Privacy Policy

This is the New England Survey Systems, Inc. (hereafter referred to as “NESS”) Privacy Policy for Personal Information and/or Personal Data entered by users of NESS software. NESS provides solutions for our clients for processing and storing data in support of clinical trials and medical studies. NESS clients determine what data to collect with the NESS solutions. Such data may include personal information about their authorized users, employees, and clinical trial patients. Only as instructed by our clients, NESS processes and provides access to this data. NESS does not “control” or own such personal data.

Prior to any study deployment, all data that is requested to be collected by our client or customer relating to a natural person who may be identified either directly or indirectly must be classified as personal data. Such “personal data” classification is the responsibility of the client (the “data Controller”).

Once identified by the client, access to such personal data that is processed by NESS is under strict access control rules, expressly dictated by the client, and implemented by NESS. Those data points identified by the client as personal information will be logically segregated from non-personal information. Access to personal information is defined by the NESS client (the “data Controller”).

Data sets and Data points on any forms with such personal data will default to the word “Redacted” or other artificial/pseudonymized data; the only exceptions being those entities authorized by the client to access such personal data. Access to identified personal data is restricted solely as instructed by the client.

Further, data that is processed by NESS is never transmitted outside of NESS without a Data Transfer Specification that is agreed to and signed by the NESS client.

The purpose of this Privacy Policy is to provide an overall structure for embracing the goals and procedures to maintain the privacy of individuals interacting with NESS NEForm applications and externally-facing websites. NESS does not have subsidiaries or affiliates adhering to the Data Privacy Framework Principles.

Applicable Regulations. This Policy addresses NESS compliance with the US Health Insurance Portability and Accountability Act (HIPAA) privacy rule; and with respect to data collected in the EU, the European Union General Data Protection Regulation (GDPR) (2016/679), effective 25 May 2018.

______________________________________________________________________________
(1)The terms ”Personal information” and “Personal Data” will be used interchangeably in this document
(2)Personal data that can no longer be attributed to a specific data subject without the use of additional information, that additional information being kept separately and securely.

A Data Controller determines the purpose and means of the processing of personal data. The client contracting with NESS for NEForm applications is the Data Controller.

Data NESS Collects

NESS collects personal data from the NESS public websites (NESS website www.neform.com is accessible outside of the NESS firewall). NESS may passively collect personal data such as IP addresses, log files, or cookies through the external facing website. NESS may also collect personal data, such as email addresses, given voluntarily by individuals contacting NESS through the external facing website.

The www.neform.com website is not intended for use by minors. NESS does not knowingly collect personal information of minors via www.neform.com .

Applicable Law

Except with regard to personal data collected in the EU and Switzerland, this Privacy Policy covering individuals who use NESS solutions will be construed under the laws of the State of Massachusetts, USA, without giving effect to any conflict of law provisions. Submission of any disputes not involving the personal data of EU or Swiss individuals, will be to the state and federal courts located in Boston, Massachusetts, USA. See our Data Privacy Framework notice below.

Scope

This Policy is explicitly applicable to, but not limited to, Clinical Trial Privacy issues. This Policy addresses the procession, use, and retention of Protected Health Information under the US Health Insurance Portability and Accountability Act (HIPAA) privacy rule.

This Policy addresses the processing, use, and retention of personal information collected in the European Union, under the auspices of the GDPR.

NESS does not intend to collect the personal information of minors unless explicitly required by a client and only if the process comports to this privacy policy and all relevant regulations.

How We Use Collected Information

NESS commits to protecting the privacy of all users interacting with NESS software products –web-based applications and mobile applications.

This Policy describes the Types and Purposes of personal information NESS collects, how NESS protects that information, and the conditions controlling how the information is shared.

This Policy defines Personal Information as nonpublic information relating to an identified or identifiable living individual.

Personal Information Collection: NESS client-specific applications will provide clear and conspicuous notice regarding the uses of personal information collected directly from individuals, such as through a registration process or a webpage.

