Managing Privacy and Data Protection requirements in the Pharmaceutical and Biotech world can be a highly complicated matter. In part II of this two-part article, we take a look at some of the challenges surrounding storage, transfer, access requests and clinical trial data sharing.
Storage and Transfer of Clinical Research Information
Storage and transfer of information produced during clinical research, which may include (in some instances) patient-level data, presents another challenge for privacy professionals. Depending on the countries in which clinical research is being conducted, a legal mechanism for the transfer of personal information may be required before transferring data across international borders, particularly if the data is originating from with the EU or the European Economic Area (EEA). Options in such instances may include Safe Harbor certification for transfers to a US-located recipient, Model Contracts or Binding Corporate Rules. Direct consent is also an option, but this is always revocable by the individual and is often frowned upon by enforcement agencies such as data protection authorities in instances where the transfers are recurring and involve large amounts of data. The decision of which mechanism to use will be dependent in part on the facts of the transfer (e.g., data going to the US only; data going to third parties in non-US countries) and whether the country of origin has specific transfer requirements. Regardless, the party making the transfer should always consider the type of data being transferred, and if identifiable patient data is included, special care should be taken to safeguard that data. Breaches of either patient or HCP personal information can prove costly from reputational and financial perspectives. In the pharmaceutical world, trust of both patients and HCPs is paramount.
The storage of personal information of clinical research patients, HCPs or other parties leads to a number of additional issues and potential pitfalls. In-house storage by the pharmaceutical company may provide what appears to be a secure solution, but it is absolutely worth considering whether the data security in place for a company whose primary objective is research, development and marketing of pharmaceutical products is as good as a company whose sole purpose is the secure storage of data. Third party cloud-based solutions are increasingly common and popular options. But outside of the US, cloud-based storage – particularly storage of identifiable patient information – can prove challenging. Generally speaking, European citizens and legislators are less trusting of having personal information (and particularly sensitive health information) stored in a cloud environment outside of the country in which they reside. This can lead to hurdles such as the general requirement to inform data subjects (study participants, investigators and staff) of cross-border transfers of personal information – transfers to which they may object. Regulators are equally cautious when it comes to the storage of such data in clouds environments. In France, for example, cloud-based storage of personal health information is subject to a law requiring that the cloud service provider is accredited by the Shared Healthcare Information Systems Agency, a department of the Ministry of Health. The strict accreditation procedure includes (amongst many other requirements) that the cloud provider have a physician on staff. In other countries, the regulatory climate toward cloud storage of personal information varies quite a bit, but in the post-Snowden/NSA world of data, non-US countries are far less fond of US-based cloud solutions than they once may have been, and this requires consideration when making decisions about storage of clinical research information.
Clinical Trial Data Sharing
The management and safeguarding of personal information in clinical trials is further complicated by obligations imposed by the PhRMA/EFPIA Clinical Trial Data Sharing Principles. The Principles call for the sharing, under specified conditions, of patient-level clinical trial data, “subject to terms necessary to protect patient privacy”. The difficulty comes in determining exactly what patient-level data can be shared while protecting patient privacy. For example, factors such as age, gender and ethnicity can impact the efficacy of a therapy during a trial. If these data elements must be shared, it could be relatively easy to combine these elements with, for example, the disease and locale of the research, to identify the individual. Pharmaceutical companies have been working to establish protocols which will meet the strong public interest goals of the Principles, but there is not a consistent approach to which data elements will be deleted, encrypted or otherwise obfuscated, and which data elements will be shared.
Handling Access Requests
Finally, a pharmaceutical company needs a process to handle data subject access requests, which appears straightforward, but has some wrinkles to consider. For example, in cases where a data subject objects to the further processing of his or her personal identifying adverse event information, the pharmaceutical company may not, in all instances, be obligated to block or delete such information. This is often the case if the processing is being performed to fulfill a legal obligation arising from safety and phamacovigilence obligations. However, because the data protection acts and legal requirements vary from country to country, local expertise should be obtained before deciding not to comply with such a request. Regardless, the company should always respond to the request with a full explanation of its actions in response. While a general data access/correction/amendment/objection process is necessary and will often suffice even in the pharmaceutical context, care must be taken to identify industry-specific outlier scenarios.
Privacy Skills and Industry Knowledge
Privacy and data protection in the pharmaceutical and biotech environments is fraught with multiple levels of complexity and pitfalls coming from inconsistent and often conflicting legal requirements, industry requirements from multiple countries and cultures, and the demands and expectations of patients, health care professionals and third parties. The management of these issues requires strong privacy and data protection skills, deep industry knowledge, a pragmatic, risk-based approach and support from internal and external resources. With those components in place, the pharmaceutical privacy professional will be in an excellent position to navigate their way to a successful enterprise privacy program which supports the business and respects the privacy of those individuals who trust the entity with their personal information.