George Clinical Pty Ltd, together with its subsidiaries worldwide (George Clinical) is committed to handling personal information (including health and other sensitive information) in accordance with applicable privacy laws, including the Australian Privacy Principles (APPs) set out in the Australian Privacy Act 1988 (Cth) and, where relevant, the EU General Data Protection Regulation ((EU) 2016/679) (GDPR). A reference to personal information includes “personal data” as defined in the GDPR.
We have adopted the APPs as the minimum standard across all of our offices worldwide. We also comply with the ICH Guidelines for Good Clinical Practice with respect to the use, protection and security of health information collected, as well as guidelines issued by the National Health and Medical Research Council of Australia (NHMRC) in respect of health information that may be accessed in the conduct of research.
We collect personal information reasonably necessary for one or more of our functions or activities as a contract research organisation. The types of personal information we generally collect may include your name, date of birth, address and other contact details such as your telephone numbers and email address. Depending upon the purpose of our interaction with you, we may collect additional personal information. More details about the personal information we collect (and why) are provided below.
We (or an approved third-party operating on our behalf) will collect personal information and health information (and at times, other sensitive information) from individuals who participate in human research studies and clinical trials undertaken or managed by George Clinical.
Such collected may include:
The information is collected for the purposes of medical research and analysis pertaining to the research study or trial, to comply with laws and regulatory guidelines relating to medical research and clinical trials, and to substantiate the findings and publication of research results.
We may also collect personal information of health practitioners and health providers who are involved in the care of study participants (e.g. general practitioners, physiotherapists, other healthcare service providers). Such information collected may include name, address, contact details, professional qualifications, experience, and interaction records with us (as part of the particular research study or trial). This information is collected for the purpose of administration, management and operation of George Clinical and the particular research study or trial.
We may also collect the personal information of medical experts, researchers and other professionals advising on, overseeing, or assisting in the conduct of a particular research study or trial. Such information collected may include name, address, contact details, professional qualifications and experience, and registration information.
As part of the ordinary course of business operations, we may capture and record personal information from our dealings with partners, business alliances and service providers. Such information is collected for administrative, management, and audit purposes.
We may collect personal information (e.g. name and contact details) from those who contact us (by phone or in person) or access our websites (refer to ‘How do we collect and hold your personal information’ section below). Such information is collected in order to deal with you and improve our services.
You may also supply personal information to us when applying for open positions, and we may collect your personal information from third-parties (e.g. referees) as part of the assessment and recruitment process. Such information collected may include educational and academic background, work history, skill-set and capabilities. We may collect similar personal information from volunteers who apply to work with George Clinical.
Where lawful and practical, you will be given the option to deal with us without identifying yourself or by using a pseudonym (e.g. when inquiring about the activities that George Clinical undertakes).
We aim to collect your personal information directly from you:
We may collect your personal information from a third-party, such as your medical or health provider (e.g. GP, hospital) and an information document (including requisite privacy disclosures) will be given to you by that provider.
When accessing our websites, we may make a record of your user service address and internet provider name and address, the date and time of your visit, the pages you accessed and any documents downloaded, any website visited prior to accessing our site and the type of browser used. This information (which is unlikely to contain personal information) is collected to monitor the activity on our websites (including the popularity of certain pages and information presented on our websites, and linkages to information), to consider improvements to the delivery, presentation and types of information on our websites (including cost/benefit analysis), and ensure the protection of our intellectual property and reputation.
We hold personal information in paper-based and electronic records and systems.
Personal information collected in paper-based documents may be converted to electronic form for storage (with the original paper-based documents either archived or securely destroyed).
George Clinical uses physical security and other measures to ensure that personal information is protected from misuse, interference and loss, and from unauthorised access, modification and disclosure.
Personal information held in paper-based form is generally securely stored at our offices, with archived records held at an external storage facility. Our databases and their contents remain at George Clinical and stay with data processors or servers acting on our behalf and responsible to us.
We maintain computer and network security by using firewalls, user identifiers and passwords to control access to our computer system.
Our staff must comply with privacy and confidentiality terms as part of their employment with us. To be an approved third-party of George Clinical, that party must be subject to similar privacy and confidentiality laws, or have a professional and/or contractual obligation of confidence.
