Here is an overview of the relationship between pharma regulation and general privacy and data protection law.
- Key acts, regulations, directives governing the health and pharma sector, and which are relevant to privacy and data protection
The key legal act governing the health and pharma sector is the Law of the Republic of Belarus No. 2435-XII dated 18 June 1993 “On Healthcare”. This establishes the medical secrecy concept and governs its disclosure, provides for regulation of clinical trials, establishes key patients’ rights, etc. In addition, the Law of the Republic of Belarus No. 161-Z dated 20 July 2006 “On Pharmaceuticals”; the Law of the Republic of Belarus No. 197-Z dated 30 November 2010 “On donation of blood and its components” and the Law of the Republic of Belarus No. 341-Z dated 7 January 2012 “On auxiliary reproductive technologies” contain provisions which may be relevant.
The general rules for regulation of information, including personal data, information about a natural person’s private life and medical secrecy concepts are contained in the Law of the Republic of Belarus No. 455-Z dated 10 November 2008 “On Information, Informatization and Data Protection” (“Law on Information”).
1.2. Supervisory authorities
- Regulators and supervisory authorities responsible for enforcing the regulations discussed
At the national level, the key state authority responsible for the healthcare sector is the Ministry of Healthcare of the Republic of Belarus. In addition, depending on the specifics of the case, the general enforcement authorities may be empowered (for example, the police). At the supranational level, the Eurasian Economic Commission is the authority which issues a broad range of decisions, also covering the healthcare sector.
No single authority is responsible for data protection issues at the national level. General regulation in the sphere of data and data protection is carried out partially by the Operational and Analytical Centre Under the Aegis of the President of the Republic of Belarus (“OAC”) and by the Ministry of Communications and Informatisation of the Republic of Belarus (“Ministry of Communications”).
- Relevant guidelines issued by the above
Among the relevant guidelines issued by the above are the following:
- Rules of Good Clinical Practice of the Eurasian Economic Union approved by Decision of the Eurasian Economic Commission No. 79 dated 3 November 2016.
- Rules of Good Pharmacovigilance Practice of the Eurasian Economic Union approved by Decision of the Eurasian Economic Commission No. 87 dated 3 November 2016.
- Instruction on the procedure for organizing the pharmacovigilance system and the procedure for monitoring compliance by pharmaceuticals manufacturers under the procedure for organizing and operating the pharmacovigilance system in line with Good Pharmacovigilance Practice approved by Resolution No. 75 of the Ministry of Healthcare of the Republic of Belarus dated 20 May 2015.
- Instruction on reporting revealed adverse reactions to pharmaceuticals and invalidation of certain resolutions of the Ministry of Healthcare of the Republic of Belarus approved by Resolution No. 48 of the Ministry of Healthcare of the Republic of Belarus dated 17 April 2015.
- Resolution of the Ministry of Healthcare of the Republic of Belarus No. 54 dated 1 June 2012 “On certain questions of applying auxiliary reproduction technologies”.
- Instruction on the procedure for blood transfusion organisations to carry out collection, processing, storage and disposal of blood and its components on the territory of the Republic of Belarus approved by Resolution No. 38 of the Ministry of Healthcare of the Republic of Belarus dated 19 May 2011.
- Relevant decisions/case law issued by the above.
No case law or decisions on this topic are available. Sometimes topics involving medical secrecy are discussed in the mass media and the authorities express their postition – for example, recently it was reaffirmed that data concerning students’ health under the general rule constitutes medical secrecy and cannot be disclosed to third parties such as police authorities.
Relevant definitions (e.g. biometric/genetic data, sensitive/special personal data, research, consent, biobank).
Informed consent – free and voluntary expression of the will of a subject to participate in a particular trial after receiving information about all aspects of the trial relevant for a subject to make a decision on participation, and in the case of minor and incapable individuals, permission or consent from their legal representatives for their enrolment in the trial. Informed consent is documented by means of signing and dating a form of informed consent.
