1.0    PURPOSE

This Privacy Manual has been compiled so that employees are aware of what types of personal information and other legally protected data (“Personal Data”) are processed for subjects, vendors, and the employees themselves. There are various categories of data to which protection will be provided. As these categories and the policies concerning them may be updated from time to time, please continue to refer to this Manual and the policies noted herein so that you remain apprised of any changes to the information presented.

2.0    SCOPE

This Privacy Manual applies to all Leading Edge Pharms, Inc. (“Leading Edge”) and its wholly owned subsidiaries (herein “Leading Edge”) employees. All employees must read this Privacy Manual in full. Employees performing data processing tasks for study participants, employees, consultants or vendors are doing so on behalf of Leading Edge Pharms as the data controller.

This Privacy Manual is particularly focused on how Personal Data is processed and transferred in the United States (“US”) in conformity with the General Data Protection Guidelines (referred to herein as the “GDPG”).

3.0    DATA PROTECTION PRINCIPLES

In the US, there is no single, comprehensive federal (national) law regulating the collection and use of personal data. There are, however, many guidelines developed by federal and state governmental agencies and industry groups that do not have the force of law but are part of self-regulatory guidelines and frameworks considered “best practices”. These self-regulatory frameworks have accountability and enforcement components that are increasingly being used as a tool for enforcement by regulators. The aggregate of these federal and state guidelines is referred to above as the General Data Protection Guidelines, or GDPG.

There is already a panoply of federal privacy-related laws that regulate the collection and use of personal data. Some apply to particular categories of information, such as financial or health information, or electronic communications. Others apply to activities that use personal information, such as telemarketing and commercial e-mail. In addition, there are broad consumer protection laws that are not privacy laws as such but have been used to prohibit unfair or deceptive practices involving the disclosure of, and security procedures for protecting, personal information.

Some of the most prominent federal privacy laws include, without limitation, the following:

  • The Federal Trade Commission Act (15 U.S.C. §§41-58) (FTC Act) is a federal consumer protection law that prohibits unfair or deceptive practices and has been applied to offline and online privacy and data security policies. The FTC has brought many enforcement actions against companies failing to comply with posted privacy policies and for the unauthorized disclosure of personal data. The FTC is also the primary enforcer of the Children’s Online Privacy Protection Act (COPPA) (15 U.S.C. §§6501-6506), which applies to the online collection of information from children, and the Self-Regulatory Principles for Behavioral Advertising.
  • The Financial Services Modernization Act (Gramm-Leach-Bliley Act (GLB)) (15 U.S.C. §§6801-6827) regulates the collection, use and disclosure of financial information. It can apply broadly to financial institutions such as banks, securities firms and insurance companies, and to other businesses that provide financial services and products. GLB limits the disclosure of non-public personal information, and in some cases requires financial institutions to provide notice of their privacy practices and an opportunity for US citizens and residents to opt out of having their information shared. In addition, there are several Privacy Rules promulgated by national banking agencies and the Safeguards Rule, Disposal Rule, and Red Flags Rule issued by the FTC that relate to the protection and disposal of financial data.
  • The Health Insurance Portability and Accountability Act (HIPAA) (42 U.S.C. §1301 et seq.) regulates medical information. It can apply broadly to health care providers, data processors, pharmacies and other entities that come into contact with medical information. The Standards for Privacy of Individually Identifiable Health Information (HIPAA Privacy Rule) (45 C.F.R. Parts 160 and 164) apply to the collection and use of protected health information (PHI). The Security Standards for the Protection of Electronic Protected Health Information (HIPAA Security Rule) (45 C.F.R. 160 and 164) provides standards for protecting medical data. The Standards for Electronic Transactions (HIPAA Transactions Rule) (45 C.F.R. 160 and 162) applies to the electronic transmission of medical data. These HIPAA rules were revised in early 2013 under the HIPAA “Omnibus Rule”.
  • The HIPAA Omnibus Rule also revised the Security Breach Notification Rule (45 C.F.R. Part 164) which requires covered entities to provide notice of a breach of protected health information. Under the revised rule, a covered entity must provide notice of acquisition, access, use, or disclosure of PHI in a manner not permitted under the Privacy Rule, unless the covered entity or business associate demonstrates that there is a low probability that the protected health information has been compromised.
  • The Fair Credit Reporting Act (15 U.S.C. §1681) (and the Fair and Accurate Credit Transactions Act (Pub. L. No. 108-159) which amended the Fair Credit Reporting Act) applies to consumer reporting agencies, those who use consumer reports (such as a lender) and those who provide consumer-reporting information (such as a credit card company). Consumer reports are any communication issued by a consumer reporting agency that relates to a consumer’s creditworthiness, credit history, credit capacity, character, and general reputation that is used to evaluate a consumer’s eligibility for credit or insurance.
  • The Electronic Communications Privacy Act (18 U.S.C. §2510) and the Computer Fraud and Abuse Act (18 U.S.C. §1030) regulate the interception of electronic communications and computer tampering, respectively. A class action complaint filed in late 2008 alleged that internet service providers (ISPs) and a targeted advertising company violated these statutes by intercepting data sent between individuals’ computers and ISP servers (known as deep packet inspection).

