EMB Statistical Solutions, LLC (graphic) Powered by Experience (image)

EMB Privacy Policy

EMB is a singular organization whose mission is to provide data management and statistical support for clinical trial studies in the pharmaceutical industry. EMB operates within the confines of pertinent laws, regulations and guidelines issued by United States (US), European Union (EU), and Japanese drug approval agencies. EMB possesses and follows strict operating procedures for the processing of clinical trial data for clinical research, and these procedures are audited yearly by our various clients for scope, training and adherence.

EMB does have the procedures and policies in place to comply with the original EU-US Privacy Shield Framework and the Swiss-US Privacy Shield Framework as set forth by the US Department of Commerce regarding the collection, use, and retention of Personal Information transferred from European Union and Switzerland, respectively, to the United States.

In July 2020, the European Court of Justice (CJEU) issued a judgement that the Privacy Shield framework no longer provided adequate safeguards for the transfer of personal data to the US from EU.

In June 2021, the European Commission adopted the two sets of standard contractual clauses (SCCs) to replace the Privacy Shield data transfer scheme: one set for controllers and processors and another for transferring personal data to third parties.

In March of 2022 it was announced EU and the US have agreed “in principle” to a new framework for cross-border data transfers. EMB will work to transition to this agreement after it is published.

Limitations

Adherence to the Privacy Shield Principles may be limited (1) to the extent required or allowed by applicable law, rule, or regulation; (2) to the extent necessary to respond to lawful requests by public authorities, including to meet national security, law enforcement, legal or governmental requirements; and/or (3) to protect the health or safety of an Individual. Also, this policy may not apply or may be limited when Personal Information is collected or processed under an agreement that contains the requisite Standard Contractual Clauses approved by the European Commission with respect to the Personal Information.

Notice

EMB does not work directly with clinical subjects. EMB is the recipient of partially de- identified clinical research data. Name, address, and other primary identifiers have been removed and replaced with an arbitrary code number. If primary identifiers are ever sent to EMB, procedures are in place to document this deviation and return the information. It is in EMB’s interest not to possess such data.

Secondary identifying information such as birthdate, race, medical history, medications, adverse events, laboratory results and geographical location of clinical sites are commonly reported. This information is generally provided in electronic format. EMB protects this information by ensuring that all data received or transferred by EMB is encrypted. Only the clinical data necessary to support the research study is collected and processed.

EMB manages and/or analyzes clinical research data in support of drug or device development in the pharmaceutical industry. In all cases, EMB is under contract with the study sponsor to perform these services. The study sponsor details in the contract the scope of work, and as such is termed the “controller”, whereas EMB is termed the “processor”.

EMB contracts state that clinical data is the intellectual property of the study sponsor. As such, data transfer to third parties must be authorized and is a highly controlled and documented event. If such data transfer does occur, the third party is part of the clinical research support team (e.g., medical writers, pharmacokinetic scientists). Additionally, our procedures require any data transfer be done in a secure and encrypted manner.

Except in extremely rare cases, all individuals who participate in a clinical research study must sign a consent form. EMB does not write or review these consent forms but assumes the consent forms comply with regulatory guidelines. The guidelines are detailed and include but are not limited to (a) the purpose of the study, (b) the procedures a subject will undergo, (c) the type of data collected, and (d) the rights of the Individual. While EMB does not see the consent form, a standard data field is the date when a subject consented, and its presence is a standard data exception check in the industry. Thus, EMB has assurances of subject consent.

The data originates with source documents (e.g., subject’s medical records) that reside outside EMB. A team of individuals, external and unassociated with EMB, ensures the data EMB receives accurately reflects the source documents. A subject who wishes to view, verify, or alter their data must first begin with the source documents. Any change in the source documents then propagates to EMB data along an auditable and well- defined procedure supported by laws, regulations, and guidelines. EMB cannot originate such requests.

Choice

EMB supports the rights of Individuals to choose whether their Personal Information is to be (a) disclosed to a third party, or (b) used for a purpose materially different from the purpose for which it was originally collected.

However, EMB need not provide choice when Personal Information is disclosed to a third party that is under contract and acting as an agent to perform tasks on behalf of and under the instructions of the study sponsor.

EMB is prohibited by contract and confidentiality agreement to process Personal Information about Individuals for purposes other than those for which the data was originally obtained. For subjects in clinical trial studies, industry standard requires them to sign a consent form (“opt-in”) detailing the purpose for data collection and their rights. The subject also has the right to withdraw from the clinical trial study (“opt-out”), but the forms and procedures reside with either (a) the clinical site where the subject is assessed or (b) the sponsor of the study. Subject status in a clinical trial study (“in” or “out”) is an important component of the study’s audit trail and propagates to EMB along established and well-defined procedures. EMB cannot originate this change.

