The purpose of this Policy is to describe Anju Software, Inc.’s (Anju) privacy principles set forth by federal and international regulations that govern clinical research, the EU-U.S. Privacy Shield, Swiss-U.S. Privacy Shield framework and General Data Protection Regulation (GDPR) regarding the processing, transfer and hosting of personal information in electronic, paper, or verbal formats.
Anju respects the fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data. This includes data from its customers, sponsors, employees, clinical trial participants, healthcare professionals, researchers, data managers, physicians, regulatory affairs officers, clinical investigators, investors, business partners, and others. Anju collects, processes and uses personal information in a manner that is consistent with the laws of countries in which the organization does business. Furthermore, data is only collected for specified, explicit and legitimate purposes detailed in initial agreements and contracts in which the data subject provides consent. Data is not further processed in a manner that is incompatible with those purposes.
Data Privacy is taken seriously and is implemented in companywide Policies and Standard Operating Procedures.
COMPLIANCE OF PRODUCTS WITH REGULATIONS CONCERNING DATA PRIVACY AND DATA PROTECTION
The Anju Software products are compliant with all mandated regulations and guidance documents that govern systems used in clinical research, medical affairs, and publications.
21 CFR PART 11
Anju Software’s products, where applicable, meet 21 CFR Part 11 requirements, including electronic signatures (where applicable), audit trails, and security settings. Details are outlined in product specific documents, e.g. TrialMaster 21 CFR Part 11 Statement of Compliance.
Anju is fully compliant with all applicable Good Clinical Practice guidelines (ICH-GCP) governing international, ethical and scientific quality standards for designing, conducting, recording, and reporting trials that involve the participation of human subjects. Anju’s compliance with these standards provides assurance that the rights, safety, and well-being of subjects are protected, consistent with the principles that have their origin in the Declaration of Helsinki, and that the clinical trial data are credible.
There are specific features in Anju’s clinical trial software products such as query management and the use of audit trails that assist in complying with ICH-GCP. The applications are designed to offer security roles and privileges to ensure the integrity and confidentiality of the data. Access to key information can be controlled at the user level so that information can only be shared with those individuals that are privileged to view such information.
User Administration is part of the software applications that are controlled by the customers. It is the customer’s responsibility to ensure that user access and user permissions within the application are administered in a GCP-compliant manner. The application itself is highly configurable to implement processes that allow our customers to maintain compliance with GCP guidance.
FDA GUIDANCE FOR COMPUTERIZED SYSTEMS USED IN CLINICAL INVESTIGATIONS
Anju’s systems contain the necessary functionality to adhere to the areas outlined in the governing document: standard operating procedures, data entry & electronic signatures, system features to facilitate the collection of quality data, internal and external security safeguards, system controls & versioning, training of personnel, records inspection, and certification.
All patient information within Anju’s eClinical systems solutions can be protected by assigning blinded patient identifiers (patient IDs) that do not contain any descriptors to identify the patient enrolled in the study. The key to identify the patients resides at the study sites outside the system and access to this information is managed by authorized personnel at these sites.
EUROPEAN GENERAL DATA PROTECTION REGULATIONS (GDPR) (REGULATION (EU) 2016/679)
According to the European Data Protection Regulation a data protection officer has been appointed. The data protection officer monitors compliance with the regulation, provides advice with regard to data protection, and acts as the contact point for supervisory authorities.
ANJU SOFTWARE, INC. PRIVACY COMMITMENTS
Anju respects and follows the privacy principles as set forth by GDPR, the EU-U.S. Privacy Shield and the Swiss-U.S. Privacy Shield Framework including the transfer of personal information in electronic, paper, or verbal formats from the member states of the European Union and Switzerland to the United States.
To confirm participating organizations, you may refer to
Other Covered Entities
The following other US subsidiaries of Anju Software, Inc. also adhere to the Privacy Shield Principles: Anju ClinPlus LLC, Anju Sylogent LLC, Anju Zephyr Health LLC, OmniComm Systems Inc., OmniComm USA Inc., and Online Business Applications Inc.
Anju informs individuals about the purposes for which it collects and uses personal information. The notice is provided in clear language in a conspicuous manner. The use of the data is limited to the purpose first identified and no more information is collected than is required to satisfy the business purpose. Any personal information that is related to the use of the Anju software products or personal data developed in specific medical or pharmaceutical research studies is the responsibility of the customer, as the controller.
