ICON’s role as processor may include the transfer of such personal information to the applicable Sponsor, its corporate affiliates, business partners and third-party service providers performing services related to the study.
The purposes for which study participant personal data will be used by Sponsors and ICON will depend on the nature of the study and will be addressed in study specific documentation and in particular in study participant documentation that is reviewed prior to participation in a study. Study participants should look to that documentation to understand how their personal data is processed in a study. In general, personal data will be processed for the purposes of assessing eligibility to participate in a study, administering the study, monitoring the study, analysing data to assess the overall safety and effectiveness of the study therapy, and drawing conclusions regarding the effectiveness and viability of the study therapy.
2.5 Participants in ICON Patient Databases
Certain ICON services involve databases of persons who may participate in clinical trials and medical research studies (“Patient Recruitment Databases”) managed by Sponsors. Once a person is recorded in these databases ICON may contact them for further screening and potentially refer them to suitable clinical trials or research studies matched to their areas of medical interest.
In order to match such people to appropriate clinical trials or research studies ICON will process personal data on the basis of the person’s explicit consent, such as names, addresses and contact information, which may be collected on voice recordings, as well as sensitive/special category personal information.
Examples of sensitive/special category personal data we collect include:
- Health information e.g., height and weight, physical and mental health or conditions, medical records
- Medical history of your ‘blood’ relatives
- Race and ethnicity information
- Genetic data.
Your personal data may be collected through volunteering it through one of our websites or in the context of live interview or screening telephone calls with ICON representatives. Be aware that by providing your personal information you consent to a member of our team contacting you directly by telephone or other means and adding your personal data to our Patient Recruitment Databases.
In this context, ICON is the controller of the personal data.
Uses of your personal data. The purpose of collecting personal data in Patient Recruitment Databases is to match patients to clinical trials and research projects based on the individuals’ areas of medical interest. For example, if an individual with type II diabetes expresses a desire to participate in clinical research or avail of novel treatments for type II diabetes or associated symptoms:
- they may volunteer their contact information and relevant health information to ICON for inclusion in a Patient Recruitment Database
- an ICON client or Sponsor who is developing novel treatments for type II Diabetes or symptoms may engage ICON to help refer interested potential patients who are willing to try an experimental treatment in a controlled clinical trial environment
- if the ICON client’s or Sponsor’s clinical trial eligibility criteria align with the individual’s information stored in the database and it is being conducted within their geographical reach, we can contact the individual and refer them to a suitable clinic where medical screening of potential clinical trial participants is being performed. ICON may use your personal data to respond to subsequent requests you may make of us, and from time to time, we may refer to your personal data to better understand your needs and how we can improve our websites, products and services on the basis of our legitimate interests in doing so. We may enhance or merge your personal information with data obtained from third parties for the same purposes.
2.6 Patients participating in clinical trials at an ICON owned Study Site
Certain ICON services involve ICON acting as a clinic (referred to as a “Study site”). Patients and other individuals (“study participants”) participating in a clinical trial or other medical research study (each a “Study”) may share information with study sites for various study related reasons. These reasons include activities such as medical screening to check if being a participant is appropriate for that particular individual. After an individual has undergone a medical screening and provided their consent to participate, an individual may be enrolled in that study.
Purposes and uses of personal data. The purposes for which participants’ personal data will be used by study sites and Sponsors will depend on the nature of the study and will be addressed in more detail in study specific documentation. As such, participants should look to that documentation to understand how their personal data is processed.
To give an overview, participants will likely attend the study site to be prescribed, provided with or administered with a drug, treatment or device that is the subject of the study. Study participants might attend the study site or be in contact with representatives throughout the study to enable them to collect health information that is relevant to the study or in order to monitor their health during the study. During a study, participants may be in communication with a study site for reasons such as scheduling follow up visits or referrals to other medical appointments associated with the study. Participants may also share information with study sites remotely through mobile applications e.g., where regular patient status updates are needed for the particular Study. Study sites may also process personal data relating to participants’ spouses, partners, care givers, and relatives if they are involved in the participants’ participation in a study at the study site e.g., parents of child participants or spouses involved in the care of an incapacitated participant.
- Usually, these activities are overseen by a medical doctor known as a “Principal Investigator” who is responsible for participants’ medical care at the study site. These activities and related data processing may also be administered by other members of the study team at the site under the Principal Investigator’s supervision e.g., study coordinators, nurses and other medical professionals.
Certain personal data will be made accessible to the Sponsor and its agents (“Sponsor Data”). Sponsor data is used by the Sponsor to make decisions about the study, to perform research or analysis relating to the study and to make decisions about the study drug, device or treatment. Study data is generally pseudonymised, meaning names and other information that could immediately identify a participant is excluded. Instead, participants are typically identified by a code. Principal Investigators, members of their team and authorised personnel, including Contract Research Organisations appointed by Sponsors to monitor compliance and other auditors, may access Study participant identifying records in certain circumstances.
