NCT Holdings, Inc. [also referred to as ‘VeraSci‘, formerly known as ‘NeuroCog Trials (NCT)’ and ‘NCT Linguistics (NCTL)’] is a clinical and cognition assessment services company that offers eCOA (electronic Clinical Outcome Assessments), Consulting, Site/Rater Screening, Rater Training and Certification, Scale Licensing, Translations, Data Review, Statistical Analysis services to companies for clinical trial data that is collected from global sites.
The Federal Trade Commission has jurisdiction over VeraSci’s compliance with the Privacy Shield. VeraSci. submits to being subject to the investigatory and enforcement powers of the FTC, the Department of Transportation, or any other U.S. authorized statutory body with regards to our self-certification and implementation of the Principles and acknowledges the right of the EU individual to invoke binding arbitration, at no cost to the individual, in filing a complaint disputing VeraSci’s adherence to these practices with the EU DPA (European Union Data Protection Authority). The authority of the Swiss FDPIC (Federal Data Protection and Information Commissioner) will substitute for that of the EU DPA’s authority throughout the Swiss – U.S. Privacy Shield.
“Cookies” means small pieces of data stored by your Internet browser on your computer’s hard drive when visiting a website to make the site run better and/or to provide information to the website owners. Now commonly used, cookies can be controlled through web browsers, including the option to delete them from browser history once no longer visiting a website if desired.
“EU-US Privacy Shield” means the EU-U.S (including UK) and Swiss-U.S. Privacy Shield Frameworks that were designed by the U.S. Department of Commerce, the European Commission, the Swiss Administration and the UK Administration to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the European Union, the UK, and Switzerland to the United States in support of transatlantic commerce.
“GDPR (General Data Protection Regulation)” means a new regulation that replaces the current European Union (EU) Data Protection Directive 95/46/EC. The Regulation will apply to all EU Member States and is effective as of May 2018. The GDPR brings harmonization by applying the same set of Data Protection rules across the Europe.
“Local Language Experts (LLEs)” means VeraSci employees or contractors who provide translation services to VeraSci and their sponsors for test data, queries for the data or translation of other project materials including instructional videos and manuals.
“Personal Information” or “Information” means information that (1) is transferred from the EU, the UK, and Switzerland or other countries to the United States; (2) is recorded in any form; (3) is about or pertains to a specific individual; and (4) can be linked directly or indirectly to that individual.
“Sensitive Personal Information” means personal information that reveals race, ethnic origin, sexual orientation, political opinions, religious or ideological beliefs or activities, trade union membership, genetic information, biometric data processed as a means of unique identification, or that concerns an individual’s health, social security measures, or as relates to the commission of a criminal offense or sanctions thereof.
“Site Rater” will mean the clinical site staff that is trained to conduct cognitive and clinical test assessments and to collect the information from those assessments which will be transferred to the Study Sponsor and VeraSci to be used for clinical trials.
“Study Sponsor” will mean a party that VeraSci has entered into a formal agreement with where VeraSci will provide assistance in processing cognitive or other clinical data that will be used to support a clinical research study.
“Third Party” means any party that has entered into an agreement with VeraSci for the purpose of collecting, processing, translating, analyzing or storing personal data either manually or electronically. VeraSci stipulates in any agreement with a third-party agent that the third party must subscribe to the Privacy Shield Principles and Framework to ensure data privacy is preserved.
“Translation Client” means any party that has entered into an agreement with VeraSci for the purpose of translating personal data either manually or electronically.
“VeraSci Certified Linguists” means VeraSci employees or contractors who provide translation services to VeraSci or other clients. VeraSci Certified Linguists specialize in translation, interpretation, voice-over, training and localization. The primary distinction between LLEs and VeraSci Certified Linguists is that VeraSci Certified Linguists are required to pass a more stringent nationally and internationally recognized certification process.
Types of Information Gathered by VeraSci:
- Cognitive and Clinical Assessment Test Data for Clinical Trials: VeraSci collects, processes, translates, analyzes and stores cognitive and clinical test data from clinical trials for their Study Sponsors. This test data may be captured on paper or electronically and it may include personal information from the subject or site raters. VeraSci works with the Study Sponsor to ensure that the subjects and site raters understand what type of data is being collected and to clarify the purpose for collecting the data. VeraSci works with the Study Sponsor and site rater(s) to limit the collection of any personal data that is not relevant to the study. In these types of studies, only the Study Sponsor will have the ability to contact an individual directly in order to allow them to opt out of any disclosures of personal data that are not previously authorized.The electronic data captured for studies may include audio or video recordings of the cognitive test assessments. Audio and video recordings are used to provide feedback to the site rater on their performance of testing and to correct errors in the data that is collected. Other biometric data may be captured in order to ensure the integrity of data collected in clinical studies, however VeraSci has implemented measures to eliminate all access to this data in its original state in order never to compromise an individual’s personal information.In some cases, VeraSci may collect the data for a research study on their own (e.g. under a research grant). In these cases, VeraSci will work with an Investigational Review Board (IRB) or Ethics Committee (EC) to ensure that subjects and raters understand what type of data is collected and to clarify the purpose for collecting the data. In these types of studies, VeraSci will limit the collection of any personal data for individuals participating in the study that is not relevant to the study.