Anju may collect the following types of personal information:
- Information about employees collected during the hiring process such as first name, last name, contact email, phone number, address, education, and work history.
- Personal information from customers (such as an e-mail address, system information, telephone numbers, and problem descriptions) in order to communicate with the customer and to provide online technical support and troubleshooting. If any customers choose to correspond with us through electronic communication (e.g. email, online chat, or instant messaging), we may retain a copy of the electronic communication together with the customer’s email address and our responses. We provide the same protections for these electronic communications that we employ in the maintenance of information received by mail and telephone.
- Information about users of our software systems that helps us conduct business, such as the types of products, geographic locations and demographics.
- Transaction Information about how the user interacts with Anju, including purchases, inquiries, customer account information, and information about the use of the Anju website and applications. We collect this information when users visit our website, call the Anju main line, use our applications or contact us, such as for customer service purposes.
- Anju customers may choose to include personal data among the customer data stored at Anju’s data centers in the US or shared with Anju in connection with its provision of services. Before processing any information on behalf of its customers located in the EU, the EEA or Switzerland, controllers and processors enter into a processing contract with the customer responsible for the personal data in compliance with applicable data protection law. Under this contract, the customer agrees to comply with all applicable data protection laws. Anju processes only the personal data that its customers have chosen to share with the Company. Anju has no direct or contractual relationship with the subject of this personal data (the “Data Subject”).
- Anju also provides hosted software services to its customers around the globe. Customers using hosted services are responsible for managing the data that they store at Anju’s data centers. These responsibilities include determining the type of information that is stored, how that information will be used, to whom it will be disclosed, and for what purposes. However, as a security measure and to ensure that our hosted services and network remain available to all customers, Anju may use software tools to monitor network traffic or to identify unauthorized attempts to upload or change information, or otherwise cause damage.
- Anju informs individuals about the type of third party to which Anju discloses information, if any, and offers individuals the choices and means for limiting the use and disclosure of their personal information.
Anju understands that it can only process data under the following principles:
Personal data shall be:
- Processed lawfully, fairly and in a transparent manner.
- Collected for specified, explicit and legitimate purposes and not further processed.
- Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
- Accurate and, where necessary, kept up to date.
- Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or for statistical purposes.
- Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.
Anju offers individuals the option of choice as to whether their personal information is disclosed to a third party. Individuals can request the data in a structured, commonly used and machine readable format and may also choose to not have their data shared if the purpose is incompatible with the original purpose of data collection. Anju provides individuals with a reasonable mechanism to exercise their choices, including the ability to rectify any incorrect data, the ability to request to be forgotten (as long as it does not contradict legal requirements), and the ability to withdraw consent and opt out.
If sensitive personal information is to be disclosed to a third party or is to be used other than the purpose originally authorized, Anju will give individuals explicit (opt in) choice and will disclose the information only after explicit consent of the individual.
Individuals are provided readily available mechanisms to exercise choice whether their personal information is (i) to be disclosed to a third party or (ii) to be used for a purpose that is materially different from the purpose(s) for which it was originally collected.
Individuals may email firstname.lastname@example.org to exercise this option.
Anju ensures by written agreement that our agents and third-party providers follow the same privacy principles and data protections principles as Anju.
Personal data is only shared by Anju with third parties who require it for specific business purposes. Data is transferred only for the scope of purpose it was initially intended and not for any other reasons. These third parties must agree to abide by the same level of privacy protection as required by Privacy Shield principles.
Where Anju has knowledge that an agent is using or disclosing personal information in a manner contrary to this Policy, Anju will take reasonable steps to prevent or stop the use or disclosure. Third party vendors may include Data Centers who store employee contact information such as name, email, phone number of a select group of employees as part of the approved access list. The employees in the list have limited access to the data center to provide maintenance of servers. These typically involve members of the IT department and the individuals responsible for conducting third party vendor audits.
Another example is the Customer Relationship Management (CRM) tool, where all change management and project management activities are recorded. Employee and customer contact information such as name, title/role, email, phone number and communication details are stored in this tool.
Anju utilizes reasonable and appropriate physical, technical, and administrative procedures to safeguard the information we collect and process and to prevent unauthorized disclosure of data.
