STEP-IN Management Ltd.
Continued from “UK Bribery Act”
Third parties are now a routine factor of the business resourcing strategy for many companies. Reasons for using third parties include:
• Cost reduction, because the third party operates in an economy with lower wages or can use economy of scale to deliver the same number of workers but without the costs of pension and other overheads
• To separate out support activities in order to focus staff investment in areas core to the business
• Flexibility to provide extra resource to in-house staff to meet high demand rather than to resource in-house for those peaks
• The need for complementary skills that your business does not yet have or may not want to develop
and in addition,
• The desire to offload a discrete activity or piece of work and just have it delivered without any involvement, except paying for it.
To meet these varied roles, third parties operate differently – as service providers, contractors or business partners – but bring both the same and diverse compliance risks and responsibilities. Companies who hoped using a third party would keep compliance responsibility at arm’s length are mistaken.
Service providers will have tendered for contracts against your requirements, operate to set specifications and deliverables, and have their own infrastructure and premises.
When inviting tenders, a commissioning company’s code of conduct outlining its anti-bribery and corruption (ABC) commitment should be accessible and highlighted to potential third parties in such a way that there is no doubt that the same standards are expected of the service providers.
When awarding contracts, the company should follow purchasing and procurement processes which include objective business criteria and a consistent, systematic review process.
In an industry where networking is fundamental and career moves between service commissioners and providers are common, there should be no opportunity in the process for employees to steer the award of a contract to a particular bidder.
Contracts should give the commissioning company the right to impose sanctions, including termination, in the event of a violation relating to bribery.
Service providers will have their own policies and procedures and are bound by the same regulations and laws as the commissioning company. Most pharmaceutical companies recognise that attestation to a set of standards is not enough. Pre-audits should include:
• Review of key procedures and, if necessary, their revision
• (Sampled) checks on CVs and training records of staff who will work on the project
• Training curriculum and content.
Commissioning companies are sometimes tempted to specify delivery to their own internal procedures. This brings added responsibilities in terms of training the service provider staff and then holding training records on them. This, in turn, could add costs to the tender and reduce flexibility for the provider, as only staff trained by the commissioner can work on the project.
The commissioning company has to conduct due diligence including:
• Checking details of ownership, directorships held, existing partnerships and third party relationships and any relevant judicial or regulatory findings plus research of every person identified as having a degree of control over its affairs (especially important if foreign public officials may be executives of companies running outsourced services for government such as health services)
• Following up references and clarifying any matters arising from the due diligence
• Requesting sight or evidence of any potential provider’s own anti-bribery policies, reporting procedures and records.
Data privacy (DP) and protection
Where a service provider is collecting and using personal data on your behalf or because you are required not to have access to it, for example patient data, the commissioning company must assure itself that the service provider:
• Understands DP law and requirements
• Can manage, produce, safeguard and delete data as needed
• Has adequate processes to deal with breaches.
Any contract should make it clear which party is the Data Controller, where and under which jurisdiction the data will be held. Special attention should be paid to this where a supplier uses cloud computing to store data. (More on data protection in a later article.)
At some point in the future it would make sense for the industry to develop a kite mark or ISO regarding due diligence and data privacy such that service providers robustly demonstrate their fitness rather than customers needing to check.
Contractors, hired directly or via an agency, will work alongside in-house staff and use company infrastructure and premises.
Willingness to actively conform to the commissioning company’s code of conduct still applies.
In this situation, companies would need to specify delivery to their own internal procedures in which case training must be given and recorded.
In the case of contractors, the checks are more to establish that the individual is properly qualified to do the job by actively checking CVs and references.
Data privacy (DP) and protection
Contractors should be bound in their contract to apply the same care as employees. The special considerations here are making sure passwords are managed and access is appropriate. Where the same contractor is used on separate occasions the company must make sure that previous rights and accounts are not automatically set up which might allow inappropriate access to personal data.
Under section six of the Bribery Act a company must apply good practice and due diligence in its business relationships. Joint ventures and Joint Working are the subject of my next article.
About the author:
Jean has worked in the pharmaceutical industry for over 20 years, and is currently an interim manager addressing business compliance and records management with a special interest in e-marketing, Joint Working and the UK Bribery Act.
Former positions include Compliance Director for Schering Plough UK and Head of Clinical Programming and Medical Writing at Pfizer’s UK R&D. In previous roles Jean had responsibility for the development of GCP SOPs, Training and Clinical Trial process improvement, was Inspection Readiness lead during an MHRA inspection and was part of an EFPIA Task Force addressing the secondary use of Electronic Health Records for clinical trials and the privacy and data standards issues this concept raises.
Do third parties present cause for concern with compliance issues?