Data Privacy & Protection Policy

TABLE OF CONTENTS

• Data Privacy & Protection Policy
  • Purpose
  • Scope
  • Market Research & Data Subjects
  • Definitions & Classifications
  • Exceptions
  • Enforcement
• Data Privacy & Protection Procedures
  • Purpose
  • Administration & Review
  • Data Retention & Security
  • Employees
  • Handling & Delivery
  • Informed Consent
  • Jurisdiction
  • Limited Access
  • Logging
  • Notifications & Reporting
  • Sanctions for Non-Compliance
  • Third Parties
  • Website
• Appendix A: Terms & Definitions

 

Data Privacy & Protection Policy

Purpose

Brado has published this policy and associated procedures to define standards related to the privacy and protection of personal data and confidential information as disclosure, misuse or loss has ethical, legal and financial ramifications. Brado is committed to ensuring information, both physical and electronic, is kept secure and access is restricted to authorized personnel on a “need to know” basis. While the Information Technology (IT) Department is primarily responsible for keeping data secure and private, every user shall adhere to policy and exercise due diligence.

Brado recognizes the right of individuals to privacy with respect to the processing of personal data. This policy is designed to ensure Brado complies with all applicable laws concerning privacy and protection. Regulations may include the Health Insurance Privacy and Portability Act, as amended (HIPPA) and the European Union’s General Data Protection Regulation (GDPR) as well as specific states’ laws.

Likewise, confidential information and/or personal data shared by clients, partners and vendors shall be treated with a level of care equal to that applied to Brado’s own. However, in some cases, a client’s Master Service Agreement (MSA) takes precedence over this policy and should be consulted as the situation warrants.

Safeguarding protected data has elements of physical security, access control, document retention, and security incident response. Thus, this policy incorporates by reference Brado’s IT Policies specifically addressing those topics.

Scope

This policy applies to the use of all Brado’s servers, workstations and networks (hereafter “systems”). Any private information (electronic and/or paper/hard copies) that is accessed, processed or stored by Brado and its employees, agents, associates, vendors or contractors acting on behalf of or at the direction of Brado (hereafter “users”) is included.

This Policy is part of the suite of Brado’s IT Policies developed for the benefit of users of Brado’s systems. This document is also made available upon request to clients, data subjects or other third parties with an interest in the protected data managed by Brado.

Market Research & Data Subjects

Brado is committed to safeguarding personal information collected from those who share their contact information, demographic details, experiences and opinions (“data subjects”) when participating in qualitative market research studies. Participation in all Brado’s studies is voluntary and data subjects may opt out at any time. They are provided an Information Sheet describing the project and asked to sign a Confidentiality, Consent & Waiver Agreement that clarifies the obligations of each party, including the requirements for mutual confidentiality. This informed consent document explains that personal information will be collected, managed in accordance with applicable laws and used for the business purpose as defined.

Brado will not transfer personal data outside the U.S. unless the receiving organization ensures an adequate level of protection for the privacy of data subjects.

Definitions & Classifications

In the interest of readability and clarity, Brado policies use the term “protected data” to encompass all the following categories of private information:

• Confidential Information that is intended for use only within Brado and disclosure to third parties may cause adverse impact. It includes sensitive data relative to Brado’s business and employees that is intended only for internal use. Likewise, non-public information shared by third parties is recognized as Confidential Information.
• Personally Identifiable Information (PII) as specifically defined by various states’ laws; PII identifies an individual and disclosure infringes upon that individual’s privacy rights.
• Protected Health Information (PHI) as defined both by HIPAA and various states’ laws.
• Personal Data and Sensitive Personal Data as defined by GDPR.

 

Legal definitions are included in the Appendix. However, definitions and interpretations vary by client and jurisdiction, so Brado chooses to utilize the broadest possible classification. As data of various sensitivity classifications is inevitably combined, Brado considers “protected data” as the most restricted level and the controls used for the entire system are the same for all above categories.

