This Policy was last updated on 1 November, 2020
1. Addressing Privacy
ICON (ICON plc and our subsidiaries and affiliates, together “ICON”, “we”, “our” or “us”) is committed to protecting the privacy of all individuals whose information we handle.
Under data privacy laws, a “controller” makes decisions about how and why personal data is processed, while a “processor” processes personal data on behalf of the controller in accordance with their instructions. In some cases, ICON acts as a “controller” in respect of certain processing activities that involve your personal data, while in others it acts as a “processor.” Throughout this Policy we explain whether we are acting as a “controller” or a “processor” in respect of a given activity so you can understand who is responsible for your rights in respect of your personal information. For example, ICON often acts as a processor where it provides services to support the clinical trials and medical research studies of pharmaceutical companies and other parties who are trying to bring products to the market, including new drugs, therapies and medical devices (“Sponsor(s)”).
ICON’s processes and procedures are designed to support compliance with this Policy, ICON privacy notices and applicable international and local data protection laws and regulations, including but not limited to the European Union General Data Protection Regulation (the “GDPR”), the Health Insurance Portability and Accountability Act (“HIPAA”) and the privacy and confidentiality requirements of Good Clinical Practice (“GCP”).
To help you navigate to the sections relevant to you, in section 2 “What Personal Information is Handled by ICON and for what Purposes” we have categorized our explanations based on the main categories of relationships between ICON and those it collects personal data from. In section 3 “More Information” we address issues that are relevant to most or all of the relationships between ICON and the individuals who share personal data with ICON, for example your rights as an individual who has shared personal data with ICON, who ICON may share personal data with and our obligations when sharing personal data with third parties internationally.
Additional privacy terms tailored for different methods of data collection and specific uses by certain ICON business lines and operations may apply to personal information shared with ICON. If alternative privacy terms are provided to you for a specific purpose those terms will govern the processing of personal data in relation to that purpose. For example, ICON maintains service specific privacy notices that may be provided to you for your review and consent in connection with the processing of personal data relating to those services and, if you are a participant in a research project for which ICON is providing services, there may be specific consent documentation addressing the disclosure of your personal information to ICON and clients who sponsor the research.
If you do not provide us with your personal data we may not be able to provide you with any of our services or respond to any questions or requests you submit to us via our websites. We will tell you when we ask for personal data which is a contractual requirement or is needed to perform our functions or is needed to comply with our legal obligations.
2. What Personal Information is Handled by ICON and for What Purposes
2.1 Website Visitors and Mobile Application Users:
Personal data that we ask you to provide on the Websites and Apps is often limited to e-mail address, language preference, country or location, but may include other information when needed to provide a requested service, where an employment opportunity is being processed or where services as an Investigator in a clinical trial are being offered. We collect information in several ways, outlined below:
1. On some Website pages you can register to receive information on an automated basis. The type of information you can register to receive in this manner includes general corporate information about ICON such as:
- Press Releases
- News and presentations
- SEC Reports
- Investor Relations information
- Annual & Interim Reports and other public financial information
- Other General Information updates
The personal information collected when you register to receive information on an automated basis is your name, e-mail address, employer name and occupation. You will have the option of cancelling your registration and removing your e-mail from the database on each occasion that you receive an automated e-mail alert, by clicking on an unsubscribe link on each e-mail alert message.
2. On some Website pages and Apps you may choose to provide personal information about yourself depending on your relationship or potential relationship with ICON, e.g.:
- if you are interested in pursuing an employment or service provider opportunity with ICON - see 2.2 Potential Employees
- if you are interested in providing clinical trial Investigator or related services - see 2.3 Investigators, clinical site study team members and other healthcare professionals (HCPs)
- if you are interested in registering your interest in participating in a clinical trial and being included in an ICON database of potential study subjects - see 2.5 Participants in ICON Patient Databases
- if you are interested in obtaining services from or providing services to ICON - see section 2.8 Client Personnel or section 2.9 Vendor Personnel respectively.
3. On some Website pages or Apps you may choose to register to receive access to web casts, periodic updates or information on specific ICON services. Generally the personal information collected in such cases is your name, title, company and e-mail address. This information is collected for qualification and aggregate measurement purposes and to provide you with the service.
4. On some Website pages and Apps you can register to receive customized information. This information is generally collected on ‘Contact Us’ forms where you may choose to be contacted by ICON. The personal information collected in these cases includes your name, title, company, address, contact details and e-mail address.
