GDPR Compliance Statement

General Statement of GDPR Compliance

Emerald ROW Newco Pte Ltd and its Subsidiaries/Affiliates

This Statement describes the general measures used by Emerald ROW Newco Pte Ltd (“George Clinical (GC)”) and its Subsidiaries/Affiliates to address the requirements of the GDPR. GC is committed to the security and protection of the personal information it holds and to upholding the principles inherent in the GDPR. GC aims not to collect, use or hold personal information unless necessary and, where it is necessary, to de-identify and anonymise it wherever possible. This Statement does not cover third-party systems or software providers used by GC and its Subsidiaries/Affiliates, other than as referred to below.

GC acts as:

  • Processor for clinical trial data;
  • Controller where we engage service partners to deliver services under contract;
  • Controller of personnel information for GC employees and consultants, including prospective professionals.

Requirements and George Clinical’s Strategies

Security controls and measures 

Organizational security measures

  • GC has robust internal Policies, SOPs and procedures on IT Security and Management of Personal Information.
  • Access rights to systems are restricted based on roles and responsibilities.
  • Employees are trained on privacy policies.
  • Staff, consultants, contractors and agents are bound by confidentiality agreements.
  • GC has a Privacy Committee, which meets regularly and is specifically focused on protecting Personal Information and GDPR compliance. It handles any incidents, identifies and addresses risks, and initiates continuous improvements.
  • In relation to projects or clinical trials where personal data may be processed by GC or its Subsidiaries/Affiliates, the general procedure is (subject to directions by Sponsors or collaborating partners):
      • Pseudonymisation or anonymisation of personal data.
      • User authentication and role-based access control.
      • Project team member training on information security (e.g. as part of site set-up training).
  • GC’s contracts with partners, vendors, suppliers and subcontractors include privacy and data protection provisions. Where applicable, GDPR data processing clauses/agreements are also in place.

Technical security measures 

  • Authentication and access control are centrally managed via Active Directory and role-based groups. Multi-Factor Authentication is enforced for remote access.
  • Key security settings are centrally managed and enforced through Active Directory Group Policy.
  • Patching, anti-virus and software installation are centrally managed through System Center Configuration Manager and Microsoft Intune.
  • A Standard Operating Environment is enforced for client computing, including BitLocker encryption, a controlled software stack, anti-virus measures and security settings. Staff do not have administrator access and cannot disable security measures.
  • Encrypted data transmission is supported via IPsec, SFTP, SSH and TLS.
  • All websites involving confidential information are protected by TLS encryption and user authentication.
  • GC operates its own two-tier PKI certificate authority underpinning internal trust.
  • Strong password-protected access is enforced on systems storing personal information.
  • Server and cloud storage is managed by respected, high-quality providers of such services.
  • Access rights are granted on a need-to-know basis only and are regularly reviewed for all access types.
  • Systems that hold sensitive data are network-separated.

Physical security measures 

  • All GC Personally Identifiable Information (PII) is stored in ISO 27001 certified co-location data centres or cloud storage. These all meet Uptime Tier III or better, with redundant controls including power, UPS, environmental, fire suppression and physical security.
  • Physical access to the co-location data centre facilities is strictly restricted to the co-location hosting vendors only.
  • Hard-copy documents containing PII are stored in secured, limited-access document storage facilities within GC offices and in secure offsite storage facilities.

Administrative and network security measures 

  • Privileged account access is strictly limited to essential IT staff.
  • Users do not have administrative access to their computers.
  • Global IT operates a global network interconnecting all GC offices over encrypted links, providing firewalled Internet access and secure encrypted remote access for authorised staff. A micro-segmented approach is taken to securing the most critical servers.
  • Logs from the entire IT infrastructure are collected centrally and retained for 90 days. The logs are reviewed daily for indicators of compromise.
  • Spam and virus scanning are applied to incoming email. TLS is required for all SMTP traffic between nominated domains. SPF, DKIM and DMARC are enabled for email.
  • Comprehensive backup strategies are in place to protect all critical data and systems.
  • Public cloud systems are only used where a security assessment confirms they operate to an acceptable security standard. A data processing agreement is entered into with the service provider where appropriate.

Data Management, Protection & Procedures

Segregation

  • Projects may be segregated in separate virtual machine instances, including separate firewall DMZs where appropriate.
  • Hard-copy files for projects are stored in locked TMF rooms within locked compactus units, away from general staff. Each project has its own binder, which is marked only with a GC-specific code to identify the file. The TMF rooms are accessible only to authorised project team members.
  • GC employees who have access to trial participants’ personal information have limited access to trial implementation or management processes.
  • GC employee personnel data is stored in secure databases, and access is restricted to necessary authorised employees only.
  • Access to prospective research professionals’ personal information is restricted to members of the HR team and the relevant hiring managers, as necessary.
  • Audit capability is in place.

Processes to fulfil data subjects’ requests, including erasure, portability, access, restriction, rectification (as required under GDPR Articles 12-23)

  • GC publishes clear, accessible information on individuals’ rights relating to GC’s management of their personal information.
  • GC publishes clear, accessible information on how an individual can access, correct or request deletion of their personal information.
  • Contact details for GC’s Data Protection Officer are published internally and externally.

Disaster recovery policy & procedures

  • There is a documented Disaster Recovery Plan. 
  • The plan is tested at least annually.

Procedures to deal with personal data breaches

  • Relevant policies and SOPs set out GC’s processes in the event of an actual or suspected data breach.
  • GC has a standardised, centralised Data Breach Reporting process and format (covering suspected data breaches as well).
  • All potential or actual data breach reports are assessed by the Privacy Committee, and further action is taken if necessary, including notifying relevant regulators and data subjects where required.

Responsible Officers

  • The Data Protection Officer and Privacy Officer is the Group Legal Counsel.
  • External privacy enquiries are directed to the following email address, which is monitored daily.
  • The Privacy Committee addresses privacy issues within the organisation.
  • The Global Head, IT and Business Solutions has responsibility for cyber security initiatives.

Data Protection Impact Assessment

  • All projects are required to undergo a Privacy Impact Review to determine whether a Data Protection Impact Assessment (DPIA) is required.
  • All projects that undergo a DPIA are assessed to determine whether a Transfer Impact Assessment is required.
  • A register of all DPIAs is maintained by the Privacy Committee.

Data Retention

  • GC does not keep Personal Information for longer than is necessary for the processing purpose, or to the extent that we are required to do so by law or relevant regulations (e.g., GCP).

Supervisory authority for privacy purposes 

George Clinical BV is located in the Netherlands but operates throughout the European Union.

Details of relevant supervisory authorities can be found here.

This Statement may be revised by George Clinical from time to time.