Effective Date: May 14, 2018
Prelude Dynamics is a Software as a Service (SaaS) provider who offers a Clinical Trial Optimization Platform (CTOP) VISION™, for the conduct of clinical trials. The software includes electronic data capture (EDC), data analysis (CDMS), and clinical trial management (CTMS) functionality in a premium custom built, template pre-built or do-it-yourself platform. Our clients are pharmaceutical companies and Contract Research Organizations (CROs), hereinafter referred to as “Sponsors”, who contract with us to implement our Clinical Trial Optimization Platform to collect, store, report on, analyze and export clinical trial information for sponsor-specific projects. The information collected by VISION™ is digitally transferred to, and stored in two SSAE-16 compliant data centers located in Austin, TX, and can be accessed by our Sponsors and other authorized users via the Internet. The information gathered is used solely for the purpose of the Sponsor’s clinical trials and is ultimately transferred to our Sponsors, who hold rights and responsibilities with respect to that information. Per contract, Prelude Dynamics is explicitly prohibited from disclosing any trial-related information to third parties without explicit authorization or as required by law.
“Sponsor” means any individual, corporation, or other entity which contracts with Prelude Dynamics to perform services involving the transfer, processing, or reporting of clinical trial information on behalf of and under the instructions of said ”Sponsor”.
“Personal Information” or “Information” means information that (1) is transferred from the European Union (“EU”) or Switzerland (“Swiss”) to the United States; (2) is recorded in any form; (3) is about, or pertains to a specific individual; and (4) can be linked to that individual.
Prelude Dynamics is dedicated to ensuring the privacy of Sponsors, their staff members, and clinical trial participants.
As a SaaS provider, it is the duty and responsibility of our Sponsors to notify individuals of how their information will be used and/or distributed to third parties. As a contracted agent of the Sponsor, we have no authority, and in fact are prohibited from, distributing data concerning an individual to anyone other than the Sponsor (or their agents as directed). Should the CTOP be used in any way to document or provide notice, we will work with the Sponsor to ensure that the notification provided is complete and easily understood, and refrain from allowing the trial to register any individuals until we feel that the notification provided sufficiently complies with this principle.
i. Notice of participation in the Privacy Shield
ii. Types of Personal Data Collected
Personal data is collected by Sponsor organizations as required for the conduct of clinical studies in which the participant might participate. The type of personal data collected varies from study to study. Generally, all efforts are made to include only de-identified data, however in some cases personal information is used to track participants. The personal data might include: name, contact information, demographics such as race and gender, and sensitive medical information such as medical or health conditions, medications, and mental health status.
In some cases, only a patient key is used to identify the individual. In this case, only the principal investigator has access to identifiable personal information. If this is the case, the information that is transferred or contained within CTOP is exempt from the Privacy Shield as it does not contain any identifiable personal information.
iii. Commitment to the Privacy Shield Framework
Prelude Dynamics is committed to uphold the principles and framework set forth by the EU-US and Swiss-US Privacy Shield framework and its principles. Please see section i. Notice of Participation in the Privacy Shield.
iv. Purpose and Use of Personal Data
Sponsors have different reasons for collecting personal information. Generally, the purpose for collecting it is to be able to identify the participant across study visits and to be able to communicate important information with the participant. Because CTOP access is permission-based, only certain roles have access to personal data. During data analysis only de-identified data is used.
v. Contact for inquiries and complaints
Questions, comments or complaints regarding the Prelude Dynamics’ EU-US and Swiss-US Privacy Shield Principles or data collection and processing practices can be communicated using one of the methods below.
Attn: VP Quality Assurance
3906 Manchaca Rd
Austin, TX 78704
Privacy Shield organizations must respond within 45 days of receiving a complaint.
vi. Third parties and disclosure of information
It is the duty and responsibility of our Sponsors to notify individuals of how their information will be used and/or distributed to third parties. As a contracted agent of the Sponsor, we have no authority, and in fact are prohibited from, distributing data concerning an individual to anyone other than the Sponsor (or their agents as directed) per our contract without explicit authorization or as required by law.
