NeuroCog Trials – Privacy Policy

July 24, 2017

Introduction

NeuroCog Trials [also referred to as ‘NCT Holdings, Inc.’ that includes NeuroCog Trials (NCT) and NCT Linguistics (NCTL)] is a clinical and cognition assessment services company that offers consulting, site screening, translation, rater training and certification, data review, and statistical analysis services to companies for clinical trial data that is collected from global sites.

Protecting consumer privacy is important to NCT Holdings, Inc. NCT Holdings, Inc. (hereinafter collectively referred to as the “NCT,” “we,” “us” or “our”) complies with the EU-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union to the United States. NCT has certified to the Department of Commerce that it adheres to the Privacy Shield Principles. If there is any conflict between the terms in this privacy policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. Concerning the transfer of personal data from Switzerland to the United States of America, NCT will also continue to adhere to the U.S.-Swiss Safe Harbor Framework. While NCT complies with the Swiss Safe Harbor Principles published by the U.S. Department of Commerce, we consider the Privacy Shield Principles discussed in this policy as comprehensive of both, considering they are the more stringent of the two, and will not separately codify the U.S.-Swiss Safe Harbor Principles here.

The Federal Trade Commission has jurisdiction over NCT Holdings, Inc.’s compliance with the Privacy Shield. NCT Holdings, Inc. submits to being subject to the investigatory and enforcement powers of the FTC, the Department of Transportation, or any other U.S. authorized statutory body with regard to our self-certification and implementation of the Principles, and acknowledges the right of the EU individual to invoke binding arbitration, at no cost to the individual, in filing a complaint disputing NCT’s adherence to these practices with the EU DPA (European Union Data Protection Authority), or DMASHP (Direct Marketing Association Safe Harbor Program Committee) for Swiss complaints.

This privacy policy outlines our general policy and practices for implementing the Principles, including the types of information we gather, how we use it, and the notice and choice affected individuals have regarding our use of and their ability to correct that information. This privacy policy applies to all personal information received by NCT whether in electronic, paper or verbal format, for both non-HR and HR data.

Definitions

“Local Language Experts” means NeuroCog Trials employees or contractors who provide translation services to NCT and their sponsors for test data, queries for the data or translation of other project materials including instructional videos and manuals.

“NCTL Certified Linguists” means NCTL employees or contractors who provide translation services to NeuroCog Trials or other clients. NCTL Certified Linguists specialize in translation, interpretation, voice-over, training and localization. The primary distinction between LLEs and NCTL Certified Linguists is that NCTL Certified Linguists are required to pass a more stringent nationally and internationally recognized certification process.

“Personal Information” or “Information” means information that (1) is transferred from the EU, Switzerland or other countries to the United States; (2) is recorded in any form; (3) is about, or pertains to a specific individual; and (4) can be linked directly or indirectly to that individual.

“Sensitive Personal Information” means personal information that reveals race, ethnic origin, sexual orientation, political opinions, religious or philosophical beliefs, trade union membership, genetic information, biometric data processed as a means of unique identification, or that concerns an individual’s health, or as relates to the commission of a criminal offense.

“Site Rater” will mean the clinical site staff that is trained to conduct cognitive and clinical test assessments and to collect the information from those assessments which will be transferred to the Study Sponsor and NCT to be used for clinical trials.

“Study Sponsor” will mean a party that NCT has entered into a formal agreement with where NCT will provide assistance in processing cognitive or other clinical data that will be used to support a clinical research study.

“Third Party” means any party that has entered into an agreement with NeuroCog Trials for the purpose of collecting, processing, translating, analyzing or storing personal data either manually or electronically. NCT stipulates in any agreement with a third party agent that the third party must subscribe to the Privacy Shield Principles and Framework to ensure data privacy is preserved.

“Translation Client” means any party that has entered into an agreement with NCT/NCTL for the purpose of translating personal data either manually or electronically.

Types of Information Gathered by NCT:

And the NCTL website is: http://www.nctlinguistics.com/

If you visit either website, no personal information is collected unless you choose to contact us using the website ‘Contact Us’ link. The only information we collect is your ‘Name’, ‘Email’ and your ‘Question / Comments’ as it is entered by you. We only use this information to address your inquiry or comment. We will not disclose any personal data offered via the contact information on the NCT or NCTL websites.

NCT uses Virtual Visitor to collect information about how many visitors we get, where they come from and how they use our website. Virtual Visitor collects public information and provides it in a report form. It does not identify the specific individual accessing the website. The results help us to improve the services offered on our website.

  • Cognitive and Clinical Assessment Test Data for Clinical Trials:

NCT collects, processes, translates, analyzes and stores cognitive and clinical test data from clinical trials for their Study Sponsors. This test data may be captured on paper or electronically and it may include personal information from the subject or site raters. NCT works with the Study Sponsor to ensure that the subjects and site raters understand what type of data is being collected and to clarify the purpose for collecting the data. NCT works with the Study Sponsor and site rater(s) to limit the collection of any personal data that is not relevant to the study. In these types of studies, only the Study Sponsor will have the ability to contact an individual directly in order to allow them to opt out of any disclosures of personal data that are not previously authorized.