Personal Information Processing: In the course of using a NESS client-specific application, a user may be requested to provide personal information. Personal information may include but is not limited to the following:

Contact information: As part of the registration process, a user may provide their name, date of birth, mailing address and email address, and phone number.

Other Information Processing: Through the use of NESS application, other information which does not reveal an individual’s specific identity or does not directly relate to an individual may be processed. Other information may include but is not limited to:

Internet Protocol (IP) address: An IP address may be collected from a user of NESS NEForm applications. The IP address may be used to monitor activities such as location.

Combined Information: If there are any instances where NESS combines Other Information with Personal information, such as combining a precise geographical location with an individual’s name, the combined information becomes Personal Information and is treated as Personal Information.

Personal Information Sharing and Use: The personal information processed by NESS may be used to contact an individual:

  • In connection with the NESS application registration
  • To respond to their comments, questions, concerns, and suggestions
  • As specified by the terms of NESS’s contracts with the data Controller.

NESS processes and retains personal information only as explicitly directed by the data Controller (NESS’s client). NESS does not own the personal information processed by NESS client-specific applications. NESS does not share personal information with third parties

NESS will immediately inform the Client (data controller), in writing:

  • Of any request for access to any Personal Information received by NESS from an individual who is (or claims to be) the subject of the data, or a request from such individual to cease or not begin Processing, or to rectify, block, erase or destroy any such Personal Information;
  • Of any request for access to any Personal Information received by NESS from any government official (including any data protection agency or law enforcement agency), or a request from such government official to cease or not begin processing, or to rectify, block, erase or destroy any such Personal Information;
  • Of any inquiry, claim or complaint regarding the processing of the Personal Information received by NESS;
  • Of any other requests with respect to Personal Information received from the client’s employees or other third parties, other than those set forth in the agreement or a request to cease or not begin processing, or to rectify, block, erase or destroy any such Personal Information.
  • NESS will not respond to those requests unless explicitly authorized in writing by the Client.

Information Access, Revision and Opting Out:

An individual may choose to ‘opt out’ of receiving communication from NESS and/or request removal of their contact information. An individual with issues about access, correction, amendment, deletion or restriction of use of personal information must direct those concerns to the data Controller (NESS’s Client) who in turn authorizes NESS to take appropriate action. NESS cannot withdraw any previous disclosures made with the individual’s authorization. NESS reserves the right to retain and disclose an individual’s information as permitted or required by law or regulation. If you have any questions regarding this Privacy Policy, please contact dataprivacy@nesurv.com .

For EU and Swiss Individuals: Data Privacy Framework Notice for Personal Data Transfers to the United States

Any Personal Information collected about EEA or Swiss individuals via NEForm applications are processed in the United States by NESS.

NESS complies with the EU-US Data Privacy Framework and the Swiss-US Data Privacy Framework as set forth by the US Department of Commerce regarding the collection, use, and retention of personal information from European Union member countries and Switzerland transferred to the United States pursuant to The Data Privacy Framework. NESS has certified that it adheres to the Data Privacy Framework Principles with respect to such data. If there is any conflict between the policies in this privacy policy and data subject rights under the Data Privacy Framework Principles, the Data Privacy Framework Principles shall govern. To learn more about the Data Privacy Framework program, and to view our certification page, please visit https://www.dataprivacyframework.gov/

With respect to personal data received or transferred pursuant to the Data Privacy Frameworks, NESS is subject to the regulatory enforcement powers of the U.S. Federal Trade Commission.

Pursuant to the Data Privacy Frameworks, EU and Swiss individuals have the right to obtain our confirmation of whether we maintain personal information relating to you in the United States. Upon request, we will provide you with access to the personal information that we hold about you. You may also may correct, amend, or delete the personal information we hold about you. An individual who seeks access, or who seeks to correct, amend, or delete inaccurate data transferred to the United States under Data Privacy Framework, should direct their query to dataprivacy@nesurv.com . If requested to remove data, we will respond within a reasonable timeframe.