While Prelude Dynamics will not authorize access to any study data, the Sponsors might assign access to agents acting on their behalf. The responsibility for ensuring Sponsor agents abide by the Privacy Shield is the Sponsor’s responsibility.
vii. Limiting use and disclosure of personal data
Sponsors are responsible for notifying and obtaining consent from all participants prior to disclosing their personal data to third parties. CTOP provides role based permissions which enable the Sponsor to limit access to personal identifiable information. Additional information about choice to opt-in or opt-out is located in the Choice section below.
ix. Independent dispute resolution
If you have not received a timely or satisfactory response to your question or complaint from Prelude Dynamics, please contact the EU Data Protection Authorities or the Swiss Data Protection and Information Commissioner. Prelude Dynamics agrees to cooperate with them to resolve any issues that might arise.
x. Investigation and Enforcement
The Federal Trade Commission has jurisdiction over Prelude’s compliance with the EU-US and Swiss-US Privacy Shield.
xi. Binding Arbitration
Under certain limited conditions, individuals may invoke binding arbitration before the Privacy Shield Panel created by the U.S. Department of Commerce and the European Commission. Information on your rights under the privacy shield is located at https://www.privacyshield.gov/Individuals-in-Europe and additional information about when binding arbitration can be invoked is located at https://www.privacyshield.gov/article?id=ANNEX-I-introduction.
xii. Response to lawful requests for information
In rare cases, personal information may be disclosed in response to lawful requests by public authorities. Such requests must be approved by the Sponsor and include requests made to meet national security or law enforcement requirements.
xiii. Liability in cases of onward transfers to third parties
The Sponsor retains all rights and responsibilities with respect to onward transfers. Our Sponsors transfer data to Prelude Dynamics for storage and processing, but we are contractually prohibited from releasing this information to anyone other than the Sponsor unless specifically authorized to do so, or are obligated to do so for legal reasons. This means Prelude Dynamics’ is held harmless related to liability in cases of onward transfers to third parties by the Sponsor.
Use of Personal Data, Purpose and the Choice to Participate
Trial participants, by their participation, are volunteering to supply certain medical information to support the Sponsor’s study goals. Participants may or may not be compensated by the Sponsor for participation. The Sponsor determines the study design, content, goals, and end usage of collected information.
a. Opportunity to opt-out of third party disclosure
Our contractual Sponsors are obligated to provide individuals with the ability to choose (opt out) whether their Personal Information will to be disclosed to a third party or used for a purpose other than the purpose for which it was originally collected or subsequently authorized by the individual. Individuals will typically opt out by communicating directly with our Sponsors. When notified by a Sponsor that an individual has chosen not to give permission, or has revoked their permission to use their Personal information, we will suppress that data from view. FDA 21CFR11 and GCP rules dictate that clinical trial data (including the audit trail) can never be deleted until the required retention period has expired.
Should an individual contact us directly with an opt-out request, we will notify the Sponsor on the individual’s behalf and proactively work with the Sponsor to resolve the individual’s issue or request.
Note: It will no longer be possible to remove an individual’s data when a trial has already been completed (locked and archived).
b. Disclosure to third parties acting as agents to Sponsor
Prelude Dynamics has no authority to disclose data to any third parties unless required by law.
c. Obtaining affirmative expressed consent for sharing of sensitive information with third parties
For sensitive information (i.e., personal information specifying medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership or information specifying the sex life of the individual), our contractual Sponsors must obtain affirmative express consent (opt in) from individuals if such information is to be (i) disclosed to a third party or (ii) used for a purpose other than those for which it was originally collected or subsequently authorized by the individuals through the exercise of opt-in choice. In addition, Prelude Dynamics will treat as sensitive any personal information received from our contractual sponsors where our contractual sponsor identifies and treats it as sensitive.
Accountability for Onward Transfers
The Sponsor retains all rights and responsibilities with respect to onward transfers. Our Sponsors transfer data to Prelude Dynamics for storage and processing, but we are contractually prohibited from releasing this information to anyone other than the Sponsor unless specifically authorized to do so, or are obligated to do so for legal reasons. Our contract with Sponsor organizations will require the Sponsor to uphold the EU-US and Swiss-US Privacy Shield Principles.
a. Secure data storage
Prelude Dynamics hosts its Clinical Trial Optimization Platform in two SSAE-16 compliant data centers hosted in Austin, TX to ensure the data from physical loss.