Medical secrecy – information about a patient’s request for medical assistance and their health status, data about diseases, diagnosis, possible methods of medical assistance, risks related to medical intervention as well as alternatives, other data, including personal, obtained while providing medical assistance, and in the case of death – results of the post mortem examination.
Personal Data: According to the Law on Information, personal data is defined as data of an individual (natural person) that could be divided into three categories:
- additional personal data submitted to the Population Register under Belarusian laws; and
- other data enabling identification of the respective individual.
Belarusian legislation in force does not contain a definition of sensitive data. In general, based on the Law on Information, information is divided into two types: publicly available information and information of limited provision and (or) distribution (“limited information”). Limited information includes, in particular, information about a natural person’s private life and personal data, secrets protected by legislation (including medical secrecy).
The Draft Law on PD introduces a new definition – special personal data – personal data concerning race or nationality, political opinion, religious or other beliefs, health or sex, convictions, as well as biometric and genetic personal data.
2. Clinical research and clinical trials
Discussion of the regulations governing clinical research and trials. Notification/registration of the trial, periodical reporting requirements.
General principles for conducting clinical trials of pharmaceuticals are given in the Law on Pharmaceuticals. The detailed procedure for conducting clinical trials is contained in the EAEU Rules of Good Clinical Practice (GCP), which should be complied with while conducting clinical trials in all EAEU member states. The GCP was drafted based on the Guideline for Good Clinical Practice of the International Conference on Harmonization of Technical Requirements for Registration of Pharmaceuticals for Human Use and reflects international standards for conducting clinical trials. In addition, clinical trials are governed by local Good Clinical Practice, adopted by Resolution of the Ministry of Healthcare of the Republic of Belarus No. 50 dated 7 May 2009.
In Belarus clinical trials are conducted in state healthcare organisations defined by the Ministry of Healthcare and by the latter’s authorisation. Agreement on conducting clinical trials is concluded between the sponsor and the healthcare organisation; direct agreement with the investigator is not allowed. Trials can be commenced only if pre-trial research has shown that the pharmaceutical is safe and effective and if the risk of side effects is reasonable in the light of the expected positive effects.
Clinical trials are conducted on the basis of the program (protocol) of clinical trials which is agreed by the independent ethics committee (IEC) and approved by the Ministry of Healthcare. The IEC is created at state healthcare organisations to protect the rights, safety and well-being of the individuals involved by reviewing all aspects of the trial. The IEC reviews trial-related materials before and during a trial.
The investigator is obliged to provide the IEC with brief written reports about the course of a trial annually or more frequently (if requested by the IEC).
During the whole term of a clinical trial, the sponsor is obliged to submit periodical reports on the safety of the pharmaceutical to the Ministry of Healthcare.
Clinical trials of medicinal products (products for medicinal purposes and medicinal equipment) are conducted on the basis of the Law on Healthcare and the Instruction adopted by the Ministry of Healthcare. The procedure for clinical trials of medicinal products is much like the procedure for clinical trials of pharmaceuticals.
2.1. Data collection and retention
The nature of data collected and then processed and the retention restrictions on it.
General document retention requirements are related to the obligatory or permitted term of storage of received or collected data and are applicable to the archiving and records management conducted by the Belarusian entity. These requirements envisage classification of documents depending on their subject and the term for their retention (retention terms are defined as “not less than” rather than “no longer than”).
According to the GCP, the confidentiality of records which allow identifying trial subjects must be ensured to protect the right to private life. For example, trial subjects’ names are coded in reports on adverse events.
Specifically, as regards collection and retention of personal data in the course of clinical trials, Belarusian law is silent. The Law on Information establishes the general written consent requirement as described in Section 2.1.1. below.
The GCP sets out a list of basic documents which must be retained by the sponsor and investigator (healthcare organisation). The general timing requirement is a minimum of two years after confirmation of the last application for pharmaceutical registration. The basic documents include, inter alia, signed forms of informed consent, original medical records, and list of identification codes.
