Privacy and Data Protection in Pharmaceutical and Biotech - Part III

Post-Market Authorization

(Production and Commercial Availability)

When a therapeutic product has finally made it through the painstakingly long process to a successful commercial launch, new interactions with individuals and new types of processing of personal information occur. The pharma or biotech must now consider the rights of – and its obligations to – patients, potential patients and HCPs, as well as its ongoing obligations to its employees. These rights and obligations will arise across numerous and diverse activities, such as marketing the product, adverse event intake, product complaints, medical information requests, patient assistance programs and the use of medical devices.

Pharma Marketing, Consent and Exceptions to Consent

Once a product has received required authorizations in the various countries in which it will be commercially available, marketing activities will require the attention of the privacy professional. While engaged in marketing activities, the pharma or biotech will have interactions with, amongst other parties, Key Opinion Leaders (KOLs), HCPs, potential patients and those patients’ friends and relatives. HCPs are the primary “customers” of a pharmaceutical company and its prescription products. They are the parties that typically make decisions about which products to prescribe to their patients, and as such communication to and with these individuals is critical to the success of the product.

A pharma or biotech will maintain records about identifiable HCPs – sometimes numbering in the millions – in order to engage and build relationships with those individuals with a shared end goal of getting products to those in need. Often these records are provided by third parties, which, in many cases, will have obtained consent for the collection and use of that information. However, in a global environment, once the HCP information is used as determined and directed by the pharmaceutical entity, a legitimate basis for processing will very often be required. One such basis is consent. But gathering and managing consent from a large universe of HCPs is quite a challenge for a variety of reasons (e.g., sheer volume, reluctant individuals, managing revocations of consent, etc.). It is, therefore, advantageous to have an alternative to consent.

In many European countries where consent is the baseline requirement, section 7(f) of the EU Data Protection Directive (and its country-specific implementing regulations) provides a viable alternative. It’s worth noting that the 7(f) exception is largely carried over to the General Data Protection Regulation, which will be enforceable in mid-2018. Briefly stated, section 7(f) requires a legitimate interest balanced against the rights of the individual. In this instance the pharmaceutical company has a legitimate business interest in processing HCP personal information in order to enable the prescribing of its products to patients, ultimately providing health benefits and potentially saving lives. The HCPs’ interests largely coincide with that of the pharmaceutical company. While they certainly want to maintain and protect their fundamental rights to privacy, they also want to learn about new products and in the end, get those products to their patients in order to treat them in the most effective manner. The processing of their personal information by the pharmaceutical company supports and furthers these interests. While each pharmaceutical entity must analyze this balance according to the facts and circumstances unique to its business, their legitimate business interest largely aligns with a core interest of the HCPs.

Email Marketing

Even something as seemingly straightforward as communicating with an HCP or KOL via email about a pharmaceutical product can be fraught with privacy risks. In the US, the sending of unsolicited commercial email must, of course, comply with the CAN-SPAM Act, which presents requirements that are relatively easily met. In Europe, the sending of such emails requires direct, explicit consent under the ePrivacy Directive. While there are some exceptions, and those should certainly be explored, by and large, in order to send unsolicited commercial emails, prior consent will be required. This will likely even be the case in instances where, for example, the pharma or biotech would like to send an email invitation to an HCP or KOL for a webinar discussing solely scientific facts related to a disease. A core question that should be addressed is whether any of the objectives of the information being shared by the pharma in the webinar are to ultimately benefit the company. If the answer to that question is yes, consent will likely be required prior to the sending of the email invitation.

Are you Creating “Personality Profiles”?

Maintaining information about, and relationships with, KOLs presents another potential challenge for pharmas and biotechs. In many instances, these individuals are ranked in databases according to their level of eminence in the disease area which a pharmaceutical product targets. This may be done so that the pharmaceutical entity can engage the KOLs who have the greatest potential impact in communicating about the product at congresses and/or focused scientific or medical meetings. These rankings (for example, “global KOL”, “regional KOL” or “local KOL”) can impact the interactions with KOLs and the opportunities the KOL has to discuss a product or disease state, and to further his or her own personal eminence in the field. Importantly, the inputs that go into these rankings might be considered by some data protection authorities, particularly in Europe, to constitute a personality profile. As such, specific consent may be required. However, exactly what comprises a personality profile requiring specific consent is not always crystal clear and there are varying degrees to which this is set out with specificity in local data protection acts. A general best practice is to assess first, whether the data that is being collected and the use of that data would comprise a personality profile under applicable requirements or guidelines, and then to assess whether there is an identifiable impact on the individual. If there is, the gathering of consent (as opposed to provision of notice and a section 7(f) exception to consent for legitimate business purpose) is likely appropriate.

