Research Participant Privacy Notice
Medicys Limited is committed to protecting the privacy of the information we collect from each market research participant. The following Notice outlines how we use that information. This Notice was established in 2018 and was last updated on June 8, 2021.
Medicys Limited is a member of, and complies with, the Codes of Conduct and Legal and Ethical Standards as prescribed by the BHBIA, EphMRA and ESOMAR. These guidelines are extremely comprehensive, and act as a pillar of our key business processes (including how we protect the rights of respondents, handle data, and record adverse events and product complaints).
PURPOSES FOR DATA PROCESSING
Medicys Limited is an independent company headquartered in the United Kingdom, conducting genuine research studies for a broad range of clients (market research agencies and management consultancies) and in many different healthcare subject areas. Our primary role is to recruit market research participants.
Most importantly, we use your information only for the administration of market research activities. We do not engage in further marketing activities, including the sale and marketing of products or services, and as such your details will not be passed to third party vendors for this purpose. We are simply interested in your opinions.
We use Personal Data that we collect directly from our research participants, publicly available websites and publications or from vendors or list suppliers, for the following business purposes, without limitation:
Maintaining and supporting our services (medical market research fieldwork services, including the recruitment of market research participants), delivering and providing the requested services including payment of honoraria to our research participants, and complying with our contractual obligations related thereto; satisfying governmental reporting, tax, and other requirements; storing and processing data, including Personal Data, in computer databases and servers located in the United Kingdom, the EEA and US (cloud-based services, forms, IT, telecom and streaming services) ; verifying identity of our research participants; as requested by our research participants; for other business-related purposes permitted or required under applicable local law and regulation; and as otherwise required by law.
LEGAL BASES FOR DATA PROCESSING
Our legal bases for the processing of your Personal Data are:
1) your consent; 2) any other applicable legal bases, such as our legitimate interest in offering services (participation in market research events and studies) of value to you (see our Legitimate Interests Assessment here)
Medicys Limited has responsibility to maintain records relating to our research activities, in accordance with the regulatory environment, client requests and suggested industry guidelines, and will retain respondent information and data according to the following retention guidelines:
Initial registration and join us information for as long as your panel membership is active and for a period of 5 years thereafter to allow you to re-activate your participation without loss of data.
All information collected during the research process, including survey results, will be retained by Medicys Limited for a period of 24 months, except audio and video recording, which will be retained for a period of 12 months.
Honorarium payment information will be kept for 6 years.
We will also retain your information as necessary with our legal obligations, to resolve disputes and enforce our agreements, for as long as is permitted under applicable law. This may include the consent form / recruitment agreement you signed prior to your participation and any information detailed in connection with adverse event reporting, both of which may be kept indefinitely for accounting and/or auditing purposes
To discuss our policy toward retention, please do e-mail: email@example.com
COLLECTION AND USE OF PERSONAL DATA
Before we confirm your participation in a market research interview, we will ask you a series of questions the answers to which will be used to ascertain your appropriateness for the market research study. If you qualify for participation, you will receive an invitation, usually via e-mail. Following your participation, you will receive an honorarium as reward for your input and time.
To manage this process, and the associated research activities, we collect and retain securely personal information about you. We only ask for personal data necessary to the research process be collected.
Such information might include: Your name; contact details including postal address, email address, phone and fax number; job title; GMC Reference Number; details of your medical specialty, and interests; certain demographic information, such as your DOB and gender; in the case of healthcare professionals, the name of your hospital or practice, and trust; in the case of patients and caregivers, any medical conditions that you may declare for market research purposes, and your financial information for the purpose of incentive payment.
We also collect non-identifying data, such as survey results and pre-screening data, which on its own cannot identify you.
We may also ask you if you are satisfied that you do not need, or that you have already obtained, any consent from your employer, organisation or professional association to participate in market research.
This Notice does not cover data from which individual persons cannot be identified or situations in which pseudonyms are used. The use of pseudonyms involves the replacement of names or other identifiers with substitutes so that identification of individual persons is not possible.
Methodologies We employ three key research methodologies: Face to Face (interviews, focus group discussions, ethnography) normally held at a market research venue or in person at home or at a neutral venue; Telephone (interviews) where we would call you, and conduct the interview by phone; Online (a survey completed on your device, usually in the form of a questionnaire that you can complete in your own time); Video (interviews) conducted using a video conference service (with webcam).
Before each interview we will provide you with a Recruitment Agreement outlining the nature and purpose of the study, and your role in the research process
Recordings and Observation of Research On occasion the interviews may be audio and video recorded. You will be made aware if this is the case at the time of recruitment, and why it is proposed. Recorded data provided to our clients without your consent will be anonymized.
