Use the Lexology Navigator tool to compare the answers in this article with those from other jurisdictions.
What post-market monitoring mechanisms are in place to ensure the ongoing safety and efficacy of medicinal products after marketing authorisation has been granted?
The relevant rules on pharmacovigilance for medicines authorised through national procedures are set out largely in Title IX of the Code for Human Medicines Directive. Part 11 of the Human Medicines Regulations implements those requirements In the United Kingdom. These requirements include the obligation for marketing authorisation holders to:
- operate and regularly audit appropriate pharmacovigilance and risk management systems;
- monitor and report on the safety of their medicines throughout the entire product lifecycle; and
- detect any change to their risk-benefit balance.
What data protection issues should be considered when conducting pharmacovigilance activities?
Pharmacovigilance data may include:
- information that identifies a patient and the reporter; and
- personal data about the patient (eg, sensitive personal data and contact details).
Although the General Data Protection Regulation (GDPR) considers obtaining data subject’s consent before processing as the fundamental basis of data protection law, there are legal grounds other than consent for processing pharmacovigilance data – principally:
- Article 6(1)(f): “processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party”; and
- Article 9(2)(i): Processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union law or Member States law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subjects, such as professional secrecy.
Under Article 17(1) of the GDPR, a data subject has the right to obtain the erasure of personal data without undue delay from the data controller. However, under Article 17(3)(d), the so-called ‘right to be forgotten’ does not apply if the processing takes place:
for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing.
The general principle of data minimisation and purpose limitation should apply to pharmacovigilance data processing. This type of data should not be processed for any other purpose and should not be held after the data storage period expires.
As pharmacovigilance data is often transferred across borders, relevant systems must be in place to ensure GDPR compliance relating to international data transfers.
Click here to view the full article.