Protection of Personal Data and BTG’s Commitment to Privacy and Security
BTG’s policy sets out the principles that BTG is to adhere to in order to protect the privacy of personal information. The requirements relate to any identified or identifiable living person on whom BTG collects, stores and processes data. The purpose of BTG’s Policy is to ensure the data are treated in an appropriate and lawful manner.
Personal Data Collected by or on Behalf of BTG
Personal data includes any information or representation that can identify an individual. Such information may be in paper or digital form. Individuals whose personally identifiable data BTG may collect and use for appropriate business purposes include the following:
Patients, including research subjects
Suppliers and service providers
Physicians, pharmacists and other healthcare professionals ("HCPs")
Investigators or other researchers
BTG further classifies personal data as sensitive personal data to the extent that it relates to any of the following information about an individual:
Racial or ethnic origin
Religious or philosophical beliefs
Trade union membership
Genetics, biometrics and/or health.
BTG takes measures in an effort to ensure sensitive personal data is subject to certain additional legal data protection safeguards.
BTG’s Privacy Principles
The following principles and requirements inform BTG’s collection, storage, and use of personal data. All BTG policies and procedures that address privacy practices are developed in accordance with these Privacy Principles and are prepared with the guidance of the BTG Privacy and Legal teams.
Principle 1: BTG Will be Accountable for Protecting Personal Data
In addition to completing company assigned training and adhering to policies and procedures, BTG management communicates and assigns accountability to BTG Staff, based on each employee’s role and responsibilities.
It is not the responsibility of management alone to lead in the critical area of data protection. All BTG Staff are accountable for protecting the personal data they handle on behalf of BTG.
Principle 2: Provide Notice Before Collecting Personal Data
BTG provides advance notice to individuals about its intended collection of personal data. Examples include obtaining patient consent for clinical trial participation and providing opt-in notices prior to collecting and utilizing HCP contact information for commercial purposes.
At a minimum, individuals are told BTG is responsible for their personal data, the purpose for which it is to be processed, and the identities of anyone to whom the data may be disclosed or transferred. Additional relevant information is to be communicated at the same time, including retention periods, the legal basis for processing, and the rights of individuals to object to certain processing (such as direct marketing). BTG collects and processes personal data only for the purposes identified to and consented to by the individual or purposes subsequently authorized by them.
Principle 3: Use of Personal Data Appropriately and as Intended
BTG may only process personal data lawfully where one or more of the following circumstances occur:
The individual’s consent is obtained
The data is needed for contractual reasons (e.g. in connection with a customer relationship or to perform a contract with a supplier)
An applicable law specifically says BTG can process the personal data
It is necessary for BTG’s legitimate business interests, provided that the rights of the individual are not unduly prejudiced
However, BTG is not to do any of the following:
Sell or otherwise provide copies of mailing lists or other contact details to third parties (unless certain legal conditions are met)
Use data to promote unrelated products and/or services
Disregard the express wishes of individuals
Process personal data in a way which the company knows the individual will find objectionable
BTG Staff are to collect or process sensitive personal data in limited circumstances and for limited purposes. In most cases, the individual's explicit consent to the processing of such data, for the particular purpose for which it is collected, will be required. Sensitive personal data, including health data, should not be collected or processed for the purpose of marketing or development activities or general demographic profiling without the individual's explicit consent.
An exception to this rule is if the personal data has been “anonymized.” The concept of anonymisation for data protection purposes, however, is narrowly defined. Excluding Company sponsored clinical trials (operated under SOPs addressing trial subject confidentiality and privacy), employees are to consult and gain the documented approval of the BTG Data Security Team (DST) before applying this exception. Other exceptions may apply for the purposes of adverse event reporting of issues that have been identified, which could affect the safety, quality and efficacy of health products.
Principle 4: Unless permissible by law, BTG will seek Permission prior to using personal information to send marketing communications to individuals.
Independent of the above principle, in every instance, BTG gives individuals the opportunity to opt-out from receiving specific or any marketing communications at any time.
Special country specific laws apply to sending e-marketing to individuals (e.g. generic email marketing campaigns to a number of contacts/customers/clients). For European citizens, for example, BTG will ensure consent (i.e., opt-in) has been obtained and comply with all opt-out requests.