Personal Data relates to a natural individual who can be identified, directly or indirectly, from that data or information. Identification can be by the data or information alone or in conjunction with any other data or information in the data controller’s possession or which is likely to come into such possession. The processing of Personal Data of US citizens or residents is governed by the GDPG.

The term “processing” includes any operation or set of operations performed on Personal Data, whether or not by automated means, such as collecting, recording, organizing, structuring, storing, retrieving, consulting, using, disclosing, disseminating, adapting or altering, and otherwise making available the data.

GDPG recognizes that non-US businesses processing Personal Data may follow GDPG requirements by following contractual provisions contained in US Standard Contractual Clauses as required by the US Directive on Data Protection. However, the basic principles contained herein apply to processing Personal Data whether transmitted from the US or to the US from any other countries in which Leading Edge does business. As various countries may have special rules, they will also be addressed as necessary under applicable local law.

The GDPG provides extensive privacy protections and rights to individuals in the US. The GDPG applies to any organization operating within the US as well as any organizations outside the US which offer goods or services to individuals or businesses in the US. The GDPG applies to Personal Data about individuals (including vendors and employees) located in the US, regardless of where the data resides. The potential penalties for GDPG non-compliance are severe.

4.0    US CITIZENS AND RESIDENTS RIGHTS REGARDING PERSONAL DATA

GDPG grants US citizens and residents a range of specific rights they can exercise in regard to their Personal Data including:

  • Right to access their Personal Data and information about that data, such as uses and location;
  • Right to rectification (correction) of any inaccurate Personal Data;
  • Right to erasure (right to be forgotten) – this is the right to request their Personal Data be erased where it is no longer necessary for Leading Edge to retain such data;
  • The right to withdraw their consent to or restrict the processing of the Personal Data at any time;
  • The right to data portability including the right to receive and transfer Personal Data to another party;
  • The right, where there is a dispute in relation to the accuracy or processing of their Personal Data, to object to use or further processing; and
  • The right to lodge a complaint against Leading Edge with governmental agencies or Data Protection Authorities as provided for in the GDPG.

US citizens and residents may exercise their rights to data rectification, erasure, portability, access and/or restricted processing by sending their request to the Leading Edge Privacy Team at privacy@LeadingEdge.com. The Privacy Team is led by Leading Edge's Director of Compliance, Kyle Chadwick, who can be contacted at kchadwick@LeadingEdge.com or 1.800.813.0013.

5.0    PRIVACY STATEMENT

Leading Edge is committed to conducting its business ethically and in compliance with all applicable laws, guidelines, and policies. Leading Edge has deployed global data protection compliance efforts for the protection of all personal data Leading Edge processes. Leading Edge has elected to adhere to enforcing the GDPG, concerning the transfer of personal identifiable data in and from the United States of America.

The term “processing” includes any operation or set of operations performed on Personal Data, whether or not by automated means, such as collecting, recording, organizing, structuring, storing, retrieving, consulting, using, disclosing, disseminating, adapting or altering, and otherwise making available the data.

5.1  Who We Are

Leading Edge is a biotechnology company that develops and commercializes innovative cannabinoid products and novel delivery systems for therapeutic molecules that aim to improve consumers' quality of life. Leading Edge is developing a pipeline of products intended to address unmet medical needs and the clinical shortcomings of existing commercial products.

5.2  Sources of Personal Data

Leading Edge's business activities include the conduct of clinical trials, commercial activities related to plant-made compounds (PMCs) and delivery systems, and general business management activities. In the course of conducting these activities, Leading Edge collects personal data pertaining to clinical trial staff and study participants, employees, and vendors.

