This privacy notice applies to all data about transfers of value – payment or benefits in kind – that the ABPI receives from pharmaceutical companies in connection with the Disclosure UK transparency initiative.
This privacy notice explains:
Who is the ABPI?
In this policy, when you see the words “we”, “us”, “our” or “ABPI”, they refer to the Association of the British Pharmaceutical Industry (“ABPI”).
The ABPI represents innovative research-based pharmaceutical companies, large, medium and small in the UK. The ABPI manages Disclosure UK, the publicly accessible database that shows transfers of value from pharmaceutical companies that are signatories to The ABPI Code of Practice for the Pharmaceutical Industry (“ABPI Code”), made to healthcare professionals.
The ABPI is a company limited by guarantee with registration number 09826787 and its registered office at 7th Floor Southside, 105 Victoria Street, London SW1E 6QT. For the purposes of EU data protection law, the ABPI is a “data controller”.
What is personal data?
In this policy, the words “personal data” mean any information that identifies you, for example, your name and address. It also includes transfers of value made to you by a pharmaceutical company(s) for activities that you have been engaged in with them.
How we keep your data secure
We have put appropriate organisational safeguards and security measures in place to protect your data from being accidentally lost, used or accessed in an unauthorised way. We limit access to your personal data to those employees, representatives and third parties who have a business need to know it. They are only permitted to access your data on our instructions and will always be subject to a duty of confidentiality.
Any third party who is contracted to process your personal data on our behalf must have security measures in place to protect your data. We have put in place procedures to deal with any suspected personal data breach. We do not allow third party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.
If you would like more information about the third parties that the ABPI works with in order to deliver the Disclosure UK database, please contact us using the contact details below.
The data we collect about you
The following groups of personal data are collected and processed by the ABPI:
- Identity Data – your title, full name, specialty, role, principal practicing address;
- Transfer of Value – The amount – in payment or benefit in kind – received from pharmaceutical companies.
We also collect, use and share aggregated data, such as statistical data, for any purpose. Aggregated data is derived from your personal data but it is not considered to be personal data in law as this data does not directly or indirectly reveal your identity. For example, we may aggregate transfers of value data from all healthcare professionals shown in the publicly accessible database, to provide an overall picture of how the pharmaceutical industry is working with healthcare professionals.
How we collect your data
Your personal data is provided to us by the pharmaceutical company(s) that you have worked with.
The legal basis for processing your personal data
The law requires us to inform you of the legal basis for collecting and processing your personal information where we are the data controller. We may process your personal data using more than one lawful basis. The grounds that are most likely to be applicable to the processing of your personal data are:
Consent: If you have given the pharmaceutical company that you worked with permission to disclose to the ABPI, the transfer of value made to you for that work, the ABPI relies on this consent to undertake the processing activities that the ABPI carries out for the purpose of the Disclosure UK initiative.
Legitimate Interest: The pharmaceutical company that you worked with may have a legitimate interest in processing your personal data, in particular in order to meet their obligations under the ABPI Code in publishing details of payments and benefits-in-kind made to healthcare professionals, and considers the processing of your personal data, including the transfer of your data to the ABPI, to be reasonable and without undue risk to you. The ABPI also relies on this assessment as the basis for the collecting and processing of your personal data. The ABPI also has its own legitimate interest in processing the personal data that we receive from pharmaceutical company(s) in order to administer our business, which includes running the Disclosure UK platform. Furthermore, society as a whole has a legitimate interest in understanding the financial relationships that healthcare professionals may have with the pharmaceutical industry.
How we use your data
Transfers of value that you have received from different pharmaceutical companies are collated and published on Disclosure UK – a publicly accessible database managed by the ABPI.
In order to validate and collate your personal data for publication on the database, the ABPI uses your personal data to contact you, provide you with information and to respond to any queries that you may raise with us through the disclosure process.
As explained above, your personal data is also aggregated with the data of other healthcare professionals for statistical analysis purposes.
We will only use your personal data for the purposes for which we collect it.
For how long will your personal data be kept?
The ABPI Code states that information about payments made to individuals must be published on Disclosure UK for a period of three years from the date of disclosure. After this time, the ABPI securely destroys the dataset that is older than three years and instructs its service providers to do the same.
How we share your data
We may share your personal data with the parties set out below for the purpose of collating and managing the Disclosure UK database:
- The pharmaceutical company that made a transfer of value to you, so that the company can validate the information to be shown on the database;
- Third party service providers that we use to support the operation of the Disclosure UK database.
When the process of validation is complete, your personal data is published on Disclosure UK – a publicly accessible database.
Under certain circumstances, you have the rights set out below under data protection laws in relation to your personal data:
- Access to Personal Information – You have a right to obtain access to the personal information that we hold about you.
- Change Inaccurate Information – You have a right to correct inaccurate personal information and to update incomplete personal information.
- Request to Delete Your Information – You have a right to request that we delete your personal information if you believe that we no longer need your information for the purposes for which it was provided; or we are not using your information in a lawful manner; or we have requested your permission to process your personal information and you wish to withdraw your consent. Please note that if you request us to delete your information, we may have to stop engaging with you.
- Request to Restrict the Processing of Your Information – You have a right to request that we restrict the processing of your personal data if you believe that any of the information that we hold about you is inaccurate; we no longer need your information for the purposes for which it was provided but you require the information to establish, exercise or defend legal claims; or we are not using your information in a lawful manner. Please note that if you request us to delete your information, we may have to stop engaging with you.
- Request Your Personal Data in a Portable Format – You may have the right to ask us to provide your personal information in a portable format.
- Object to the Processing of your Personal Information – You have a right to object to the processing of your personal information unless we can demonstrate compelling and legitimate grounds for the processing.
- Withdraw Consent – Where we rely on your permission to process your personal information, you have a right to withdraw your consent at any time.
- Make a Complaint – You have a right to lodge a complaint with your national data protection regulator if you feel that your personal data has been unlawfully processed.
How to contact us
If you have any questions on this policy or wish to exercise any of these rights please contact us here: firstname.lastname@example.org
We will try to respond to your request within one month, although occasionally it may take us longer than a month if your request is particularly complex or if you have made a number of requests. In this case, we will notify you and keep you updated.
We may need to request specific information from you in order to help us to confirm your identity. This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request.
Last updated: 27 June 2018