Website Marketing Efforts and Privacy Pitfalls

The online environment creates additional privacy hurdles once a pharmaceutical product has gone to market. Informational websites about a new or existing product often generate medical information requests (they are, in fact, usually intended to do just that). In such instances, notice and consent issues will always require attention. For example, a pharma or biotech must carefully consider what type of information it will gather on a website aimed at individuals suffering from a specified disease, when an individual makes a request for medical information. Does specifically asking whether the individual is suffering from the disease benefit the company? If so, what type of notice is required? Is a simple statement on the website sufficient? Does the provision of this information by the website visitor, combined with other data such as IP address, require direct consent? These questions will directly impact the notice and consent decisions, particularly when combined with jurisdiction-specific requirements.

Even without such direct questions regarding disease, the pharma entity must gain a full understanding of what information is being collected and what facts about the individual can be reasonably inferred from the information in hand. Remember that once health information comes into play, you are dealing with information considered highly sensitive and care must be taken to ensure not only transparency, but also an environment which will adequately safeguard that data. These elements must be supported by policies and procedures to ensure that your employees are aware of the manner in which the data can or cannot be used and how it must be protected.

Consideration should also be given to the fact that many – perhaps most – views of medical information web pages will come from HCPs and not directly from potential patients. This may affect consent requirements, since individual health information is not being collected in those cases. However, depending on the countries in which the business is operating, an exception to the general requirement for consent may still need to apply. It’s also necessary to understand what is transpiring on the webpages, particularly with tools such as cookies, and to make sure that visitors, including HCPs, potential patients and the general public, are informed of – and agree to – the use of such technology along with the more obvious collection of their personal information.

Adverse Events and Product Complaints

Once a product is on the market, adverse event and product complaint intake and information processing will generally require analysis of the same considerations at issue in the clinical research stages. Pharmaceutical entities should move with some degree of caution when creating online forums, Facebook pages or other social media presences that allow the opportunity for sharing of personal health information. Transparency with regard to processing of personal information is crucial, as always, but the pharmaceutical entity should also consider that such a presence on social media sites potentially creates opportunities for individuals to report (amongst other things) adverse events and to make product complaints in a public forum. While the use of social media for adverse event or product complaints should be strongly discouraged, entities engaging on social media should have trained personnel monitoring such media and have explicit instructions on the sites addressing proper and improper use and sharing of information.

Patient Support Programs

While the list of issues in the post-market pharmaceutical world can go on and on, it is perhaps worth also mentioning patient support programs (PSPs), as these often give rise to privacy and data protection concerns and potential pitfalls. Issues that require management from the privacy office include making crucial controller/processor determinations (in the instance of third party PSP providers), oversight and management of data security and, in some instances, ensuring that appropriate protocols are in place for transfer of data to third parties. It’s also important to consider that many interactions between the PSP provider and the patient take place remotely, and if done by email or text message (SMS), additional privacy requirements are likely to come into play. And, as with most of the other interactions mentioned above, a process should be developed and in place that will ensure that adverse events reported to, or during patient interaction with the PSP provider are handled in accord with applicable notice and consent requirements and are reported back to the pharmaceutical company in a manner that will enable the pharmaceutical to meet its legal requirements.
Privacy and data protection in pharmaceutical and biotech environments is fraught with multiple levels of complexity and pitfalls coming from inconsistent and often conflicting legal requirements, industry requirements from multiple countries and cultures, and the demands and expectations of patients, health care professionals and third parties. The management of these issues requires strong privacy and data protection skills, deep industry knowledge, a pragmatic, risk-based approach and support from internal and external resources. With those components in place, the pharmaceutical privacy professional will be in an excellent position to navigate their way to a successful enterprise privacy program which supports the business and respects the privacy of those individuals who trust the entity with their personal information.
