Privacy Policy of Neorad BV (SOP425-02)
1 Purpose
The purpose of this Standard Operating Procedure is to define the controls needed for the identification, confidentiality, integrity and availability of personal information, in accordance with applicable regulatory requirements, in order to protect this information. This personal information includes personal data concerning health.
2 Definitions and abbreviations
The following definitions and abbreviations are used in this document:
Information assets
A piece of information that has value to organisations or person(s). Information assets take many forms and include data printed or written on paper, stored electronically, transmitted by post or by electronic means, stored on media (e.g. a USB stick), or spoken in conversation.
Confidentiality
Ensuring that information is accessible only to authorized individuals and protecting it from unauthorized disclosure.
Integrity
Safeguarding the accuracy and completeness of information and processing methods.
Availability
Ensuring that authorized users have access to relevant information when required.
Risk analysis
Systematic use of available information to identify hazards and to estimate the risk.
Personal data
Any information relating to an identified or identifiable natural
person: an identifiable natural person is one who can be
identified, directly or indirectly, in particular by reference to
an identifier such as a name, an identification number,
location data, an online identifier or to one or more factors
specific to the physical, physiological, genetic, mental,
economic, cultural or social identity of that natural person
(source: regulation 2016/679).
Personal data concerning health
All data pertaining to the health status of a data subject which
reveal information relating to the past, current or future
physical or mental health status of the data subject. This
includes information about the natural person collected in the course
of the registration for, or the provision of, health care services
to that natural person; a number, symbol or particular assigned to
a natural person to uniquely identify the natural person for
health purposes; information derived from the testing or
examination of a body part or bodily substance, including from
genetic data and biological samples; and any information on, for
example, a disease, disability, disease risk, medical history,
clinical treatment or the physiological or biomedical state of the
data subject independent of its source, for example from a
physician or other health professional, a hospital, a medical
device or an in vitro diagnostic test (source: regulation
2016/679).
Information security incident
A suspected, attempted, successful, or imminent threat of unauthorized access, use, disclosure, breach, modification, or destruction of information; interference with information technology operations; or significant violation of the responsible use policy.
Autoriteit Persoonsgegevens
Dutch authority assigned to monitor compliance with the EU Data Protection Regulation 2016/679.
3 Responsibilities
The CEO is responsible for the security policy of personal
information and is ultimately responsible for an adequate level of
security. The CEO is responsible for assigning authorities.
The QA manager is responsible for managing information security and for archiving of records.
All staff are responsible for adhering to this policy, and for reporting any security breaches or incidents to the QA manager.
Department managers are responsible for awareness training for all department staff involved.
4 Procedure
4.1 Security of confidential personal information
The purpose and objective of this information security policy is
to safeguard the privacy of persons (enforced in the Netherlands
by: ‘Wet bescherming persoonsgegevens’, BWBR0011468).
Management recognizes that the increasing use of modern communication technology, and the growing complexity of and interrelationship between the automated systems in use, make the company more dependent on its automated information systems and more vulnerable, and that computer criminality is becoming more professional and a greater threat. Furthermore, the processing of personal data, including data concerning health, introduces specific risks and demands additional responsibilities concerning information security.
In general, the main hazards to prevent are:
- the loss of confidentiality, integrity and availability of personal data for business reasons
- the loss of personal data for the persons involved
- infringement of applicable regulation
- financial business risks in case of information security breach
4.2 Process
4.2.1 Identification of confidential personal information
The CEO and QA manager are responsible for identification of any confidential personal information and identification of the applicable regulatory requirements. At NeoRad personal information is (potentially) involved during the following processes:
- Information obtained during the order handling process.
- Information obtained during customer feedback processes (e.g. PMS data, customer complaint data).
- Information obtained during clinical investigations.
- Information obtained during human resource processes.
The identification of the type of personal information and applicable regulatory
requirements will be addressed during Management review.
