Effective: 1st April 2020

Purpose

This policy is designed to provide a global baseline across the Company with regards to the protection of Personal Information. It sets out the Company’s commitment to ensuring that the processing of all Personal Information is carried out with integrity and in accordance with all relevant data protection law. While it seeks to define our core purpose and principles without reference to any specific personal information protection regime, the Company recognizes that in certain jurisdictions the applicable regulations may impose additional, specific requirements: Where this is so, we manage the processing and storage of Personal Information in accordance with all such applicable laws.

Scope

This corporate policy applies globally, to all employees, consultants, contractors, and vendors of Amplity Health, or of any of its current or future subsidiaries, affiliates, successors or assigns (collectively, the “Company”). All company workers are expected to comply with the policy. Failure to do so may lead to disciplinary action for misconduct, including dismissal or termination of contract.

The Policy covers:

• The processing and storage of Personal Information in electronic or paper format, including that belonging to employees, contractors, suppliers, clients, healthcare professionals, clinical investigators, patients, medical research subjects, consumers and other individuals where the Company is the Controller of their Personal Information.
• The processing and storage of Personal Information on behalf of our clients where the Company is a Processor of that information.

The policy does not cover the management and use of Personal Information in the form of electronic information (cookies, etc.) that is collected automatically during use of Company Websites. This is covered in a separate ‘Online Privacy Policy’ document.

Responsibilities

The Company has defined this and other related policies to ensure the delivery of good privacy and data protection practices. These are:

• Data Privacy Policy (this document)
• Online Privacy Policy
• Document Retention & Destruction Policy
• Access Control Policy
• Data Back-up Policy
• Data Classification Policy
• Information Security Policy

Policies are supported by Standard Operating Procedures (SOP) and Guidelines.

Principles

The Company is committed to the principle of ‘Privacy by Design’ and seeks to ensure that good data protection practice is embedded in our culture and processes.

The Company complies with the fundamental principles of Personal Information protection set out below:

1. Lawfulness, Fairness and Transparency

   We are clear, open, and honest about our use of Personal Information:

   • It is processed lawfully and in a manner that is not detrimental, unexpected, or misleading to the Data Subject.
   • Through appropriate Privacy Statements and Notices, we ensure that Data Subjects are aware of why and how their Personal Information is processed and used, of the lawful basis for processing and their rights under applicable data protection law.

2. Choice

   • We provide clear, conspicuous, and readily available mechanisms to enable Data Subjects to exercise their statutory rights to choose how their Personal Information is used.
   • We facilitate, in good faith, any legitimate request from a Data Subject who wishes to exercise their rights under applicable data protection legislation.

3. Limitation of Purpose

   Personal Information is only collected when necessary, and for specified, explicit, and lawful purposes. It is not processed in a manner that is incompatible with those purposes, unless subsequently authorized by the Data Subject.

4. Data Minimization

   Only Personal Information that is adequate, relevant, and limited to what is necessary in relation to the stated purpose is collected.

5. Accuracy

   Personal Information that we hold is accurate and, where necessary, kept up to date. Reasonable steps are taken to ensure that inaccurate Personal Information is recognized and erased or rectified without delay, having regard to the purposes for which it is processed.

6. Storage Limitation

   Personal Information is kept in a form which permits identification of Data Subjects for no longer than is necessary to fulfill the legitimate purpose, or to comply with legal obligations.

7. Integrity and Confidentiality

   Personal Information is processed in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing and accidental loss, destruction or damage, using appropriate technical or organizational measures.

8. Accountability

   The Company takes full responsibility for complying with all relevant legislation by adopting this Policy and the other supporting Policies mentioned. Appropriate technical, organizational, and administrative measures are implemented and maintained, and records are kept to monitor and demonstrate compliance. Where relevant, the Company utilizes voluntary codes of conduct and certification schemes to maintain and improve the quality of delivery.

Rights of Data Subjects

The rights of Data Subjects vary across the globe and depend on the relevant data privacy legislation. The Company commits to ensuring that Data Subjects understand their rights under any applicable regime, to providing access to allow those rights to be exercised, and to responding to all legitimate requests in full compliance with the relevant laws. These may include:

1. Disclosure or Access:

   • The right to request information about whether and how Personal Information is being processed.
   • The right to be allowed access to that Personal Information and to be provided with a copy in a readily usable and transferable format (portability).
   • The right to obtain the following information: the purpose of the processing; the categories of Personal Information processed; the recipients to whom Personal Information has been disclosed or will be disclosed; the retention period; the source of the Personal Information if not collected directly from the subject and; the existence of any automated decision making based on Personal Information.

2. Rectification:

   • The right to allow a data subject to rectify inaccurate Personal Information concerning them.

3. Erasure (“the right to be forgotten”):

   • The right to have data erased (subject to certain statutory limitations) and to have confirmation of erasure.

4. Restriction of Processing:

   • The right, under certain circumstances, to ask for processing to be restricted.

