What is the purpose of this document?

NeRRe Therapeutics Limited (“NeRRe”) sponsors clinical research studies, including in the United Kingdom and the European Union (“Research Study/Studies”). NeRRe is committed to protecting the privacy and security of the personal information provided by the participants of our Research Studies.

The purpose of this privacy notice is to describe to previous and potential participants how we collect and use personal information about them during and after their participation in a Research Study, in accordance with the General Data Protection Regulation (GDPR).

We use information from participants in order to undertake the Research Study and act as the data controller for the Research Study. This means that we are responsible for looking after participant information and using it properly.

Why do we process participant personal information?

Health and care research should serve the public interest, which means that we have to demonstrate that our research serves the interests of society as a whole. We do this by following the UK-policy-framework-health-social-care-research.

We use personally-identifiable information to conduct research to improve health and care. As a pharmaceutical company we have a legitimate interest in using information relating to participant health and care for research studies, when they agree to take part in a Research Study.

This means that we will use participant data, collected in the course of a Research Study, in the ways needed to conduct and analyse the Research Study.

We may also have a legitimate interest in using information relating to participant health and care in order to enable the investment in, or acquisition or sale of, all or part of our business or assets by a third party.

In other situations, we may also process participant personal data where:
– we have obtained participant prior consent;
– the processing is necessary to perform our contractual obligations towards participants or to take pre-contractual steps at participant’s request; or
– the processing is necessary to comply with our legal or regulatory obligations.

To safeguard participant rights, we will use the minimum personally-identifiable information possible.

How do we collect participant personal data?

Information will be collected from participants by a third party for the Research Study in accordance with our instructions. Participants are made aware of the identity of this third party.

The third party will keep participant names and contact details confidential and will not pass this information to us. The third party will use this information as needed, to contact participants about the Research Study, and make sure that relevant information about the Research Study is recorded for the care of participants, and to oversee the quality of the Research Study. Certain individuals from NeRRe and regulatory organisations may look at the medical and research records of participants to check the accuracy of the Research Study.

NeRRe will only receive information without any identifying information. The people who analyse the information will not be able to identify participants and will not be able to find out names or contact details.

What type of personal information do we process?

We will process health data about participants that has been collected as part of the Research Study. As stated above, this will only be health data which does not contain any identifying information. This may include any relevant health information from:
– The participant’s medical history;
– Assessments made during the Research Study including physical exams, laboratory measurements and other test results; and
– Records about any medications received during the Research Study.

How do we share this personal data?

In some circumstances, we may have to share participant personal data with third parties, for example where we are required by law or where we have another legitimate interest in doing so.

This could include, for example, sharing:
– to third-party service providers (such as the Clinical Research Organisation(s) who might manage various elements of the trial as well as cloud storage providers, provision of IT services, contractors and consultants);
– to parties to whom we provide clinical development services to and/or other entities within our group;
– in the context of the possible acquisition, fundraising or restructuring of the business.

We may also need to share participant personal information with regulatory authorities or to otherwise comply with the law.

We require third parties to respect the security and confidentiality of participant data and to treat it in accordance with the law. For example, third parties are required to take appropriate security measures to protect personal information in line with our policies. We will, where possible, only share anonymised data, and/or ensure that access to the data is password protected and restricted on a strict need-to-know basis.

We only permit third parties to process participant personal data for specified purposes and in accordance with our instructions.

We may need to transfer participant personal information outside the EU for one or more of the above purposes. If we do, participants can expect a similar degree of protection in respect of their personal information, for example ensuring that the third parties have joined the EU-US Privacy Shield, or by agreeing standard contractual clauses with the third parties.

Further information about these protective measures can be requested from the Clinical Data Privacy Manager.

How secure is participant personal data?

We have put in place measures to protect the security of participant information. All personal data is held on a secure cloud server with limited and password protected access.

We have put in place appropriate security measures to prevent participant personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to participant personal information to those employees, agents, contractors and other third parties who have a business need to know. They will only process personal information on our instructions, and they are subject to a duty of confidentiality. Details of these measures may be obtained from the Clinical Data Privacy Manager.

We have put in place procedures to deal with any suspected data security breach and will notify participants and any applicable regulator of a suspected breach where we are legally required to do so.

How long will we retain participant personal data?

We will only retain your personal information in accordance with legal requirements.

Participant rights in connection with personal data

By law participants have certain rights in relation to the personal information that we collect about them. The general rights are for a participant to:
• Request access to the personal information
• Request correction of the personal information that we hold
• Request erasure of the personal information
• Object to processing of the personal information
• Request the restriction of processing of the personal information
• Request the transfer of the personal information to another party

However, please note that rights to access, change or move information are limited, as we need to manage participant information in specific ways in order for the research to be reliable and accurate. If a participant withdraws from the Research Study, we will keep the information about them that we have already obtained. To safeguard participant rights, we will use the minimum personally-identifiable information possible.

If you have participated in a NeRRe sponsored Research Study and would like to exercise your rights in relation to your data, please contact the Clinical Data Privacy Manager in writing.

Clinical Data Privacy Manager

We have appointed Elizabeth Ballantyne as a Clinical Data Privacy Manager to oversee compliance with this privacy notice. Any complaints about our handling of personal data, or questions about this privacy notice or how we handle personal data, should be addressed to the Clinical Data Privacy Manager – clinicalDPM@nerretherapeutics.com. All Research Study participants have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues.

Any questions about this Privacy Notice should be sent to the Clinical Data Privacy Manager, e-mail clinicalDPM@nerretherapeutics.com