4.2.2 Risk analysis
The CEO and QA manager are responsible for identification and evaluation of the risks and vulnerabilities related to confidential personal information. This analysis and evaluation of information security risks will be done prior to or during management review (SOP561-01), or whenever significant changes are proposed.
Risk analysis is carried out considering the identification of risks concerning:
- significant trends and changes in information security risks
- known and foreseeable risks, under normal or abnormal circumstances
- people involved in processing personal information
- equipment used for processing or storage of personal information
- software used during processing or storage of personal information
- personal data to be protected
- the environment where personal data are stored or processed
- organizational roles and responsibilities
- suppliers and services needed for personal data protection
The identified risks, or a reflection of the discussion during Management review, will be recorded.
4.2.3 Risk Control
The CEO and QA manager are responsible for identification of the risk control measures to be implemented to reduce the risks. These measures should be related to the confidential information involved and the risks identified in 4.2.2.
The company has identified the following risk control measures:
- Handling of personal information by limited, authorized staff only (CEO, QA/RA Manager).
- Strict separation of the database containing personal information on the network.
- Anonymization of personal information before further processing whenever possible, implemented in the relevant procedures (e.g. order handling, complaint handling), so that no documents containing personal information circulate through the whole company.
- No sharing of personal information with external parties without a confidentiality agreement.
- Internal sharing of personal data only according to the "need to know" principle.
- No processing of documents containing personal data outside the company premises.
- All breaches of information security, actual or suspected, addressed via the CAPA system.
- Protection of personal information on the agenda of Management review and Internal audit.
4.2.4 Monitoring follow-up
Monitoring of the protection of confidential personal
information will be done via the management review. Protection of
personal information will be on the agenda of internal audits.
4.3 Information security incidents
All security incidents related to personal data need to be reported to the QA manager and addressed via the CAPA system in order to minimize the consequences of the incident.
The company will keep records of every incident that could lead to serious adverse effects for the protection of personal data.
The QA manager and CEO are responsible for judging the severity of
the incident and, if required, notification of it to the
authorities.
In case of a security incident the company needs to inform the person involved whenever personal information has been unintentionally disclosed and whenever lack of availability of information systems may have adversely affected them. The notification of the data breach to the subject involved should take into consideration the nature of the incident and the actual consequences for the person involved. Notification of the subject is not required if the responsible party has implemented sufficient cryptographic or other techniques to make the data inaccessible to others.
In case of theft of business property containing confidential personal information, the theft should be reported to the QA manager in the same manner as other security incidents. In addition, the police will be informed.
It is required by law that serious data breaches are reported to the ‘Autoriteit Persoonsgegevens’ using the template on the website autoriteitpersoonsgegevens.nl. In general, this needs to be done when personal data have been leaked and it cannot be excluded that the data can be used by unauthorized persons. The document ‘De Meldplicht datalekken in de Wet bescherming persoonsgegevens (Wbp), Beleidsregels voor toepassing van artikel 34a van de Wbp (8 dec 2015)’ provides guidance on the correct procedure.
The following information needs to be provided at least:
- The nature of the data breach and the authorities from which more information can be obtained, including recommendations and measures to minimize the negative effects of the breach.
- A description of the observed and suspected effects of the security breach and the measures the responsible party has taken or proposes in order to remedy the consequences.
For infringement of the duty to notify the ‘Autoriteit Persoonsgegevens’ of data leaks, the authority may impose an administrative fine.
4.4 Output
The outcome of this process is that personal information is identified and risk control measures are taken in order to protect personal data.
5 References
SOP424-01 Record Control
SOP561-01 Management Review
SOP852-01 Corrective and Preventive action
BWBR0011468 Wet bescherming persoonsgegevens
2016/679 EU Data Protection Regulation
De Meldplicht datalekken in de Wet bescherming persoonsgegevens (Wbp).
Beleidsregels voor toepassing van artikel 34a van de Wbp (8 dec 2015)