The services offered by Genetic Alliance that utilize the Platform for Engaging Everybody Responsibly database (Free-the-Data.org, Reg4All.org and TrialsFinder.org) are provided through a collaboration between the Genetic Alliance, a non-profit leader in health and patient advocacy, and Private Access, Inc., a pioneer in privacy-management technology. A separation of duties between these two entities enables Free the Data, Reg4All and TrialsFinder to enforce a powerful security principle called "least privilege" which says that no single person or entity should be able to access information or to exercise privileges beyond what is necessary to perform that person's or entity's assigned role.
For both Free the Data, Reg4All and TrialsFinder, Private Access holds and manages all personally identifiable information and privacy preferences; and Genetic Alliance holds and manages all de-identified information in the PEER database. Powerful encryption technology is used to protect this information, and only the participant - acting through explicit privacy preferences that he or she controls through Private Access - can enable his or her information to be discoverable by searches of the PEER database, linkable to the individual's identity, and/or used by or shared with any person or entity.
Participants are able to view all of their own information held by PEER, and the privacy permissions they have set for that information.
Participants are able to make corrections to their own information held by PEER.
|Openness and Transparency||
PEER uses information only as indicated by the participant's privacy permissions. Unless required by law or subpoena, PEER will not make any of a participant's personal information, or information about his or her individual use of PEER, accessible to anyone whom the participant has not explicitly authorized. Participants may view a report of all accesses to their individually identified information held by PEER at any time.
|Individual Choice||A participant's decision to register and share his or her information with PEER gives us permission to retain and manage that information in the PEER registry until he or she removes it. However, this information will not be included in any search results, or otherwise shared with anyone else, without the participant's explicit permission. PEER uses PrivacyLayer™ technology developed by Private Access, to enable participants to choose what information will be made available in de-identified, linkable, or identified form, by whom and for what purposes it can be used. By default, all of a participant's information is encrypted and portions of the information are made usable for search and discovery only by the participant, when he or she gives the appropriate permission. The only parties - including Genetic Alliance and Private Access - who can decrypt and access an individual's health information or associate that information with the individual are the participant him/herself and any person or entity to whom the participant has expressly given permission through PrivacyLayer™. Participants can change their choices at any time. The decision to allow (or not allow) a requested use of, or access to, a participant's data is always based on the privacy preferences in effect at the time such use or access is attempted.|
|Collection and Use||
Registration requires participants to provide some minimum amount of personal contact information, including at least a valid email address. This personal information is retained by Private Access and is used only by privacy administrators in cases that require them to contact a participant to obtain clarification about his or her privacy preferences. This personal contact information is not shared with anyone (including Genetic Alliance) unless the participant expressly requests, through his or her privacy preferences, that the information be shared.
All information collected and stored in the PEER database is provided directly by participants, through their responses to questions, or is health information participants have asked their healthcare providers to send to us. The only information PEER collects in the background without the user's explicit permission are data used to manage the user session, metrics used to improve our services, and audit data. Data collected to help us manage the user session are stored in cookies held by the user's browser; all session information is deleted from the participant's computer or mobile device immediately when he or she logs off, or after several minutes of inactivity. PEER collects general (not user-specific) metrics such as length of time spent on the site and the universal resource locator (URL) of the site that referred the user to PEER. We aggregate these measures with those of other participants and use these statistics to help us improve our services. To enable us to maintain system security and to detect potential malicious code activity and intrusions, we record all security-relevant events in an audit trail.
With the participant's explicit permission, we also may collect information that will help us identify, and enable participants to use social sharing and networking options that may be of value to the participant.
|Data Quality and Integrity||
No one changes a participant's data in PEER other than the participant to whom the data relates. PEER uses technical measures to assure that participants' data are not modified in unauthorized ways, or accidentally corrupted.
It is impossible to achieve "perfect" security because new vulnerabilities and threats appear every day; one can only strive to minimize risk to a tolerable level. Even though "perfect security" is neither achievable nor practical, PEER strives continuously, through our policies, operational procedures, and security technology, to maintain the security of the information our participants entrust to us, and the privacy and safety of our participants. Fundamental to our safeguards is our adherence to the principle of least privilege: no PEER system component (individual or entity) is given more access to information or privileges than what it needs to accomplish its assigned role. This principle is reflected in the separation of duties between Genetic Alliance and Private Access, and in the autonomous controls given to our participants concerning their information. PEER information and systems are continuously monitored and protected from unauthorized access, use, and modification. Our protective measures include physical protections, administrative processes and practices, and technical protections that meet and exceed applicable state and federal laws, and industry best practices that address the protection of electronic Personally Identifiable Information (PII) and the privacy of individuals participating in online experiences. All personal information stored in the PEER database and in Private Access is encrypted, and all sensitive information transmitted over the Internet is encrypted and sent only to authorized and authenticated recipients. Recognizing that new security threats and vulnerabilities are being discovered every day, our security team continuously monitors security knowledge bases and proactively takes action to implement protective measures to effectively manage risk.
PEER systems and practices are continuously monitored for adherence to our privacy and security policies. Any potential lapses in our protection are immediately and thoroughly investigated. All security-relevant events are recorded in the audit trail used to monitor the security of the system. Each access to the participant's account, and creation, update or application of privacy preferences (including when authorized searchers access individually identifiable information held by PEER) is recorded and made available to the applicable participant.
Version: April 4, 2013
Copyright © 2013 Genetic Alliance, Inc. All rights reserved.