In relation to email marketing, individuals must be able to 'unsubscribe' or 'opt-out' at any time by following the link at the bottom of the email. If an individual makes a particular request not to be included in BTG marketing campaigns or email circulars, BTG staff will respond appropriately and promptly to ensure the appropriate action is taken.
All marketing initiatives which involve widespread communication with our customers and potential customers must be discussed and agreed with the DPO first.
It is important to note that BTG will not share the details of customers (such as customer lists) with third parties for marketing purposes.
Principle 5: International Transfer and Disclosure to Third Parties
BTG applies the BTG Privacy Principles to wherever personal data is transferred, including across national borders, to affiliates, third parties who support BTG’s business, and partners with whom BTG does business.
When transferring personal data, where necessary (e.g., to affiliated companies, other branches, representative offices of BTG, suppliers, service providers, other third parties), BTG Staff will take steps to ensure that such personal data remains adequately protected. If transferring personal data outside of the country of collection, additional rules and requirements may apply. BTG Staff and third parties are to ensure that any such international transfers comply with the International Transfers and Third Party Processors SOP.
In most instances, sharing personal data with overseas affiliates, branches and representative offices is not in breach of DP Laws. This is because BTG has measures in place to ensure that there is an adequate level of protection over the personal data that meets the legal standards of protection. The types of controls that BTG has in place include meeting the obligations under the BTG intra-group data transfer agreement, which is based on standard clauses endorsed by the EU data protection regulators.
Principle 6: Individuals have a Right to Access and Correction
Personal data will be processed in line with individuals' rights. BTG will address the following rights of individuals:
To request access to any data held about them
To prevent the processing of their data for direct marketing purposes
To ask to have inaccurate personal data amended
To prevent processing that is likely to cause damage or distress to themselves or others
Individuals are entitled to request and see copies of all personal data the Company holds about them, unless a specific exemption applies.
If you wish to receive access to or correct information within BTG’s possession, submit your request here.
Principle 7: Ensuring and Maintaining Data Integrity is Essential
BTG ensures that personal data is accurate, up-to-date, and relevant for the purpose for which it is to be used.
BTG takes reasonable steps to ensure that personal data is reliable, accurate, and complete. Any personal data that is no longer required for the purpose for which it was collected is securely removed or destroyed, subject to any applicable retention periods, as specified in the BTG Retention and Document Management Policy.
Principle 8: BTG Recognizes that Personal Data Requires Appropriate Levels of Security
BTG uses reasonable and appropriate safeguards to protect information against loss, misuse, and unauthorized access, disclosure, alteration, or destruction.
Through its information security policies and procedures, BTG implements physical, technical, and organisational controls to protect information, including personal data that is within BTG’s possession or control. Maintaining data security means protecting the confidentiality, integrity and availability of the personal data, and is defined as follows:
Confidentiality means that only people who are authorised to use the data can access it.
Integrity means that personal data should be accurate and suitable for the purpose for which it is processed.
Availability means that authorised users should be able to access the data if they need it for authorised purposes.
Regular training on appropriate security controls is mandatory for all BTG Staff.
Principle 9: BTG is Responsible for Reporting Data Breaches and Monitoring of Key Controls
If BTG loses, suspects, or is made aware of a potential loss of any personal data including data contained in documents, a laptop, tablet, mobile phone, or any other device that contains or permits access to any individuals' confidential information, immediate action is taken by staff per Company procedure.
To prevent and/or reduce the risk of data breaches occurring, BTG monitors key processes informing the risk of a control failure and non-compliance with Company policies and procedures. This would include auditing or investigating potential control failures.
BTG has established procedures to monitor for compliance with Company requirements, to handle inquiries, and respond to privacy or security incidents and complaints. When an incident occurs or a failure to adhere to applicable policies or procedures is identified, BTG takes measures to remediate the situation and takes appropriate measures to prevent a future failure.
Data Protection Questions or Concerns
Anyone who has questions related to BTG’s Privacy and Data Protection Program, or observes potential or actual breaches, may contact BTG’s Privacy and Data Protection Officer at firstname.lastname@example.org.