UNDER CONSTRUCTION

Data Protection Policy

1. Introduction

This Data Protection Policy explains how we collect, use, store, and protect personal data in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and Good Clinical Practice (GCP) guidelines. We are committed to protecting the privacy and security of all individuals who use our clinical trial management system.

Data Controller: [Organisation Name] is the data controller responsible for personal data processed through this system.

Last Updated: [Date]

2. Scope and Purpose

This policy applies to all personal data processed through the GTG Web clinical trials management system, including:

  • Registered user accounts and authentication data
  • User access logs and system activity
  • Email communications

Note: Clinical trial information displayed on this platform is predominantly publicly available data sourced from clinical trial registries. This policy focuses on personal data collected from registered users of the system.

3. Legal Basis for Processing

We process personal data under the following lawful bases:

  • Legitimate Interests (Article 6(1)(f)): To provide access to clinical trial information for healthcare professionals and researchers
  • Contract (Article 6(1)(b)): To provide registered user accounts and system functionality
  • Consent (Article 6(1)(a)): Where explicitly requested for specific communications or optional features
  • Legal Obligation (Article 6(1)(c)): To comply with applicable healthcare and data protection regulations

4. Personal Data We Collect

4.1 Registered Users

When you create an account, we collect:

  • Name and email address
  • Organisation affiliation
  • Role and access permissions
  • Account approval status
  • Password (stored as a cryptographic hash only)

4.2 System Usage Data

  • Login timestamps and authentication logs
  • IP addresses for security purposes
  • System activity logs for audit trails
  • Error logs for system maintenance

4.3 Public Clinical Trial Data

The system displays publicly available clinical trial information that may include:

  • Trial protocols and descriptions
  • Site locations and contact information
  • Investigator names (where publicly registered)

This information is sourced from public registries and is not considered personal data under our control for the purposes of this policy.

5. How We Use Personal Data

We use personal data for the following purposes:

  • Account Management: Creating, maintaining, and authenticating user accounts
  • Access Control: Implementing role-based permissions and data access restrictions
  • System Security: Monitoring for unauthorised access and maintaining audit trails
  • Communication: Sending account-related notifications and system updates
  • Compliance: Meeting regulatory requirements for audit trails and data governance
  • Service Improvement: Analysing system usage to enhance functionality (anonymised where possible)

6. Data Retention

We retain personal data in accordance with the following schedule:

  • Active User Accounts: Retained whilst account remains active
  • Inactive Accounts: Reviewed annually; deleted after 2 years of inactivity
  • Audit Logs: Retained for 7 years in accordance with GCP guidelines
  • Security Logs: Retained for 2 years
  • Deleted Accounts: Personal data anonymised or deleted within 30 days of account closure

Retention periods may be extended where required by legal, regulatory, or contractual obligations.

7. Data Security

We implement appropriate technical and organisational measures to protect personal data, including:

  • Encryption: Data encrypted in transit using HTTPS/TLS and at rest where appropriate
  • Access Controls: Role-based access control with least privilege principle
  • Authentication: Secure password hashing using industry-standard algorithms
  • Audit Trails: Comprehensive logging of data access and modifications
  • Regular Updates: Security patches and updates applied promptly
  • Backup Procedures: Regular encrypted backups with secure storage
  • Incident Response: Documented procedures for data breach management

8. Data Sharing and Third Parties

We do not sell or rent personal data to third parties. We may share data with:

  • Service Providers: Hosting providers, email services, and IT support (under data processing agreements)
  • Legal Authorities: Where required by law or to protect legal rights
  • NHS and Healthcare Bodies: Where required for regulatory compliance or audit purposes

All third-party processors are required to implement appropriate security measures and process data only in accordance with our instructions.

9. International Data Transfers

Personal data is primarily stored and processed within the United Kingdom. Where data is transferred outside the UK, we ensure:

  • Adequate safeguards are in place (e.g., Standard Contractual Clauses)
  • The recipient country provides an adequate level of protection
  • Explicit consent is obtained where required

10. Your Rights

Under UK GDPR, you have the following rights:

  • Right of Access: Request copies of your personal data
  • Right to Rectification: Correct inaccurate or incomplete data
  • Right to Erasure: Request deletion of your data (subject to legal obligations)
  • Right to Restrict Processing: Limit how we use your data
  • Right to Data Portability: Receive your data in a structured format
  • Right to Object: Object to processing based on legitimate interests
  • Right to Withdraw Consent: Withdraw consent where processing is based on consent

To exercise these rights, please contact us using the details below. We will respond within one month of your request.

11. Good Clinical Practice (GCP) Compliance

This system supports clinical trial management in accordance with ICH GCP guidelines. We maintain:

  • Audit trails for all data modifications
  • Version control and data integrity measures
  • Access controls aligned with study roles and responsibilities
  • Documentation retention in accordance with regulatory requirements

12. NHS Data Security Standards

Where applicable, we align our practices with NHS Data Security and Protection Toolkit requirements, including:

  • Staff training on data protection and security
  • Regular security risk assessments
  • Incident reporting procedures
  • Business continuity and disaster recovery planning

13. Cookies and Tracking

We use essential cookies to maintain session authentication and system functionality. These cookies are necessary for the system to operate and do not track users across other websites. For more information, see our Cookie Policy.

14. Data Breach Notification

In the event of a data breach involving personal data, we will:

  • Notify the Information Commissioner's Office (ICO) within 72 hours where required
  • Inform affected individuals without undue delay where there is a high risk to their rights and freedoms
  • Document all breaches and remedial actions taken

15. Children's Privacy

This system is not intended for use by individuals under the age of 16. We do not knowingly collect personal data from children.

16. Changes to This Policy

We may update this policy periodically to reflect changes in our practices or legal requirements. The "Last Updated" date at the top indicates when changes were last made. Continued use of the system following updates constitutes acceptance of the revised policy.

17. Contact Information

For questions about this policy or to exercise your data protection rights, please contact:

Data Protection Officer:
[Name]
[Organisation Name]
[Email Address]
[Postal Address]

You also have the right to lodge a complaint with the supervisory authority:

Information Commissioner's Office (ICO)
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF
Tel: 0303 123 1113
Website: ico.org.uk
An unhandled error has occurred. Reload 🗙