5. Websites and Apps also collect certain information about your computer hardware and software. This information may include your IP address, browser type, operating system, domain name, access times and referring website addresses. This information is used for the operation of the service, to maintain and monitor quality of the service and to provide general statistics regarding use of Websites.
If you don’t want non-essential cookies to be placed on your device, then you can easily accept or reject them in the cookie banners.
Website and App Security. Please be aware that whilst we do all that we can to safeguard the security of your personal information, the transmission of information over the internet is not completely secure and therefore you do this at your own risk. Once we receive your personal information we will implement strict security procedures with the objective of preventing unauthorized access.
Children. ICON does not knowingly collect any personal data through our Websites or Apps from individuals who are known to be under the age of 13, and no part of ICON’s Website or mobile Apps is directed towards anyone less than 13.
2.2 Potential Employees
2.3 Investigators, clinical site study team members and other healthcare professionals (HCPs)
We collect the names, contact details, and professional information of clinical trial investigators, study researchers, data safety monitoring board members, and other HCPs for the purpose of identifying and assessing suitability to assist in clinical trials and research studies and to provide services. We collect your personal data when you provide it to us directly, for example when you express or register an interest to participate in a study through our Websites, and also, either directly or indirectly, from publicly available sources, such as websites, directories and industry networks etc. For further information on our collection activities and uses of personal information through our Websites please refer to section 2.1 “Website Visitors and Mobile Application Users”. If you subsequently participate in a trial or study ICON manages or provides services for, we will also collect information relating to the involvement and performance of HCPs. Further information is available in our Site Data Protection Notice and Consent Form available here https://www.iconplc.com/privacy/.
2.4 Study Participants in Studies sponsored by ICON’s clients
ICON is a global contract research organization (“CRO”) that provides services to support the clinical trials and medical research studies of Sponsors. Depending on the CRO services ICON is providing to a Sponsor we process personal data relating to study participants on behalf of our Sponsors and in accordance with contracts with and instructions from the Sponsor. ICON may also, to the extent necessary, process personal data relating to study participants’ spouses, partners, care givers, and relatives if they are involved in the participants’ participation in a study e.g. parents involved in decision making of child participants or spouses involved in the care of an incapacitated participant.
In relation to ICON’s delivery of CRO services to Sponsors, the Sponsor is in control of how and why your personal data is processed and as such is the “controller,” and ICON is a “data processor”. ICON’s role as processor may include the transfer of such personal information to the applicable Sponsor, its corporate affiliates, business partners and third-party service providers performing services related to the study.
The purposes for which study participant personal data will be used by Sponsors and ICON will depend on the nature of the Sponsor’s study and will be addressed in study specific documentation and in particular in study participant consent documentation that is reviewed prior to participation in a study. As such, study participants should look to that documentation to understand how their personal data is processed in relation to a study. To provide a general overview, personal data will typically be processed for the purposes of assessing eligibility to participate in a study, administering the study, monitoring the study, analysing data to assess the overall safety and effectiveness of the therapy that is the subject of the study, and drawing conclusions regarding the effectiveness and viability of the therapy that is the subject of the study.
2.5 Participants in ICON Patient Databases
Certain ICON services involve the development and maintenance of databases of persons who may be eligible to and may wish to participate in clinical trials and medical research studies (“Patient Recruitment Databases”) managed by Sponsors. Once a person is recorded in ICON’s Patient Recruitment Databases, ICON may contact them for further screening and potentially refer them to potentially suitable clinical trials or research studies matched to their areas of medical interest.
In order to match such persons entered into Patient Recruitment Databases to appropriate clinical trials or research studies, ICON will, on a need-to-know basis, request, collect and process suitable personal data on the basis of the person’s explicit consent, such as names, addresses and contact information, which may be collected on voice recordings, as well as sensitive personal information.
Examples of sensitive personal data we collect include:
- Healthcare information e.g. height and weight, physical and mental health or conditions, medical records, disabilities
- Race and ethnicity information
- Areas of interest in medical research
- Genetic data.
Your personal information may be collected through either volunteering it through one of our Websites or in the context of live interview or screening telephone calls or meetings with ICON representatives. Please be aware that by providing your personal information you consent to a member of our team contacting you directly by way of following-up with you, including contacting you directly by telephone or other means, including SMS text messages, and adding your personal information to our Patient Recruitment Databases.
In this context, ICON is the controller of the personal data.