Anju provides services internationally and receives information from all over the world. Whenever Anju is required to transfer personal information, regardless of where this occurs, Anju protects confidentiality, integrity and availability of personal information by physical and logical security measures. This protection includes the use of firewalls, restricted access, pseudonymization, anonymization, and encryption technology. Anju has written procedures in place regulating the protection of confidential data from loss, misuse and unauthorized access, disclosure, alteration and destruction (SI-03-001 General Infrastructure and Security Policy Maintenance Procedure, SI-03-002 Desktop Security / Anti-Virus Policy Maintenance Procedure, and DC-02 Record Retention Policy).
Data Integrity is ensuring data and information is attributable, legible, contemporaneous, original, accurate, complete, consistent, enduring and available (ALCOA+). The collection and processing of data needs to be consistent throughout the lifecycle and the various electronic systems it is processed through. These are the data quality attributes needed for various data activities, continuous improvement and overall product and data quality and apply to both electronic and paper systems.
Anju takes steps through Anju’s validation process to ensure that personal information is reliable for its use, that the data is accurate, complete and current. Anju does not process information that is incompatible with the original purposes for which it has been collected unless subsequently authorized by the individual.
Upon request, individuals will be granted reasonable access to personal information that Anju holds about them. In addition, upon request, Anju will take reasonable steps to allow individuals to correct, amend, or delete information that is found to be inaccurate or incomplete.
Anju has written procedures in place that regulate regular internal compliance audits of the privacy principles. Internal audits are conducted on a regular basis by the Anju Compliance Committee or by a third party as delegated by the Compliance Committee. The Compliance Committee is comprised of a cross-section of department and affiliate representatives across the companies, who have authority to enforce the policies that are created. The CEO has the ultimate responsibility and authority for managing all Quality Systems. Non-compliance issues are investigated, and corrective actions are put in place and followed up until resolution for any problems arising out of a failure to comply with the principles. Remedy actions could include disciplinary actions, up to and including termination of employees.
In compliance with the Privacy Shield Principles, Anju commits to resolve complaints about our collection or use of your personal information.
Anju has further committed to refer unresolved Privacy Shield complaints to the International Centre for Dispute Resolution/American Arbitration Association (ICDR/AAA), an alternative dispute resolution provider located in the United States. If you do not receive timely acknowledgment of your complaint from us, or if we have not addressed your complaint to your satisfaction, please contact or visit http://go.adr.org/privacyshield.html for more information or to file a complaint. The services of the ICDR/AAA are provided at no cost to you.
Anju has further committed to cooperate with the panel established by the EU Data Protection Authorities (DPAs) and the Swiss Federal Data Protection and Information Commissioner (FDPIC) with regard to unresolved Privacy Shield complaints concerning human resources data transferred from the EU and Switzerland in the context of the employment relationship.
All individuals are encouraged to forward any complaints, issues, concerns, or questions regarding the collection, the use or disclosure of personal information to email@example.com or to:
Anju Software, INC.
Attention: Quality & Compliance Department
1414 Radcliffe Street, Suite 115
Bristol, PA 19007, USA
For non-HR data transferred from the EU or Switzerland, Anju has registered with the American Arbitration Association (AAA) as an independent recourse mechanism to resolve complaints at http://go.adr.org/privacyshield.html
For HR data transferred from the EU for use in the context of the employment relationship, Anju has registered with the EU Data Protection Authorities (DPAs) as an independent recourse mechanism to resolve complaints at http://ec.europa.eu/justice/data-protection/bodies.
For HR data transferred from Switzerland for use in the context of the employment relationship, Anju has registered with the Swiss Federal Data Protection and Information Commissioner (FDPIC) as an independent recourse mechanism to resolve complaints at https://www.edoeb.admin.ch/
NOTIFICATION OF POLICY CHANGES
The Anju organization is subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC).
There exists the possibility, under certain conditions, for the individual to invoke binding arbitration when other dispute resolution procedures have been exhausted.
Anju Systems, Inc. is required to disclose personal information in response to lawful requests by public authorities, including those necessary to meet national security or law enforcement requirements.
Anju Systems, Inc. acknowledges the potential liability in cases of onward transfers to third parties of personal data of EU or Swiss individuals received pursuant to Privacy Shield.
RETENTION AND DELETION
Anju will retain personal information for as long as the account is needed to provide products or services; as outlined in previously stated agreements at the time of collection; and as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements; or to the extent permitted by law.
At the end of the retention period, Anju will delete this personal information in a manner designed to ensure that it cannot be reconstructed or read according to its Document Retention Policy.