About this privacy notice
ICON plc. (“ICON”, “we”, “us”, “our”) is committed to protecting your privacy.
This privacy notice tells you what personal information we collect and how we collect it. It explains what we use your personal information for, why we use it, and how we protect your personal information. This notice also describes certain rights you have in respect of your personal information.
This notice is intended for research participants or potential research participants and general users of our website.
In some cases, this notice will not apply to your circumstances, and we will provide you with a separate privacy notice instead. For example, this privacy notice does not apply to you:
- if you are a healthcare professional or a business partner. Please see the Business Professionals Privacy Notice instead.
- if you are a job applicant. Please see the Job Applicant Privacy Notice instead.
- if you are a user of the ICON Digital Platform app. The IDP Privacy Notice is available to you in the IDP Digital Platform instead.
- if you are a subscriber to, or an author of publications made available via, Mapi Research Trust services. Please see the MRT Privacy Notice instead.
- if you choose to participate in a medical research study that is taking place at one of ICON's clinics (also called a "study site"). If this is the case, we will provide you with a separate privacy notice as part of the Informed Consent Form, prior to you agreeing to take part in the study.
Who is the data controller of your personal information?
ICON is the "data controller" of your personal information for the purposes set out in this notice. This means we determine how your personal information is used and processed for the purposes described in "How do we use your personal information? section.
In circumstances where ICON acts on a third party's instructions (this means ICON is acting as a "data processor"), that third party is the data controller of your personal information, and their privacy notice will apply to you instead of this one.
Contact information and your privacy point of contact
You can submit questions or comments to our Global Data Protection Officer at Data_Privacy_Officer@iconplc.com.
You may also contact our Data Protection Officer by writing to us at: Global Data Protection Officer, ICON plc South County Business Park, Leopardstown, Dublin 18, D18 X5R3, Ireland.
To exercise your rights as outlined in the "What are your rights regarding your personal information?" section, please follow this link and complete the Data Subject Rights form.
What personal information do we collect about you? How do we collect it?
"Personal information" is any information relating to you which allows you to be identified directly or indirectly. Personal information can include a name, an email address, an identification number or any other details that are specific to you.
Depending on the purpose for using your personal information, we collect and process information from you, including:
(a) Basic information – your name, surname (including prefix or title), country or location, as well as your preferred language;
(b) Contact information – information that enables us to contact you, e.g. your email, mailing address, and telephone number;
(c) Technical and network activity information – information about your device and your usage of our websites, apps and systems, including your IP address, browser type, operating system, domain name, access times and referring website addresses; and
(d) Health information – whether you are interested in participating in a clinical trial, your health status and health conditions, your medical records, clinical trial results, medical history of your 'blood' relatives, race and ethnicity information, genetic information and health information inferred from information that you have provided to us.
We collect this information directly from you:
a) when you use our websites, apps and systems.
b) when you get in touch to provide information, for support or to provide feedback.
c) when you use our public hotline, EthicsLine, to report any concerns or questions.
d) as part of an interview or screening telephone call.
We collect and process information from third parties, including:
a) from our third-party service providers.
b) from trial sites where you are participating in a medical research study.
You can choose not to give us personal information when we ask you for it. If you decide not to give us your personal information, it may restrict our relationship with you. For example, we may not be able to provide you with our services or respond to communications from you via our website.
If you provide any personal information relating to another person, you are responsible for ensuring that:
a) this person is made aware of the information in this notice; and
b) this person has given you their permission to you sharing their personal information with us.
How do we use your personal information?
We use your personal information:
a) to deliver the information or services offered by our websites and apps.
b) to identify and authenticate your rights to access our websites and apps.
c) with your consent, to screen and match you to clinical trials and research projects based on your preferences and individual needs.
d) to respond to your queries and requests.
e) to process, manage and respond to any questions or concerns you raise via ICON's EthicsLine.
f) to protect the security of our websites and apps.
g) to comply with our legal obligations.
h) to analyse therapeutic trends and gather anonymised geographic statistics.
i) to improve our products and services.
j) to carry out interviews regarding your experience for a specific disease.
We will not use your personal information for purposes that are incompatible with the above purposes, unless it is required or authorised by law, or it is in your vital interest (such as in case of a medical emergency).
How do we share your personal information?
We may disclose personal information we collect about you to other parties. We will only do this for the purposes set out in "How do we use your personal information?". These third parties are:
a) Third party service providers - We may share your personal information with our third party service providers that provide web hosting services, cloud storage services, clinical trial sites, laboratory services, concierge services, and home health clinician services on our behalf.
b) To our affiliates and subsidiaries – We may share your personal information within our group of companies for the purposes described above.
c) For legal, security and safety purposes - We may have to share your personal information in response to authorised requests of government authorities or where required by law.
d) In connection with a corporate transaction - As part of any merger, sale, joint venture, transfer, or other disposal of all or any portion of our business (including as part of any bankruptcy or similar proceedings), we may transfer your personal information to other parties involved in these transactions. Under these circumstances, all parties will enter into a confidentiality agreement to protect personal information and must only use personal information for the purpose it was collected for in the first instance.
e) With your consent - We may share your personal information with other third parties with your consent. For example, if you have consented to us screening and matching you to clinical trials and research projects, we may (with your consent) share your health information and contact information with the site where a relevant clinical trial is being conducted.
Will we transfer your personal information outside your home country?
We may need to transfer your personal information internationally including to/from the USA and elsewhere. We will only transfer your personal information for the purposes set out in "How do we use your personal information?".
We implement appropriate measures to protect your personal information when we transfer your personal information outside of your home country, such as data transfer agreements that incorporate standard data protection clauses. The data privacy laws in the countries we transfer it to may not be the same as the laws in your home country.
