Data Privacy and Governance Policy
Effective as of: October 5, 2022
Our registry’s mission is to further research on autoimmune diseases and raise awareness of their prevalence and impact on public health. We collect patients’ diagnosis and treatment data with the aim of better understanding autoimmune diseases, both individually and as a major class of disease, reducing time to diagnosis, improving patients’ disease management strategies, and connecting patients to research opportunities aimed at improving patient outcomes.
ARI collects information from registrants related to their diseases, family history, diagnosis and treatment journeys. Upon registering with ARI, the registrant can opt in to be contacted for relevant research or clinical trials. ARI maintains user data with the following data principles:
ARI organizes and securely stores the data with firewall and access protections.
ARI will not provide patient identifying information to outside parties without the registrant’s consent.
ARI may publish or provide to third parties anonymous statistics related to autoimmune diseases and ARI’s registrants. Anonymous statistics are de-identified and do not contain any patient information.
ARI may email registrants who have agreed to be contacted for clinical trials with details on relevant studies. ARI will not disclose the registrant’s information to the trial sponsor without additional consent from the registrant to participate in the trial or screening process.
Researchers and other parties who use our data are bound by our data use agreements and are subject to our data policy.
Registrants consent to the share of their data through ARI’s Rules for Participation, which must be reviewed by the registrant prior to registration.
Registrants data will be retained for a period of 30 years, after which the registrant must re-consent, or their identifiable personal data will be deleted from ARI’s database and their survey information will be de-identified.
Registrants may revoke their consent at any time by notifying ARI via the contact form or by emailing us at aaron@autoimmuneregistry.org. Registrants may also request the deletion or modification of their data at any time by contacting ARI via the same means. Moreover, registrants may object to the processing of their data for certain purposes or request a copy of the data they shared with ARI by contacting us.
ARI does not use the data to predict or profile any individual registrant’s health or behavior. However, ARI does intend on publishing statistics that show aggregate trends in autoimmune diseases, symptoms, and comorbidities.
ARI will perform an annual data security and risk assessment, which will be presented to its Board of Directors.
In the event of a security breach that exposes the identifying information of less than 500 registrants, ARI will email the individuals to advise them of the breach. ARI will also immediately investigate the source of breach and formulate a remediation plan, to be presented to its Board of Directors for approval.
In the event of a security breach that exposes the identifying information of 500 or more registrants, ARI will email all of its registrants to inform them of the breach, the extent of the exposure, accounts compromised, and its remediation plan. In addition, ARI will publish the breach and related information on its website. ARI will also engage an outside vendor of adequate qualifications to assess the exposure and form a remediation plan.
ARI will establish an independent Community Advocacy Committee, with members from the patient, physician, and research communities, to represent the interests of all stakeholders. The Committee may develop further guidelines and/or clarifications for ARI to adhere to its data principles. The Committee will meet at least annually to review ARI’s data policy and its implementation to ensure that user data are securely stored and used in accordance with the above principles.