Exceptions

Brado’s business model includes a full range of marketing services, including but not limited to, market research and data analytics. The client data managed or processed by Brado is data “at rest” and Brado does not develop software that manages assets or conducts transactions for clients. Therefore, certain security requirements are not applicable to our business; including but not limited to, DMZ Hosts, externally facing servers, and data logging. These topics or procedures are not addressed herein.

Most client deliverables include evaluations of aggregate data with anonymized references and do not include PII/PHI or Personal Data.

Enforcement

Violations of this policy should be reported to the user’s supervisor, the Privacy Officer or Human Resources (HR) Department.

Brado employees who violate this policy may be subject to disciplinary action, up to and including termination. Other users in violation of this policy and related procedures may be subject to loss of visitor privileges, termination of services and/or termination of engagement from Brado. In addition, infractions of laws and regulations may involve legal action such as civil and/or criminal prosecution under state and/or federal laws.

Data Privacy & Protection Procedures

Purpose

Confidentiality and the adherence to regulations regarding protected data is addressed repeatedly in Brado’s internal and external agreements. These procedures define guidelines and processes necessary to maintain the privacy and protection of data (belonging to Brado, clients, business associates and data subjects). The Appendix includes detailed definitions of industry terms.

Administration & Review

Brado shall review and update (if applicable) the policy and procedures no less frequently than annually. This effort is directed by the leaders of the finance and information technology departments and will include the appropriate subject matter experts. Furthermore, clients often retain the right to audit Brado’s systems for MSA and regulatory compliance as related to the protected data utilized in Brado’s service delivery.

Data Retention & Security

To protect the confidentiality, integrity, and availability of information, technical safeguards to control and restrict access to the network to authorized persons are established in the Access Control Policy & Procedures.

Protected data received from or created for clients for a business service will be retained only as necessary to perform the service. Upon termination of the client agreement or business service, all protected data will be returned to the client, securely disposed of, or retained according to Brado’s Document Retention Policy & Procedures or the client’s MSA.

Controlling physical access to the buildings and facilities housing Brado’s facilities, applications, network infrastructure, and systems is necessary to safeguard the confidentiality, integrity, and availability of protected data and other sensitive information.  See the Physical Security Policy & Procedures.

Despite taking all reasonable and appropriate steps to protect the confidentiality, integrity, and availability of sensitive information, information security incidents may occur.  A consistent and effective process must be followed to ensure these incidents are remediated appropriately. The standards related to the handling of information security incidents are detailed in the Security Incident Response Policy & Procedures.

In addition to the above noted policies and procedures, Brado employs industry standard practices for safeguarding all data. This includes, but is not limited to, maintaining current anti-virus software, data encryption (at rest and in motion), regular system patching, and backup and recovery processes.

Employees

Employees with responsibilities that involve the protection of private information shall be required to read and agree to an understanding of this policy. Their acknowledgment is recorded in Human Resources (HR) records by digital signature within the IPS system upon acceptance of this policy.

Employee Confidentiality Agreement and Code of Ethics & Business Conduct

Employees sign these documents which clearly define responsibilities regarding data privacy and protection.

Background Checks

If an individual has access to protected data, background checks may be conducted at the client’s request or at Brado’s discretion.

Training

The Information Technology and Human Resources Departments shall coordinate and provide training for users concerning the handling of protected data and related regulatory requirements. In addition, employees and contractors may be required to participate in specialized training offered by clients. For example, clients often provide their own training on pharmacovigilance and the management of Adverse Event data.

Handling & Delivery

Users shall take appropriate steps to ensure that protected data is not inadvertently shared or otherwise made available to unauthorized persons. The following procedures shall be followed:

• Making additional electronic or physical copies of protected data is highly discouraged.
• Verbal discussions regarding protected data should only take place in a private setting.
• Files should be stored on the applicable departmental storage folder and should not be saved to local workstation hard drives.
• All waste hardcopies shall be destroyed according to approved document disposal procedures as explained in the Document Retention Policy & Procedures.
• Transfer of hardcopies within the office shall be personally delivered to the designated recipients and never delivered to an unattended desk or left unsecured in an open space.
• Transfer of hardcopies via commercial courier shall be sent with tracking and marked “signature required.”