The electronic data captured for studies may include audio or video recordings of the cognitive test assessments. Video recordings are used to provide feedback to the site rater on their performance of testing and to correct errors in the data that is collected. Video recordings are never used to identify a subject. NCT ensures that the site staff are trained to take all measures possible to conceal the identity of the subject during these recordings. Other biometric data may be captured in order to ensure the integrity of data collected in clinical studies; however, NCT has implemented measures to eliminate all access to this data in its original state in order never to compromise an individual’s personal information.

In some cases NCT may collect the data for a research study on their own (e.g. under a research grant). In these cases NCT will work with an Investigational Review Board (IRB) or Ethics Committee (EC) to ensure that subjects and raters understand what type of data is collected and to clarify the purpose for collecting the data. In these types of studies, NCT will limit the collection of any personal data for individuals participating in the study that is not relevant to the study.

  • Human Resource and Financial Information:

Most NCT employees are located at the NCT office in Durham, North Carolina, United States, but our Local Language Experts (LLEs) or NCTL Certified Linguists may be located in any country. LLEs/NCTL Certified Linguists provide translation services for NCT and our sponsors. NCT collects human resource and financial information from the LLEs/NCTL Certified Linguists as needed to continue their employment with NCT.

For any human resources data of EU citizens accessed, NCT agrees to cooperate and comply with the EU Data Protection Authorities (DPAs) to provide a recourse mechanism for any complaints regarding the handling of this data.

  • Translation:

NCTL Certified Linguistics offers translation services for their translation clients. The translation services include written/verbal translations, localization, narration, etc. for all industries.

All NCT employees are expected to adhere to the privacy principles noted in this Privacy Policy and NCT has implemented security procedures to protect any data that is handled by our internal employees and any remote LLEs/NCTL Certified Linguists.

Principles

Notice
NCT collects cognitive and clinical assessment test information from clinical sites for the purpose of clinical research, translations and statistical analysis. This information is collected and prepared for NCT’s Study Sponsors unless the research is solely conducted by NCT (e.g. Grants). NCT and the Study Sponsor use standard processes (e.g. consent forms) to inform study participants about the purpose of the clinical research and the intended use of data that is collected for those studies. The data that is collected by NCT may be shared with the Study Sponsor, a vendor (Third Party) hired by NCT to assist with the trial, regulatory agencies, or other affiliates, subsidiaries or agents of the Study Sponsor as required by study contracts or as required by law (e.g. lawful requests by public authorities or to meet national security or law enforcement requirements).

Choice
NCT will work with Study Sponsors to offer individuals the opportunity to affirmatively consent or explicitly dissent (opt-out) to the disclosure of their Personal Information to a third party or for a purpose materially different from the purpose for which it was originally collected or subsequently authorized by the individual.

For Sensitive Personal Information, NCT will not process any such information relating to individuals for any purpose other than that for which it was originally or subsequently authorized by the individual without first receiving prior explicit consent (opt-in), or as required or permitted, or where not prohibited by law or regulation.

NCT reserves the right to disclose information as required by law, or if deemed necessary to prevent physical harm, financial loss, or in connection with an investigation or legal proceeding.

NCT takes very seriously an individual’s right to choice regarding Personal Information, as far as required by applicable law, and will facilitate all reasonable and appropriate means to allow such access.

Onward Transfers
Prior to disclosing Personal Information to a third party, NCT or their Study Sponsor will notify the individual of such disclosure and allow the individual the choice (opt out) of such disclosure. NCT will ensure that any third party for which Personal Information may be disclosed subscribes to the Principles and will enter into a contract with the third party that provides that such data may only be processed for limited and specified purposes consistent with the consent provided by the individual and that the recipient will provide the same level of protection as the Principles. NCT will take reasonable and appropriate steps to ensure that any third party agent effectively processes the personal information transferred in a manner consistent with our obligations under the Principles, and upon notice, will take reasonable and appropriate steps to stop and remediate unauthorized processing. NCT will require said agent to notify the organization if it makes a determination that it can no longer meet its obligation to provide the same level of protection as is required by the Principles. NCT will also provide a summary or representative copy of the relevant privacy provisions of its contract with that agent to the Department upon request.

NCT will remain liable under the Principles if its third party agent processes such personal information in a manner inconsistent with the Principles, unless the organization proves that it is not responsible for the event giving rise to the damage.

Additionally, NCT will treat as sensitive any personal information received from a third party where the third party identifies and treats it as sensitive.

If NCT leaves the Privacy Shield Framework at any point, it must annually certify its commitment to apply the Principles to information received under the Privacy Shield Framework if it chooses to keep such data or provide “adequate” protection for the information by another authorized means.

Data Security
NCT will take reasonable steps to protect the Information from loss, misuse and unauthorized access, disclosure, alteration and destruction. NCT has put in place appropriate physical, electronic and managerial procedures to safeguard and secure the information from loss, misuse, unauthorized access or disclosure, alteration or destruction. NCT cannot guarantee the security of Information on or transmitted via the Internet.

