1. Background

The Alliance Foundation is a non-profit sister organization to the Alliance for Clinical Trials in Oncology. The Foundation was established to partner with the pharmaceutical industry in conducting clinical trials for oncology therapies, allowing the Alliance network to participate in industry-funded studies transparently, respecting the requirements to separate industry-funded studies from federally funded initiatives. Like the Alliance, the Alliance Foundation seeks to reduce the impact of cancer on people by uniting a broad community of scientists and clinicians from many disciplines, committed to discovering, validating and disseminating effective strategies for the prevention and treatment of cancer.

The mission of the Alliance for Clinical Trials in Oncology is to reduce the impact of cancer by:

  • Conducting high quality multidisciplinary cancer control, prevention, and treatment trials that engage a comprehensive research network
  • Furthering our understanding of the biological basis of the cancer process and its treatment, from discovery, to validation, to clinical practice
  • Providing a scientific and operational infrastructure for innovative clinical and translational research in the academic and community settings

The Alliance Foundation is part of a national clinical trials network which comprises nearly 10,000 cancer specialists at hospitals, medical centers, and community clinics across the United States and Canada. Through collaboration within the network of researchers, institutions and the industry, we develop and conduct clinical trials with promising new cancer therapies, and utilize the best science to develop optimal treatment and prevention strategies for cancer, as well as research methods to alleviate side effects of cancer and cancer treatments.

The Alliance Foundation for Trials (collectively referred to as “AFT”, “we” or “our”) respect the relationships we have with all parties involved in the research conducted and respect the privacy of our employees, patients, subjects, research partners and others whose Personal Information (see Definitions) may be processed by any of the partner organizations in the Alliance in the performance of research, including individuals participating in clinical research studies. Personal data is information that relates to a living individual who can be identified whether directly or indirectly.

AFT has implemented this policy to ensure protection of data collected during the course of research conducted by AFT and its network of partners. This policy includes definitions of Personally Identifiable Information (PII) as well as standards and requirements for collection, storage and management of this data to protect the privacy of the research participants. We train, advocate and enforce this policy within our network of partners as described in this policy and referenced procedures.

Although AFT’s research is largely conducted in the United States, we have implemented this Safe Harbor Privacy Policy to describe our approach to adhering to and satisfying the Safe Harbor Privacy Principles with respect to transfers of Personal Information from the European Union and Switzerland to the United States. To learn more about the Safe Harbor Frameworks, please visit the U.S. Department of Commerce's website at http://www.export.gov/safeharbor/.

Our network of researchers and partners are required to meet the standards of this policy, at a minimum. Their individual policies and documented processes may be used by their staff during the course of research and may be substituted for this policy. Enforcement of meeting the standards and processes defined in this policy is achieved through AFT’s Vendor Management and due diligence processes and SOPs referenced in this policy and elsewhere.

As a general policy and practice, AFT avoids the collection and management of PII data, however many of the partners in the AFT network are medical professionals who interact with individuals receiving medical care, as a normal course of their professional services. For this reason, this policy is more comprehensive than may be found in other circumstances.

AFT intends that its privacy policy and standard practices and procedures will ensure timely compliance with all international privacy laws and regulations, including, for example, the European Union, Canada, Japan, Korea, Singapore, and United States, as applicable. To monitor implementation of our policy for the protection of individually identifiable information, AFT’s operating team reviews the policy and it is adjusted in coordination between the Program Directors and the Associate Group Chair for Patient Advocacy.  AFT has established the Directorship of Statistics & Data Management, whose responsibilities, in part, are to receive, investigate, track and guide resolution of any incidents / complaints that AFT may receive or identify regarding data privacy. Incidents and resolution are reported to the Alliance Group Chair and the Alliance Board of Directors as appropriate.

The European Data Protection Directive and the implementing national laws of the 27 European Union member states (as well as personal data protection laws in non-EU countries in Europe) protect all personal data from unfair processing. Based on its charter and mission, AFT does not focus or deliberately pursue research opportunities outside of the United States, however, we respect the EU Safe Harbor laws as a standard and understand that our research will frequently incorporate European collaboration or participation. Therefore, EU Safe Harbor guidance and law are considered in this policy.