Who is the controller? Depending on the processing activity, the relevant controller may be the study site or the Sponsor. As the study site is responsible for the medical care of participants and the Sponsor is responsible for the medical research the Study concerns, ICON generally regards the Sponsor as the controller of activities in respect of Sponsor Data, and the Study Site as the controller of activities in respect of medical records which are kept by the study site.
2.7 Callers to ICON Medical Information and Pharmacovigilance Call Centers
ICON operates contact centres on behalf of our clients for the purpose of providing medical information to health professionals, patients and other interested parties on specific pharmaceutical and other medical products sold by our clients and our clients’ clinical and research studies. ICON acts as a data processor in this scenario. Some of these contact centres also collect adverse event information and deliver this to relevant pharmacovigilance professionals for processing and reporting as required by applicable regulations. Personal data on those who call or email our contact centres are only collected to process requests for information and allow adverse event reporting. Calls may be recorded for quality assurance purposes. Callers (inbound and outbound) are notified if their call is recorded.
2.8 Client Personnel
Client business representatives and agents. For individuals sharing personal data with ICON in relation to ICON services or purchases, receive or seek information from ICON, including about opportunities to participate in clinical research, we will use such personal data in order to provide the requested information and process requested transactions. We may also use personal data to improve the quality of our services, send and receive communications about ICON products and services, and to enable our business partners and agents to perform activities on our behalf to meet your inquiry, service or purchase needs.
Use of personal information of client business representatives and agents in relation to ICON activities. For individuals engaged by ICON’s clients and collaborating with ICON in connection with projects for which ICON is providing services, personal data may be used by ICON in order to carry out the applicable services and related activities. This may include the transfer of such personal data to the applicable vendors, its corporate affiliates, business partners and third-party service providers performing services related to the project (e.g., study data management, clinical research monitoring services, safety monitoring, etc.).
2.9 Vendor Personnel
Vendor business representatives and agents. Vendor representatives may share personal data with ICON in order to provide information about services e.g., business support services, health care products and services, opportunities to participate in clinical research, health care education and patient related programs which may be available through a Vendor. ICON will use any personal data provided by the Vendor and its representatives in order to receive and assess the vendor related information, products, and/or services. Uses may include processing for requested transactions, reviewing the quality of the vendor’s services, sending and receiving communications about the products and services available through the vendor, and enabling ICON’s business partners, clients and agents to perform activities and make decisions in relation to the vendor.
Use of personal information of vendor business representatives and agents in relation to activities performed by vendors for ICON and ICON’s clients. For vendors engaged by ICON including in relation to research studies being managed by ICON and its clients your personal data may be used by ICON in order to carry out the projects, activities and other related services in connection with which the vendor is engaged by ICON. This may include the transfer of such personal data to the applicable ICON study sponsor or client, other vendors involved in a project for which a vendor is engaged and such parties’ respective corporate affiliates, business partners and third-party service providers performing services or activities related to the project or activities for which a vendor is engaged by ICON (e.g., study data management, clinical research monitoring services, safety monitoring, etc.).
3. More Information
3.1 International and Third-Party Transfers of Personal Data
As a global business, it may be necessary to transfer personal data within ICON businesses and with agents, contractors or partners of ICON. This may involve transferring personal information outside the European Economic Area (EEA) to/from the USA and elsewhere. These agents, contractors or partners are restricted from using this data in any way other than to provide services for ICON. ICON may, for example, provide your personal data to agents, contractors or partners for hosting our databases, for data processing services, or so that they can send you information that you requested.
Regardless of whether the transfer is within the ICON group or to a third party, ICON will apply appropriate safeguards to such transfers as required by applicable law. For example, transfers to non-EEA countries will usually be governed by EU-approved “Standard Contractual Clauses” and will be subject to other appropriate technical and organisational measures having regard to the nature of the personal data.
ICON may have to share personal data in response to authorised information requests of governmental authorities or where required by law. ICON may disclose personal data where necessary for our legitimate business interests to protect the rights, property or safety of ICON or for the purposes of fraud protection. Such disclosure may, as appropriate, include exchanging information with other organisations, companies, auditors and governmental departments.
As part of, or during negotiations of, any merger, sale, joint venture, assignment, transfer, or other disposition of all or any portion of our business, assets, or stock (including as part of any bankruptcy or similar proceedings), we may transfer your personal data to other parties involved in these transactions. Under these circumstances, all parties have entered into a confidentiality agreement and are obligated to protect any information provided as part of the transaction and not to use the personal data for any other purpose than the purpose it was collected for in the first instance.
3.2 Legal Basis for Use of Your Personal Data
3.2.1. With Your Consent: In cases where we need your consent to process your personal data, we will ask you to make a positive indication (e.g., to tick a box, sign a document, provide confirmation) that you agree to the processing. By providing consent, you are stating that you have been informed as to the nature, purpose, scope and duration of our processing. Where we may rely on consent to process your information, you have the right to withdraw that consent for that activity at any time.