5.3  Types of Personal Data

The personal information Leading Edge collects may include the following:

  • Name and contact information
  • Demographics
  • Location Data
  • Personal Health Information
  • Account and/or Payment Information

5.4  Use of Personal Data

Leading Edge is a data controller according to the GDPG, which means that Leading Edge determines the purposes (“why”) and the means (“how”) by which personal data is processed. The personal data of clinical trial staff and study participants is typically used to assess the safety and efficacy of Leading Edge products. Employee and vendor information is generally used for business purposes such as employment status, work completion, and billing/payment information.

5.5  Sharing Your Personal Data

For US citizens and residents who are clinical trial participants, please refer to your clinical trial documentation for more information on third-party vendors who may receive access to your personal information. Additionally, you may send an inquiry to the Leading Edge Privacy Team at privacy@LeadingEdge.com.

For US citizens and residents who are not clinical trial participants, personal information may be shared with business service vendors covering areas such as payroll, billing, and employee benefits. Additionally, Leading Edge may share personal information in response to lawful requests by public authorities, including to meet national security, law enforcement, and tax and reporting requirements.

5.6  Data Protection Compliance

Leading Edge complies with its obligations under the GDPG by keeping personal data up to date; by storing and destroying it securely; by not collecting or retaining excessive amounts of data; by protecting personal data from loss, misuse, unauthorized access and disclosure and by ensuring that appropriate technical measures are in place to protect personal data.

Personal data provided to Leading Edge may be stored in data centers in the United States.

5.7  Further Data Processing

Leading Edge will not further process any personal data for a new purpose not covered by existing processing agreements without providing impacted persons with a new notice explaining this new use. Where and whenever necessary, Leading Edge will seek prior consent to the new processing.

5.8  Cookies and Website Privacy Practices

The Leading Edge website uses cookies, tracking pixels and related technologies. Cookies are small data files that are served by our platform and stored on your device. When anyone visits Leading Edge's website, Leading Edge does not track Personal Data, names or email addresses. Instead, Leading Edge may track which Internet Service Provider has accessed the site, as well as statistics that show the number of site visitors, any requests received, and the country from which each request originated. This information may be used to improve our site.

5.9  Confidentiality

Leading Edge treats all material provided to us from our Clinical Trial Staff and Participants, Employees, and Vendors collectively, (“CEVs”) as confidential in accordance with current confidentiality agreements.

Confidentiality provisions are required as part of all clinical trials as well as our contracts with all of our vendors and employees; each separate entity must sign a confidentiality agreement prior to becoming affiliated or working with Leading Edge. All vendors who will be processing personal data are required to sign the US Standard Contractual Privacy Clauses.

Except as may be required by law or during a registrar or regulatory audit, Leading Edge will not provide this data to a third party without the consent of the CEV concerned.

5.10  Email Correspondence

All emails sent to Leading Edge are routed through data servers in the United States. This means all email correspondence originating outside of the United States with an end destination other than the United States still must travel through the United States before arrival at the desired location.

5.11  Limiting Use/Disclosure of Personal Information

US citizens and residents have a choice concerning what personal data is accessed, used or retained by Leading Edge. For business purposes, it is necessary for Leading Edge to maintain certain contact information and/or billing information. Any further questions concerning personal data storage, access, and usage may be discussed with the Leading Edge Privacy Team by contacting privacy@LeadingEdge.com.

5.12  Access and Correction

US citizens and residents may request from Leading Edge a copy of the personal data it has collected about them, in accordance with applicable law. US citizens and residents also have the right to correct, amend or delete information when it is inaccurate. This information can be corrected and/or discussed with the Leading Edge Privacy Team by contacting privacy@LeadingEdge.com.

5.13  Data Integrity

Leading Edge is dedicated to ensuring that all data maintained is accurate, updated, and relevant for the agreed-upon use. Leading Edge will take all required steps to ensure the data is accurate, complete and current.

5.14  Data Security

Leading Edge has strict physical and logical security procedures to ensure that all electronic and paper records are secured. Leading Edge's information security is managed internally and is routinely audited to ensure conformity with Leading Edge procedures and recommended industry standards such as the Health Insurance Portability and Accountability Act (HIPAA) and the GDPG.