We will apply appropriate safeguards to such transfers as required by applicable law. For example, transfers from the European Economic Area ("EEA") to non-EEA countries will usually be governed by EU-approved Standard Contractual Clauses and will be subject to other appropriate security measures. If you are in the EEA, you can obtain a copy of these safeguards by emailing us using our contact details in "Contact information and your privacy point of contact" section.
How long do we keep your personal information?
We decide for how long to keep your personal information by considering:
a) the length of our relationship with you, and whether we need to keep your personal information to respond to or process a question or request from you.
b) what is advisable in light of our legal position (due to statutes of limitations).
c) whether there is a requirement to keep your personal information for a period required by law.
d) whether we should keep your personal information in connection with legal action or an investigation involving ICON.
For example, we hold on to information from clinical trials in accordance with the legal requirements of the country where the clinical trial takes place.
We may collect information that is not personal information or convert personal information into information which can no longer be used to identify you (such as through aggregation or anonymisation). When we do this, we may use and disclose that information for any purpose, as anonymised data is not covered under data protection laws.
How do we protect your personal information?
We use a variety of security measures and technologies to help protect your personal information. We carefully choose our service providers, and check they have security measures and technologies in place to protect your personal information.
However, no physical or electronic security system is entirely secure. We cannot guarantee the complete security of transmissions over the internet, or of our databases. If you have reason to believe that your interaction with us is no longer secure, please immediately notify us using our details at "Contact information and your privacy point of contact" section.
How do we update this privacy notice?
ICON may make changes to this Privacy Notice. For instance, we may need to amend this Privacy Notice if there are changes to relevant laws.
Where we have your contact details, we will notify you of any significant changes.
Additional information if you are in the European Economic Area (EEA)
Why are we allowed to collect and use your personal information?
We use your personal information only where required for specific purposes. The table below sets out the purposes for which we use your personal information and our legal reason for using your personal information in this way.
|To deliver the information or services offered by our websites and apps.
This is in our legitimate interest in order to provide our products and services to you.
In order to deliver certain products and services, we may need to process your special category data for this purpose, such as your health data. Where this is the case, we will rely on your consent to this.
|To identify and authenticate your rights to access our websites and apps.
This is in our legitimate interest, for example to ensure we have confirmed the identity of the person making a request to us.
We also process this personal information where necessary for us to comply with a legal obligation that we are subject to, for example, to make sure you are not accessing content that is only intended for healthcare professionals under applicable laws.
To screen and match you to clinical trials and research projects based on your preferences and individual needs.
|We process your personal data for this purpose on the basis of your consent.
To respond to your queries and requests.
|This is in our legitimate interest in order to respond to your query or request.
|To process, manage and respond to any questions or concerns you raise via ICON's EthicsLine.
|We process your personal information for this purpose in order to comply with our legal obligations.
To protect the security of our websites and apps.
|This is in our legitimate interest in order to protect the security of our websites, apps and IT systems. We also process personal information for this purpose where it is necessary for us to comply with a legal obligation that we are subject to. For example, this includes our legal obligation to ensure we have appropriate security measures in place to protect your personal information.
|To comply with our legal obligations.
We process your personal information for this purpose in order to comply with our legal obligations. For example, we are required by law to keep certain records for specific periods of time, and to process your requests to exercise your rights in respect of your personal information.
|To analyse therapeutic trends and gather anonymised geographic statistics.
This is in our legitimate interests in order to advance the state of our scientific knowledge, and to improve our products and services.
We may need to process your special category data for this purpose, such as your health data. Where this is the case, we will ensure we have a legal reason for this, such as obtaining your consent or this being necessary for scientific research purposes.
|To improve our products and services.
|This is in our legitimate interests in order to improve our products and services.
To carry out interviews regarding your experience for a specific disease
|We process your personal data for this purpose on the basis of your consent.
What are your rights regarding your personal information?
You have rights in respect of your personal information. The rights available to you depend on our reason for processing your personal information and the local law in your country, and there are exceptions to some rights. Depending on this, you may have:
a) The right to be informed – if we are processing your personal information, we must inform you of various details, including who is processing your personal information, why, how long we will retain it for, and if we are transferring the data to another country.
b) The right to withdraw consent – if we are processing your personal information on the basis of your consent, you can withdraw your consent to that processing at any time. If you withdraw your consent, this will not mean any processing we carried out prior to your withdrawal is invalid.
c) The right of access to your personal information – you can request a copy of the personal information we hold about you.
d) The right to rectification – you have the right to request that we correct any inaccuracies in the personal information we hold about you and complete any personal information where this is incomplete.
e) Right to erase your personal information (right to be forgotten) - you have the right to be forgotten in certain circumstances including, for example, where the personal information is no longer needed for the purpose for which it was collected. However, this right does not apply where, for example, processing is necessary to comply with a legal obligation, or for the establishment, exercise or defence of legal claims.
f) The right to restrict the processing of your personal information - you have the right to ask us to restrict certain processing activities in some circumstances, including, for example, where you challenge the accuracy of the information. Where processing has been restricted, we can only process it for limited purposes such as, for example, the establishment, exercise or defence of legal claims.
g) The right of data portability - you have the right to have your personal information returned to you or to a third party in certain cases.
h) The right to object – you have a right to object to the processing of your personal information in certain cases, for example, when we process your personal information based on our legitimate interest. In such a case we will stop processing your personal information unless we can show there are compelling legitimate grounds which override your interest.
To exercise these rights, please contact us using our contact details in "Contact information and privacy point of contact" section. We may request proof of identity, so we can verify who you are.
If you feel your data protection rights have been infringed by ICON, you may have the right to complain to your local data protection supervisory authority. A good resource for details on data protection authorities from around the world is kept at List of DPAs | pdpEcho.