3.2.2. To Fulfil a Contract: In other cases, we process your personal data because it is necessary to deliver a service you have requested, you are employed by us, you provide a service to us or you will partake in a paid clinical trial or other medical research project.
3.2.3. For a Legitimate Interest: ICON may process your personal data on the basis of its legitimate interests in using your data for the purposes described in this Notice. Examples of our legitimate interests include the following:
- Processing in relation to employment opportunities with ICON;
- Processing in relation to investigator opportunities with ICON;
- To improve our services;
- To protect the security of ICON websites and apps;
- To protect ICON property or rights or obligations and/or the property, rights or obligations of third parties;
- To take precautions against potential liability on the part of ICON;
- To analyse therapeutic trends and gather anonymized geographic statistics; and
- To correct technical errors and to technically process your personal data.
You can object to us relying on our legitimate interest to use your personal data in these ways at any time as described under “Your Personal Data Rights” below.
3.2.4. To Comply with Legal Obligations: We may need to use your personal data to comply with legal obligations, applicable regulations and judicial process. For example, we are required by law to keep certain records for specific periods of time.
Under data protection laws around the globe, certain types of personal data, sensitive or special category data will require enhanced protection including: a more thorough consent process, or a requirement that the national law of the country specifically allows the processing of that data, or more enhanced security applied to the data, or that the personal data processed may improve the health of people in that country. The laws vary around the countries we work in and we respect the national law and adhere to the rules around the processing of sensitive data.
3.3 Your Personal Data Rights
You have rights in respect of your personal data. Our Global Policy is to extend the rights listed below to all our data subjects worldwide, unless the local law states otherwise.
- The right to be informed – if we are processing your personal data, we must inform you the who, why, what of the processing including who else may view it or use it, how long we will retain it for, and if we are transferring the data to another country.
- Right to withdraw consent – if we are processing your personal data on the basis of your consent, you are entitled to withdraw your consent to that processing at any time (see contact details section). However, the withdrawal of your consent will not invalidate any processing we carried out prior to the withdrawal of your consent.
- The right of access to your personal data – you can request a copy of the personal data we hold about you.
- The right to rectification – you have the right to request that we correct any inaccuracies in the personal data we hold about you and complete any personal data where this is incomplete.
- Right to erase your personal data (right to be forgotten) - You have the right to be forgotten in certain circumstances including, for example, where the personal data are no longer needed for the purpose for which they were collected. However, this right does not apply where, for example, processing is necessary to comply with a legal obligation, or for the establishment, exercise or defence of legal claims.
- The right to restrict the processing of your personal data - You have the right to ask us to restrict certain processing activities in some circumstances, including, for example, where the accuracy of the data in question is contested. Where processing has been restricted, we can only process it for limited purposes such as, for example, the establishment, exercise or defence of legal claims.
- The right of data portability - You have the right to have your data returned to you or to a third party in certain cases.
- The right to object – You have a right to object to the processing of your personal data in certain cases. In such a case we will stop processing your personal data unless we can demonstrate compelling legitimate grounds which override your interest.
To exercise any of the above rights, please notify us at the address provided in section 3.6 “Inquiries, complaints and requests to exercise rights”, unless you are a patient in a Study Site in which case please notify the relevant site you are/were attending. We may request proof of identification to verify your identity. Where ICON is the data controller, we will assess your request and, subject to applicable laws and exceptions, respond within the relevant legal time limits. Our Global Policy is to respond to your request within one month.
3.4 Data Quality and Record Retention
When we collect information that is not personal information or convert personal information into information which can no longer be used to identify you (such as through aggregation or anonymization), we may use and disclose that information for any purpose, as unidentifiable data is not covered under data protection laws.
3.5 Information Security
ICON ensures appropriate technical and organisational measures are taken to protect personal data from unauthorised or unlawful processing and to protect against accidental loss, destruction or damage. ICON’s websites, apps and electronic databases have security measures in place to protect the loss, misuse, unauthorised access or disclosure, alteration or destruction of the information under our control. However, as effective as modern security practises are, no physical or electronic security system is entirely secure. We cannot guarantee the complete security of our databases, nor can we guarantee that information you supply will not be intercepted while being transmitted to us over the internet.
3.6 Inquiries, Complaints and Requests to Exercise Rights
If you feel your data protection rights have been infringed by ICON, you have the right to complain to your local data protection supervisory authority. The lead supervisory authority for ICON in Europe is the Data Protection Commission in Ireland (see www.dataprotection.ie). People residing in non-EEA countries can contact ICON’s Global Data Protection Officer and/or lodge a complaint to their own national or State body regulating data protection. A good resource for details on data protection authorities from around the world is kept at https://pdpecho.com.
Questions, comments or requests can be submitted to the ICON Global Data Protection Officer as follows:
Global Data Protection Officer
ICON plc South County Business Park
By Email: Data_Privacy_Officer@iconplc.com.
To exercise your rights outlined in section 3.3 please follow this link and complete the Data Subject Rights form.
Residents of California can alternatively ring our toll-free number 877-202-0559 to exercise their rights under the state’s privacy legislation.