2. AFT’s Data Privacy Policy

Scope: 

This Policy applies to all Personal Information, either in electronic or paper format, received by AFT and/or its partners in the U.S. as well as from the EU or Switzerland, including Personal Information relating to investigators or participants in clinical trials where AFT is leading the conduct of the trial.


Limitations to Scope:

Adherence to this Policy may be limited to the extent required to meet a legal, regulatory, governmental, national security or public interest obligation. Also, this Policy may not apply or may be limited when Personal Information is obtained by AFT or its partners:

  • Under an agreement that contains the requisite Model Contract Clauses approved by the European Commission with respect to the Personal Information; or
  • When necessary for the performance of a contract (e.g., an employment contract) between an Individual and AFT.


Definitions: 

For purposes of this Policy, the following definitions shall apply:

“Partner” means any partner in the Alliance network or third-party that uses Personal Information provided to it by AFT to perform tasks on behalf of and under the instructions of AFT.

“Individual” means any natural person participating in one of more studies whose Personal Information is shared with AFT.

“AFT” means the Alliance Foundation for Trials, its partners, researchers, management and participants.

“Personal Information” means any information or set of information that identifies or could be used by or on behalf of AFT to identify an Individual. Personal Information does not include information that is anonymized such that an Individual cannot be identified. AFT bases our definition of Personally Identifiable Information (PII) on data identified in the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The following specific data elements are of high priority concerning this policy and data security and management SOPs.

  1. Names
  2. Geographic subdivisions smaller than a state, includes county, city, street address, precinct, zipcode, and equivalent geocodes (first three digits of a zip code excluded if the geographic unit formed by combining all zip codes with the same first three digits contains >20,000 persons)
  3. All elements of dates (except year); all ages >89 and all elements of dates (including year) indicative of such age (may aggregate into a category of age >90)
  4. Telephone numbers
  5. Fax numbers
  6. E-mail addresses
  7. Social Security Numbers
  8. Medical record numbers
  9. Health–plan beneficiary numbers
  10. Account numbers
  11. Certificate and license numbers
  12. Vehicle identifiers and serial numbers, including license plate numbers
  13. Medical device identifiers and serial numbers
  14. Internet universal resource locators (URLs)
  15. Internet protocol (IP) addresses
  16. Biometric identifiers including finger and voice prints
  17. Full-face photographic images or comparable images
  18. Other unique identifying number or characteristic

“Principles” mean the enumerated principles outlined in the Safe Harbor Framework, which must be followed in order for an organization to be certified under the Safe Harbor Framework. 

“Safe Harbor Framework” includes either or both of the U.S.-EU and the U.S.-Swiss Safe Harbor programs as administered and enforced by the U.S. Department of Commerce.

“Sensitive Personal Information” means Personal Information that reveals race, ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, or that concerns health or personal sexuality. In addition, AFT will treat as Sensitive Personal Information any information received from a third party where that third party treats and identifies the information as sensitive. 

“European Union (EU)” means for the purposes of this Policy all countries within the European Economic Area (EEA).

“European Union Data Protection Directive” means Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.


Principles:

The privacy principles in this Policy are based on the U.S.-EU and U.S.-Swiss Safe Harbor Privacy Principles. As previously stated, AFT’s geographic scope of research is within the United States, however, the EU Safe Harbor principles are used as a respected guidance both in terms of rigor and with the understanding that partnerships and data transfers may include the EU. Therefore minimum standards should support those processes.

Notice: Where AFT (and therefore it’s partners) collects Personal Information directly from Individuals, it will explain the purposes for which it collects and uses Personal Information about the Individuals, the types of non-agent third parties to which AFT discloses that information, and the choices and means, if any, AFT offers Individuals for limiting the use and disclosure of Personal Information about them. This explanation will be provided as soon as practicable and, in any event, before AFT uses the information for a purpose other than that for which it was originally obtained. Where AFT receives Personal Information from its network, partners, subsidiaries, affiliates or other entities in the EU or Switzerland, including when acting as a study manager processing Personal Information under the direction of a sponsor, it will use such information in accordance with the notices provided by such entities and the choices made by the Individuals to whom such Personal Information relates. AFT may not need to furnish notice where the processing in question is necessary to respond to a government inquiry; is required / authorized by applicable laws, court orders or government regulations; or is necessary to protect the safety of the individual or AFT’s legal interests and providing notice would interfere with the above requirements.