Obligations to obtain consent, including consent where the individual lacks capacity (e.g. minors). Information provision requirements. What happens if the participant withdraws consent mid-trial?
The Law on Information establishes a general requirement that personal data and information regarding the private life of a person can only be collected, processed, stored, used, transferred to a third party or disclosed with the written consent of that data subject. Additionally, legal, organisational and technical data protection measures must be fulfilled with respect to operations with those data.
Participation of patients in clinical trials is voluntary and subject to written informed consent. Before trial, the investigator must receive written approval of the informed consent form from the IEC.
The investigator or person appointed by the investigator must fully inform a potential patient or their legal representative about all significant aspects of a trial, inter alia provide information about the trial in writing. The informed consent should contain:
- mention of the experimental character of a trial;
- the purpose of the trial;
- the trial procedures;
- the patient’s obligations;
- the expected risk to or benefit for a patient.
Minors can participate in clinical trials with written consent of one of the parents.
Individuals who are not able to make an informed decision participate in trials with the written consent of a spouse or a close relative (parents, adult children, brothers (sisters), grandchildren, grandfather (grandmother)).
Pregnant women, orphaned children, convicted persons and some other individuals are prohibited from participating in clinical trials of pharmaceuticals.
Patients can terminate participation in a clinical trial and withdraw consent at any stage of the trial. Currently, effective laws do not specifically regulate the consequences of such termination with regard to subsequent data processing.
The Draft Law on PD provides the right to withdraw consent for personal data processing; however, withdrawal would have no retroactive effect – actions with personal data before withdrawal will not be considered illegal.
Additionally, the Draft Law on PD provides specific grounds for special personal data processing, similar to a certain extent to the GDPR. In particular, where the consent of a data subject is not obtained, special personal data may be processed in order to organise medical aid, provided that such personal data is processed by a medical, pharmaceutical or other health official who is entrusted with a duty to ensure protection of personal data and to which, in accordance with legislation, the duty to keep medical secrecy applies.
2.1.2. Data obtained from third parties
Rules for obtaining data/samples from someone other than the data subject (e.g. public health service provider, hospitals). Privacy notices/information provision requirements to be included.
With regard to general obligations for obtaining data from third parties see Section 7 below.
Information about a patient’s request for medical assistance and their health status, data about diseases, diagnosis, possible methods of medical assistance and other data, as elaborated above, constitute medical secrecy.
Upon written request of persons/entities established by law, information constituting medical secrecy can be disclosed without the consent of a patient or their legal representatives, guardians, spouses or close relatives. For example, upon the written request of:
- the Ministry of Healthcare, healthcare departments of regional and Minsk executive committees for the purposes of providing medical assistance to a patient, controlling its accuracy, or in the case of a threat of infectious diseases, and while conducting state sanitary inspections;
- healthcare organisations providing medical assistance to a patient or in case of a threat of infectious diseases.
Information on reporting adverse reactions in a pharmacovigilance context, whether pseudonymisation/anonymisation of data is necessary, notification, authorisation, data retention.
The key regulation on pharmacovigilance in Belarus includes the Law on Pharmaceuticals, the Instruction about the procedure for reporting adverse reactions to pharmaceuticals, Rules of Good Pharmacovigilance Practice of EAEU (GVP), which must be complied with by all EAEU member states.
In general terms, the pharmacovigilance system is organised by the Ministry of Healthcare at the premises of the Centre for Expertise and Testing in Healthcare (CETH).
CETH is a body which receives, processes [S1] and evaluates reports on adverse reactions for pharmaceuticals.
There are approved forms of reports on suspected adverse reactions and unexpected serious adverse reactions.
The form on suspected adverse reaction includes the patient’s initials, the number of the medical record, gender, age, weight. Information about the reporting person includes full name, telephone number, working position and place of work, working address.