Uses of your personal data. As discussed earlier, the main purpose of collecting personal data in Patient Recruitment Databases is to match patients to suitable clinical trials and research projects based on the individuals’ areas of medical interest. For example, if an individual with type II diabetes expresses a desire to participate in clinical research or avail of novel treatments for type II diabetes or associated symptoms:
- they may volunteer their contact information and relevant health information to ICON for inclusion in a Patient Recruitment Database
- an ICON client or Sponsor who is developing novel treatments for type II Diabetes or symptoms may engage ICON to help refer interested potential patients who are willing to try an experimental treatment in a controlled clinical trial environment
- if the ICON client’s or Sponsor’s clinical trial eligibility criteria align with the individual’s information stored in our Patient Recruitment Database and it is being conducted within their geographical reach, we can contact the individual and refer them to a suitable clinic where medical screening of potential clinical trial participants is being performed. Please be aware the screening process is generally done face-to-face and will require you to supply additional personal information to us and/or the parties managing the study and separate privacy terms may apply to additional personal information collected at that stage.
ICON may use your Personal Information to respond to subsequent requests you may make of us, and from time to time, we may refer to your personal information to better understand your needs and how we can improve our websites, products and services on the basis of our legitimate interests in doing so. We may enhance or merge your personal information with data obtained from third parties for the same purposes. Any other information transferred by you which cannot be used to identify you (and which, therefore, does not constitute personal information) may be included in databases owned and maintained by ICON or its agents worldwide. ICON may also use anonymised personal data to run general statistical analysis in support of patient recruitment and similar analytical purposes.
2.6 Patients participating in clinical trials at an ICON owned Study Site
Certain ICON services involve ICON acting as a clinic or similar medical site (referred to as a “Study Site”). Study Sites may be owned by ICON, or they may be independent Study Sites with which ICON has a contractual relationship. Patients and other individuals (for convenience referred to as “Study Participants”) participating in a clinical trial or other medical research study (each a “Study”) may attend or share information with Study Sites for various Study related reasons. These reasons include activities such as medical screening to check if being a Study Participant is appropriate for a particular individual. After an individual has undergone a medical screening and provided their informed consent to participate in a Study, an individual may be enrolled in that Study.
Purposes and uses of personal data. The personal data and purposes for which Study Participants’ personal data will be used by Study Sites and Sponsors will depend on the nature of the Sponsor’s study and will be addressed in more detail in Study specific consent documentation. As such, Study Participants should look to that documentation to understand how their personal data is processed.
To give an overview, generally, if enrolled in a Study, Study Participants will likely attend the Study Site to be prescribed, provided with or administered with a Study drug, treatment or device that is the subject of the Study. Study Participants might attend the Study Site or be in contact with Study Site representatives at regular intervals throughout the Study to enable the Study Site to collect health information from them that is relevant to the study or in order to monitor their health during the Study. During a Study, Study Participants may be in communication with a Study Site and other representatives for reasons such as scheduling follow up visits or referrals to other medical appointments associated with the Study. Study Participants may also share information with Study sites remotely through mobile applications e.g. where regular patient status updates are needed for the particular Study. Study Sites may also, to the extent necessary, process personal data relating to Study Participants’ spouses, partners, care givers, and relatives if they are involved in the participants’ participation in a Study at the Study Site e.g. parents involved in decision making of child participants or spouses involved in the care of an incapacitated participant.
Depending on the nature of the Study, usually these activities are overseen by a medical doctor known as a “Principal Investigator” who is responsible for Study Participants’ medical care at the Study Site. These activities and related data collection may also be administered by other members of the Study team at the Study Site who operate under the Principal Investigator’s supervision e.g. Study coordinators, nurses and other medical professionals.
Certain personal data will be made accessible to the Study Sponsor and its agents in accordance with the Sponsor’s study protocol (“Sponsor Data”). Sponsor Data is used by the Sponsor to make decisions about the Study, to perform research or analysis relating to the Study and to make decisions about the drug, device or treatment that is the subject of the Study. Study Data is generally pseudonymised, meaning names and other information that could identify a Study Subject are not included in the Sponsor Data. Instead, Study Participants are typically identified by a code. Principal Investigators, members of the Principal Investigators’ Study team and authorized personnel, including Contract Research Organisations appointed by Sponsors to monitor Study Sites’ compliance with the Protocol and other auditors, may access Study Participant identifying records in certain circumstances.