  • Purpose of Collection and Use of Personal Information: For Individuals participating as subjects, clinical investigators or other study personnel in research studies being managed by AFT, Personal Information may be used in order to carry out the applicable studies and other study-related services. This may include the transfer of such Personal Information to the applicable study sponsor, business partners and third party service providers performing services related to the study (e.g., study data management, clinical research monitoring services, etc.). AFT may also use the Personal Information to comply with our legal obligations, policies and procedures and for internal administrative purposes.
  • For Individuals who are employees or potential employees of AFT, we will process Personal Information to carry out and support our human resources functions and activities, administer employee participation in benefits, compensation and human resources plans and programs, manage employee performance, implement, investigate and report on compliance and discipline procedures and matters, and comply with our legal obligations, policies and procedures.
  • For Individuals sharing Personal Information with AFT in order to inquire about or otherwise make use of our services, we will use such Personal Information in order to provide the requested information, products, and/or services. Such uses may include processing requested transactions, improving the quality of our services, sending communications about our products and services, enabling our business partners and service providers to perform certain activities on our behalf and complying with our legal obligations, policies and procedures and for other internal administrative purposes.

Choice: AFT will offer Individuals the opportunity to choose whether their Personal Information is (a) to be disclosed to a non-agent third party, or (b) to be used for a purpose other than the purpose for which it was originally collected or subsequently authorized by the Individual. Unless required or authorized by law, AFT will not process Sensitive Personal Information about Individuals for purposes other than those for which the information was originally obtained or subsequently authorized by the Individual unless the Individual affirmatively and explicitly consents to the processing (“opt-in”). In some cases, even if an Individual opts-out of disclosures of their Personal Information, AFT may still disclose such Personal Information if required to do so by law, if disclosure is required to be made to law enforcement authorities, if we believe disclosure is necessary or appropriate to prevent physical harm or financial loss or in connection with an investigation of suspected or actual illegal activity. AFT also may transfer Personal Information in the event we sell or transfer all or a portion of our business or assets. Should such a sale or transfer occur, AFT will direct the transferee to use Personal Information in a manner that is consistent with this Policy AFT will provide Individuals with reasonable mechanisms to exercise their choices.

Onward Transfers: Transfers between AFT partner organizations and to third parties are covered by the provisions in this Policy regarding notice and choice. AFT may also share an Individual's Personal Information with Agents, contractors or partners of AFT in connection with research that these individuals or entities perform for, or with, AFT. AFT may, for example, provide an Individual's Personal Information to Agents, contractors or partners for hosting our databases, for data processing services, or to send to that Individual the information that he or she requested. AFT will obtain assurances from all partners and third parties that they will safeguard Personal Information consistently with this Policy. Examples of appropriate assurances that may be provided include: a contract with provisions obligating these third parties to provide at least the same level of protection as is required by the this Policy and relevant Safe Harbor Principles, being subject to standards required in this Policy, related AFT and partner SOPs, the EU Data Protection Directive, Safe Harbor certification by these third parties, having Binding Corporate Rules approved by the European Commission, or being subject to another European Commission adequacy finding (e.g., Andorra, Argentina, Canada, Faroe Islands, Guernsey, Jersey, Isle of Man, Israel, Switzerland, New Zealand, Uruguay). Where AFT knows that an Agent, contractor, vendor, or partner is using or disclosing Personal Information in a manner contrary to this Policy, AFT will take reasonable steps to prevent or stop the use or disclosure and report this disclosure as required by policy and applicable law.

Access and Correction: Upon request, and as required by law, AFT will provide Individuals with reasonable access to the Personal Information that AFT holds about them, subject to permitted exemptions. In addition, upon request, AFT will take reasonable steps to provide Individuals with a means to correct, amend, or delete Personal Information that is found to be inaccurate or incomplete. AFT when acting as a CRO has no direct relationship with participants in a clinical trial and any such Individuals who seek access, or who seek to correct, amend, or delete their inaccurate Personal Information should direct his or her query to the relevant study sponsor or investigator which has transferred such Personal Information to AFT for processing.

