FoundationASSIST Patient Support Programme Processing of Personal Data Information Notice
This information notice sets out details of the personal data relating to you that we collect and how we process it in connection with the “FoundationASSIST” Patient Support Programme (the “FoundationASSIST Programme”). Roche Products (Ireland) Limited at 3004 Lake Drive, Citywest, Naas Road, Dublin 24, D24 K661, Ireland (“Roche”, “we”, “us”) is the controller of such personal data.
What is the FoundationASSIST Programme?
The FoundationASSIST Programme is a Roche patient support programme which provides financial assistance to patients in Ireland who are themselves paying for a Foundation Medicine Inc. genetic testing service ordered by their physician to reduce the cost of those services to patients (by up to a certain percentage of total cost). The amount of any financial support is based on objectively-assessed financial need. Roche has contracted with a third party service provider, Point of Care Health Services Limited (an Irish company) (“Point of Care”) to undertake these financial assessments and to have direct contact with patients in relation to the FoundationASSIST Programme.
Roche is not the controller of your personal data in relation to any genetic testing services offered by Foundation Medicine. This notice relates to the FoundationASSIST Programme only. For information on the processing of your personal data in connection with Foundation Medicine’s genetic testing services, please see the further information available in your consent form.
Roche and Point of Care will collect and process data in electronic systems, databases and manual filing systems. This data is, or may be considered to be, ‘personal data’ according to the General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”) and other applicable data protection law.
What personal data do we process?
Processed data includes your name (and, if applicable, the name of a parent/guardian), patient unique identifier(s), contact details, number and names of people living in your household, and the outcome of any financial assessment made. In order to make that financial assessment, Point of Care on our behalf will process patient and household financial information, including – P60 Statement, Statement of income signed by patient’s/householder’s employer, Statement of income from the Revenue Commissioners or similar document, your Medical Card status, and/or any other official documentation (e.g. from employers or the Revenue Commissioners) you provide that supports proof of income for all adults living in your household. Where such supporting documentation cannot be provided, the aggregate information about your household income sought by a ‘declaration of household income form’ is also collected and processed.
In managing the FoundationASSIST Programme, Point of Care on our behalf also collects and processes call centre audio recordings of calls with patients or adult household members as well as personal data relating to any adverse event/special situation reporting required by law and regulation. The fact of your involvement in requesting support for access to a particular genetic test is also potentially indicative of a relevant health condition.
Data will be obtained from interactions between Point of Care and you directly as well as, in limited circumstances, your physician. If you are a household member of a patient making an application, financial information relating to your contribution to that household income will also be provided by the patient/applicant and processed as part of the FoundationASSIST Programme.
Purposes of Processing
The personal data referred to above will be processed for the purposes of:
- operating and administering the FoundationASSIST Programme, internal training and management of relevant personnel and maintaining appropriate business records;
- where you provide it, on the basis of your consent; and
- where the personal data relates to persons in the household of a patient/applicant, such data is processed for the purposes of our legitimate interests in conducting our business in a responsible and commercially prudent manner in connection with administering the FoundationASSIST Programme; and
- complying with our legislative and regulatory (including reporting) obligations (and industry codes and similar) in connection with the FoundationASSIST Programme, in which case the legal bases for our processing are that this is necessary:
  - for the purposes of our legitimate interests in conducting our business in a responsible and commercially prudent manner; and
  - to comply with our legal obligations.
In so far as necessary (given the very limited nature of the health data processed), the condition relied upon to permit the processing of the special categories of personal data is your explicit consent.
Only data necessary for legitimate business purposes will be maintained.
Recipients of Data
We may disclose your personal data to various recipients in connection with the above purposes, including:
- to Point of Care and to other third parties who we engage to provide services to us, such as professional advisers, auditors and outsourced service providers;
- to other members of the Roche corporate group (including Foundation Medicine); and
- to competent regulatory authorities and bodies as requested or required by law.
Compliance with laws and transfers abroad
Roche as data controller as well as all other companies within the Roche Group are fully committed to complying with all applicable data privacy laws, such as the GDPR and supplemental legislation in Ireland and other EU Member States, the Swiss Data Privacy Act, and other applicable data privacy laws and principles as amended from time to time.
In connection with the above we may transfer your personal data outside the European Economic Area, including to a jurisdiction which is not recognised by the European Commission as providing for an equivalent level of protection for personal data as is provided for in the European Union. If and to the extent that we do so, we will ensure that appropriate measures are in place to comply with our obligations under applicable law governing such transfers to protect the privacy and fundamental rights and freedoms of individuals. Further details of the measures that we have taken are available from the Compliance Manager, contactable at (01) 4690700.
In general, Point of Care, on behalf of Roche, will retain your personal data for the duration of the assessment of your application for support from the FoundationASSIST Programme and for a period of three years after that point. Your contact details will be retained for one year from the last time you contact us or Point of Care or you are contacted.
You are not required to participate in the FoundationASSIST Programme, but Point of Care will not be able to consider and grant any application for support under the FoundationASSIST Programme where you do not provide us with the information necessary to assess your application (i.e. your contact details and supporting household financial information or declaration of household income). Where you do not wish to participate in the FoundationASSIST Programme, you are entitled to choose instead to pay for the full cost of any Foundation Medicine testing service.
You have the following rights, in certain circumstances and subject to certain restrictions, in relation to your personal data:
- the right to withdraw your consent to any processing based on your consent;
- the right to access your personal data;
- the right to request the rectification and/or erasure of your personal data;
- the right to restrict the use of your personal data;
- the right to object to the processing of your personal data; and
- the right to receive your personal data, which you provided to us, in a structured, commonly used and machine-readable format or to require us to transmit that data to another controller.
In order to exercise any of the rights set out above or for further information, please contact the Compliance Manager, contactable at (01) 4690700.
You have the right to lodge a complaint with the Irish Data Protection Commission (firstname.lastname@example.org) or your local data protection supervisory authority.