When sharing or transferring protected data electronically, the following procedures regarding encryption must be followed:

• The manual encryption option must be utilized for transfer via email, i.e. the sender clicks “Encrypt” prior to sending an email.
• Transfer via removeable media requires the use of encrypted thumb drives.
• File sharing between Brado and third parties must occur via encrypted Microsoft OneDrive connections.

Informed Consent

Data subjects in qualitative studies are fully informed of their rights as research participants as well as details regarding the collection, use, disclosure, retention and other processing of their personal data. Video recordings by their very nature include personally identifiable information and classify as protected data. Brado’s Confidentiality, Consent & Waiver Agreement explains what rights have been agreed upon and shall be signed by every research participant. The Agreement should be modified as necessary, with the approval of the PG Vice President, to indicate any use that exceeds the standard.

The signed agreements are retained in the clients’ files as per the Document Retention Policy & Procedures. If a participant exercises their right to opt-out, the client must be notified per the process dictated by the MSA. The opt-out request shall also be retained in the client’s file.

If a client requests an additional consent form, Brado will acquire the participants’ signatures on the client-provided form (in addition to the Brado form) and maintain copies thereof.

For quantitative studies, informed consent is provided by the panel that provides aggregate data to Brado.

Jurisdiction

Brado considers all categories of private information to be “protected data.” See section Definitions & Classifications above in the Data Privacy & Protection Policy. Yet, it is sometimes necessary to utilize the terms and definitions appropriate to the business situation or contractual agreement. For example:

• Each office and employee are governed by the laws of the state in which they reside. States may have different definitions of protected data.
• Client organizations and individuals whose presence is limited to the United States may be subject to HIPAA, as well as the states in which they do business or reside.
• Clients with a European Union presence are obligated to comply with GDPR. Most of Brado’s pharmaceutical clients are in this group.

Terms are defined in the Appendix, including words relevant to protected data as well as other terms specific to regulatory agencies. Different governments and organizations provide varying definitions of protected data and those definitions are reproduced reference. In the Appendix, the term’s specific relevance to Brado is italicized.

Limited Access

Access and sharing are based upon the minimum necessary standard, “least privilege” or “need to know.” Only individuals requiring access to protected information based on job requirements are granted access. Access is restricted to the minimum necessary to perform an individual’s job duties.

Protected data shall not be shared or utilized beyond the scope of its original intent. When provided by clients, collected from research participants or supplied by recruiters, data is used only for the market research or other service as described in the Confidentiality, Consent & Waiver Agreement, Statement of Work and/or MSA.

Protected data internal to Brado, such as employee personnel files and confidential business information, shall not be shared without the authorization of the owner of the data and in accordance with the Employee Confidentiality Agreement.

Logging

Brado maintains and utilizes log files for security purposes. Logs are kept on critical parts of the infrastructure, with varying degrees of frequency and retention. Logs are solely used by Brado and not shared with third parties.

Notifications & Reporting

Brado’s IT Department shall report security incidents to appropriate Brado managers, which may include Finance, HR, Client Service Teams, and supervisors of relevant personnel. Brado management, as appropriate given the situation, shall notify the regulatory agencies and affected individuals and/or clients regarding any data breach or security incident within the required timeframe.

Refer to the Security Incident Response Policy & Procedures for more details.

Sanctions for Non-Compliance

Users should ask their supervisors or the Privacy Officer (see Appendix for definition) if additional clarity is needed regarding these procedures. In addition, questions can be sent to  InformationSecurity@brado.net.

Violations of these procedures should be reported to the user’s supervisor, the Privacy Officer or HR.

Brado employees who violate this policy may be subject to disciplinary action, up to and including termination. Other users in violation of this policies and related procedures may be subject to loss of visitor privileges, termination of services and/or termination of engagement from Brado. In addition, infractions against laws and regulations may involve legal action such as civil and/or criminal prosecution under state and/or federal laws.

