Princeton Consumer Research (PCR) Policy on Protection of Private Information

To comply with the following Protection of Privacy Regulations:

  • Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) – US Dept. of Health and Human Services
  • General Data Protection Regulation (GDPR) proposed by the European Commission
  • Personal Information Protection and Electronic Documents Act (PIPEDA) – Office of the Privacy Commissioner of Canada
  • “Personal Health Information Act” (PHIA) in Manitoba

PCR collects subjects’ personal identifying information in two ways. One is during subject recruitment for clinical studies using the ARCS system in the USA and Canada and the Participants Database system in the UK. The other is information collected at the sites during the conduct of clinical trials.

Definition of Personal Protected Information (PPI) (also known as Personal Health Information (PHI)) collected at PCR

PPI can include the following: Name, Address, Phone number (including cell phone), email address, emergency contact information, age (Date of Birth), gender, race/ethnicity, medication, health information, skin type, and other demographic information necessary to conduct clinical research. Additionally, in the USA, a subject’s Social Security Information is collected for IRS reporting purposes.

PCR follows a code for the protection of personal information which includes the following:

1. Accountability

The Senior Vice President of PCR will be the designated Privacy Official for the company. Since the company operates at several testing facilities and uses an online database for subject recruitment, the following positions are designated as the secondary privacy officials.

ARCS Recruiting System (USA and Canada) – The Supervisor of Recruiting is the designated ARCS Privacy Official for the company who will be responsible for the security of information obtained in relation to recruiting of subjects for clinical trials using ARCS.

Participants Database System (UK) – The Supervisor of Recruiting is the designated PCR Recruiting Privacy Official for the company in the UK who is responsible for the security of information obtained using the in-house recruiting system for clinical trials.

Clinical Trial Data – The Site Director of each of PCR’s testing facilities will be the Site Privacy Official at each testing facility.

PCR Policy on Protection of PPI Page of 7

Date: 17May2018

2. Identifying purposes

PCR conducts clinical research studies on behalf of sponsor companies to test the safety, efficacy and acceptability of their products. People who want to sign up as research participants (subjects) must agree to provide PCR with accurate contact information, demographics and personal medical history in order to qualify for specific research studies. PCR uses online database programs, ARCS and the Participants Database system (PCR In-house system) to help in its recruitment for research studies. In addition, subjects in the USA must provide their SSI number for IRS reporting purposes.

Information collected in ARCS®: Name, Address, Phone Number, email address and demographic information (age, gender, race, ethnicity, skin type, etc.). ARCS is a software system designed by the Marketing Systems Group to develop and maintain panellist recruitment information and assist PCR in recruiting panelists for various studies conducted at Princeton Consumer Research in the USA and Canada.

Information collected in Participants Database (UK): Name, Address, Phone Number, email address and demographic information (age, gender, race, ethnicity, skin type, etc.). Participants Database is a software system designed in-house to develop and maintain panellist recruitment information and assist PCR in recruiting panelists for various studies conducted at Princeton Consumer Research. PCR uses the Participants Database system to help in its recruitment for research studies in the UK.

For USA, Canada and UK Study Participant Recruiting: Potential panelists can click on the website or can be asked directly by an authorized recruiter who has access to the program on their password protected computer. Potential panelists complete a series of questions (name, address, phone number, DOB, gender, email, how they want to be notified of studies). Subjects can continue to fill out additional demographic information (skin type, allergies, general medical history, general medication types taken), but they are not required to provide this information; it helps build our general database information for future study recruitment.

When the basic information has been completed, subjects are able to log in using their email address and a password that they create to edit their details or remove themselves from the database. Only authorized PCR users of the system have access to the program (which is loaded onto their password protected computers), and they have to log in under their username and password to access the system.

Clinical Study Information:

For each clinical study, each subject is identified using their three-letter initials (First, Middle and Last Name) and an assigned screening/subject number. None of the subject’s direct personal identifying information is shared with the sponsor of the study nor any regulatory agencies (except as required by law). Data collected is identified with the subject’s initials and screening/subject number when shared with the sponsor company or regulatory authorities.