The form on unexpected serious adverse reaction includes the patient’s initials, country, date of birth, age, gender, etc. Information about the reporting person includes name and address, including postal code.
According to the GVP holders of a registration certificate are obliged to retain all pharmacovigilance data and documents related to registered pharmaceuticals at least 10 years after expiry of state registration certificates. Documents can be stored in electronic form subject to appropriate validation of the electronic system and its safety.
According to the GVP, there are certain requirements for ensuring confidentiality of pharmacovigilance data when it is transferred.
The GVP declares the obligation to comply with the requirements of personal data protection in accordance with the legislation of EAEU member states on various stages of pharmacovigilance. For example, to comply with the requirements of patients’ personal data protection the system of document management, which is an integral part of the pharmacovigilance system, must include measures ensuring safety and confidentiality. Such measures will include limiting access to documents and databases to authorised persons only.
- establishment and conditions of biobanking activities;
- collection of samples and information attached to them;
- processing and storage of samples;
- registers established for the purposes of biobanks;
- rights of registered individuals and protecting their information.
In Belarus legislative biobanking activities are not regulated in detail. The current regulation in force is mostly connected to donation and storage of blood and reproductive cells.
Donation of reproductive sells
Donation of reproductive cells requires a written application for voluntary donation and an agreement with the healthcare organisation.
Donors have the right to provide their cells either for a consideration or free of charge. Remuneration is paid to donors by the healthcare organisation. An anonymous donor is not entitled to receive information on further usage of their cells, or to know the identity of a child conceived with the use of the cells and the parents of the child.
A patient has the right to choose a donor. Selection of a donor is carried out with the help of a catalogue of anonymous donors containing information not related to medical secrecy. Information about sampling is reflected in the donor’s registration card, which inter alia contains the donor’s personal data. Reproductive cells are stored in healthcare organisations for no more than 10 years after cryoconservation. Сoding and special labelling of donated reproductive cells are used to ensure medical secrecy.
The Mother and Child National Research Centre operates a single register of reproductive cell donors to control use of cells. Prior to inclusion in the register, information about anonymous donors is encoded. Information in the register constitutes medical secrecy and includes, inter alia, donors’ identification numbers, gender, age, height, weight, colour of hair and eyes, race and nationality, education, blood group and Rh factor.
Donation of blood and its components
During storage of blood and its components the following conditions must be ensured:
- identification of blood and its components;
- separate storage based on blood group and Rh factor;
- registration of observation over storage conditions.
The Single Database of donation of blood and its components is operated by the Republican Scientific and Practical Center of Transfusion and Medical Biotechnologies to ensure safety of blood and its components, quality of samples ‒ taking, processing and storage ‒ as well as carrying out prompt medical assistance to recipients.
The Database includes the following data:
- to allow identifying donor’s and recipient’s personalities;
- about the consequences of transfusion;
- about volumes of preserved blood and its components;
- about persons who have medical contraindications for donating blood, its components, etc.
Personal data should be recorded in a database in accordance with Belarusian legislation on personal data.
Donors of blood and its components are entitled, inter alia, to money compensation, release from work (study, etc.) and free food on the day of donation.
5. Data management
- General obligations on the data controller
The Law on Information does not provide a definition of “data controller”. It defines subjects in the sphere of information relations, such as information owner; operator of information system; user of information; information intermediary; user of an information system and/or information network; possessor of software and technical apparatus, information resources, information systems and networks; owner of software and technical apparatus, information resources, information systems and networks.
The classification is barely used in practice. Consequently, provisions related to respective rights and obligations are rather uncoordinated, not clearly developed in other legal acts and therefore mostly not effective.
- Permitted uses of data
The Law on Information is the central legal act regulating such operations as searching, obtaining, transferring, collecting, processing, accumulating, storing, disseminating, providing, pseudonymising, destroying, disclosing. There is no well-established practice or official comments from the regulator as to whether all operations with personal data require written consent.
