Ground rules for Website and Mobile Applications:

************** Instructions to set up your notice **************

The guidance and privacy notice below should be followed when designing mobile phone applications or websites that actively collect, store and generally process personal data (e.g. mobile application for asthma patients to help them better take their medication; website designed for doctors and experts to register for one of our seminars; website designed to recruit patients for a trial). If you only want to use one long Notice for your mobile app or website, please remove the text “For more details on […], please click here” and “Text behind “click here” link” from the notice and include the relevant text in the long form Notice. Please note that using only a long form Notice may negatively impact the readability of the text on a smartphone and that regulatory guidelines recommend a layered approach.

Sections highlighted in yellow are authoring instructions and should be deleted prior to publishing the notice. Sections highlighted in green must remain in the Notice and be completed per instructions. Text in blue is suggested text that can be generally used. Text in orange is an example only and should be changed to meet the specific circumstances for your application or website.

The Application must contain a disclosure Notice that should appear on the smartphone or web screen before the application can be installed on the individual's (e.g. patient) phone or they enter their data in the web portal. Where this is not possible and you provide privacy information after an application is downloaded and installed, make sure that the Notice is provided before the application starts to collect the relevant personal data.

This short Notice disclosure should:

  • be written in plain simple language that is appropriate to the audience;
  • identify the AZ entity(ies) responsible (Controller of the personal data);
  • describe exactly what information about the individual the application will collect and why;
  • explain who sees or has access to the information, including if it involves transfers abroad;
  • explain how the individual/patient can stop using the application, request access or deletion of their data;
  • pay particular attention to highlighting any actions that would be unexpected or considered onerous by the user. Equally, do not hide important information or otherwise mislead the user.

The short smartphone disclosure Notice can work alongside longer disclosure information. Regulators advocate breaking up lengthy information in this way so the individual always knows at each stage exactly what collection of personal data will take place. For instance:

  • Applications related to Clinical Trials: the simple Notice in the mobile app can work alongside the long form of informed consent provided to the patient as part of enrolling in the clinical trial
  • Other types of Applications: initial notice to the user contains the minimum information required and further information is made available through links to the whole privacy policy.

The smartphone disclosure Notice should look something like this (please adapt the wording with appropriate SIMPLE description as required):

**************Text for your notice, update where applicable **************

PRIVACY NOTICE

This application has been developed and/or commissioned by Xxxxxxx (include exact name and address of the AZ Entity that developed and/or commissioned the application and that is responsible for the processing of personal data.) (“AstraZeneca”, “We”, “Us”). The application will collect certain personal data from you such as xxxxxxxxxx [list the types of personal data collected. If many, list the broad categories of data (e.g., contact details, location, online identifiers, etc.). Best to include the reason for collecting the type of data that is considered as more intrusive (e.g. GPS tracking) or sensitive (health data). Example: “we collect your full name and contact details (for communicating with patients); certain information that is relevant to the clinical study, such as gender and date of birth; and health related information such as blood pressure, cholesterol and medication (to enable you and your doctor to follow your progress)”]. Such information will be provided by you. Our need to process your personal data is based on your explicit consent or legitimate business need.

The main purpose of this application is to xxxxxxxxxxx (include a simple, to-the-point description. Example: to help patients manage their medication schedule, track their health indexes and the time spent doing physical exercise. We will also receive medical information through the application and complete health related surveys. The application is also designed to help AstraZeneca in understanding the effectiveness and progress of the patient with the medication).

All the information supplied through this application will be stored on secure servers in xxxx (include location(s)). We may also transfer your personal data to other AstraZeneca group companies and with third parties for technical support purposes, or in accordance with any legal obligations. [For more details on how we share your Personal Data, please click here.]

[Text behind “click here” link: Your data may also be shared with certain third parties such as: IT software providers involved in the development and maintenance of this Application; auditors and consultants to verify our compliance with external and internal requirements; statutory bodies, law enforcement agencies and litigants, as per a legal reporting requirement or claim; and a successor or business partner to an AstraZeneca group company in the event that it sells, divests or sets up a collaboration/joint venture for all or part of its business.]

Such AstraZeneca entities and third parties may be based anywhere in the world, which could include countries that may not offer the same legal protections for personal data as your country of residence. [For more information about how we safeguard the international transfer of your Personal Data, please click here.]

[Text behind “click here” link: Irrespective of which country your Personal Data is transferred to, We would only share your Personal Data on a strict ‘need to know’ basis and under appropriate contractual restrictions (such as AstraZeneca’s Binding Corporate Rules and EU Standard Contract Clauses). You may be entitled to receive a copy of AstraZeneca’s Binding Corporate Rules and/or AstraZeneca’s EU Standard Contract Clauses upon request by contacting AstraZeneca on privacy@astrazeneca.com.]

If you uninstall the application, personal information you have submitted through the application will be securely deleted unless AstraZeneca is required to store your personal data in accordance with local laws and the company's Document Retention Policy. For more information on AstraZeneca’s internal Document Retention Policy you may go to www.astrazenecapersonaldataretention.com.

If you have or plan to have a longer Privacy Notice/Policy associated with the Application/website, make reference to it. Example: For additional information on the way your personal data would be handled and your privacy rights, please read the Privacy Notice/Policy (add direct link) OR For additional information on the way your personal data would be handled and your privacy rights, please read the relevant section in your informed consent form.

You may contact AstraZeneca at www.astrazenecapersonaldataretention.com at any time to request access to the personal data we hold about you, to correct any mistakes or to request deletion of the same or withdraw your consent to certain types of processing of your personal data. [For more information about how AstraZeneca responds to such requests, please click here.]

[Text behind “click here” link: If such a request places AstraZeneca or its affiliates in breach of its obligations under applicable laws, regulations or codes of practice, then AstraZeneca may not be able to comply with your request but you may still be able to request that we block the use of your personal information for further processing. You may also have a right to data portability to another Data Controller under certain circumstances.]

AstraZeneca has assigned a data protection officer responsible for overseeing AstraZeneca’s compliance with EU and UK data protection laws, which you may contact at privacy@astrazeneca.com or by mail at the Global Data Protection Officer, Astra Zeneca Middlewood Court, Silk Road, Macclesfield, Cheshire SK10 2NA, in case of any questions or concerns regarding the processing of your personal data. If AstraZeneca’s processing of your personal data is covered by EU or UK law, you can also lodge a complaint with the corresponding data protection supervisory authority in your country of residence. You can find the relevant EU supervisory authority name and contact details under https://edpb.europa.eu/about-edpb/board/members_en and the UK data protection supervisory authority’s contact details under https://ico.org.uk/global/contact-us/.

For Clinical Study applications, add this sentence or similar: Stopping the application will not affect your usual care or participation in this study.

Last updated December 2021

AGREE AND INSTALL