We will provide an individual opt-out choice or opt-in choice before we share your sensitive data with third parties other than our agents, or before we use it for a purpose other than which it was originally collected or subsequently authorized. To request to limit the use and disclosure of your personal information, please submit a written request to dataprivacy@nesurv.com .

In certain situations, we may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

NESS currently does not transfer any data or allow access to personal data by third party business partners or service providers. NESS does not plan to transfer personal information to third parties. The Data Privacy Framework provision regarding liability for the actions of agent processors does not apply because NESS does not transfer personal information to third parties.

NESS’s accountability for personal data that it receives in the United States under the Data Privacy Framework and subsequently transfers to a third party is described in the Data Privacy Framework Principles. In particular, If NESS was to transfer personal data to third parties, NESS remains responsible and liable under the Data Privacy Framework Principles if third-party agents that it engages to process the personal data on its behalf do so in a manner inconsistent with the Principles, unless NESS proves that it is not responsible for the event giving rise to the damage.

In compliance with the Data Privacy Framework Principles, NESS commits to resolve complaints about your privacy and our collection or use of your personal information transferred to the United States pursuant to Data Privacy Framework. European Union and Swiss individuals with Data Privacy Framework inquiries or complaints should first contact NESS by email at dataprivacy@nesurv.com .

In compliance with the EU-U.S. DPF and the Swiss-U.S. DPF, NESS further commits to refer unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF and the Swiss-U.S. DPF to BBB National Programs, an alternative dispute resolution provider based in the United States. If you do not receive timely acknowledgment of your DPF Principles-related complaint from us, or if we have not addressed your DPF Principles-related complaint to your satisfaction, please visit https://bbbprograms.org/programs/all-programs/dpf-consumers/ProcessForConsumers for more information or to file a complaint. The services of BBB National Programs are provided at no cost to you.

If your Data Privacy Framework complaint cannot be resolved through the above channels, under certain conditions, you may invoke binding arbitration for some residual claims not resolved by other redress mechanisms. See Data Privacy Framework Annex 1 at https://www.dataprivacyframework.gov/framework-article/ANNEX-I-introduction

Personal Information Transfer

The data Controller (NESS Client) is responsible for complying with laws and regulations regarding notice, disclosure and/or obtaining prior consent prior to transferring personal information to NESS for processing. NESS transfers personal information only as directed by the data Controller (NESS Client). NESS does not share personal information with third parties.

Choice and Consent

An individual providing NESS with their information, must choose to consent and agree to the terms of this Privacy Policy. NESS applications are hosted in the United States and in Frankfort, Germany.

Security

NESS makes every effort to ensure the integrity and confidentiality of personal information under NESS’s control and uses state-of the art security procedures to protect personal information throughout its lifecycle. NESS uses physical, electronic and administrative procedures to safeguard an individual’s personal information from unauthorized destruction, alteration, disclosure, or access and to protect personal information from loss or misuse.

Breach Notification

In the unlikely event that an individual’s personal information is acquired (or is reasonably believed to have been acquired) by an unauthorized person, as required by applicable law, NESS will promptly notify the individual by e-mail, fax, or U.S mail. Working with law enforcement –if applicable- NESS will determine the scope of the data breach, and will investigate and restore the integrity of the NESS data system.

Changes to This Privacy Policy

NESS reserves the right to change this Privacy Policy at any time by posting a new privacy policy at this location; NESS will provide notification of any material changes through our Sites at least thirty (30) business days prior to the change taking effect. Therefore, you are responsible for periodically checking our Privacy Policy for changes.

Contact Us

Individuals whose personal data NESS processes have the right under Data Privacy Framework to access, correct or delete their personal data.

You may contact us at dataprivacy@nesurv.com or by mail at:

NESS
1415 Beacon Street,
Brookline, MA 02446 USA
Attn: Data Protection Officer

NESS · 1415 beacon st brookline, ma 02446 · (617)738-1800 · support@neform.com