Data Integrity
NCT will only process Personal Information in a way that is compatible with and relevant for the purpose for which it was collected or authorized by the individual. To the extent necessary for those purposes, NCT will take reasonable steps to ensure that Personal Information is accurate, complete, current and reliable for its intended use. NCT will adhere to the Principles for as long as it, or any contracted third party acting on its behalf, retains such information.

Access
NCT will allow an individual access to their Personal Information and allow the individual to correct, amend or delete inaccurate information, or to allow access to Personal Information processed in violation of the Principles, except where the burden or expense of providing access would be disproportionate to the risks to the privacy of the individual in the case in question or where the rights of persons other than the individual would be violated.

Enforcement
NCT uses a robust self-assessment approach to assure compliance with this privacy policy and periodically verifies that the policy is accurate, comprehensive for the information intended to be covered, prominently displayed, completely implemented and accessible and in conformity with the Principles. NCT remains obligated to remedy any problems arising out of failure to comply with the Principles. We encourage interested persons to raise any concerns using the contact information provided below and we will investigate and attempt to expeditiously resolve any complaints and disputes regarding use and disclosure of Personal Information in accordance with the Principles.

If a complaint or dispute cannot be promptly resolved through our internal process, we agree to co-operate with the European Data Protection Authorities (DPAs) dispute resolution procedures.

NCT will respond promptly to inquiries and requests by the Department for information relating to Privacy Shield and will respond expeditiously to complaints regarding compliance with the Principles referred by EU Member State authorities through the Department and will respond to consumer complaints within 45 days of receipt of the complaint. NCT, in cooperation with DPAs, will respond directly to such authorities with regard to the investigation and resolution of complaints and will comply with any advice given by the DPAs where the DPAs take the view that NCT needs to take specific action to comply with the Privacy Shield Principles, including remedial or compensatory measures for the benefit of individuals affected by any non-compliance with the Principles, and will provide the DPAs with written confirmation that such action has been taken.

Amendments

This privacy policy may be amended from time to time consistent with the requirements of the Privacy Shield Framework and Swiss Safe Harbor Program. We will post any revised policy on this website.

Information Subject to Other Policies

NCT is committed to following the Principles for all Personal Information within the scope of the Privacy Shield Agreement. However, certain information is subject to policies of NCT that may differ in some respects from the general policies set forth in this privacy policy.

Contact Information

In compliance with the Privacy Shield Principles, NCT commits to resolve complaints about our collection or use of your personal information, whether of a human resources nature or not. European Union individuals with inquiries or complaints regarding our Privacy Shield policy or U.S.-Swiss Safe Harbor policy should first contact NCT Holdings, Inc. (NCT & NCTL) at:

Address:
NeuroCog Trials
Attn: Privacy Officer
3211 Shannon Road, Suite 300
Durham, NC 27707

Email: privacy@neurocogtrials.com

Please use the following link to learn more about the Privacy Shield program and to view the NCT certification: https://www.privacyshield.gov

Please use the following link to learn more about the U.S.-Swiss Safe Harbor Program and to view the NCT certification: https://safeharbor.export.gov/swisslist.aspx

This NCT Privacy Policy can be viewed at our website: http://www.neurocogtrials.com/

And the NCT Privacy Policy can also be viewed on the NCTL website: http://www.nctlinguistics.com/

Further Complaints: NCT Holdings, Inc. (NCT & NCTL) commits to cooperate with the panel established by the EU data protection authorities (DPAs) and comply with the advice given by the panel with regard to data transferred from the EU, whether of a human resources nature or not. To file a complaint, free of charge, regarding potential mishandling of EU data by NCT Holdings, Inc. for citizens of the countries listed below, you may refer to the following website to locate the specific emails, websites, mailing addresses, and phone numbers for your corresponding country’s Data Protection Authority:

http://ec.europa.eu/justice/data-protection/article-29/structure/data-protection-authorities/index_en.htm:

• Austria
• Belgium
• Bulgaria
• Croatia
• Cyprus
• Czech Republic
• Denmark
• Estonia
• Finland
• France
• Germany
• Greece
• Hungary
• Ireland
• Italy
• Latvia
• Lithuania
• Luxembourg
• Malta
• Netherlands
• Poland
• Portugal
• Romania
• Slovakia
• Slovenia
• Spain
• Sweden
• United Kingdom
• Or to contact the European Data Protection Supervisor

http://ec.europa.eu/justice/data-protection/bodies/authorities/efta/index_en.htm:

• Iceland
• Liechtenstein
• Norway

To file a complaint regarding Swiss data privacy concerns, you may contact the Swiss Federal Data Protection and Information Commissioner (FDPIC) to oversee any potential dispute resolution via the link at the following website:

http://privatim.ch/fr/les-preposes.html

Binding Arbitration

An individual has the possibility, under certain conditions, to invoke binding arbitration for complaints regarding Privacy Shield compliance not resolved by any of the other Privacy Shield mechanisms. The following is a link to Annex I for additional information:

https://www.privacyshield.gov/article?id=ANNEX-I-introduction