The demographic information collected by PCR is used by sponsor companies to prove that their products were tested in specified individuals (target populations) for their products’ intended purpose(s). The data provided to sponsors only identifies individuals by their initials/subject number. All other contact information remains confidential with the testing facility. Under specific circumstances some subjects will be asked to provide their first name and age for marketing purposes (ads, videos, testimonials), but these subjects will be asked in advance in a separate release form for permission for this information to be shared with the sponsor company.

Additionally, subjects in the USA only must provide their SSI number for tax reporting purposes for compensation that they receive as a result of their study participation. When at the testing facility, subjects are required to fill out a W-9 form. This information is retained in a secure area at the testing facility and only used by the accounting department for payment of taxes on study stipends as required by law.

In the UK, certain studies require subjects to be identified in a secure database by their National Insurance Number, which is logged into a tracking system to make sure subjects are not enrolled in more than one clinical trial at a time. This information will only be collected for certain studies and is not a requirement for study participation. Subjects are asked their permission to provide this information. If subjects do not give permission, this does not affect their participation status.

These study specific data requirements concerning Personal Protected Information are outlined in the Informed Consent Form (ICF) in the USA and Canada and in the Patient Information Sheet/Informed Consent in the UK.

3. Consent

ARCS: Upon registering on the ARCS database subjects are asked the following:

“You have indicated that you want to register as a participant in consumer product testing studies at Princeton Consumer Research (PCR). In order to register in our database, PCR needs to collect personal information about you (Name, Address, Phone#, email address, age, date of birth, ethnicity, race, medical history, current medication, etc.). In order for you to register in our database you need to agree to let PCR collect and store this information about you and to allow us to contact you when studies are being recruited. Additionally, the recruiting database may transfer this information to our USA/Canadian sites. Do we have your permission?”

Subjects must answer yes to continue in the registration process. If a subject does not agree to this stipulation he/she cannot register in the database.

Study Data: Before any study specific data is collected on a subject, the subject is given an Informed Consent Form/HIPAA(USA) or Informed Consent Form/XXX(Canada) or the Informed Consent Form (UK) to read. The ICF explains the study, the procedures to be performed, the data collected, and the risks associated with participating in a study. The form also includes information about what happens to a subject’s Personal Protected Information and how it will be used. The form also outlines how the data will be stored and that it may be reviewed by the sponsor and/or regulatory agencies. Subjects will have a discussion with a trained employee about the form where they can ask questions and then are asked to sign and date the form. This form is witnessed and a copy of the signed form is provided to the subject. If a subject does not agree to provide written informed consent or provide answers to the requested information for the study, the subject is not eligible to be enrolled on the study.

4. Limiting collection

Only the PPI required by the study protocol or in the recruiting database will be collected from subjects. The data collected for the study will be retained as required. No additional data will be collected or stored about the subject unless it is required for the conduct of the study or as part of the registration process in our databases for recruiting or as required by state/federal/country regulations.

Information contained in the online profile for each subject registered in the databases is limited to generalized demographic information. Study specific questionnaires filled out by subjects are limited to the approved protocol requirements and are specific to the study requirements.

5. Limiting use, disclosure, and retention

Access to collected information is limited to employees of PCR. Access to information in the recruiting databases is restricted to PCR employees given access by the system administrator (Supervisor of Recruiting), and the information can only be accessed by PCR staff using their user ID and password. Subject data in the recruiting programs is accessible by subjects using their online ID and password. Only the subject themselves or designated PCR staff have access to a subject’s information stored online. Information retained in the ARCS and PCR Recruiting systems will be retained as long as PCR operates as a clinical research facility. Individual subject data in the database can be removed upon request.

Study information collected on subjects will be retained as part of the study source documentation. Information retained as part of the study in the study records will be retained in the site archives of the research facility for a minimum of 2 years or according to the retention requirements of the sponsor/regulatory authorities in each country where the testing was conducted.