- Obligations in respect of disclosure of records to other medical professionals (e.g. Individuals’ GP) or to family members/representatives
Information about a patient’s state of health can be provided by a GP to a patient or the patient’s legal representatives, guardians, spouses or close relatives (in the case of minors or incapable patients). An adult patient may define a person who may (not) be eligible to receive information about their state of health.
Minors may upon request receive information about their state of health and methods of medical assistance in a form understandable for their age and considering their psychophysiological and emotional state.
As noted above in Section 2.1.2, information constituting medical secrecy can be disclosed without a patient’s (or their legal representatives, guardians, spouses or close relatives) consent in certain cases defined in legislation. In addition to those already stated above, such information could be provided upon written request by, inter alia:
- Criminal prosecution institutions and courts in relation to an investigation or court proceedings;
- Local military administration bodies for the purposes of medical examination of persons during call-up for military service;
- Employers for the purposes of investigating an industrial accident;
- Insurance organisations for the purposes of insurance payments, etc.
Sometimes healthcare organisations are obliged to forward information constituting medical secrecy to particular state bodies without the patient’s consent and any written requests, for example:
- To law enforcement bodies if there are grounds to believe that harm to health has resulted from wrongdoing, including road accidents;
- To the Ministry of Foreign Affairs in relation to foreign citizens suffering from emergency conditions of an environmental and technogenic character, terrorism, mass disorders.
- Data security requirements
Belarusian laws establish specific data protection measures that must be fulfilled with respect to limited information, in particular the following:
- Legal measures, e.g. concluding agreements with individuals whose personal data is collected and processed. Such agreements should contain the conditions of data usage as well as defining the liability of parties to the agreement for breach of such conditions;
- Organisational measures, including establishing a special entrance regime to premises used for collecting and processing of data, differentiation of access levels to such information; and
- Technical measures, including the use of cryptography and technical means of information protection and control.
Limited information should be processed in information protection systems compliant with legislation, in particular:
- Information security tools used in an information security system should pass the conformity confirmation procedure under technical regulation “ТР 2013/027/BY”;
- The information security system itself should be accredited according to the procedure established by the OAC.
The Law on Information does not clearly define a regime for anonymisation/pseudonymisation and provides for the depersonalisation concept in regard to the register of population which is similar to pseudonymisation.
- Record keeping
Belarusian law does not provide a “records of processing” concept establishing an obligation to exercise control over the objects of information system use.
- DPO requirements
The Law on Information does not require obligatory appointment of a data protection officer similar to the GDPR concept.
General outsourcing requirements, contractual requirements.
As a general rule, the Law on Information does not specfically regulate outsourcing issues.
Generally, if a company plans to provide outsourcing services, the following written consents are required:
- patient’s consent to the healthcare organisation under the Law on Information, including for subsequent transfer of data to the company;
- patient’s consent to the company under the Law on Healthcare, including collection, processing, storage, use, transfer, accumulation, provision, and dissemination of information by the company (the patient may also issue a power of attorney in the name of the Company; however, we believe this is more difficult from a practical point of view).
If the Draft Law on PD enters into force, it will introduce the analogue of a processor – a party collecting, processing, distributing or providing personal data under authorisation of the operator. Authorisation could be based either on agreement or on the decision of the operator, which is the state body.
7. Data transfers
Discussion regarding specific restrictions and exemptions relating to the transfer of sensitive personal data.
Subsequent transfer of personal data is allowed only with the prior written consent of the data subject. According to the Law on Information, subjects of informational relations that receive personal data in violation of the requirements are not allowed to use such data.
The Law on Information does not specfically regulate international data transfer and outsourcing issues. If the Draft Law enters into force, the issue of international transfer of personal data will become regulated in general. The list of countries that ensure suffcient measures with respect to personal data protection will be determined by the Data Protection Authority. Transfer of personal data to countries not ensuring sufficient measures is permitted in a limited number of cases provided by the Draft Law. For example, in cases of consent from the data subject which has been obtained, or if an individual permit is received from the Data Protection Authority for such transfer, etc.