Who is the controller? Depending on the processing activity, the relevant controller may be the Study Site or the Sponsor. As the Study Site is responsible for the medical care of Study Participants and the Sponsor is responsible for the medical research the Study concerns, ICON generally regards the Sponsor as the controller of activities in respect of Sponsor Data, and the Study Site as the controller of activities in respect of medical records which are kept by the Study Site.
2.7 Callers to ICON Medical Information and Pharmacovigilance Call Centers
ICON operates contact centers on behalf of our clients for the purpose of providing medical information to health professionals, patients and other interested parties on specific pharmaceutical and other medical products sold by our clients and our clients’ clinical and research studies. ICON acts as a data processor in this scenario. Some of these contact centers also collect adverse event information and deliver this to relevant pharmacovigilance professionals for processing and reporting as required by applicable regulations. Personal data on those who call or email our contact centers are only collected to process requests for information and allow adverse event reporting. Calls may be recorded for quality assurance purposes. Callers (inbound and outbound) are notified if their call is recorded.
2.8 Client Personnel
Client business representatives and agents. For individuals sharing personal information with ICON in order to inquire about, engage or otherwise make use of ICON services or purchase, receive or seek information from ICON, including about any ICON products and services, vendors or opportunities to participate in clinical research, we will use such personal information in order to provide the requested information, products, and/or services and to process requested transactions. We may also use this personal data to improve the quality of our services, send and receive communications about the products and services available through ICON, and to enable our business partners and agents to perform certain activities on our behalf.
Use of personal information of client business representatives and agents in relation to ICON activities. For individuals engaged by ICON’s clients and collaborating with ICON in connection with projects for which ICON is providing services, including client employees, study personnel, and other consultants, contractors, managers, and agents (who are natural persons) of the client and its corporate affiliates, business partners and third-party service providers, personal information may be used by ICON in order to carry out the applicable services and related activities. This may include the transfer of such personal information to the applicable vendors, its corporate affiliates, business partners and third-party service providers performing services related to the project (e.g., study data management, clinical research monitoring services, safety monitoring, etc.).
2.9 Vendor Personnel
Vendor business representatives and agents. Vendor representatives may share personal information with ICON in order to provide ICON information about services e.g. business support services, health care products and services, opportunities to participate in clinical research, health care education and patient related programs which may be available through a Vendor. ICON will use any personal information provided by the Vendor and its representatives in order to receive and assess the vendor related information, products, and/or services and potentially close associated contracts. Uses may include processing for requested transactions, reviewing the quality of the vendor’s services, sending and receiving communications about the products and services available through the vendor, and enabling ICON’s business partners, clients and agents to perform activities and make decisions in relation to the vendor.
Use of personal information of vendor business representatives and agents in relation to activities performed by vendors for ICON and ICON’s clients. For vendors engaged by ICON to perform services for ICON, including in relation to research studies being managed by ICON and ICON’s clients, your personal information may be used by ICON in order to carry out the projects, activities and other related services in connection with which the vendor is engaged by ICON. This may include the transfer of such personal information to the applicable ICON study sponsor or client, other vendors involved in a project for which a vendor is engaged and such parties’ respective corporate affiliates, business partners and third-party service providers performing services or activities related to the project or activities for which a vendor is engaged by ICON (e.g., study data management, clinical research monitoring services, safety monitoring, etc.).
3. More Information
3.1 International and third party transfers of personal information
To operate as a global business it may be necessary to process and transfer personal information within ICON businesses and with agents, contractors or partners of ICON in connection with services that these individuals or entities perform for, or with, ICON. This may involve transferring personal information outside the European Economic Area (EEA) to the USA and elsewhere. These agents, contractors or partners are restricted from using this information in any way other than to provide services for ICON, or services for the collaboration in which they and ICON are engaged. ICON may, for example, provide your information to agents, contractors or partners for hosting our databases, for data processing services, or so that they can send you information that you requested.
Regardless of whether the transfer is within the ICON group or to a third party, ICON will apply appropriate safeguards to such transfers as required by applicable law. For example, transfers to non-EEA countries will usually be governed by EU-approved “standard contractual clauses” where appropriate and will be subject to other appropriate technical and organisational measures having regard to the nature of the personal data. For more information, please contact us.
3.2 Legal Basis for use of your personal information
3.2.1. With your Consent: In cases where we need your consent to process your information, we will ask you to make a positive indication (e.g. to tick a box, sign a document, provide confirmation) that you agree to the processing. By actively providing consent, you are stating that you have been informed as to the type of information that will be processed, the reasons for such processing and how it will be used and for how long it will be kept and who else has access to it. Where we may rely on consent to process your information, you have the right to withdraw that consent for that activity at any time.