5.15  Data Retention

Leading Edge will only retain personal data for the timeframe necessary to complete its business purposes, such as through the regulatory approval process. Although US citizens and residents have the right to request the deletion of personal data pertaining to them, Leading Edge, as permitted by applicable law, will continue to maintain its records in such a way that Leading Edge may retain its historical knowledge and relationships concerning any legal or regulatory inquiries which may later arise. This practice is in the best interests of both parties, so that identifying information relating to a matter is accessible but sufficiently discrete.

5.16  Privacy Complaints

In compliance with the GDPG, Leading Edge commits to resolve complaints about our collection or use of your personal information. US citizens and residents with inquiries or complaints regarding our Privacy Policy should first contact the Leading Edge Privacy Team at privacy@LeadingEdge.com. Your inquiry or complaint will be responded to within 45 days of receipt.

Leading Edge has further committed to cooperate with GDPG authorities with regard to unresolved Privacy Policy complaints concerning HR and job-related data transferred in and from the US. If you do not receive timely acknowledgment of your complaint from us, or if we have not addressed your complaint to your satisfaction, please contact the Federal Trade Commission (FTC) for more information or to file a complaint. The services of the FTC are provided at no cost to you.

5.17  Enforcement

Leading Edge will use its best commercial efforts to ensure that compliance with the GDPG is maintained and that this document is accurate, comprehensive, and continues to conform to applicable laws and regulations. Leading Edge will verify compliance with data privacy requirements not less than once per year and will document the compliance review. Leading Edge is subject to the investigatory and enforcement powers of the FTC with respect to GDPG compliance.

5.18  Onward Transfer to Third Parties

In the context of an onward transfer, Leading Edge has responsibility for the processing of personal information it receives under the Privacy Shield and subsequently transfers to a third party acting as an agent on its behalf. Leading Edge would remain liable under the Principles if its agent processes such personal information in a manner inconsistent with the GDPG, unless Leading Edge is proven to be not responsible for the event giving rise to the damage.

6.0    CLINICAL TRIAL STAFF AND PARTICIPANTS

Clinical Trial Staff and Participants must receive, consent to, and sign off on the proper clinical trial documents such as the contracts or the Informed Consent Form.

7.0    EMPLOYEES

Leading Edge stores Personal Data concerning its employees for business purposes such as paying taxes, providing benefits and issuing payroll payments, and for any other legal purposes. This information is stored as part of Leading Edge's accounting and administrative systems. The information is secured and only accessible by Human Resources and other applicable departments, applicable managers, and the employees themselves. Data will be deleted from time to time, in accordance with applicable law, after Leading Edge Pharms no longer needs such information for business use. Employees may have information edited on an as-needed basis and may discuss any issues regarding such information with their managers and representatives of the Human Resources department. Except as may be required by law, business practices, or during an audit, Leading Edge will not provide this data to a third party without the consent of the employee.

Generally, Leading Edge makes non-work contact information (cell phone, home phone, and email address) accessible to other employees within Leading Edge for the purpose of emergency contact. Additionally, Leading Edge may post personal information regarding education, experience, and promotions, as well as pictures of the employee, on its intranet and maintain such information as part of Leading Edge's administrative business purposes. Intranets are secured and have limited access. If an employee wishes to have such information removed from posting in this manner, the employee is required to advise the Human Resources department in writing so that the information can be removed. If an employee wishes to edit or change the information on a Leading Edge intranet site, the employee may do so by sending an email requesting such change to Human Resources.

Employees are not permitted to share subject, study, vendor or employee data with or disclose same to any third party without written consent by an authorized representative of Leading Edge. Any misuse of this data for personal or financial gain is also prohibited.

Leading Edge is obligated to enforce the policies explained in this Manual, and in the event of any failure by an employee to observe their contractual obligations or any provisions of this document, they will be subject to disciplinary action, up to and including termination of employment.

8.0    VENDORS

All vendors who receive personal information must receive, consent to, and sign off on the US Standard Contractual Privacy Clauses or Business Associate Agreements as applicable. All vendors who receive personal information must also sign a contract detailing their agreement to observe the requirements described and set forth in this Manual.

9.0    DISCLOSURE / TRAINING

Leading Edge provides annual training regarding this document and data privacy practices to all employees.

10.0   REVISION HISTORY

Revision No., Date, and Reason for Change