Integrated Management Policy
INTENDED FOR THE KNOWLEDGE OF ALL OUTCOMES’10 STAFF AND INTERESTED PARTIES
The Management of OUTCOMES’10, a company dedicated to RESEARCH IN HEALTH RESULTS, HEALTH ECONOMICS, AND MARKET ACCESS, sets out its Integrated Management Policy, which will be the obligatory reference point for the Integrated System Management according to the UNE-EN-ISO 9001, ISO 27001, and RGPD standards in its relations with workers, clients, suppliers, and interested parties, and undertakes to ensure that it is disseminated, implemented and maintained at all levels of the organization.
OUTCOMES’10’s commitment is to achieve excellence in quality management and information management, involving in this commitment all stakeholders affected by the company’s strategy: employees, suppliers, customers, visitors, and society in general.
To that end, this Integrated Management Policy combines Quality Management, Information Security Management, and Data Protection, according to the following commitments, which meet the requirements established by the UNE-EN-ISO 9001, ISO 27001, and the RGPD.
OUTCOMES’10 Management assumes the following OBJECTIVES, considering them as fundamental axes of its business strategy:
- Integrated Management Systems and their improvement are the responsibility of all members of OUTCOMES’10 and require the participation and collaboration of everyone, from the Management to each of its workers, so this policy is disseminated to all OUTCOMES’10 staff for their knowledge, understanding, and compliance.
- Quality, Information Security, and Data Protection are obtained by planning, executing, reviewing, and improving the Integrated Management System, considering the organization’s internal and external context.
- Integrated Management Systems are oriented towards the satisfaction of all our customers (and interested parties) through the commitment of the entire organization to meet their needs and requirements, as well as the legal and regulatory requirements and those applicable to the lines of business developed by the organization and included in the scope of the Integrated Management System.
- Integrated Management Systems are based on the Continuous Improvement of both the production processes and service provision and the effectiveness of the Integrated Management System, in which preventing errors is a fundamental aspect.
- Integrated Management Systems direct us to pay maximum attention to technological evolution and the possible improvements that new technologies may make available to us.
Given that the main business activities (Health Outcomes Research, Health Economics, and Market Access) involve the management of highly confidential information, not only our own but also that of third parties, as well as sensitive personal data, OUTCOMES’10 Management establishes the following as specific PRINCIPLES of information security:
- The protection of personal data and the privacy of individuals.
- The safeguarding of the organization’s records.
- The safety of intellectual property rights.
- Documentation of the information security policy.
- Assigning security responsibilities.
- Information security training and education.
- Recording of security incidents.
- Business continuity management.
- Management of security-related changes that may occur in the company.
To this end, it acquires the following COMMITMENTS:
- To use the minimum data necessary to comply with the purposes indicated in each case, ensuring, as far as possible, the integrity and accuracy of that data.
- Define and implement the technical and organizational measures necessary to ensure the confidentiality, integrity, and availability of personal data based on estimating the risks that may affect the data processing.
- Ensure compliance with the right to information and obtaining consent for the processing of data and the possibility of exercising the rest of the rights contemplated by law (access, rectification, cancellation, opposition, automated decisions, portability, and limitation of processing).
- Assume the commitment to minimize and communicate security breaches and collaborate with the supervisory authority (Data Protection Agency) to resolve incidents or conflicts that may arise from non-compliance with the regulations.
- Prevention and detection of viruses and other malicious software through developing specific policies and establishing contractual agreements with specialized organizations.
- Business continuity management, developing continuity plans under internationally recognized methodologies.
- Establishing the consequences of security policy breaches, which will be reflected in the contracts signed with stakeholders, suppliers, and subcontractors.
- Acting within the strictest professional ethics and complying with all legislation applicable to its activity (indicated in the corresponding list of the ISMS) of a general (Commercial Code, Civil Code) and specific nature.
And makes available an INTEGRATED MANAGEMENT SYSTEM COMMITTEE:
- made up of the IMS Director, the IMS Manager, and the personnel involved in the correct functioning of the Integrated Management System, which may be assisted permanently or sporadically by external consultants;
- with a Secretary of the Integrated Management Committee, who is the IMS Manager (or person delegated by them) and whose functions are the preparation of meetings, the dissemination of their results, and the monitoring of the agreements reached;
- which reports to Management and whose functions include:
- coordinating and approving actions in the area of quality, information security, and protection of data;
- promoting culture in the three areas;
- assigning responsibilities among the members of the organization concerning the obligations related to the three areas;
- participating in the categorization of systems and risk analysis;
- reviewing and supporting documentation related to the integrated management system;
- resolving discrepancies and problems that may arise in the three areas;
- supervising and verifying compliance;
- initiating the sanctioning process in case of non-compliance.
HEAD OF INFORMATION SECURITY
OUTCOMES’10 has incorporated a specialized figure in the Information Security section to collaborate in the usual management of the implemented Integrated System.
The usual functions of this role are:
- To promote the information security culture;
- To participate in the categorization of systems and risk analysis;
- To review the documentation related to information security;
- To report any information to the person in charge of the Integrated Management System;
- To support the person in charge of the ISMS in ISMS matters.
DATA PROTECTION DELEGATE
OUTCOMES’10 has incorporated an external figure specialized in the Data Protection section to supervise the proper compliance with the rules on personal data protection in the organization and support the staff in charge of this section within the organization.
This Integrated Management Policy provides the reference framework for the continuous improvement of the Integrated Management System, as well as for establishing and reviewing its objectives. It is communicated to the entire organization through the document manager installed in the organization and through its publication on information panels. It is reviewed annually for its adequacy, and extraordinarily when special situations and substantial changes occur. It is available to the general public.
OBLIGATIONS OF THE EMPLOYEES
- All OUTCOMES’10 employees must know this Integrated Management Policy, which is mandatory within the identified scope, together with the rest of the policies established by OUTCOMES’10. It is the responsibility of the Integrated Management System Committee to provide the necessary means for the information to reach those affected.
- A continuous awareness program shall be established to cover all OUTCOMES’10 members, particularly the new ones.
- Third parties related to OUTCOMES’10, within the scope, sign an agreement with the company protecting the information exchanged.
- When OUTCOMES’10 uses services of third parties or transfers information to third parties, they shall be informed of this Security Policy. Such third parties shall be subject to the obligations outlined in this policy and may develop their own operational procedures to comply with it.
- Where any aspect of the policy cannot be satisfied by a third party, as required in the above paragraphs, a report from the Manager of the Integrated Management System specifying the risks involved and how they are to be dealt with shall be required. Approval of this report by those responsible for the information and services concerned will be required before proceeding further.
In Castellón, September 19, 2022
Director of Outcomes’10