Veramed Technical and Organisational Measures

1. Confidentiality (Article 32 Paragraph 1 Point b GDPR)

Company shall ensure the following:

  • Physical Access Controls
    • Policy that covers Office Security (POL-HR-002) to prevent unauthorized persons from gaining access to data processing systems including the following measures to prevent physical access:
      • Key and key fob physical entry control system to offices.
      • Documented distribution of keys and key fobs to employees.
      • Accompanying guests in the building at all times.
      • Reporting unauthorised access to Veramed Office immediately to Management.
    • Staff are required to read the policy upon joining and document this in their training record.
  • Systems Access Controls
    • Policy that covers IT Security (POL-IT-002) to prevent unauthorized persons from gaining access to systems including the following measures to prevent electronic access:
      • Securing portable Equipment
      • Performing a logoff or session lock for any device left unattended, to prevent unauthorised access.
      • Password controls designed to manage and control password strength and usage, including prohibiting users from sharing passwords.
      • Use of multi-factor authentication to mitigate the risks of a user password being compromised.
    • Staff are required to read the policy upon joining and document this in their training record.
  • Data Access Control (permissions for user rights of access to and amendment of data)
    • Policy that covers IT Security (POL-IT-002) to:
      • protect IT systems with suitable anti-virus, firewall and internet security software.
  • Controlled user access to ensure personal data cannot be read, copied, modified or removed without authorization in the course of processing.
    • Standard Operating Procedure that covers user access management (SOP-IT-004) to:
      • ensure access to systems and data is controlled and approved.
  • Transmission controls
    • Policy that covers IT Security (POL-IT-002) to:
      • Require that data is only transferred using approved systems.
  • Input controls
    • Veramed is not responsible for and does not undertake clinical trial data collection or data entry.
  • Agreement Control
    • Client contracts contain detailed information on the type and scope of the commissioned data processing, the purpose and the duration of processing of the Client’s personal data.
    • Client contracts include Terms and Conditions relating to Confidentiality and Personal Data.
    • Employee contracts include a clause to comply with the company Data Protection Policy.
    • Standard Contract Clauses set out terms for international transfers of data between Veramed Ltd and its subsidiaries.
  • Data backups
    • To ensure that Personal Data is protected against accidental destruction or loss: backups are taken on a regular basis; backups are encrypted and are secured and saved separately from other data.
    • Backups are retained for, and deleted after, the following periods:
      • one week for daily backups
      • one month for weekly backups
      • three months for monthly backups
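The retention schedule above, implemented as a pruning routine. This is an added example, not Veramed's backup software. It assumes one backup per day, reads "one month" as 30 days and "three months" as 90 days, and treats the newest backup in each ISO week and in each calendar month as the weekly and monthly copy respectively; a backup is deleted only when no tier still wants it. The 120-day history in `demo()` is constructed sample data.

```python
"""Grandfather-father-son pruning for the retention schedule above.

Added example, not Veramed tooling. Assumptions: one backup per day; the
newest backup in each ISO week is the "weekly" copy and the newest in each
calendar month is the "monthly" copy; "one month" is read as 30 days and
"three months" as 90 days. A backup survives if any tier still wants it.
"""
from datetime import date, timedelta

DAILY_DAYS = 7      # daily backups kept for one week
WEEKLY_DAYS = 30    # weekly backups kept for one month (assumed 30 days)
MONTHLY_DAYS = 90   # monthly backups kept for three months (assumed 90 days)


def _newest_per_bucket(backups, key):
    """Map each bucket (week or month) to the newest backup date in it."""
    newest = {}
    for d in backups:            # backups is sorted ascending, so last write wins
        newest[key(d)] = d
    return set(newest.values())


def select_backups_to_keep(backup_dates, today):
    """Return the set of backup dates still covered by some retention tier."""
    backups = sorted(set(backup_dates))

    def age(d):
        return (today - d).days

    daily = {d for d in backups if age(d) < DAILY_DAYS}
    weekly = {d for d in _newest_per_bucket(backups, lambda d: d.isocalendar()[:2])
              if age(d) < WEEKLY_DAYS}
    monthly = {d for d in _newest_per_bucket(backups, lambda d: (d.year, d.month))
               if age(d) < MONTHLY_DAYS}
    return daily | weekly | monthly


def plan_retention(backup_dates, today):
    """Split backups into (keep, delete), both sorted oldest first."""
    keep = select_backups_to_keep(backup_dates, today)
    delete = set(backup_dates) - keep
    return sorted(keep), sorted(delete)


def demo():
    """Constructed history: 120 consecutive daily backups ending on 2024-06-30."""
    today = date(2024, 6, 30)
    history = [today - timedelta(days=i) for i in range(120)]
    return plan_retention(history, today)


if __name__ == "__main__":
    keep, delete = demo()
    print(f"keep {len(keep)} backups, delete {len(delete)}")
    for d in keep:
        print("  keep", d.isoformat())
```

Run against the constructed history, the routine keeps 13 of the 120 backups: the last seven dailies, the Sunday copies for the four earlier weeks still inside 30 days, and the month-end copies for May and April (31 March is 91 days old and falls out). A deleted backup that is also encrypted, as the policy above requires, is only gone once its storage copy is removed, so the `delete` list is what a deletion job should act on, not the `keep` list.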
  • Data Segregation
    • Guidance on standard folder structure (GUI-OP-003) to:
      • Ensure that data is appropriately segregated and access controlled
  • Pseudonymisation (Article 32 Paragraph 1 Point a GDPR; Article 25 Paragraph 1 GDPR)
    • Veramed is not responsible for pseudonymisation of clinical trial data; the Controller is responsible for integrating necessary safeguards to protect data subject rights.
  • Encryption in transit
    • Appropriate encryption is in place when transferring data over the internet or otherwise.
    • Site-to-site VPN connections are used to protect data in transit across the internet.
  • Encryption at rest
    • Appropriate encryption is in place for data at rest including backups.


2. Integrity (Article 32 Paragraph 1 Point b GDPR)

Company shall ensure the following:

  • Data Transfer Control
    • All staff are obliged to ensure that personal data belonging to, provided by, or provided to the client is handled in accordance with data protection regulations and company policies. Study-related data is transferred only by an approved method that protects the contents in transit to the authorised recipient using strong encryption (SOP-SP-004: Document and Data Transfer).
    • Data is archived or deleted in accordance with data protection regulations and the contract (SOP-GB-006: Archiving and Records Retention).
  • Data Entry Control
    • Veramed is not responsible for and does not undertake clinical trial data collection or data entry.
  • International Transfers
    • Veramed shall ensure data transfers outside the EEA are completed in compliance with SOP-SP-004: Document and Data Transfer, applicable data privacy and security laws, and in conformance with SCCs in place (where relevant). Such transfers will only be carried out to perform the applicable services required of Veramed or its sub-processors (if applicable).
  • Password Security
    • All passwords must, where the software, computer or device allows:
      • be at least 8 characters long;
      • contain at least three out of the following four groups of characters – lower case letters, upper case letters, numbers and symbols;
      • be different from the previous password;
      • not be obvious or easily guessed (e.g. birthdays or other memorable dates, memorable names, events or places etc.); and
      • be created by individual Users.
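The checkable rules above (minimum length, three of four character classes, difference from the previous password, and a screen for obvious values) as an added Python example; this is illustrative code, not Veramed's own tooling. The denylist and the date regex are constructed stand-ins for "memorable names" and "memorable dates", and the 8-character threshold is the figure from the policy text. The rule that passwords are created by individual users is procedural and cannot be verified by code, so it is not implemented.

```python
"""Check a candidate password against the policy rules stated above.

Added example, not Veramed tooling. Implements the rules a program can
verify: minimum length, at least three of four character classes, not the
same as the previous password, and not an obvious value. The denylist and
date pattern are constructed approximations of "memorable names/dates".
"""
import re
import string
from typing import List, Optional

MIN_LENGTH = 8  # threshold taken from the policy text

# Constructed denylist standing in for "memorable names, events or places";
# a real deployment would use a large common-password or breach list.
OBVIOUS_VALUES = {"password", "veramed", "welcome", "letmein", "qwerty"}

# dd/mm/yyyy, ddmmyyyy, yyyy-mm-dd and similar shapes (assumption: these
# cover the "birthdays or other memorable dates" rule).
DATE_PATTERN = re.compile(
    r"(\d{1,2}[/.-]?\d{1,2}[/.-]?(19|20)\d{2})"
    r"|((19|20)\d{2}[/.-]?\d{1,2}[/.-]?\d{1,2})"
)


def character_classes(password: str) -> int:
    """Count how many of the four classes (lower, upper, digit, symbol) appear."""
    present = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ]
    return sum(present)


def is_obvious(password: str) -> bool:
    """Reject denylisted words (ignoring digits/symbols) and embedded dates."""
    letters_only = re.sub(r"[^a-z]", "", password.lower())
    if letters_only in OBVIOUS_VALUES:
        return True
    return DATE_PATTERN.search(password) is not None


def check_password(password: str, previous: Optional[str] = None) -> List[str]:
    """Return the policy rules the password violates; an empty list means it passes."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if character_classes(password) < 3:
        failures.append("fewer than three of four character classes")
    if previous is not None and password == previous:
        failures.append("same as previous password")
    if is_obvious(password):
        failures.append("obvious or easily guessed")
    return failures


if __name__ == "__main__":
    for candidate in ["Tr4vel-Lisbon", "Ab1!", "alllowercase", "Password1!", "Jo12/05/1990!"]:
        print(candidate, "->", check_password(candidate) or "OK")
```

Comparing only against the immediately previous password, as the policy states, is deliberate: keeping a longer history would require storing more old hashes, which is its own risk, and the example does not go beyond what the page requires.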


3. Availability and Resilience (Article 32 Paragraph 1 Point b GDPR)

Company shall ensure the following:

  • Availability Control
    • Employment of an uninterruptible power supply system or emergency power supply system.
    • Data backups (Daily for a week, weekly for a month, monthly for three months).
    • Disaster recovery procedures (REF-GB-003) designed to retrieve any accidentally deleted files.
  • Rapid Recovery (Article 32 Paragraph 1 Point c GDPR)
    • Business continuity (REF-GB-002) and disaster recovery procedures (REF-GB-003) designed to maintain service and/or recovery from foreseeable emergency situations or disasters.


4. Procedures for regular testing, assessment and evaluation (Article 32 Paragraph 1 Point d GDPR; Article 25 Paragraph 1 GDPR)

Company shall ensure the following:

  • Data Protection Management
    • An overarching, Board-level, commitment to the protection of personal data.
    • Policy that covers Data Protection (POL-GB-003) to ensure compliance with the GDPR.
    • Appointment of a company Data Protection Officer, whose role is integrated into the relevant operational procedures.
    • Conduct data protection impact assessments (DPIAs) to identify the most effective way to comply with data protection obligations where necessary.
  • Incident Response Management
    • A disaster recovery plan (REF-GB-003) that includes the prevention, response and recovery strategies in the case of an IT security breach.
    • Processes for investigating, recording and reporting breaches that may include a risk of exposure of personally identifiable information (SOP-GB-010: Management of Personal Data Breaches).
  • Data Protection by Design and Default (Article 25 Paragraph 2 GDPR)
    • Processes to conduct risk assessments and data protection impact assessments (DPIAs) related to computer systems (SOP-IT-001) to identify the most effective way to comply with data protection obligations.