With the implementation of the EU General Data Protection Regulation, one can observe a certain sense of proactiveness in the life science and health care industry. One sector, in particular, namely pharmacovigilance, is striving to align itself with the requirements under the GDPR while ensuring the sector-specific requirements also see the light of the day when being integrated into the privacy and information security frameworks of the relevant organizations.
PV services is the practice of monitoring the effects of medicinal drugs after they have been licensed for use to identify and evaluate adverse events or reactions one experiences on consumption of a drugs or medicine and identify any additional safety problems not uncovered during clinical testing.
How does the GDPR affect the PV sector?
The GDPR defines "data concerning health" as personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveals information about their health status. Hence, the provisions of the GDPR would be applicable on PV services since the same requires processing of data concerning health. Entities that are in the PV business would be required to be mindful of various requirements and controls that flow from the GDPR in relation to handling of data and beyond, in case of transfer of data.
EU regulates safety monitoring of medicines through Directive 2010/84/EU and Regulation (EU) No 1235/2010 as per which market authorization holders should collect as much information as possible on the suspected drug-related adverse events. MAHs is a status bestowed on entities to market a specific medicinal product in one or more EU member states. Therefore, requirements under the GDPR would be applicable to PV data since it includes information that identifies the patient and reporter in the form of personal data, such as first name, last name, address, gender, age, weight, height, ethnic origin and health status. Moreover, personal identification and contact details get collected if there is a need for follow-up to the adverse events reported and, hence, these data elements will fall under the category of “personal data” as per Article 4 of the GDPR.
Sector-specific outliers
The GDPR has enshrined upon the data subjects with a series of rights enabling individuals to have a better control over their personal information in relation to why, how and where of the collection, storage and processing activities. However, the PV industry comes with its own set of dos and don’ts, and hence, the sector-specific particularities overlap with data subject rights and GDPR requirements at various intersections, such as:
- Right to erasure/restriction of processing: The data subjects have the right to have their personal data erased or forgotten/restrict processing. However, if the processing of the personal data is required for reasons of public interest in the area of public health, such as pharmacovigilance, or for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, such as clinical trials, the right to erasure and/or restriction of processing will not be applicable.
- Right to data portability: Data subjects have the right to receive their personal data in the commonly used, machine-readable format and have the right to transfer their data to another controller. The only exception would be for tasks that are performed in public interest, such as post-marketing surveillance of medicinal drugs that is conducted to see assess the impact of a particular drug on the public at large.
- Data retention: According to Regulation (EU) No 520/2012 on the performance of PV activities, all PV-related documentation is to be retained until the medicinal product is in the market and until 10 years after the product is withdrawn from the market. Hence, the requirement for PV sector in relation to data retention flows from the above said regulation and therefore will affect the right to erasure and storage limitation requirements under the GDPR.
The PV sector is a highly regulated sector. A number of processes and functions undertaken in this sector are any which way in line with confidentiality and privacy requirements mandated by jurisdictions across the world. Having said that, it is still prudent for organizations in this sector to go the extra mile and indulge and invest in a few leading practices to secure the data they process. These practices range from data minimization with respect to nonessential data elements captured during reporting of an adverse event to training the employees involved in handling the personal information on data privacy requirements on a periodic basis.
Photo by Adam Nieścioruk on Unsplash