Third Parties

Given the nature of Brado’s business, protected data will be shared with third parties and a variety of agreements are in place to address data privacy and protection. This document is available upon request to third parties that have an interest in how Brado manages protected data.

Clients & Other Business Associates.

These agreements often include the standard requirements imposed by regulatory agencies, such as HIPAA and GDPR. See the Appendix for terms and definitions. Furthermore, client MSAs and Non-Disclosure Agreements (NDAs) may include additional processes required for the care of protected data in a specific relationship. Employees are advised to consult with the Account Manager, Project Manager, or Client Partner regarding terms and conditions for a specific client or associate.

Note that these agreements often give the client or counterparty the right to audit Brado’s systems and procedures when there is "cause,” such as a security incident.

Contractors.

Brado may engage subcontractors in the provision of client services and other business activities. These individuals are held to the same standards for data privacy and protection as employees. The Independent Contractor Agreement addresses requirements for confidentiality, compliance with applicable laws and regulations as well as obligations under Brado’s IT Policies.

Vendors.

If protected data is processed, stored, transmitted or otherwise shared with a vendor, Brado’s Business Associate Privacy Agreement obligates the vendor to processes and responsibilities based upon HIPAA, GDPR and other applicable laws.

Website

A privacy policy posted on the website describes the types of information Brado may collect from visitors to www.Brado.net as well as practices for collecting, using, maintaining, protecting and disclosing that information.

 

 

Appendix A: Terms & Definitions

 