- Human Resource and Financial Information:
Most VeraSci employees are located at the VeraSci office in Durham, North Carolina, United States but our Local Language Experts (LLEs) or Certified Linguists may be located in any country. LLEs/Certified Linguists provide translation services for VeraSci and our sponsors. VeraSci collects human resource and financial information from the LLEs/Certified Linguists as needed to continue their employment with VeraSci.
For any human resources data of EU or UK citizens accessed, VeraSci agrees to cooperate and comply with the EU Data Protection Authorities (DPAs) to provide a recourse mechanism for any complaints regarding the handling of this data. Similarly, VeraSci will cooperate with the Swiss FDPIC for human resources data of Swiss citizens. Also refer to the section in this policy for “CHOICE” that provides additional options for related to the data we collect.
VeraSci’s Certified Linguistics offers translation services for their translation clients. The translation services include written/verbal translations, localization, narration, etc. for all industries.
VeraSci collects cognitive and clinical assessment test information from clinical sites for the purpose of clinical research, translations and statistical analysis. This information is collected and prepared for VeraSci’s Study Sponsors unless the research is solely conducted by VeraSci (e.g. research grants). VeraSci and the Study Sponsor use standard processes (e.g. consent forms) to inform study participants, site staff and other individuals that work with VeraSci as applicable, about the purpose of the clinical research and the intended use of data that is collected for those studies. The data that is collected by VeraSci may be shared with the Study Sponsor, a vendor (Third Party) hired by VeraSci to assist with the trial, regulatory agencies, or other affiliates, subsidiaries or agents of the Study Sponsor as required by study contracts or as required by law (e.g. lawful requests by public authorities or to meet national security or law enforcement requirements).
VeraSci will work with Study Sponsors to offer individuals the opportunity in clear and plain language to affirmatively consent or explicitly dissent (opt-out) to the disclosure of their Personal Information to a third party or for a purpose materially different from the purpose for which it was originally collected or subsequently authorized by the individual.
For Sensitive Personal Information, VeraSci will not process any such information relating to individuals for any purpose other than that for which it was originally or subsequently authorized by the individual without first receiving prior explicit consent (opt-in), or as required or permitted, or where not prohibited by law or regulation.
VeraSci reserves the right to disclose information as required by law, or if deemed necessary to prevent physical harm, financial loss, or in connection with an investigation or legal proceeding.
VeraSci takes very seriously an individual’s right to choose regarding Personal Information, as required by applicable law, including the EU General Data Protection Regulation. VeraSci will facilitate, on behalf of the company and potentially other third parties, all reasonable and appropriate means to allow the following, as appropriate when compared with “the public interest in the availability of the data”:
- Plainly readable access to personal data, its location, and the purpose of its use
- To make easily accessible and to promptly comply with any request to transfer the data to another processor or facilitate withdrawal (opt-out) of further consent regarding continued use of an individual’s Personal Information
- To respect an individual’s right to be forgotten on request or as the data is no longer relevant to the original purposes for processing by ceasing further dissemination of the data
Prior to disclosing Personal Information to a third party, VeraSci or their Study Sponsor will notify the individual of such disclosure and allow the individual the choice to opt out of such disclosure. VeraSci will ensure that any third party for which Personal Information may be disclosed subscribes to the GDPR and Privacy Shield Principles and will enter into a contract with the third party that provides that such data may only be processed for limited and specified purposes consistent with the consent provided by the individual and that the recipient will provide the same level of protection as the Principles. VeraSci will take reasonable and appropriate steps to ensure that any third-party agent effectively processes the personal information transferred in a manner consistent with our obligations under the Principles, and upon notice, will take reasonable and appropriate steps to stop and remediate unauthorized processing. VeraSci will require said agent to notify the organization if it makes a determination that it can no longer meet its obligation to provide the same level of protection as is required by the Principles. VeraSci will also provide a summary or representative copy of the relevant privacy provisions of its contract with that agent to the Department upon request.
VeraSci will remain liable under the Principles if its third-party agent processes such personal information in a manner inconsistent with the Principles, unless the organization proves that it is not responsible for the event giving rise to the damage.