Occasionally your research interview will be directly observed either in person via a one-way mirror or video link, or via audio-video conferencing or teleconference. We will obtain your consent for this to happen, at the pre-screening process of each project. Those viewing the session must observe the confidentiality of all information exchanged, and client observers will be introduced openly and honestly to you.
Audio and Video recordings may also be used for the purposes of Pharmacovigilance, quality control and auditing
Proprietary Information On occasion during a study or interview, proprietary information regarding products, services and their development may be disclosed. In participating, all such information must be kept confidential, and not disclosed to third parties, or used for any other purpose. Acceptance of this requirement for confidentiality is required to participate in the research process.
Software/App Installation With online type surveys, or during telephone interviews, we may ask that you install software or apps or screen sharing capability for use during the interview e.g. to view materials and stimuli, or to manage your contribution, or we may use electronic identifiers (cookies) to ensure a survey completed no more than once.
Specifically, for Online Surveys: Depending on survey specific configuration, browser cookies (known as session cookies) and other tracking methods such as flash, HTML5 Local Objects and Etag, may be used to track your survey participation solely for the purposes of deduping (removing duplicate responses). When a survey page is generated by you via a link we send you, a unique internal session ID is included in the web page body as the primary method of tracking your activity once the survey has started. To achieve this, the server hosting the survey will automatically recognize your domain name, and IP address/s. However, no other personal information about you is revealed in this process.
Specifically, for Screen Sharing and online communities/diaries: Information about a participant may be collected and stored to fulfill the service as requested by our client(s); Additional data may be collected during the screener sharing process, including usage and log data about how the services are accessed and used; information about the device you are using the Services on; IP addresses; location information; language settings; what operating system you are using; unique device identifiers and other diagnostic data to help us support the Services. Our preferred service is: Join Me
Specification, of web-conferencing, tele-conferencing and video conferencing: In normal circumstances, a meeting code or ID will be provided in advance of the interview. The services used include: Zoom, Focus Vision Intevu, ZipDx, BT Conferencing, Mercuri, MR View (the proprietary system used by Medicys Ltd) and Civicom.
Research with Persons under 16 years of age: Research with persons under 18 will only take place with the explicit, written consent of the parent or legal guardian.
Live Chat We collect data about visitors of websites using the Crisp chat client. This data is collected anonymously and is not directly bound to any identifiable user, whether it be its personal identity, or its network information. We use a third party chat service for this purpose: Crisp Chat
DISCLOSURE OF YOUR INFORMATION
In certain circumstances your information may be disclosed to others who are assisting us in undertaking the research study. In such situations we take reasonable precautions to ensure that the privacy protections afforded by this Notice are echoed by the recipient of the disclosed information.
Adverse Event Reporting For example: We are obliged by law to report all Adverse Events or Product Complaints that arise during a study, and will inform you at the point of recruitment if your consent is required to waive the confidentiality afforded you under this policy. Everything else you contribute during the interview will remain confidential.
Sub-contracting For example: We may need to employ the services of sub-contracted suppliers in the completion of the study. In such cases only the minimum of data needed to complete the task will be shared. In such cases, all suppliers will be obliged in writing to maintain the privacy of your information in accordance with this Policy and agree to provide adequate protections for the Personal Data that are no less protective than those set out in this Notice.
Such suppliers could include: Moderators (the person/s that conducts the actual interview); Transcribers (the person/s that transcribes and/or translates the audio recordings taken at the time of the interview); Support Staff (the person/s at a research venue, who check you in and welcomes you); Data Support Staff (the person/s managing the aggregated survey results); Translators (person/s that translates your verbatim responses into the language of any observers); IT/Telephone Services (person/s managing our consent templates and processes, our video conferencing services, our screen sharing services etc.)
Incentive Fulfillment Normally, you will be paid an incentive for your time: this will be in the form of cash, bankers draft, electronic fund transfer or voucher. Depending on the incentive form, in some cases your personal information may be transferred to third parties such as Fast Pay, Amazon or Western Union to enable them to perform the incentive fulfilment process on behalf of Medicys Limited. In order to pay your incentive, we collect information including your method of payment preferences, contact details and banking details. The information we collect, and the system we use to collect it is: Cognito
Securing your Consent We always obtain your consent in advance of an interview or study. Such consent may be collected orally (via the screening process), prior to or during the interview (by the moderator or project team) or in advance using our online electronic document system. The system allows for each participant to receive a copy of the consent document they have signed. In order to obtain your electronic consent, and then for you to have a copy delivered to you, we ask for you to verify your e-mail address. The system we use is: Signable
Contacting you We may contact you by text, say to facilitate your participation or confirm your invitation. The system we use is: Textlocal
Sponsors of the research For example: Medicys Limited may need to release your personal identifying information to our immediate client for purposes of conducting the interview. In such cases, your confidential information will only be used for the purpose of conducting an interview and will be kept confidential by agreement. How we use your contribution for a particular client study will be explained fully during the screening process. We shall obtain your written consent to the key aspects of the research process before you participate.