Term	Definition
Breach	Unauthorized, inadvertent or accidental acquisition, access, use, alteration, deletion, theft or disclosure of protected data. See below “Security Incident.”
Confidential Information	Includes non-public information of Brado and clients, vendors or business associates: whether written, oral or in any other form, that is disclosed learned, observed or shared between parties. Exhaustive definitions are included in MSAs, NDAs and other contracts.
Data Subject (Research Participant)	An identified or identifiable natural person whose personal data is being collected, held or processed. For example, a participant in Brado’s market research studies.
Encryption	A process of encoding information into a different form to obfuscate the information from anyone without the appropriate decoding key.
Informed Consent	Participants in research studies shall freely give specific, informed and unambiguous consent, regarding the collection, use, disclosure and retention of protected data. Brado is obligated to have informed consent from every data subject illustrated by a signature on the Confidentiality, Consent & Waiver Agreement, and to retain these documents on file.
Internal Review Board (IRB)	An administrative body affiliated with a company, university or hospital that protects the rights and welfare of subjects in research activities conducted under the auspices of the institution. Also known as an independent ethics committee, it ensures that ethical standards and legalities are met. Brado’s clients may require our services to come under such a review. When creating a Statement of Work (SoW), Brado shall clarify any such requirements prior to quoting fees and timelines.
Master Service Agreement (MSA)	An umbrella contract with clients that contains the general terms and conditions (including penalties for non-compliance) of the relationship. A SoW is subsidiary to the MSA, incorporating all the obligations with the details of a specific project. Users are advised to consult a client’s MSA regarding data privacy and protection obligations as the MSA may supersede Brado’s policies.
Need to know	A term quoted in many contracts regarding protected data, suggesting a guideline for laymen when considering sharing limitations. Prior to disclosing data to another party, consider “does that party need to know for the purpose of this business transaction or service?”
Non-Disclosure Agreement (NDA)	Parties agree to maintain the secrecy of confidential, proprietary or sensitive information shared for the purposes of a business relationship by signing this legal document. It can be one-way or mutual. It is Brado’s preference to utilize Brado’s mutual NDA which should be offered as alternative when another organization suggests that a relationship includes aspects of confidentiality.
Opt-out	Research participants, as an element of informed consent, have the right to quit or opt-out of any study at any time for any reason. MSAs require that these requests are documented and shared with clients within a specific time frame, usually less than three (3) days.
Pharmacovigilance and Adverse Events	Pharmacovigilance, also known as drug safety, is the science relating to the adverse effects of pharmaceutical products. An Adverse Event (AE) means any untoward medical occurrence in a participant, which does not necessarily have to have a causal relationship with the Product under study. An AE can be any unfavorable sign, symptom or disease occurring during the time the Product was used. MSAs obligate Brado to report and document (in a very specific format) any AE of which it becomes aware, often within one (1) business day.
Privacy Officer	A role defined by HIPAA, see Security Incident Response Policy & Procedures. At Brado, this role is currently filled by the Director of Technology.
Protected Data	Herein, this term is used to encompass PII, PHI, Personal Data, Sensitive Personal Data and Confidential Information. See below for detailed formal definitions of these categories.
Protected Information, as potentially included in definitions by other states, clients or regulations	·       All geographical identifiers smaller than a state, except for the initial three digits of a zip code if, according to the current publicly available data from the U.S. Bureau of the Census: the geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and the initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000 Dates (other than year) directly related to an individual Phone Numbers Fax numbers Email addresses Social Security numbers Medical record numbers Health insurance beneficiary numbers Account numbers Certificate/license numbers Vehicle identifiers (including serial numbers and license plates) Device identifiers and serial numbers Web Uniform Resource Locators (URLs) Internet Protocol (IP) address numbers Biometric identifiers, including finger, retinal and voice prints Full face photographic images and any comparable images Any unique identifying number, characteristic, or code except the unique code assigned by the investigator to code the data
Security Incident (Brado)	A violation or imminent threat of violation of Brado’s information security policies, acceptable use policies, or standard security practices. This includes a breach of protected or confidential data. Various regulations dictate specific procedures and communications processes; most clients demand notification with one (1) day.
Third Parties	Persons or entities other than Brado and Brado employees; may include clients, contractors, vendors and other business associates or affiliates.
	State Laws
Missouri Revised Statutes	Missouri Revised Statutes (RSMO) define and address state laws, including the safeguarding of protected information; but they represent the least restrictive regulations. These laws are relevant to Brado’s business practices limited to Missouri.
Personal Information (Missouri RSMO 407.1500)	An individual’s first name or first initial and last name in combination with any one or more of the following data elements, that relate to the individual if any of the data elements are not encrypted, redacted, or otherwise altered by any method or technology in such a manner that the name or data elements are unreadable or unusable: Social security number. Driver’s license number or other unique identification number created or collected by a government body. Financial account number, credit card number, or debit card number in combination with any required security code, access code, or password that would permit access to an individual’s financial account. Unique electronic identifier or routing code that would permit access to an individual’s financial account. Medical information. Health insurance information. Personal information does not include information that is lawfully obtained from publicly available sources, or from federal, state, or local government records lawfully made available to the general public.
