The draft EC data protection Regulation (Regulation) proposes a number of changes to the EU data protection regime which, if adopted, will have significant implications for data controllers and data processors in the life sciences sector.
Collection and analysis of personal health data is fundamental to the extensive research that takes place in the industry in order to develop and supply safe and effective medical products which are vital to society as a whole. However, such data is often highly sensitive and the Commission’s desire to increase protection for data subjects may significantly increase the compliance burden on those processing personal data in this field.
Research clinical trials
Compliance with data protection laws already represents a considerable challenge for pharmaceutical companies, clinical research organisations, laboratories, sponsors, statisticians and a host of other data controllers and processors involved in clinical trials. Since such projects commonly involve parties based all over the world, they require significant international transfers of sensitive personal data. Furthermore, it is not always clear whether such organisations will be considered controllers or processors, meaning navigating, for example, the restrictions on cross-border transfers and implementing appropriate solutions can prove a very complex exercise.
The position is unlikely to improve under the Regulation, which envisages a number of additional requirements on both controllers and processors. One particularly significant change is that companies will no longer be required to register with national data protection authorities. While at first glance this would seem to make life easier, there is also a requirement for controllers and processors to carry out impact assessments where processing operations present specific risks to the rights of data subjects by virtue of their nature, scope or purposes. For life sciences companies processing health data and conducting medical research, this may account for a significant proportion of their activities. Since such impact assessments require data controllers to seek the views not only of regulators but also their data subjects, on a literal interpretation those running clinical trials would be required to consult with all patients before using their personal data for such purposes.
Data subjects must also provide their consent before participating in clinical trials, having been fully informed of the objectives and risks involved and their right to withdraw at any time. Consent is currently a vital justification for processing personal data, particularly sensitive personal data such as that relating to patient health. Under the Regulation, however, consent will not provide a legal basis for processing where there is a “significant imbalance between the position of the data subject and the controller”. It seems possible that clinical trials would fall within this definition, and it therefore raises the question whether informed consent will continue to be sufficient in this context.
The proposed 'right to be forgotten' also creates unique challenges for those processing personal data through clinical trials and research. Since subjects have the right to withdraw consent and request erasure of their data at any time, such requests could significantly disrupt the daily operations of those processing data during trials and even affect the validity of research findings. While an exemption to this right exists for processing for “historical, statistical and scientific research purposes”, it is not entirely clear where this will apply; it is often impossible to anticipate the “secondary research” purposes for which data may be used when patient data is first collected, and it is possible that subjects and/or regulators might challenge such secondary purposes and require cessation of processing.
Another unique challenge for many life sciences companies is that they are legally required to process sensitive personal data in order to comply with Directive 2010/84/EU and Regulation (EU) No 1235/2010. Under this pharmacovigilance legislation, pharmaceutical companies have strict obligations to report “adverse events” relating to a medicinal substance or product, which requires the large-scale processing of sensitive personal data.
The pharmacovigilance legislation does not provide substantial guidance regarding the interrelationship between these obligations and those imposed by the Data Protection Directive. However, the Regulation does specify that health data may be processed for:
- preventative or occupational medicine, medical diagnosis, the provision of care or treatment or the management of healthcare services, and, where those data are processed by a healthcare professional, subject to the obligation of professional secrecy;
- reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety for medicinal products or medical devices;
- other reasons of public interest in areas such as social protection.
This provision helps to clarify the legal basis for processing personal data to comply with pharmacovigilance legislation. It is also a requirement that the only health data which may be processed for this purpose is that which is “absolutely necessary”, and data controllers will be required to formulate methodologies to ensure that such 'data minimisation' practices are observed.
Also relevant to the issue of pharmacovigilance compliance is the question of the exact scope of “personal data”, and in particular whether coded data, such as patient identification numbers, is considered personal data. EU member states are currently divided on this issue, with some considering that pseudonymised data could be treated as personal data if the recipient also possesses the means of re-identifying the individual data subject.
The Regulation clarifies that the data protection principles should not apply to data rendered anonymous in such a way that the data subject is no longer identifiable. In situations where an individual can be identified from a combination of different personal data sets in the controller’s (or processor’s) possession the Regulation applies a similar test to the Directive, stating that account should be taken of all the “means likely reasonably to be used”, either by the data controller or any other person to identify the individual. However, this would seem to be a difficult assessment for such organisations to make in the absence of further guidance, particularly considering both the public interest in such processing activities and the increasingly damaging penalties for non-compliance.
It is clear that for a data-rich sector like life sciences, compliance with the proposed Regulation will bring challenges that will fundamentally overhaul data collection and usage practices. The sting in the tail is also potentially lethal: failure to meet these new challenges and deploy adequate PIAs will not only prejudice the legitimisation of data captured but may also trigger fines of up to 2% of global annual turnover.