This Privacy Notice was updated on 28 January 2022.
The changes affect patients participating in a Patient Support Programme operating throughout Novartis Ireland (“Programme”).
This Privacy Notice has been updated to i) consolidate privacy information for all Programmes, and ii) detail the change to the period of retention of records following completion of a Programme from five years to six years.
Effective Date: 28 January 2022
This Privacy Notice is addressed to patients that participate in a Novartis Ireland Patient Support Programme (hereafter referred to as the “Programme”). The Programme is available to patients prescribed certain Novartis treatments. Novartis Ireland will process information about you which constitutes “personal data”. At Novartis Ireland we are committed to the responsible use of your personal data and consider privacy a very important matter.
For the purposes of this Privacy Notice, (“Novartis Ireland”) refers to Novartis Ireland Limited registered at Vista Building, Elm Park Business Campus, Merrion Road, Dublin 4, D04 A9N6 with Company Number 11931, Novartis Ireland is responsible for the processing of your personal data as it decides why and how it is processed, thereby acting as a “controller”.
In this Privacy Notice, “we” or “us” refers to Novartis Ireland as defined in this Privacy Notice. The purpose of this Privacy Notice is to provide you with transparent information on how Novartis collects, uses, and discloses your personal data in the context of providing any or all of the services within the Programme.
We invite you to carefully read this Privacy Notice, as it contains important information for you. Should you have any questions or concerns in relation to the processing of your personal data, we invite you to contact [email protected].
1. Collection of personal data
Your personal information collected may either be directly provided by you or provided by your health care professional, where you have agreed to participate in a Programme.
For the purposes listed within this Privacy Notice we will collect your name and contact details (email address, mobile phone number, home address). Depending on the service(s) you receive, we may also collect and use the following categories of personal data:
- your date of birth;
- your gender;
- your patient identifying number;
- your medical history and the name of the treatment you have been prescribed;
- details of your communications and interactions regarding the Programme and your other uses of the service (including recording of telephone conversations for staff training and quality purposes);
- how often you dispose of your treatment injector pen into your Smart Sharps Bin; and
- details about any side effects or product complaints that are reported to Novartis Ireland
2. For which purposes do we use your personal data and why is this justified?
2.1. Legal basis for the processing
We will not process your personal data if we do not have an appropriate justification foreseen in the law. For the purpose of the Programme, we will only process your personal data if:
- we have obtained your prior consent, which is the main legal basis upon which we collect and use your personal information in the context of your participation in the Programme. Your consent is entirely voluntary and you can withdraw your consent at any time. Please note that withdrawal of your consent will not affect the lawfulness of our use of your personal information up to the time you withdrew your consent, and that we will need to archive your personal data after withdrawal in order to comply with our legal and regulatory obligations (e.g. in relation to adverse event reporting or if needed for legal claims);
- the processing is necessary to comply with our legal or regulatory obligations; or
- the processing is necessary to protect your vital interests or those of another person.
2.2 Purposes of the processing
We will always process your personal data for a specific purpose and only process the personal data which is relevant to achieve that purpose.
We process personal data to provide the services within the Programme which may include any of the following but are not limited to:
- Pre-Screening Laboratory Service – Provides pre-screening blood tests to patients in their home prior to their first treatment dose.
- Chest X-Ray Service – Provides chest x-rays for patients that require them prior to their first injection.
- Sharps Bin Service – Provides a “smart” sharps bin or regular sharps bin delivery and collection service for disposal of injector pens.
- Nurse Support Service – Provides education and support throughout treatment via at- home nurse visits, virtual support visits i.e. telephone or in the hospital setting.
- Routine Blood Screen Service - Provides routine blood tests to patients prescribed a treatment included within the Novartis Ireland Support Programme in their home.
In addition to the specific purposes identified above, we also process your personal data for the following general purposes:
- for pharmacovigilance purposes (tracking of side effects) and following up with you or your healthcare professional;
- providing you with adequate and updated information about disease, drugs, as well as our product and services;
- answering any questions or requests you may have;
- managing our IT resources, including infrastructure management and business continuity;
- ensuring compliance (such as complying with our policies and local legal requirements, conducting audits and defending litigation);
- archiving and record-keeping; and
- any other purposes imposed by law and authorities.
We may also process your data to invite you to participate in market research where you have provided prior consent for us to do so.
3. Who has access to your personal data and to whom are they transferred?
We will not sell, share, or otherwise transfer your personal data to third parties other than those indicated in this Privacy Notice.
Depending on the service you receive within the Programme, we will share your personal data with any of the following third parties:
- Point of Care Health Services Limited (“Point of Care”) – Point of Care provide a sharps bin delivery and collection service. Point of Care also manages the respective Programme online portal;
- Advanced Medical Services (“AMS”) – AMS provide a nurse support service on behalf of Novartis;
- IQVIA (“IQVIA”) – IQVIA provide a nurse support service on behalf of Novartis;
- HealthBeacon Ltd (“HealthBeacon”) – HealthBeacon provide a “smart” sharps bin or regular sharps bin delivery and collection service;
- Hibernian Healthcare at Home Ltd (“Hibernian Healthcare”) – Hibernian Healthcare performs blood tests and organises appointments at radiology centers for chest x-rays;
- Medical Safety Systems Corporate Pty Ltd trading as RxMx (“RxMx”) – RxMx manages the Novartis nurse services platform;
- your healthcare team, including your healthcare professional, specialist nurse and pharmacy; and
- third party market research companies, but only if you separately consent to us conducting follow-up research.