Example of a state law which may obligate Brado	The California Consumer Privacy Act (CCPA) was enacted in 2018 and went into effect 1 January 2020, creating new consumer rights relating to the access to, deletion of, and sharing of personal information that is collected by businesses. It’s the first law in the US to set up a comprehensive set of rules around consumer data, akin to the GDPR.
Example of a state law which may obligate Brado	Stop Hacks and Improve Electronic Data Security (SHIELD) Act, requires businesses to implement safeguards for the "private information" of New York residents and broadens security breach notification requirements. It applies to any business that maintains the private information of New York residents. For example, it adds to the list of PII biometric information, and username or e-mail address with a password that permits access to an online account. Included here as an example of “applicable laws” that may apply to Brado.
	Health Insurance Portability & Accountability Act
HIPAA	HIPAA mandates industry-wide standards for health care information and requires the protection and confidential handling of protected health information. HIPAA is organization focused and relevant only to organizations in the United States. HIPAA regulations apply to Brado employee’s personal data as well as data shared by clients or recruiters for business services.
Individually Identifiable Health Information  (HIPAA 45 CFR 160.103)	Information, including demographics collected from an individual, which: Is created or received by a health care provider, health plan, employer, or health care clearinghouse, and Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and That identifies the individual; or With respect to which there is a reasonable basis to believe the information can be used to identify the individual
Protected Health Information (PHI)  (HIPAA 45 CFR 160.103)	Individually identifiable health information that is transmitted by electronic media, maintained in electronic media, or transmitted or maintained in any other form or medium. PHI excludes individually identifiable health information In education records covered by the Family Educational Rights and Privacy Act (FERPA), as amended; In records described at 20 USC 1232g(a)(4)(B)(iv); In employment records held by a covered entity in its role as employer; and regarding a person who has been deceased for more than 50 years.
Business Associate (HIPAA)	(1) Except as provided in paragraph (2) of this definition, business associate means, with respect to a covered entity, a person who: (i) On behalf of such covered entity or of an organized health care arrangement in which the covered entity participates, but other than in the capacity of a member of the workforce of such covered entity or arrangement, performs, or assists in the performance of: (A) A function or activity involving the use or disclosure of individually identifiable health information, including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, billing, benefit management, practice management, and repricing; or (B) Any other function or activity regulated by this subchapter; or (ii) Provides, other than in the capacity of a member of the workforce of such covered entity, legal, actuarial, accounting, consulting, data aggregation (as defined in § 164.501 of this subchapter), management, administrative, accreditation, or financial services to or for such covered entity, or to or for an organized health care arrangement in which the covered entity participates, where the provision of the service involves the disclosure of individually identifiable health information from such covered entity or arrangement, or from another business associate of such covered entity or arrangement, to the person. (2) A covered entity participating in an organized health care arrangement that performs a function or activity as described by paragraph (1)(i) of this definition for or on behalf of such organized health care arrangement, or that provides a service as described in paragraph (1)(ii) of this definition to or for such organized health care arrangement, does not, simply through the performance of such function or activity or the provision of such service, become a business associate of other covered entities participating in such organized health care arrangement. (3) A covered entity may be a business associate of another covered entity. This definition clarifies that Brado is obligated to the same regulations as is the Health Care Provider (HCP) or pharmaceutical company that shares protected data with Brado for the purposes of research and a Business Associate Agreement (BAA) is stipulated by HIPAA.
	General Data Protection Regulation
GDPR	A European Union (EU) law on data protection and privacy in the EU and the European Economic Area (EEA). It also addresses the transfer of personal data outside the EU and EEA areas. As compared to HIPAA, GDPR has greater focus on individuals’ rights, patients’ consent and the timely deletion of data. Brado accepts these additional regulations in MSAs with clients who have a presence in Europe.
Personal Data (GDPR)	Information relating to an identified or identifiable natural person (‘data subject’). The data subjects are identifiable if they can be directly or indirectly identified, especially by reference to an identifier such as an identification number or one of several special characteristics, which expresses the physical, physiological, genetic, mental, commercial, cultural or social identity of these natural persons. Examples include: Names (first, middle, surname, maiden, aliases etc.) Dates, not limited to birth Account data, customer numbers, license plate, etc. Contact details (telephones email, home addresses) Physical / Personal Characteristics, including voice and images Identification Numbers & Licenses Audio and/or visual recordings Financial, Income, Investments, etc. Location data Education and Training Physical and Electronic Tracking Profiling and Segmentation Opinions, beliefs, behaviors Genetic information
Sensitive Personal Data (GDPR)	Personal Data that is more sensitive and can leave individuals at greater risk if they are accessed: Race or ethnicity Trade union or political organization membership Religion or philosophy Biometric data (e.g. fingerprints, genetic makeup, retinal prints) Health, Healthcare, Health Insurance Gender and sexuality
Controller & Processor (GDPR)	‘Controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Your company is a joint controller when together more organizations it jointly determines ‘why’ and ‘how’ personal data should be processed. ‘Processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. The duties and responsibilities of each party are specified in addendums to MSAs.
Data Importer & Exporter (GDPR)	The Controller is also identified as the “data exporter” when personal data is transferred. The Processor is also referred to as the “data importer” who receives the data intended for processing on behalf of the exporter in accordance with specific terms and instructions.