8. Breach notification
Obligations to report to data protection supervisory authority, other supervisory authorities and data subjects.
The Law on Information does not contain a general obligation to notify any authority, individuals or any other data subject of a data breach. Certain requirements on notifying the OAC are set for specific cases of data protection system breaches and inability to remove the breach within five working days.
9. Data subject rights
Rights over data and samples. SAR, data portability, etc. Include when the controller is NOT obliged to comply. Rights of minors and deceased persons.
In general, the Law on Information does not contain a systematised list of data subject rights.
Under the Law on Information, as a general rule no one may demand from an individual information about their personal life and personal data, including information that constitutes private and family secrecy, privacy of correspondence, phone and other conversations, information about their health, unless this is allowed by law.
Certain general provisions of the Law on Information may be interpreted so that individuals may familiarise themselves with their own personal data. However, the Law on Information does not provide any guidance and further explanations in relation to this procedure and in particular whether the party that receives personal data of an individual should provide such data to that individual upon request.
According to the Law on Healthcare, a patient has the right, in particular, to:
- obtain in an accessible form information on their own health condition, the methods used to provide medical aid, as well as the qualifications of the attending physician and other medical professionals directly involved in providing medical aid;
- the choice of persons to whom information on the patient’s own health condition can be reported or prohibit its reporting to certain persons.
According to the Law On Auxiliary Reproductive Technologies, an anonymous donor is not entitled to receive information on further use of their cells or to know the personality of a child conceived by using their cells, and the parents of such a child.
When using auxiliary reproductive technologies, the patient may, in particular, obtain:
- complete and reliable information on the condition of their reproductive health;
- information on the auxiliary reproductive technologies used, the effectiveness, optimal timing of their use, possible risks, side effects and complications, medical and legal consequences, as well as alternative methods of providing medical aid.
Liability for breach of medical secrecy may include:
- disciplinary liability (under labour legislation reprimand, warning, dismissal);
- administrative fine from 4 to 20 base units (approx from EUR 45 to EUR 225 as of 15 August 2019) if disclosure does not contain elements of a crime);
- civil liability (for example, compensation of damages and (or) moral harm);
- criminal liability:
- Intentional disclosure of information about the existence of a disease, diagnosis or results of medical examination of a patient by a medical, pharmaceutical or other worker without professional or business exigencies leads to a fine or loss of the right to hold certain positions or carry out certain activities.
- Disclosure of information that a person has the HIV virus or AIDS leads to loss of the right to hold certain positions or carry out certain activities with a fine, or arrest, or restriction of freedom for a term up to 3 years with a fine.
If these actions lead to severe consequences, they may be penalised by imprisonment for up to 3 years with a fine and with loss of the right to hold certain positions or carry out certain activities or without losing that right.
Special administrative liability (penalty) is established for using non-certified data protection means which may attract a fine up to 200 base units (approx EUR 2,260 as of 15 August 2019) with the possibility of confiscation of data protection means.
11. Other areas of interest
E.g. telemedicine, medical devices, Digital Health Records
Currently, the concept of telemedicine is developing in Belarus. Relevant amendments to the Law on Healthcare providing regulation of telemedicine are expected in the upcoming year.
Another technical development in the healthcare sector is a system of electronic prescriptions. The principle of electronic prescriptions is that doctors issue e-signed prescriptions in electronic form through a special system where healthcare institutions and pharmacies are registered. Patients can get prescribed pharmaceuticals upon presentation in pharmacies of special personal cards issued by healthcare institutions where their electronic prescriptions are reflected.
As of August 2019, a pilot project for electronic prescriptions is being implemented in a limited number of healthcare organisations. Relevant regulations have been drafted by the Ministry of Healthcare but have not yet come into force.