Bertrand Law In France (for HCPs) we are obliged to comply with the regulations on transparency. Your details including your name and last name, occupation, specialty and qualifications together with your professional address, you licence number, together with details of the compensation you have received will be posted on the following public website: https://www.transparence.sante.gouv.fr
Anti-Gift In France, in order to comply with the new French regulatory Anti-Gift law framework we are currently using the “information notice for declaration purposes” as provided by ASCOS and as shared with EphMRA (www.ephmra.org). As such, incentive payments are being declared anonymously to the relevant order (CNOM, CNOP etc). For those from public and/or university hospitals evidence of permission may be required, and may be submitted via the IDAHE, EPS etc. platforms if requested.
Disclosure (HCPs only, If a Client Company is aware of your identity) In accordance with the ABPI Code of Practice certain information must be publicly disclosed if an honoraria or expenses is paid for your participation, and the client company (the pharmaceutical company sponsoring this research) is aware of your identity. This information includes your name and practice address. The purpose of disclosure is to enhance the transparency surrounding the relationships between the pharmaceutical industry and the healthcare profession. If you do not give your permission for this, you may still participate in the market research and your personal data will not be passed on for disclosure purposes. In this case the pharmaceutical company is obliged to publicly disclose aggregate information relating to honoraria and expenses. Your market research responses remain confidential and anonymous whether you consent to your name and practice address (i.e. your personal data) being used for disclosure or not.
Physician Payments Sunshine Act (HCPs only) The MR studies we manage are administered in accordance all applicable law and practices including Section 6002 of the Patient Protection and Affordable Care Act (also known as the “Physician Payments Sunshine Act”). Please note that the MR studies are conducted in a manner that will minimize the risk of you becoming unblinded (known to commissioning client company). However, in the unlikely event that your identity becomes known to anyone from the commissioning client company, the payment will then become reportable and as such we will need to share your contact details and incentive that you would be given, with the study sponsor to assist with their annual reporting requirements.
Please be aware that in rare situations, it may be necessary disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
CHOICE WITH RESPECT TO USES AND DISCLOSURES OF PERSONAL DATA
Medicys Limited recognizes that EU individuals have the right to limit the use and disclosure of their Personal Data, and we are committed to respecting those rights.
We offer individuals the opportunity to opt out of disclosures of Personal Data to a Third Party or the use of Personal Data for a purpose that is materially different from the purpose(s) for which it was originally collected or subsequently authorized by the individual.
We comply with data privacy principles in respect to disclosures of Sensitive Data including, when applicable, obtaining the explicit consent (i.e., opt in consent) of an individual prior to disclosing Sensitive Data to a Third Party or using Sensitive Data for purposes other than those for which it was originally collected or subsequently authorized by the individual.
At any point you can ask to withdraw, request access to the information we currently hold, amend or rectify that information and request that we no longer contact you or retain your information, without cost to you.
Sometimes, personal data is transferred outside of the EEA for the purposes of market research analysis, data storage, survey collection and data analysis and for the payment of incentives. By submitting your personal data, you acknowledge and agree to the fact that your personal data may be stored, processed and transferred outside of the EEA. You also acknowledge that the transfer of personal data via the Internet is not entirely secure, though we will do our best to ensure its protection. Furthermore, the personal data we store is protected by security measures and processes, in order that your data be protected from disclosure or nefarious access.
Where necessary, further transfers of personal data will be outlined via our market research participant consent process. For transfers of personal data (video and audio files, contact telephone numbers of the purpose of interviewing) to client agencies located outside the EEA: In this situation your personal data is protected under an appropriate privacy mechanism and/or EC adequacy decision and/or by EU approved standard contractual clauses and/or binding corporate rules and/or by Confidentiality Agreement, held by our client. We will always request your consent for this to happen. For any questions, do e-mail: firstname.lastname@example.org at any time.
Medicys Limited has designated the IT Department to oversee its information security program. The IT Department shall review and approve any material changes to this program as necessary. Any questions, concerns, or comments regarding this Policy also may be directed to email@example.com
Medicys Limited will maintain, monitor, test, and upgrade information security policies, practices, and systems to assist in protecting the Personal Data that it collects. Medicys Limited personnel will receive training, as applicable, to effectively implement this Policy. All information we retain is treated as strictly confidential, managed only by key members of our team.
