The Clinical Register

Data privacy and security

The Clinical Register

Data privacy and security

We protect confidentiality and maintain a secure registry record through technical safeguards, controlled access, and clear privacy rules. This page explains what we collect, how we use it, how it is protected, and what rights you have.

Encryption Access control Audit trails Minimization
 
Important: Submissions must not include personal identifiers, participant level data, or protected health information. If such data is detected, we may restrict access, request revision, and apply privacy remediation steps. 

1) Scope and principles

Privacy and security controls are built around minimization, transparency, and accountable stewardship of registry data.

  • Purpose limitation: we use data to operate the registry, maintain record integrity, and meet legal obligations.

  • Data minimization: we collect only what is needed for registration, governance, and security.

  • Confidentiality: platform access is controlled and monitored.

  • Integrity: versioning and audit trails preserve a citable record.

  • Security by design: safeguards are embedded across infrastructure and processes.

2) What we collect

The Clinical Register collects limited personal and study related data required for transparent registration and platform operation.

Account data
Name, professional email, affiliation, role, and contact information required for authentication and stewardship.
Registration data
Study details such as title, design, outcomes, recruitment status, investigators, approvals or ethics status when provided, and structured metadata used for indexing and transparency.
Technical and security logs
IP address, device and browser metadata, timestamps, and administrative action logs used for security monitoring and abuse prevention.
We do not require participant level data. Do not upload patient identifiers, medical record numbers, dates of birth, full dates linked to individuals, addresses, faces, or any direct identifiers.

3) How we use data

Data is used to provide registry services, preserve record integrity, and protect users and the public record.

  • Operate the platform: account creation, authentication, notifications, and support.

  • Maintain the public record: registration display, version history, and citation continuity.

  • Quality and completeness checks: validation of required fields and policy alignment.

  • Security and fraud prevention: detect misuse, protect against unauthorized access, and investigate incidents.

  • Legal compliance: respond to lawful requests and meet applicable regulatory obligations.

4) Security controls

We apply layered safeguards to protect data in transit, at rest, and during administrative operations.

Core protections
Encryption, role based access controls, monitoring, and auditable administrative actions.

  • Encryption in transit: TLS SSL for data transmission.

  • Encryption at rest: encrypted storage for databases and backups.

  • Role based access: least privilege permissions for staff and administrators.

  • Multi factor access: strengthened authentication for privileged accounts.

  • Logging and audits: security and administrative events are recorded and reviewed.

  • Change management: documented review of standards and platform updates.

5) Data sharing and third parties

We do not sell or rent personal data. Limited sharing may occur only to operate the registry and meet lawful obligations.

  • Service providers: hosting, infrastructure, and monitoring providers bound by confidentiality and security obligations.

  • Indexing and identifiers: registry metadata may be shared to support discoverability and citation workflows.

  • Legal disclosures: we may disclose information when required by law or to protect platform safety and integrity.

Where third parties process data on our behalf, we use contractual safeguards and access restrictions appropriate to the risk.

6) Retention, versioning, and deletion

Registry records are designed to remain citable and auditable. We prioritize versioning over deletion.

Default approach
Material changes are published as new versions with timestamps and reasons for change. Earlier versions remain accessible as part of the audit trail.

  • Account data: retained while your account is active and as needed for security, audit, and legal compliance.

  • Registration records: retained to preserve the scientific record, including version history.

  • Deletion requests: we assess requests in line with law and registry integrity; public record elements may remain as an archived entry.

  • Exceptional removal: may occur for privacy violations, unlawful content, or serious safety concerns, with a minimal tombstone record where appropriate.

7) Incident response

We maintain procedures to identify, contain, investigate, and remediate suspected security incidents.

  1. Detection: monitoring and alerts identify abnormal access patterns and suspected misuse.

  2. Containment: we may restrict access, rotate credentials, or apply temporary controls.

  3. Investigation: logs and evidence are reviewed to determine scope and impact.

  4. Notification: affected users are notified when required by law or when risk warrants communication.

  5. Remediation: corrective actions are implemented and documented.

8) Your rights and contact

You may request access, correction, or deletion where legally permissible, and you may report privacy or security concerns.

What to include
Account email, Registration ID if relevant, request type (access, correction, deletion, privacy concern), and any supporting details.
Where to send
Use the Contact page form or the official privacy and security email address listed on that page.
Applicable frameworks: we align with GDPR, PIPEDA, and relevant local requirements where applicable.

Privacy protections support trust in the registry record

Submit only non identifying study information, update responsibly, and report concerns promptly.

Last updated: 2026-02-16