Quintiles Global Data Protection Program

At Quintiles, given the nature of our work, the protection of personal data, particularly patients’ personal health information, and customer confidential data, is critical for our company and our customers. With regard to personal data and customer confidential data, Quintiles has been widely acknowledged for our long-established and robust global data protection program that follows the “Privacy by Design” concept. In fact, Quintiles Global Chief Privacy Officer has been designated (June 2014) as Privacy by Design (PbD) Ambassador for Canada. In this regard, Quintiles has issued global corporate policies: (1) “Protection of Personal Information” (QCP_RB_CDP0005), which sets forth Quintiles’ commitment to protecting personal information in accordance with applicable laws and regulations, regardless of the location, nature, source, or form of such information, and (2) “Data Confidentiality” (QCP_RB_CDP0007), which sets forth Quintiles commitment to protecting the confidential and proprietary information of Quintiles and our customers, vendors or business partners.”

In accordance with these global corporate policies for the protection of personal and confidential information and to follow Privacy by Design, Quintiles chartered the global Council on Data Protection (CODP), which serves as Quintiles’ “privacy office” and internal privacy board, reporting to the Office of the General Counsel. The Chair of the Council serves as Quintiles’ global Chief Privacy Officer and the Vice Chair is the Head of European Data Protection. The Council includes members and advisors from a representative cross-section of operations and across geographies and lines of business, including quality assurance, clinical operations, human resources, product development, commercialization, IT, legal and regulatory affairs. Council members include the company’s Global IT Security Officer, the head of Global Security, and privacy officials from several Quintiles’ regions, including our Japan Privacy Officer, Southeast Asia Privacy Officer, Privacy Officer for China, and our Commissioner of Data Protection for Germany. Further, the Council seeks advice and guidance from independent members and outside advisors from a variety of backgrounds.

One of the fundamental roles of the CODP is to serve as a contact point for privacy and confidentiality inquiries and “information incidents” regarding privacy and confidentiality of data and security issues pertaining to identifiable information controlled and / or processed by Quintiles. The CODP has designated a Privacy Incident Response Team (PIRT) to manage the handling of information incidents in accordance with an Information Incident Response Plan (IIRP). Quintiles conducts periodic security breach simulations with an external monitor to determine whether enhancements may be needed for the IIRP.

Quintiles intends that its corporate privacy and confidentiality policies and standard practices and procedures will ensure timely compliance with all applicable local and international privacy laws and regulations and customer contract provisions. Should an employee violate the company’s privacy or confidentiality policy, that employee is subject to discipline up to and including dismissal. The Council has developed a global “Privacy Awareness Basic Training” Self-study course through “Learning Curve”, which is mandated for all Quintiles’ employees on the company’s privacy and confidentiality policies and procedures. This course is part of Quintiles’ CORE Compliance Curriculum and is implemented and tracked through the Enterprise Compliance Office.

In addition, the Council is charged with monitoring the company’s compliance with all applicable international data protection laws, regulations, and applicable guidance, including, without limitation and as applicable, the HIPAA privacy regulation, the EU Data Protection Directive, Japan’s Personal Information Protection Act (PIPA), Korea PIPA, Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA). Though Quintiles is not a covered entity under HIPAA, many of the company’s services are provided to HIPAA covered entities. Accordingly, the company has decided voluntarily to implement several of the HIPAA privacy standards, and has put into place many administrative and technical safeguards that meet or exceed the HIPAA standards.

Quintiles must meet the requirements of the EU Data Protection Directive for the protection of personal data in the EU. Moreover, to permit the transfer of personal data outside the EU to Quintiles facilities in other countries, Quintiles must meet the “adequate level of protection” requirement of the Directive. For the transfer of data outside of the EU and Switzerland to our United States facilities, Quintiles certified adherence (effective 05 January 2005; with annual recertification) to the U.S.-EU Safe Harbor Privacy Principles and also certified to the U.S.-Swiss Safe Harbor in 2011. To monitor compliance with the company’s certification to the Safe Harbor, Quintiles Council on Data Protection conducts periodic, random reviews of Quintiles’ sites receiving personal data from the EU. For onward transfers of personal data to third parties, e.g., vendors (subcontractors), we require that these third parties demonstrate that they provide at least the same level of data protection, by requiring completion of a Vendor Privacy Assessment and execution of a Vendor or Subcontractor Privacy and Security Certification Standard. With respect to “adequacy” for the transfer of personal data from the EU to Quintiles sites in countries other than the U.S., Quintiles requires execution of EU “Model Contracts”, that is, Data Transfer Agreements (DTAs). For more information about Quintiles’ U.S.-EU and U.S.-Swiss Safe Harbor certification, see: https://safeharbor.export.gov/companyinfo.aspx?id=25930.

On the Quintiles public website at http://www.quintiles.com/privacy/privacy-policy-statement/ is where Quintiles describes its global privacy policy.