In some cases, even if an Individual opts-out of disclosures of their Personal Information, EMB may still disclose such Personal Information (i) if required to do so by law, (ii) if disclosure is required to be made to law enforcement authorities, or (iii) if disclosure is necessary or appropriate to prevent physical harm or financial loss to an Individual or in connection with an investigation of suspected or actual illegal activity.

Accountability for Onward Transfer

If the third party is acting as either a controller or agent, the Onward Transfer will comply with the Notice and Choice principles found in this policy. In all cases, the third- party organization will have signed a confidentiality agreement. If the third party is neither the sponsor nor an agent of the sponsor, they will be under contract with EMB for specified work to facilitate the current scientific investigation. Since the sponsor owns the clinical research data as intellectual property, EMB and any organizations contracted by EMB are prohibited from using the data for any other purpose.

When EMB contracts with another organization for processing clinical data, we are required to certify that the organization can fulfill its obligations. Standard procedures require a due diligence audit prior to work beginning, and periodically require a repeat audit, as necessary. The audit would include but is not limited to ensuring: (a) employees are qualified and properly trained, (b) adequate procedures are in place to complete the work following industry guidelines, and (c) data security measures are appropriate. If all aspects are satisfied, they are compliant with the Privacy Policy described in this document. If the organization is lacking in any regard, they must remedy the deficiencies in a timely manner; otherwise, they will not be utilized. An organization which can no longer meet its obligations is required to notify EMB and will be replaced.

If EMB learns that any organization can no longer protect data in accordance with the Privacy Shield principles, EMB will take appropriate steps to stop and remediate unauthorized processing.

Security

To satisfy sponsor and industry requirements, EMB utilizes strong security measures while personal data is in transit, rest, and use. For all external data transfers, EMB procedures require encryption using one of several approved methods. During rest, all EMB devices are monitored, periodically backed up, restricted by physical and logical access controls, and encrypted. In addition, data stored on our server have a detailed audit trail. During use, access controls are strongly enforced on controlled devices following secure practices. Any changes to an Individual’s data must include an audit trail.

EMB employs a security specialist and utilizes strong security measures. Thus, it is unlikely yet possible that an unauthorized third party could compromise our environment and improperly use an Individual’s Personal Information. If such a breach is ever detected, the sponsor of the study would be notified. For subjects in a given study, EMB lacks sufficient information for notification and must rely upon the sponsor to assess and notify as needed.

Data Integrity and Purpose Limitation

When processing personal information, EMB is under contract to only perform those operations described in the scope of work section to fulfill the study purpose. Personnel who process the data must be trained, have signed confidentiality agreements, and have the appropriate industry expertise to complete the task. Any transfers and changes in data must follow procedures and create an audit trail.

When data is no longer in use, it may be archived. Archived data is encrypted. Restoring archived data is an auditable event and must either satisfy requirements of the study sponsor or government regulators.

Access

EMB fully supports an Individual’s rights to access Personal Information. A person wishing access must contact either (a) the sponsor of the study or (b) the clinical site where clinical data was collected. The reason for this is given below.

Recourse, Enforcement and Liability

In compliance with the EU-US and Swiss-US Privacy Shield Principles, EMB commits to resolve complaints about an Individual’s privacy and our collection or use of Personal Information. A person having privacy issues or seeking recourse must contact either (a) the sponsor of the study or (b) the clinical site where clinical data was collected. The reason for this is given below.

Changes to this Policy

This policy may be amended from time to time, without notice, to be consistent with the requirements of applicable laws and regulations. The revisions will take effect on the date of publication of the amended policy.

Contact Information

Questions or complaints related to this policy, data processing or data collection should be submitted to Quality Assurance at the address below or via email at privacy@embstats.com.

EMB Statistical Solutions, LLC
Attention: Director, Data Quality Assurance
55 Corporate Woods
9300 W 110th St. Suite 550
Overland Park, KS 66210
United States of America

Approval date: 24May2022.

EMB Services Therapeutic Areas Our Team About EMB Connect With Us Privacy Policy Home


EMB Statistical Solutions, LLC   |   55 Corporate Woods, 9300 West 110th Street, Suite 550, Overland Park, Kansas 66210   |   913.322.6555