Security: AFT will employ reasonable technical, administrative and physical safeguards to protect Personal Information in its possession from loss, misuse and unauthorized access, disclosure, alteration and destruction. When AFT is acting as the manager of research activities and processing Personal Information as an Agent under the direction of the study sponsor(s), AFT enters into a contract with such sponsors specifying the conditions under which Personal Information received from the EU and/or Switzerland are to be processed and kept secure.

Data Integrity: AFT will use Personal Information only in ways that are compatible with the purposes for which it was collected or subsequently authorized by the Individual. AFT will take reasonable steps to ensure that Personal Information is relevant to its intended use, accurate, complete, current, and otherwise reliable in relation to the purposes for which the information was obtained. AFT’ employees have a responsibility to assist AFT in maintaining accurate, complete and current Personal Information. As a policy, AFT only processes Personal Information that is relevant to the research it conducts, and only for purposes compatible with those for which the Personal Information was collected. As an research partner processing Personal Information under the direction of its sponsors, AFT works with such sponsors so that the sponsors can provide a way for Individuals to correct their Personal Information.

Enforcement: AFT’ internal management has implemented internal, self-assessment procedures for periodically conducting random reviews of compliance of its relevant privacy practices to verify adherence to AFT’s Data Privacy Policy. AFT encourages individuals covered by this Policy to raise questions about the processing of Personal Information about them by contacting AFT’s operations leadership through the contact information provided to the network. Any employee or partner that AFT determines is in violation of this Data Privacy Policy will be subject to disciplinary action up to and including termination of research activities, employment or both.

Dispute Resolution: Any questions or concerns regarding the use or disclosure of Personal Information should be directed to the Associate Group Chair for Patient Advocacy and/or their immediate management. AFT will investigate and attempt to resolve complaints and disputes regarding use and disclosure of Personal Information in accordance with the principles contained in this Policy. For complaints involving Personal Information other than human resources data that cannot be resolved, such disputes will be referred to Alliance Board of Directors for resolution. For internal complaints by Individuals involving human resources data that cannot be resolved between AFT and an employee after following the internal review, complaint, and appeal procedures, AFT will engage third-party, objective professionals to resolve disputes pursuant to the Safe Harbor Principles.

Contact Information: Questions, comments or concerns regarding this Policy should be submitted to the AFT service center by e-mail as follows AllianceServiceCenter@allianceNCTN.org. Inquiries will be directed as appropriate.

Reservations of Rights: AFT reserves the right to share an Individual’s Personal Information as required or authorized by law or regulation or in response to duly authorized information requests of government authorities.

Chances To This Data Privacy Policy: This Policy may be reviewed and amended from time to time, without advance notice, consistent with the research requirements of AFT, related sponsors and the U.S.-EU and U.S.-Swiss Safe Harbor Privacy Principles, to ensure that an appropriate level of protection for Personal Information is maintained. All amendments will be posted on this website.

3. Policy Review and Enforcement

AFT is a network of highly qualified research institutions, researchers and professional service providers. Members of the AFT network each have Standard Operating Procedures (SOPs) and policies that cover their respective services and handing of data. AFT has developed this policy to set, communicate and enforce minimum standards. It is our expectation that our partners meet or exceed each of these policy goals and measurements throughout the conduct of their responsibilities in our research mission. In addition, AFT has incorporated our interpretation of international law and guidelines into our policy to codify the standards in which we collect, handle and transfer data, particularly PII data.

As part of our commitment to data protection, AFT’ manages its Data Privacy Program with its network of partners. The program includes, but is not limited to, the following elements:

  • Mandatory Privacy Training – web-based interactive privacy awareness training program through which is mandatory for all AFT staff. AFT audits partners in the network to ensure comparable training is in place.
  • On-going review of changing data protection legislation, and assessment of the impact on AFT
  • Assurance of Training programs: both standard modules for all partners employees, HR, Application Developers, and custom modules for ad hoc requirements as well as generic data protection education and communication
  • Guidance for clinical trials
  • Audit of partner applications and processes in their operating environment
  • Periodic review of compliance of all new/changed computer systems which process personal data prior to implementation by our partners
  • Sponsoring forums and dialog amongst management and staff on data protection topics, especially in connection with new and changing manual processes and computer applications which process personal data
  • Where appropriate, managing Data Transfer Agreements for European personal data transfers outside the European Economic Area
  • Referral of additional questions or significant issues to the Alliance Board of Directors and/or executive staff of partner organizations