We may also disclose your personal information as directed or permitted by law or court order.
Depending on the circumstances and the location where the study or research program is being conducted or coordinated, the above-mentioned may involve a cross-border disclosure. Our studies are often internationally based and our staff, agents, service providers, collaborators and research partners may be located overseas, e.g. Canada, the United Kingdom, the European Union, India and China. This will be explained in the study protocol and information documents.
personal information will be de-identified (and aggregated with others) before disclosure.
We may also disclose your personal information to our approved third party service providers, and as directed or permitted by law or court order.
We have put in place measures to protect the security of your information, and to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access (by physical and technical safeguards) to your personal information to those staff, related parties, and approved third-parties (e.g. agents, service providers, collaborators and research partners) who have a business or legal need to know.
We have also put in place procedures to deal with any suspected data breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.
If you are located in the European Economic Area (including the United Kingdom) (collectively the EEA) you will have certain rights under the GDPR:
|Rights||What does this mean?|
|The right of access||You have the right to obtain access to your personal information that we hold about you.|
|The right to rectification||You are entitled to have the personal information that we hold about you corrected if it is inaccurate or incomplete.|
|The right to erasure||This is also known as “the right to be forgotten” and enables you to request the deletion or removal of your personal information if there is no compelling or legal reason for us to keep using it.|
|The right to restriction of processing||You have the right to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it.|
|The right to object to processing||You have the right to object and ask us to stop processing your personal information.|
|The right to lodge a complaint||You have the right to lodge a complaint about the way we process your personal information with a supervisory authority in the EEA.|
|The right to request transfer||You have the right to request us to transfer personal information we hold about you to another party, in a machine readable format.|
|The right to withdraw your consent||You have the right to withdraw your consent to us processing your personal information.|
These rights are not absolute and may not apply in all circumstances.
We will only use your personal information when the law allows us to. Most commonly, we will use your personal information in the following circumstances:
Please contact us should you require any additional information about the legal grounds we rely on for any specific processing activities that involve your personal information.
We may transfer your personal information outside the EEA to other countries where our databases are held or where our approved third-parties (e.g. agents, service providers, collaborators and research partners) are located. This may be in Australia, United States and other countries, some of which may not be deemed to provide an adequate level of protection for your personal information under GDPR. However, to ensure that your personal information does receive an adequate level of protection, we will put in place appropriate measures to ensure that your personal information is treated in a way that is consistent with and meets GDPR requirements: this may include the EU Model Clauses, EU Commission approved Binding Corporate Rules, and reliance on the US Privacy Shield.
We will only retain your personal information for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain your personal information for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you.
To determine the appropriate retention period for personal information, we consider the amount, nature and sensitivity of the information, the potential risk of harm from unauthorised use or disclosure of your personal information, the purposes for which we process your personal information and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements.
You may request access to, or seek correction of, your personal information that is held by George Clinical, or exercise other rights available under GDPR, by writing to the Privacy Officer:
Address: Level 5, 1 King Street, Newtown, NSW 2042 Australia; or
If you are located in the EEA you may also wish to write to our EU-based Representative:
Address: George Clinical (UK) Limited (No. 08951276) of Centrum House, 36 Station Road, Egham, Surrey, TW20 9LF, United Kingdom, Tel no: +44 7789 376 306
We will generally not charge a fee for such requests, but we may charge a reasonable fee if your request is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.
Typically, we will respond to your request within 10 – 20 business days, but sometimes we may require more time depending on the circumstances.
In your request, please ensure that you provide a reply address, so that we can contact you if we are unable to locate your personal information, if we need to verify your identity, or if we cannot carry out your request (in which case, we generally tell you why).
Please set out your complaint in writing to the Privacy Officer:
Address: Level 5, 1 King Street, Newtown, NSW 2042 Australia; or
Please provide sufficient information, so that the Privacy Officer can consider your concerns and contact you. Typically, we will respond to your complaint within 10 – 20 business days.
If you are not satisfied with our response, or you consider that we may have breached the Australian Privacy Principles or the Privacy Act 1988 (Cth), you are entitled to make a complaint to the Office of the Australian Information Commissioner. The Office of the Australia Privacy Commissioner can be contacted by telephone on 1300 363 992 or full contact details can be found online at www.oaic.gov.au.