Managing Privacy and Data Protection requirements in the Pharmaceutical and Biotech world can be a highly complicated matter. At the core, the same type of enterprise privacy program that an entity in most other industries would seek to have in place is necessary, including the standard elements such as policies, procedures, transfer strategy, training, communications, and monitoring of program compliance. But in the pharmaceutical world, the drivers for the enterprise program and many sub-components are comprised of much more than just multi-jurisdictional Data Protection Acts. Pharmaceutical and biotech entities are also subject, for example, to Ethics Committees rules and Pharmacovigilence/Safety requirements that add new layers to already complex privacy and data protection requirements. And the complexities only build from there, with industry requirements such as clinical trial data sharing and financial reporting requirements on top of emerging concerns like storage of patient data in the cloud. In order to effectively manage the privacy issues, it’s helpful to view the issues that arise in the context of the drug development and commercial lifecycles. This is the first of a 2-part article addressing the drug development stage.
Drug Development and Clinical Research
During the Clinical Research phase, the privacy rights of – and your obligations to – a number of parties must be considered. Data Subjects will likely include the principal investigators, their staff, patients, and in many instances members of patient families. In addition, throughout this and all stages of the product lifecycle, the Pharmaceutical company (the research “sponsor”) will need to remain aware of its employee’s interaction with personal information, as well as the manner in which their information is collected and processed.
A number of privacy impacting activities take place during the clinical research phase and they need to be managed carefully. The processing of patient information is subject not only to the various data protection laws in play (for example, HIPAA in the US, PIPA in Japan or the EU Data Protection Directive and its implementing regs in Europe), but also in many instances subject to the authority of Ethics Committees which in many countries establish specific terms for the conduct of a trial. Ethics Committees can set the requirements, for example, for the manner in which patient data must be key-coded or otherwise anonymized, and whether such information can or cannot be shared with the trial sponsor. In order to commence a trial, the sponsor must agree to and be bound by the terms set by the Ethics Committees and have controls in place to ensure that these terms are met.
CROs and Determining Which Party Controls the Data
Once the terms of the Ethics Committees for in-scope countries are established, the sponsor often must address the management of a third party clinical research organization’s (CROs) handling of personal information of study participants. Of course, the requirements of the various Ethics Committees in this regard, as well as the data protection acts for the countries in which the trials will take place must be considered. In nearly all instances of a study sponsored by a pharma or biotech, that entity will be viewed by relevant data protection authorities as the data controller (or equivalent, depending on countries in scope). This creates an interesting scenario in which the data controller never receives identifying information about the individual data subjects. As the controller the sponsor is obligated to ensure that proper controls are in place to enable the handling and processing of personal information in accord with the applicable data protection acts and Ethics Committee rules. While the CRO may be experienced in and adept at addressing these requirements, it is still incumbent on the data controller to ensure that controls are, in fact, in place. While the manner by which controls are implemented will vary, the objective can often be accomplished by a combination of contractual requirements and appropriate up-front due diligence.
Some studies are conducted as “Investigator Sponsored”, and in those instances the controller/processor determination may be less clear. An investigator sponsored trial is typically one in which the sponsor is a physical person such as a physician, or a not-for-profit organization such as a governmental body, a hospital, a university, or a research group. As always, controller/processor determinations must be based on the facts of the processing. While it may be difficult to understand how in some instances where the Pharmaceutical entity is the sponsor, it can be considered the controller despite never receiving identifiable patient information, likewise, the investigator sponsor may be considered a controller despite the fact that at the end of the day, they are using protocols established by the Pharmaceutical company in order to conduct research on a product that company produces (and with a likely benefit to the company).
Adverse Event Data
With every phase of clinical research, a process must be in place to handle intake of adverse events. Adverse events and the reporting thereof will occur in a number of scenarios, each with its own complexities which must be carefully navigated. For example, a healthcare professional (“HCP”) will frequently contact the pharmaceutical company with an adverse event report about one of his or her patients. Safety reporting requirements may require the collection and processing of certain identifiable data elements (e.g., age, gender, disease, locale, ethnicity) of the patient which could readily enable identification of that individual. However, the sponsoring pharmaceutical company almost certainly does not have the consent of the patient to collect and process this data, as they will have no direct relationship or past interactions. In such instances, the appropriate action on the part of the sponsor is not always clear. And there really is no single consistent view on this, with somewhat divergent views coming from different parts of the world. In the UK, for example, guidance from the Association of the British Pharmaceutical Industry provides that, “[r]egardless of whether a data subject is the person who has suffered an AE or is a person reporting the AE (e.g., a HCP or a patient’s relative), it is not necessary to obtain consent from the data subject in order to process personal data relating to the data subject for the purposes of pharmacovigilence.” Some other countries, Germany for example, have data protection authorities which may take a more restrictive view and require consent of the individual. In all instances however, the data subject should be informed as soon as is feasible of the collection and use of their personal information. Regardless of the countries in which your entity operates, public health and safety considerations must be weighed along with the individual’s right to privacy (which may be a fundamental right, depending on the jurisdiction).
In other instances a patient with an adverse event or product complaint may call the trial sponsor directly, creating another privacy dilemma. In such instances, many countries require explicit written consent in order to process identifiable health information. In situations such as adverse event reports, it may be highly important that the sponsor is able to share the patient’s identifiable information with his or her HCP so that the HCP can immediately follow up. In other instances it can be critical to the pharmaceutical sponsor that it is able to follow up on the adverse event with the individual in order to understand the course that the AE has taken. Such information can impact the research at hand and may have immediate health and safety repercussions. However, questions may arise, such as whether, when explicit consent is required, verbal consent on the telephone suffice. In some jurisdictions it likely will, if supported by a documented process and trained intake representatives, but in others only written consent will meet the required standard and a consent form must be mailed to the data subject and returned to the pharmaceutical company. If not returned, a process should be in place to enable complete anonymization so that the patient cannot be re-identified. This can be a challenge, as in some instances, the minimum information that safety requirements call for could lead to the identification of the individual. In any scenario it is important, as mentioned above, to weigh the public health and safety considerations against the privacy rights of the individuals in question. Although a single cross-jurisdictional solution may not be 100% compliant all of the time, a defensible position combined with an appropriate risk analysis may represent an acceptable model for may pharmaceutical and biotech entities.