Any information collected that is no longer needed (e.g. appointment sheets) and that contains PPI will be shredded to destroy any identifying information. Study data retained electronically on Dropbox will be accessible only to authorized personnel with a valid user ID and password. Study information retained on Dropbox will be maintained indefinitely, but this data is de-identified (only Initials and Subject Number) and will be maintained as long as PCR operates as a clinical research facility.

6. Accuracy

Subjects can review their registration information at any time they log into their profile to check for accuracy. If changes are necessary (e.g. updated phone number), authorized PCR personnel can update the information as directed by the subject at any time.

Subjects complete a study registration form for each study they participate in which is kept with the study records and is used to contact the subject while on the study. Medical History and Current Medications are collected as well as demographic information for each study individually. No updates are made to the online profiles of the subjects unless requested by the subjects.

7. Safeguards

Access to the online recruiting systems utilized by PCR is limited and controlled. When the panelist registers on the website for PCR recruitment, the system assigns them a User ID and Password. This ID and password allow only the individual to access their own information. Authorized PCR staff members have the ability to access subject account information in the system. The Recruiting Supervisor is the only one who can grant access to the program for approved PCR staff.

Study records containing PPI are kept in a limited access area under lock and key.

8. Openness

Potential Subjects will be notified of the need to collect PPI for the recruiting database and for participation in research studies.

Emails that are sent by the recruiting system for upcoming studies allow subjects to “Unsubscribe” thereby removing them from the email list used by the recruiting system.

In the ICF, subjects are informed of the ability to revoke their permission for the collection of information and directed on the process of how to do this. Once a study has been initiated, the information collected up until the date of discontinuance has to be retained by regulation; however, no new information will be collected, per the procedure outlined in the ICF.

9. Individual access

Subjects have a right to access their PPI collected by PCR. Subjects can access their online profile by logging into the system using their User ID and Password. Subjects may request that their information be removed from the online recruiting platform at any time by contacting the site. The request will be implemented by the Recruiting Supervisor in 30 days from the receipt of the request.

Subjects on research studies can request, in writing to the Site Director at the testing facility where the study was conducted, to review the information collected about them. Copies of some information can be provided to the subject (e.g. lab work results) upon completion of a laboratory results request form. Per industry standards, information collected during the study concerning a subject can only be released at the conclusion of the study unless it is of a serious nature requiring medical intervention.

10. Providing Recourse

Any complaints received by PCR in regard to subject PPI violation will be documented by the testing facility’s Site Director and sent to the Senior Vice President of PCR. The SVP as the Privacy Officer will contact the subject and verify the complaint if necessary. The SVP will contact the Director of Human Resources and the Director of Quality Assurance and notify them of the complaint. All three will investigate the complaint, the extent of the violation and determine who had access to the PPI in question. Subjects will be informed of the results of the investigation and the relevant steps taken.

Processes will be reviewed and upgrades or changes to the policy or procedures will be considered based on the investigation.

If appropriate, any violations of PPI discovered on a study with IRB review will be reported to the IRB per the guidelines.

11. Transfer of Data

PCR Corp. operates several testing facilities in the USA, Canada and the UK. As such, it is sometimes necessary to transfer information collected during the course of business (e.g. study data, subjects’ payment information, ARCS, etc.) within our organization.

When PCR Corp. transfers personal information for processing, it can only be used for the purposes for which the information was originally collected. A simple example is the transfer of personal information for the purpose of processing payments to study participants or the transfer of information contained in the ARCS system for recruiting. To use another example, we may transfer personal information to a report writer located at a different facility. In some cases, this may involve the transfer of personal information.

Information collected in ARCS: Name, Address, Phone Number, email address and demographic information (age, gender, race, ethnicity, skin type, etc.)

PCR uses the ARCS system to help in its recruitment for research studies.

ARCS® is a software system designed by the Marketing Systems Group to develop and maintain panellist recruitment information and assist PCR in recruiting panelists for various studies conducted at Princeton Consumer Research.