3.2.2. To fulfill a contract: In other cases we process your personal data because it is necessary to deliver a service you have requested.
3.2.3. For a Legitimate Interest: ICON may process your personal data on the basis of its legitimate interests in using your data for the purposes described in this Policy. Examples of our legitimate interests include the following:
- Processing your information in relation to employment opportunities with ICON;
- Processing your information in relation to investigator opportunities with ICON;
- To improve our services;
- To protect the security and integrity of ICON websites and mobile applications;
- To protect any ICON property or rights or obligations and/or the property, rights or obligations of third parties where ICON may have an obligation or liability in respect of these;
- To take precautions against potential liability on the part of ICON;
- To analyze therapeutic trends and gather anonymized geographic statistics; and
- To correct technical errors and to technically process your personal data.
You can object to us relying on our legitimate interest to use your personal data in these ways at any time as described under “Your Personal Data Rights” below.
3.2.4. To comply with Legal Obligations: There may be situations where we need to use your information to comply with legal obligations, applicable regulation and judicial process. For example, we are required by law to keep certain records for specific periods of time.
3.3 Your Personal Data Rights
You have certain rights in respect of the personal data that ICON holds about you. Subject to certain exemptions and local law, these rights may include the following:
- Right to withdraw consent – if we are processing your personal data on the basis of your consent, you are entitled to withdraw your consent to that processing at any time (see contact details section). However, the withdrawal of your consent will not invalidate any processing we carried out prior to the withdrawal of your consent.
- The right of access to your personal data – you can request a copy of the personal data we hold about you.
- The right to rectification – you have the right to request that we correct any inaccuracies in the personal data we hold about you and complete any personal data where this is incomplete.
- Right to erase your personal data (right to be forgotten) - You have the right to be forgotten in certain circumstances including, for example, where the personal data are no longer needed for the purpose for which they were collected. However, this right does not apply where, for example, processing is necessary to comply with a legal obligation, or for the establishment, exercise or defense of legal claims.
- The right to restrict the processing of your personal data - You have the right to ask us to restrict certain processing activities in some circumstances, including, for example, where the accuracy of the data in question is contested. Where processing has been restricted, we can only process it for limited purposes such as, for example, the establishment, exercise or defense of legal claims.
- The right of data portability - You have the right to have your data returned to you or to a third party in certain cases.
- The right to object – You have a right to object to the processing of your personal data in certain cases. In such a case we will stop processing your personal data unless we can demonstrate compelling legitimate grounds which override your interest.
To exercise any of the above rights, please notify us at the address provided in section 3.6. “Inquiries, complaints and requests to exercise rights” below, unless you are a patient in a Study Site in which case please notify the relevant Study Site you are attending. We may request proof of identification to verify your identity. Where ICON is the relevant data controller, we will carefully assess your request and, subject to applicable laws and exceptions, will respond within the relevant legal time limits.
3.4 Data Quality and record retention
3.5 Information security
ICON ensures appropriate technical and organizational measures are taken to protect the personal and sensitive data you provide us with from unauthorized or unlawful processing and to protect against accidental loss, destruction or damage. ICON’s Websites, Apps and electronic databases have security measures in place to protect against the loss, misuse, unauthorized access or disclosure, alteration or destruction of the information under our control. However, as effective as modern security practices are, no physical or electronic security system is entirely secure. We cannot guarantee the complete security of our databases, nor can we guarantee that information you supply will not be intercepted while being transmitted to us over the internet.
3.6 Inquiries, complaints and requests to exercise rights
If you feel your data protection rights have been infringed by ICON, you have the right to complain to your local data protection supervisory authority. The lead supervisory authority for ICON in Europe is the Data Protection Commission in Ireland (see www.dataprotection.ie).
Questions, comments or requests to exercise your rights should be submitted to the ICON Global Data Protection Officer as follows:
Global Data Protection Officer
South County Business Park
By Email: Data_Privacy_Officer@iconplc.com.
3.7 Legal status of policy and policy changes
This Policy is not a contract, and it does not create any legal rights or obligations. ICON reserves the right to modify or amend this Policy. For instance, the Policy may need to change as new legislation is introduced or as legislation is amended. Where we have your contact details, we will notify you of any material changes. The updated Policy will be posted on https://www.iconplc.com/privacy/privacy-policy/ .
Last Updated: 1 November, 2020.