In the course of our activities and for the same purposes as those listed in this Privacy Notice, your personal data can be accessed by, or transferred to the specific third parties identified above and to the following categories of recipients, on a need to know basis to achieve such purposes:
- our personnel (including personnel, departments or other companies of the Novartis group);
- our suppliers and services providers that provide services and products to us;
- our IT systems providers, cloud service providers, database providers and consultants;
- any third party to whom we assign or novate any of our rights or obligations; and
- our advisors and external lawyers in the context of the sale or transfer of any part of our business or its assets.
Please note that we may have to share your data with a number of other recipients (e.g. another entity of the Novartis Group if the entity collecting the data is not the same as the one using it) but always under strict conditions.
The above third parties are contractually obliged to protect the confidentiality and security of your personal data, in compliance with applicable law.
Your personal data can also be accessed by or transferred to any national and/or international regulatory, enforcement, public body or court where we are required to do so by applicable law or regulation or at their request where strictly necessary.
The personal data we collect from you may also be processed, accessed or stored in a country outside the country where Novartis Ireland is located, which may not offer the same level of protection of personal data. If we transfer your personal data to external companies in other jurisdictions, we will make sure to protect your personal data by (i) applying the level of protection required under the local data protection/privacy laws applicable to Novartis Ireland, (ii) acting in accordance with our policies and standards and, (iii) for Novartis Ireland located in the European Economic Area (i.e. the EU Member States plus Iceland, Liechtenstein and Norway, the (“EEA”), unless otherwise specified, only transferring your personal data on the basis of standard contractual clauses approved by the European Commission. You may request additional information in relation to international transfers of personal data and obtain a copy of the adequate safeguard put in place by exercising your rights as described below.
For intra-group transfers of personal data (that is, transfers between companies which are members of the Novartis Group), the Novartis Group has adopted Binding Corporate Rules, a system of principles, rules and tools, provided by European law, in an effort to ensure effective levels of data protection relating to transfers of personal data outside the EEA and Switzerland. Further information regarding the Novartis Binding Corporate Rules is located at: https://www.novartis.com/privacy/novartis-binding-corporate-rules-bcr
4. Duration of storage
We will only retain your personal data for as long as necessary to fulfil the purpose for which it was collected or to comply with legal or regulatory requirements.
The retention period for personal data collected within the context of this Privacy Notice is six years following completion of the Programme. When this period expires, your personal data is removed from our active systems.
5. How do we protect your personal data?
We have implemented appropriate technical and organisational measures to provide a level of security and confidentiality to your personal data. These measures take into account: the state of the art of the technology; the costs of its implementation; the nature of the data; and the risk of the processing. The purpose of these measures is to protect it against accidental or unlawful destruction or alteration, accidental loss, unauthorised disclosure or access and against other unlawful forms of processing. Moreover, when handling your personal data, we:
- only collect and process personal data which is adequate, relevant and not excessive, as required to meet the above purposes;
- ensure that your personal data remains up to date and accurate (for the latter, we may request you to confirm the personal data we hold about you. You are also invited to spontaneously inform us whenever there is a change in your personal circumstances so we can ensure your personal data is kept up- to-date); and
- process any sensitive data about yourself (including your medical/health related data) you provide in compliance with applicable data protection rules and strictly as required for the relevant purposes listed above. The data is accessed and processed solely by the relevant personnel, under the responsibility of one of our representatives who is subject to an obligation of professional secrecy or confidentiality.
6. What are your rights and how can you exercise them?
You may exercise the following rights under the conditions and within the limits set forth in the law:
- the right to access your personal data as processed by us and, if you believe that any information relating to you is incorrect, obsolete or incomplete, to request its correction or updating;
- the right to request the erasure of your personal data or the restriction thereof to specific categories of processing;
- the right to withdraw your consent at any time, without affecting the lawfulness of the processing before such withdrawal;
- the right to object, in whole or in part, to the processing of your personal data; and
- the right to request its portability, i.e. that the personal data you have provided to us be returned to you or transferred to the person of your choice, in a structured, commonly used and machine-readable format without hindrance from us and subject to your confidentiality obligations.
Please note that Novartis Ireland is subject to legal and regulatory obligations which may limit or restrict the enforcement of your rights on some occasions. If you wish to contact us regarding our use of your personal data or you wish to exercise your data privacy rights, you may email [email protected] or write to Data Privacy, Novartis Ireland Limited, Vista Building, Elm Park Business Campus, Merrion Road, Dublin 4.
If you are not satisfied with how we process your personal data, please address your request to our Data Protection Officer at [email protected], who will investigate your concern.
In any case, you also have the right to file a complaint with the Data Protection Commission (dataprotection.ie), in addition to your rights above.
7. How will you be informed of the changes to our Privacy Notice?
Any future changes or additions to the processing of your personal data as described in this Privacy Notice will be notified to you in advance through an individual notice through our usual communication channels (e.g. by email or via our websites).