Curae Pharma360 Inc. and its affiliates (“Company”) may, in the course of legitimate business activities, collect, create, store, use, disclose, and dispose of Personal Data and Company Data. Personal Data and Company Data must be protected, managed, and safeguarded in a responsible and legal manner.
The purpose of this policy is to establish the responsibilities for managing the privacy of Personal Data and Company Data that Company obtains or creates in the course of legitimate business interactions.
2.1 This policy applies to employees and contractors of Company and its subsidiaries (collectively referred to as “Company Representatives”).
2.2 This policy applies to all Company Data and Personal Data, including Protected Health Information (PHI), that is collected, stored, used, disclosed, or disposed of by or on behalf of Company.
3.1 Company Data: All data in any mode (electronic, paper, or oral) related to the Company itself, its mission, business, work, products, people, business relationships, and competitors, including external and internal communications.
3.2 Data Protection Officer (DPO): Company individual responsible for overseeing data protection strategy and implementation.
3.3 Data Subject: An identified or identifiable individual whose Personal Data has been collected or otherwise processed.
3.4 Protected Health Information (PHI): In accordance with the Health Insurance Portability and Accountability Act (HIPAA), PHI is information that relates to:
(1) an individual’s past, present or future physical or mental health or condition,
(2) a provision of health care to the individual, or
(3) the past, present, or future payment for the provision of health care to the individual,
and that identifies the individual or for which there is a reasonable basis to believe can be used to identify the individual. Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security Number).
HIPAA protects all "individually identifiable health information" held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information "protected health information (PHI)."
3.5 Personal Data: Company Data about an individual, in any form (electronic, paper, or oral), that:
(1) is created or received by or on behalf of Company, and
(2) identifies the individual, or with respect to which there is a reasonable basis to believe that the information can be used to identify the individual. Personal Data is subject to state or federal laws and the laws and regulations of other jurisdictions, which typically place restrictions on the collection, use, disclosure, storage and disposal of that information. It includes, but is not limited to, subcategories of information such as Protected Health Information, defined herein.
4.1.1 Company shall not proactively collect, store, use (or access), disclose, or dispose of Personal Data, except where doing so is required to conduct a legitimate Company business activity.
4.2 Data Collection
4.2.1 When collecting Personal Data, Company will collect such data lawfully, fairly, and transparently. Company will require the same of third parties that collect Personal Data on its behalf.
4.2.2 The collection of Personal Data shall be limited to data that is relevant and appropriate for purposes of (i) providing a medical product, clinical trial, or other patient services, (ii) policy or regulatory advocacy efforts, (iii) providing information regarding (including the marketing of products and services) or soliciting support (financial or other) for either of (i) or (ii), or as required by law.
4.2.3 Personal Data shall be collected in a manner that strives to ensure accuracy of data. Reasonable efforts shall be made to keep the data current or up to date.
4.2.4 Company shall collect anonymized Personal Data, or information that neither identifies nor provides a reasonable basis to identify an individual, whenever reasonably practical to do so.
4.3 Notice, Consent, and Access
4.3.1 Company will comply with applicable law regarding the provision of a privacy notice or statement to individuals about whom Personal Data is collected, maintained, used, or disclosed that explains how Company uses and discloses the Personal Data.
4.3.2 To the extent that Personal Data is to be collected, Company will identify whether, in accordance with applicable law, an intended collection, use, or disclosure of Personal Data requires that individuals be provided with an opportunity to consent or opt-out and, if so, to provide and honor those individual choices.
4.3.3 Company will honor the rights of individuals to access Personal Data about them and provide such access as required by all applicable laws.
4.4 Use and Retention
4.4.1 Company will only use and store Personal Data for legitimate business purposes consistent with this policy, legal requirements, Data Subject consent, and any applicable privacy notices provided to the individual.
4.4.2 Company shall establish reasonable policies and procedures for the retention and secure disposal of Personal Data in accordance with its legitimate business needs, applicable law, and in conformance with Company’s record retention requirements.
4.5 Data Security
4.5.1 Company shall establish, implement, and monitor reasonable administrative, physical, and technical security safeguards to protect Personal Data from unauthorized (intentional or unintentional) access, disclosure, corruption, misuse, or loss.
4.5.1.1 Administrative safeguards include requiring each Company Representative to log in to Company systems and devices utilizing their own login credentials.
4.5.1.2 Technical safeguards include limiting access to Personal Data by enforcing appropriate computer firewalls that limit system access to authorized Company Representatives.
4.5.1.3 Physical safeguards include locking doors or filing cabinets and requiring the use of door access cards.
4.6 Safeguarding Personal Data and Company Data
4.6.1 Company Representatives shall take measures to safeguard and secure Personal Data and Company Data, including, without limitation, the following:
4.6.1.1 Limiting access to Personal Data and Company Data when working remotely, while on travel for business, or when accessing Personal Data or Company Data from personal or home devices (including personal smartphones or home computers);
4.6.1.2 Taking appropriate measures to assure that Personal Data and Company Data is protected and secure (e.g., multi-factor authentication);
4.6.1.3 Refraining from allowing individuals not working for Company to access Personal Data and Company Data; and
4.6.1.4 Upon request, the DPO should provide a Data Subject the ability to have their Personal Data deleted. This will not be possible in some circumstances, such as clinical trial or adverse event data collected in the course of research or for reporting to regulatory agencies.