Additionally, VeraSci will treat as sensitive any personal information received from a third party where the third party identifies and treats it as sensitive.
If VeraSci leaves the Privacy Shield Framework at any point, it must annually certify its commitment to apply the Principles to information received under the Privacy Shield Framework if it chooses to keep such data or provide “adequate” protection for the information by another authorized means.
VeraSci will take reasonable steps to protect the Information from loss, misuse and unauthorized access, disclosure, alteration and destruction. VeraSci has put in place appropriate physical, electronic and managerial procedures to safeguard and secure the information from loss, misuse, unauthorized access or disclosure, alteration or destruction.
VeraSci will only process Personal Information in a way that is compatible with and relevant for the purpose for which it was collected or authorized by the individual. To the extent necessary for those purposes, VeraSci will take reasonable steps to ensure that Personal Information is accurate, complete, current and reliable for its intended use. VeraSci will adhere to the Principles for as long as it, or any contracted third-party acting on its behalf, retains such information.
As noted in the Choice section, VeraSci will allow an individual readable access to their Personal Information and allow the individual to correct, amend or delete inaccurate information, request transfer of Personal Information to another processor, or to allow access to Personal Information processed in violation of the Principles, except where the burden or expense of providing access would be disproportionate to the risks to the privacy of the individual in the case in question or where the rights of persons other than the individual would be violated.
If a complaint or dispute cannot be promptly resolved through our internal process, we agree to co-operate with the European Data Protection Authorities (DPAs) or Swiss FDPIC accordingly dispute resolution procedures.
VeraSci will respond promptly to inquiries and requests by the Department for information relating to the GDPR or Privacy Shield and will respond expeditiously to complaints regarding compliance with the Principles referred by EU Member State, UK, or Swiss authorities through the Department and will respond to consumer complaints within 45 days of receipt of the complaint. VeraSci, in cooperation with DPAs, will respond directly to such authorities with regard to the investigation and resolution of complaints and will comply with any advice given by the DPAs where the DPAs take the view that VeraSci needs to take specific action to comply with the Privacy Shield Principles, including remedial or compensatory measures for the benefit of individuals affected by any non-compliance with the Principles, and will provide the DPAs with written confirmation that such action has been taken.
Information Subject to Other Policies
In compliance with the Privacy Shield Principles, VeraSci commits to resolve complaints about our collection or use of your personal information, whether of a human resources nature or not. Individuals with inquiries or complaints regarding our Privacy Shield policy should first contact VeraSci at:
Attn: Privacy & Data Protection Officer
3211 Shannon Road, Suite 300
Durham, NC 27707
Please use the following link to learn more about the Privacy Shield program and to view the VeraSci certification: https://www.privacyshield.gov
VeraSci commits to cooperate with the panel established by the EU data protection authorities (DPAs), the UK Administration, the Swiss Federal Data Protection and Information Commissioner (FDPIC), and comply with the advice given by the panel with regard to data transferred from the EU, UK, or Switzerland, whether of a human resources nature or not. To file a complaint, free of charge, regarding potential mishandling of EU, UK, or Swiss data by VeraSci for citizens of the countries listed below, you may refer to the following websites to locate the specific emails, websites, mailing addresses, and phone numbers for your corresponding country’s Data Protection Authority or the Swiss FDPIC:
- Czech Republic
- United Kingdom
- Or to contact the European Data Protection Supervisor
- Iceland https://eeas.europa.eu/diplomatic-network/iceland/3032/data-protection
- Liechtenstein https://eeas.europa.eu/diplomatic-network/liechtenstein/3032/data-protection
- Norway https://eeas.europa.eu/diplomatic-network/norway/3032/data-protection
To file a complaint regarding Swiss data privacy concerns, you may contact the Swiss Federal Data Protection and Information Commissioner to oversee any potential dispute resolution. You may reach the FDPIC via the following contact information:
Swiss Federal Data Protection and Information Commissioner
mail: Feldeggweg 1
telephone: +41 (0)58 462 43 95 (mon.-fri., 10-12 am)
fax: +41 (0)58 465 99 96
online contact form: https://www.edoeb.admin.ch/edoeb/de/home/der-edoeb/kontakt/kontaktformular.html
An individual has the possibility, under certain conditions, to invoke binding arbitration for complaints regarding Privacy Shield compliance not resolved by any of the other Privacy Shield mechanisms. The following is a link to Annex I for additional information:
Please note that at the first annual review, the Department of Commerce will work with the Swiss Government to put in place the binding arbitration option in Annex I of the Swiss-U.S. Privacy Shield Framework.
Version 12, Effective as of 18 Dec 2019