b. Secure communication and access
All communications with our servers are implemented via secure, encrypted https protocol and a dedicated firewall appliance. The data center itself is manned 24/7/365 and stringent authorization and entry procedures are in place. The VISION™ system itself requires a role-permission based user ID/password combination to be entered before access to the system is granted. Issuance of such user IDs and passwords is the responsibility of the Sponsor and Sponsor representatives with strict need-to-know for a specific trial. While every effort has been made to reasonably safeguard Personal Information, we cannot absolutely guarantee the security of Information transmitted via the Internet. While every effort is made to detect and prevent unauthorized access to data on our servers, new electronic threats emerge every day. Prelude Dynamics will notify its’ Sponsors within 72 hours in the event a breach is detected.
c. Safeguard for Alteration and Destruction
CTOP utilizes a field by field audit trail to track who (user name and role) has entered the data and the time of the data entry or modification. Regular backups per standard operating procedures help ensure data safety and retrieval.
All participants using the CTOP VISION™ system, regardless of role, are expected to have and maintain anti-malware software on their local computers. They are also required to safeguard their ID and password.
Data Integrity and Purpose Limitation
i. Limited to Collection of Relevant Information
Our Sponsor organizations are responsible for ensuring that personal information collected is limited to the information that is relevant for the purposes of processing, and that the personal information collected is not processed in a way that is incompatible with the purposes for which it has been collected or authorized by the individual.
ii. Accuracy and Integrity of Data
Our Sponsor organizations are responsible for assuring data integrity at the time of data entry or during monitor review. Prelude Dynamics adds to this assurance by providing a comprehensive audit trail of data entered, and VISION utilizes comprehensive error and constraint checking to encourage correctness at data entry time. In addition, the data transmission protocol utilizes advanced technology to guarantee that the data transmitted to our secure server is identical to the data entered. If any participant believes information collected is in error, they should contact their Sponsor representative as soon as possible.
iii. Data Retention
Our Sponsors are responsible for maintaining archived data files in compliance with federal regulations set forth by the Food and Drug Administration Agency. Additionally, per our contract, Prelude maintains a copy of the archived data for the timeframe specified in the contract. All archived data files in Prelude’s possession are safeguarded either in a fire proof safe or a secure server located in the data center with only key officers within the organization having access.
a. Individual’s access to their personal information
All requests for access to personal information should be directed to the appropriate Sponsor. When necessary, Prelude Dynamics will assist the Sponsor in compiling a read-only copy of the personal information requested.
b. Individual’s access to treatment information when participating in a clinical trial
Participants in clinical trials may not be given access to information about treatment they might be receiving if doing so would jeopardize the validity of the research study and results. If the participant has agreed to participate in a blinded study, the right to access this information is foregone until the end of the trial. At which time, the individual may request the information from the physician or health care provider from which treatment was received.
c. Individual’s ability to correct their personal information
All request to change or correct personal information should be directed to the appropriate Sponsor. The Sponsor personnel or appropriate study personnel will be able to make changes to the individual’s personal information.
Recourse, Enforcement and Liability
After communicating with the Sponsor, Prelude Dynamics encourages individuals to raise complaints directly with us prior to proceeding to an independent recourse mechanism for resolution. We agree to give prompt and courteous attention to complaints about an individual’s privacy, and to address them in a timely manner.
In addition to self-assessment, Prelude Dynamics commits to cooperate and comply with both European Data Protection Authorities (DPAs) and the Federal Data Protection and Information Commissioner of Switzerland in the investigation and resolution of complaints brought under EU-US and Swiss-US Privacy Shield Principles. We will comply with any advice given by these authorities where the authorities take the view that our organization needs to take specific action to comply with the EU-US and Swiss-US Privacy Shield Principles and will provide these authorities with written confirmation that such action has been taken.
The contact information for the above-mentioned authorities can be found at:
EU DPAs: https://www.privacyshield.gov/Individuals-in-Europe
Swiss FDPIC: http://www.edoeb.admin.ch/kontakt/index.html?lang=en
Prelude Dynamics is not liable under the Privacy Shield Principles as we merely transmit and cache information. As is the case with the Directive itself, the Privacy Shield does not create secondary liability. To the extent that an organization is acting as a mere conduit for data transmitted by third parties and does not determine the purposes and means of processing those personal data, it would not be liable.