Privacy Policy

VCTC policy documents are designed to provide VCTC's customers with an understanding of VCTC's position and policies in relation to regulations and key aspects of our services.

VCTC Ltd ('we' and 'us') is a trading name of The VCTC Limited ICO Registration Reference "ZB379736" and our registered DPO is DPO@istormsolutions.co.uk.

VCTC are committed to protecting and respecting the privacy of subjects, nurses, customers, suppliers and employees, and this includes their personal and health related information. This policy, together with our terms of use, and any other documents referred to on it, sets out the basis on which any personal data (or personal information) we collect or that is provided to us, will be processed by us.

As an organisation, the VCTC have a responsibility to safeguard all personal data that it holds. The company is responsible for ensuring compliance with the UK Data Protection Act 2018 (incorporating GDPR) applicable data privacy and data protection regulations with regards to employee data, business information and data concerning trial subjects (patients) i.e. those data required by VCTC to conduct trial visits in the patient's home.

Types of personal data we collect and from where:

Personal information can be anything that identifies and relates to a living person. This can include information that when put together with other information can then identify a person. For example this could be your name and contact details. Here are some examples we might use:

• Names
• Contact information
• Medical History and Records
• Demographic information such as location, age, date of birth
• CVs/Resumes

We acquire data from various businesses and locations including from yourselves when you access our site or where you provide your information directly to us. We also acquire data from 3rd parties such as Clinical Trial providers or your GP.

Our Lawful Basis we rely on for any processing of data is your explicit consent.

VCTC acting as a Data Controller:

VCTC Employee Data

VCTC acts as Data Controller as it retains control over the purposes for processing personal data about its employees and the manner in which it does this. This is covered further via and internal employee privacy notice.

Customer Data

VCTC acts as a Data Controller as we hold a database of individual business contacts and this data is used to send updates and news to them on a regular basis. VCTC can only store this data if the individual has consented ("opted in").

VCTC acting as a Data Processor/Sub-Processor:

Trial Participant Subject Data

VCTC acts as a Data Processor where clinical trial data are concerned. VCTC processes personal information that is needed in order to support the clinical trial in question as per relevant agreements that are in place with the controllers. The controller of the data will determine how VCTC process this data, the security VCTC will provide, training of staff and retention. To find out more about how VCTC works as a processor for your data in this manner please see our clients' websites and privacy notices.

VCTC will comply with the expectations of the controllers in how they handle and process your data and in regards to the onboarding of any sub-contractors if agreed with the controller. All documents used by VCTC and its subcontractors in the provision of the service are reviewed and approved by the trial Sponsor (Controller), or their delegate.

Third Party Study Personnel

VCTC acts as both a Data Controller and a Processor where third parties supporting trials are concerned. In order to perform our services and to conform to ICH-GCP, VCTC is obliged to confirm that individuals from any third parties are suitably qualified and competent to do so. As such, VCTC holds CV's/resumes and forwards these on to customers (Controller). Furthermore, we may also store contact details of healthcare professionals who support our Services. Under ICH-GCP, VCTC are also required to store and archive information relating to our services, individual rights still apply to this data.

Data protection principles:

VCTC are legally obligated to process data only where it can comply with the principles laid out in Art 5 of the UK GDPR, this state data must be:

• Processed lawfully, fairly and in a transparent manner in relation to individuals.
• Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
• Adequate, relevant and limited to what is necessary.
• Accurate and, where necessary, kept up to date.
• Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
• Processed in a manner that ensures appropriate security of the personal data.

Clinical Trial Site Services

VCTC provides a service to the clinical research community, thereby falling under the regulations of this industry.

Informing Trial Participants Subjects of Access to and Collection of Personal Data

All trial participants subjects must be made aware of what happens to the personal data collected about them during a trial and also who has access to it. Reference to the release of their information to VCTC will be made in the Patient Information Sheet and Informed Consent (PIS/IC) or assent form, signed by individual trial participants subjects.

VCTC take responsibility for requesting from their client the version of the PIS/IC that will be used in a trial and reviewing it to ensure that information is contained in the document with regards to 3rd party access. If it is not possible to incorporate this in the principal version, a specific PIS/IC will need to be submitted for ethics review and approval and signed by all trial participants subjects. All staff receive training by VCTC on their responsibilities for the handling and management of personal data.

VCTC Access to Trial Participant Subject Data

Within VCTC, access to personal data is limited to only those personnel who are assigned to a specific trial within VCTC. All documents used as part of VCTC's service that do not require personal subject details use a unique identifier (number) instead of the participant's subject's name provided by the trial site – this is typically the number of the trial site and a unique number assigned to each trial participant.

Data Subject Access Rights

You can request a copy of the personal information that we hold about you at any time and we will arrange for a copy to be issued to you, free of charge, within 1 calendar month. We will ask you for proof of your identity before we disclose any information if we are unsure of your identity.

If you believe that the information we hold about you is incorrect you can ask for it to be corrected. If you believe we are processing your personal information without a legal basis, you can ask us to stop. You can also ask us to delete your personal information from our systems.

If you decide to move away from us for any reason, you can request for your personal data to be transferred to a new provider on your behalf.

To action any of the above, please send an email to: DPO@istormsolutions.co.uk.

Personal Data Breaches

VCTC is required to report certain types of personal data breach to the relevant supervisory authority within 72 hours of becoming aware of a breach. If the breach is likely to result in a high risk to data subjects' rights and freedoms, we must also inform those individuals without undue delay.

A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes. It also means that a breach is more than just about losing personal data.

VCTC's DPO will determine if a breach has occurred and will inform the appropriate authorities and customers in accordance with local requirements.

Retention of data

VCTC will only process data for as long as relevant for the purposes it was collected. Once the data is no longer required for the purpose with which it was collected, VCTC will remove the data from its systems or pseudonymise/anonymise the data so you can no longer be identified by it for example, for archiving purposes. VCTC may at times retain information but will only do so where required by law or where the information has been anonymised.

Contact us

In the event that any individual or organisation has a complaint with regard to how VCTC has handled their personal information, please contact us at:

VCTC The VCTC, 10 Pear Tree Close, Hartshorne, Swadlincote, DE11 7AQ
Address: https://www.thevctc.com/
Email: dpo@istormsolutions.co.uk

Changes to this privacy notice

This privacy Notice was updated: September 2024

VCTC Limited reserves the right to update this privacy notice at any time, and we will provide you with notification when we make any substantial updates. We may also notify you by alternative means, periodically, about the processing of your personal information.