5. Objection to processing:

   • The right to object to the processing of Personal Information (subject to certain statutory limitations).
   • The right to object to disclosure or sale of Personal Information to a third party.
   • The right to object to the use of automated decision making

   Data Subjects are not be discriminated against as a result of their choice to exercise their data protection rights.

   The Company has put in place, and maintains, SOPs and training programs to ensure adherence to this policy and to support the exercise of the rights of Data Subjects.

Sensitive Personal Information

Data privacy legislation typically identifies special categories of Personal Information, which are of greater sensitivity, and enforce additional legal obligations for processing. Sensitive Personal Information may include (depending on the applicable legislation) information regarding:

• Race or ethnic origin
• Political opinions
• Religious or other similar beliefs
• Trade union membership
• Physical or mental health
• Sexual life or sexual orientation
• Criminal allegations, proceedings or convictions
• Genetic information
• Biometric Data
• Financial information
• Official identification information

Where the Processing of Sensitive Personal Information is required, we review risk, establish and record the required lawful conditions for processing (typically explicit consent, employmentrelated obligation, or other legal obligations) and employ necessary measures to ensure privacy and security.

Information Security

The Company puts in place appropriate administrative, technical and physical information security measures to support the delivery of this policy and to protect the Personal Information in our care against threats such as loss or theft; unauthorized or inappropriate access, use or disclosure; tampering; loss of data integrity; and improper retention or deletion.

Employees are appropriately trained and expected to take steps to recognize and prevent such threats to Personal Information and to report any suspected or known threat or incident.

Transfer and Sharing of Personal Information

It is sometimes necessary to share Personal Information and to transfer it between companies within Amplity Health or to our partners, clients, service providers, and agents. This may also mean the transfer of Personal Information between locations and jurisdictions. In all cases, we apply the guiding principles above and ensure that the Personal Information for which we are responsible is adequately protected.

• Data Subjects are informed, through appropriate Privacy Statements and Notices, how we share and transfer their Personal Information.
• Administrative and technical measures are taken to ensure the security of data transfers.
• Appropriate legal instruments (such as standard contract clauses, recognized certifications, or binding corporate resolutions) are maintained to ensure compliance for the transfer of Personal Information within Amplity Health.
• Third-party agents, suppliers, contractors, and clients are bound by contractual obligation to ensure that the processing of Personal Information complies with this policy and be carried out to an equivalent standard of care.
• Transfers between data privacy jurisdictions are carried out in accordance with applicable legislation and with appropriate safeguards to ensure an equivalent standard of protection.
• Within the limitations set by any applicable law, the Company upholds the rights of Data Subjects to object to, or restrict, the transfer of their Personal Information.
• In certain circumstances, the Company may share Personal Information regardless of the choice stated by Data Subjects. Such circumstances include (i) where required to do so by law or by law enforcement authorities (ii) where, in our opinion, disclosure is necessary to protect the vital interest of the individual (iii) where there is an over-riding contractual obligation (iv) where there are reasons of public interest (v) in order to establish, make or defend a legal claim.

Retention of Personal Information

The retention period for Personal Information is determined according to the principle of “storage limitation” as described above: Accordingly, in general, Personal Information is held only as long as necessary for a specified purpose, and the Company takes reasonable steps to minimize the length of time for which that Personal Information is held.

The Company has a “Document Retention and Destruction Use Policy” to define retention periods for certain classes of document in line with statutory requirements. Personal Information contained within these specified document categories is retained on the basis of legal obligation for the stated retention periods. The Company has defined nd maintains processes to ensure that Personal Information is anonymized (de-identified) or safely deleted in line with the principle of storage limitation and the Document Retention and Destruction Use Policy

Marketing and Promotional Activities

The Company does not typically engage in marketing and promotional activities targeted at individuals or consumers for its own purposes, but may do so on behalf of our clients. In all cases, the Company complies with applicable law and ensure that the rules of consent are implemented and that the rights of the individual or consumer are upheld.

Administration and Compliance

The Company maintains a Data Privacy Management System to ensure robust governance of data privacy. This includes:

• Adoption of this Policy and definition of compliant practices.
• Documentation of the implementation of the required administrative, organizational, and technical measures.
• Analysis and documentation of data privacy risks and impacts.
• Recording of processing activities to demonstrate and monitor compliance.
• Recording, investigation, and reporting (where required) of data privacy breaches.

The Company appoints a Data Privacy Officer (DPO) to advise on data protection obligations and the implementation of necessary compliance measures, to monitor internal compliance and to act as a first point of contact for data subjects and the relevant supervisory authorities. The DPO is independent and reports to the top level of management, and is adequately supported and resourced.

Expectations and Training

The protection of Personal Information and compliance is the responsibility of all employees and others working on our behalf.

The Company ensures appropriate training to support its employees in the delivery of this policy.

Any potential or perceived violation of the principles outlined in this policy must be immediately reported to the Corporate Compliance department.

Terms and Definitions