Potential panelists can click on the website or can be asked directly by an authorized recruiter who has access to the program on their password protected computer. Potential panelists complete a series of questions (name, address, phone number, DOB, gender, email, how they want to be notified of studies). Subjects can continue to fill out additional demographic information (skin type, allergies, general medical history, general medication types taken), but they are not required to provide this information; it helps build our general database information for future study recruitment.

When the basic information has been completed, subjects are issued a Panellist ID and Password by the system. This ID and password allow only them or an authorized PCR staff member to access their account on the system. When subjects are notified that there is a potential study they might be interested in (phone call, email or text), they are instructed to log in to their account on the system using their ID and password. Only authorized PCR users of the system have access to the program (which is loaded onto their password protected computers), and they have to log in under their username and password to access the system.

If a panellist forgets their username and password, they must call the site – only the authorized personnel of PCR who have access to the program can look up the panellist information after the panellist has provided their name, DOB and phone number.

Once a panellist enters their information into the system or speaks directly to the site recruiter (if they are unable to access the system via computer/smart phone), they can complete the study screening questionnaire. Once they complete the questionnaire with all inclusion/exclusion criteria entered, the system lets them know that they have potentially qualified for the study and will ask them to make an appointment for the screening date of the study at the testing facility. If they do not qualify based on their answers to the questions, they are notified that they do not qualify for the study. Subjects may call the recruiter (authorized PCR staff member) to ask why they did not qualify. The recruiter may answer in a general way but not coach the subject as to why they did not qualify.

Information printed out from the system consists of the potentially qualified individuals’ names, phone numbers and appointment times. None of the additional information provided in the ARCS system is provided to the site in print. When the subjects arrive at the testing facility, all of these initial screening questions will be verified after the panellist reads the Informed Consent Form and discusses it and the private information policy with a trained staff member for the clinical trial.

None of the information provided by potential study subjects is sold or provided to outside entities for any purpose by PCR.

Information collected in Participants Database (UK): Name, Address, Phone Number, email address and demographic information (age, gender, race, ethnicity, skin type, etc.)

PCR uses the Participants Database system to help in its recruitment for research studies in the UK.

Participants Database is a software system designed in-house to develop and maintain panellist recruitment information and assist PCR in recruiting panelists for various studies conducted at Princeton Consumer Research.

Potential panelists can click on the website or can be asked directly by an authorized recruiter who has access to the program on their password protected computer. Potential panelists complete a series of questions (name, address, phone number, DOB, gender, email, how they want to be notified of studies). Subjects can continue to fill out additional demographic information (skin type, allergies, general medical history, general medication types taken), but they are not required to provide this information; it helps build our general database information for future study recruitment.

When the basic information has been completed, subjects are able to log in using their email address and a password that they create to edit their details or remove themselves from the database. Only authorized PCR users of the system have access to the program (which is loaded onto their password protected computers), and they have to log in under their username and password to access the system.

If a panellist forgets their username and password, they must call the site – only the authorized personnel of PCR who have access to the program can look up the panellist information after the panellist has provided their name, DOB and phone number.

Once a panellist enters their information into the system or speaks directly to the site recruiter (if they are unable to access the system via computer/smart phone), they can complete the study screening questionnaire. Once they complete the questionnaire with all inclusion/exclusion criteria entered, the system lets them know that they have potentially qualified for the study and will ask them to make an appointment for the screening date of the study at the testing facility. If they do not qualify based on their answers to the questions, they are notified that they do not qualify for the study. Subjects may call the recruiter (authorized PCR staff member) to ask why they did not qualify. The recruiter may answer in a general way but not coach the subject as to why they did not qualify.

Information printed out from the system consists of the potentially qualified individuals’ names, phone numbers and appointment times. None of the additional information provided in the Participants Database system is provided to the site in print. When the subjects arrive at the testing facility, all of these initial screening questions will be verified after the panellist reads the Informed Consent Form and discusses it and the private information policy with a trained staff member for the clinical trial.

None of the information provided by potential study subjects is sold or provided to outside entities for any purpose by PCR.