Adequate precautions are taken to protect personal data, any sensitive data and confidential information against unauthorized access including but not limited to user identification and password only access, pseudonymizing, encryption and firewall protection.
Right to Access You have the right to obtain confirmation about whether Personal Data is included about you in our databases.
Upon request, Medicys Limited will provide an individual access to his or her Personal Data within a reasonable time frame.
Medicys Limited will permit an individual to know what Personal Data about them is included in our databases and to ensure that such Personal Data is accurate and relevant for the purposes for which Medicys Limited collected the Personal Data.
You may review your own Personal Data stored in the databases and correct, update, modify, or delete any data that is incorrect or incomplete.
Your right to access your Personal Data may be restricted in exceptional circumstances, including, but not limited to, when the burden or expense of providing this access would be disproportionate to the risks to your privacy in the case in question, or where the rights of persons other than you would be violated by the provision of such access. If we determine that your access should be restricted in a instance, we will provide you with an explanation of our determination and respond to any inquiries you may have.
You may access and modify your Personal Data by contacting Medicys Limited by phone, post or email. In making modifications to your Personal Data, you must provide only truthful, complete, and accurate information.
Rectification and Erasure You may request that we rectify or delete any of your personal data that is incomplete, incorrect, unnecessary or outdated.
Objection You may object, at any time, to your personal data being processed for market research purposes.
Restriction of Processing You may restrict processing of your personal data for certain reasons, such as, for example if you consider your personal data collected by us to be inaccurate or you have objected to the processing and the existence of legitimate grounds for processing is still under consideration.
Data Portability You may request the data you provided to us in a commonly used and machine-readable form.
Right to Withdraw Consent You have the right to withdraw your consent at any time, without affecting the lawfulness of our processing based on such consent before it was withdrawn, including processing related to existing contracts for our products and services.
To exercise any of the above mentioned rights, please contact us as set forth below. We will process any requests in accordance with applicable law and within a reasonable period.
We recommend that you include documents that prove your identity and a clear and precise description of your request. Please note that in some cases, especially if you wish us to delete or cease the processing of your personal data, we may no longer be able to provide our services to you.
Via Email: firstname.lastname@example.org Via Postal Mail: Medicys Limited, 152 Staplehurst Road, Sittingbourne, Kent ME10 1QZ, United Kingdom Via UK Phone: 44 (0) 1795 42 66 55
REQUESTS FOR PERSONAL DATA
Medicys Limited will track each of the following and will provide notice to the appropriate parties under law and contract when either of the following circumstances arise:
(a) legally binding request for disclosure of the Personal Data by a law enforcement authority unless prohibited by law or regulation; or (b) requests received from Research participants.
CHANGES TO THIS POLICY
This Policy may be amended from time to time, consistent with applicable data protection and privacy laws and principles. We will notify you if we make changes that materially affect the way we handle Personal Data, via the invitation, confirmation and project consent process we employ, and we will allow you to choose whether your Personal Data may be used in any materially different manner.
QUESTIONS OR COMPLAINTS
Via Email: email@example.com Via Postal Mail: Medicys Limited, 152 Staplehurst Road, Sittingbourne, Kent, ME10 1QZ, United Kingdom Via UK Phone: 44 (0) 1795 42 66 55
If you consider our processing activities of your personal data to be inconsistent with the applicable data protection laws, you may lodge a complaint with your local supervisory authority responsible for data protection matters.
Medicys Limited is a registered Data Controller with the Information Commissioners Office. If you have a concern about our information rights practices, you can contact the ICO using their helpline: 0303 123 1113 or visit their website: https://ico.org.uk/concerns/. Our registration number is Z1909295.
At this stage the EC (European Commission) has issued draft adequacy decisions which set out that the UK should be found adequate. The draft decisions published on Friday 19 February 2021 have now been shared with the European Data Protection Board for a “non-binding opinion”, before being presented to EU member states for formal approval. For the moment an interim solution is in place which allows organisations that transfer personal data from the EU to the UK to continue to do so, for up to six months to give time for the EC (European Commission) to approve an adequacy decision for the UK. During this extension period, transfers of personal data from the EU (and the EEA) to the UK will not be considered transfers to a “third country” provided that the UKs data protection law remains the same as it was as of 31st December 2020.
For EU data subjects, and relevant supervisory authorities, with questions or concerns please contact our EU representative lead person Marie Payraudeau, firstname.lastname@example.org, +33 (0) 6 45 50 29 98