home > > spring 2014 > a safe direction

A Safe Direction

Data protection and privacy issues are becoming increasingly important for the life sciences industry. As technology develops to allow greater analysis of data, there is also a growing demand for access to clinical data by regulators and researchers, as evidenced by the recent move by pharmaceutical companies to make data on clinical trials publicly available.

The challenges of data protection equally apply to the area of pharmacovigilance, which relates to the collection by pharma companies of data on adverse events involving their medicinal products and the reporting of such events to health regulators. A significant challenge for pharma companies is meeting the sometimes competing regulatory requirements of adverse event reporting, which involves collecting data on an identifiable reporter and patient, and complying with EU data protection requirements triggered by such collections.

Recently, the Association of the British Pharmaceutical Industry’s Pharmacovigilance Expert Network, together with the Pharmaceutical Information and Pharmacovigilance Association and pvlegal (a benchmarking group of in-house counsel and other pharma professionals), published new guidance on meeting UK data protection requirements in pharmacovigilance (1). The guidance has also been reviewed by the UK Information Commissioner’s Office (ICO).

The guidance applies to pharmacovigilance data processed in the post-marketing setting for which no consent has been obtained from the patient to process such data. It should assist pharma companies in complying with their data protection requirements under the UK Data Protection Act 1998 (DPA), which implements the EU’s Data Protection Directive in the UK (2). A summary of the main elements of the guidance is set out below.

Legal Ground

Pharmacovigilance data, which includes data on the health of patients, is sensitive personal information as defined by the DPA and must be processed on the basis of a specified legal ground. Normally, when collecting health data, practitioners rely on consent as the main legal ground, but in post-marketing pharmacovigilance this may not be possible because an adverse event report may need to be made by a healthcare professional without the consent of the patient. The guidance states that it is not necessary to obtain the consent of the person who suffered an adverse reaction or the person reporting an adverse reaction to process personal data.

The ICO believes it should be possible to rely on the exemption under the DPA that allows for processing if it is necessary for medical purposes. Medical purposes include preventive medicine, medical diagnosis, medical research, the provision of care and treatment, and the management of healthcare services. Under the medical purposes exemption, sensitive personal data may be processed by a healthcare professional, subject to an obligation of professional secrecy or by someone subject to an equivalent obligation of secrecy.

In addition, pharmacovigilance data must be subject to fair and lawful processing in accordance with the DPA. This means, for example, that data entered into a drug safety database should only be processed for disclosed pharmacovigilance purposes and should not be used for undisclosed purposes, such as scientific research.

Data Protection Notices

Under the DPA, individuals whose personal data are collected (data subjects) must be informed what details have been held, by whom, for what purposes and the general identity of recipients. This information should be provided to the data subject in a clear, comprehensible, written data protection notice. Depending on the method of reporting an adverse event, different data protection notices may be used. Examples of data protection notices are provided in the guidance. The sample data protection notices cover telephone, email, face-to-face and digital media situations, and can be adapted as necessary to take account of the particular circumstances.

Where it is not possible to provide the person who has suffered an adverse reaction with a data protection notice – for example, because the healthcare professional, and not the patient, makes the report – then the guidance recommends using a statement to remind the reporter of his or her obligation, under the DPA, to notify patients when a disclosure of their personal data is made.

Security Issues

As regards the security of pharmacovigilance data, appropriate security measures should be put in place to ensure there is no unauthorised or unlawful processing, accidental loss, destruction or damage. What is appropriate is to be determined by reference to, firstly, the harm that might result from such unauthorised or unlawful processing or accidental loss; and secondly, the nature of the data to be protected.

The security measures that are appropriate for an organisation will depend on the circumstances, and a risk-based approach may be adopted. This approach requires an assessment of how valuable, sensitive or confidential the data are, the way the data are to be used, and what damage or distress could be caused to individuals if there were to be a security breach. The ICO also recommends in its Framework Code on Data Sharing that a good approach is to adopt a common security standard, such as ISO 27001 and ISO 27002. Both certifications focus on performing risk assessments and then making the appropriate changes to policies, processes and controls.

The guidance also suggests various practical security measures. One is to ensure that employees within the company who have access to personal data are trustworthy and reliable. Reasonable steps should be taken to ensure that staff involved in pharmacovigilance activities receive adequate training on the data protection requirements. Any documentation containing pharmacovigilance data should not be left unattended, and companies are encouraged to adopt a clear desk policy. Hard copy documents should be stored in a secure and robust area, such as a fire-retardant cupboard. Sensitive data stored on a computer should be encrypted to ensure the integrity of data transmissions, while any database containing personal details should have restricted access so that any changes to data can be identified.

Use of Third Parties

Companies have a responsibility to ensure that appropriate security measures are in place regarding the use of third parties – for example, when outsourcing the entry of pharmacovigilance data to a vendor. They should bind third parties to an undertaking to only process personal data in line with the instructions given and make arrangements for the security of processing the personal data.

In order to achieve this, companies should enter into a written contract including these terms. The guidance recommends that, when sharing safety information with partners and vendors, only the data which the recipient reasonably needs and is consistent with the purpose of pharmacovigilance should be disclosed.

Data Transfers

Importantly, consideration needs to be given to problems associated with international data transfers, which may arise, for instance, when transferring pharmacovigilance data to a global drug safety database maintained by a pharma company.

Under the EU’s Data Protection Directive, as implemented by EU member states, personal data may only be transferred to countries outside the European Economic Area (EEA) – consisting of the 28 EU member states, together with Iceland, Liechtenstein and Norway – which are not deemed to provide an adequate level of protection, if certain exemptions apply. Only a limited number of countries have been judged by the European Commission to have adequate data protection laws, and they do not include the US. The exemptions include, among others, transfers to US companies that have self-certified to the US Department of Commerce that they subscribed to certain Safe Harbor privacy principles; transfers made subject to the EU’s Standard Contractual Clauses for the transfer of personal data from the EU; and circumstances where a company has adopted Binding Corporate Rules, which are essentially a global privacy policy that meets strict EU data protection principles and has been approved by relevant EU data protection authorities.

The guidance comments on the data protection issues with international transfers of pharmacovigilance data and how the exemptions under the DPA can be applied to permit the transfer of pharmacovigilance data from the EEA.

Access to Personal Data

Under the DPA, a data subject has a right of access to their personal data, including their pharmacovigilance data. The time limit for responding to a request is 40 days from the date of receiving the request or the fee (if there is one), and of additional information, if required.

As the guidance notes, in responding to data subject access requests, a pharma company should take reasonable steps to verify the identity of the person making the request. If a data subject access request is made through a third party, the company must be satisfied that the third party is empowered to act on behalf of the individual concerned. There is no obligation on a company to provide personal data if it is not satisfied as to the identity of the person making the request.

Rectification Rights

The guidance also covers rectification rights under the DPA as they apply to pharmacovigilance, stating that it is a legal requirement that pharmacovigilance data should be accurate and kept up-to-date where necessary. If an individual challenges the accuracy of the information held about them, the information should be amended or deleted as appropriate. The individual who is not satisfied that their information is accurate can apply for a court order, which forces the company to rectify, block, erase or destroy the information. Under the DPA, an individual also has the right to object to the processing of their personal data if the processing causes, or would be likely to cause, unwarranted and/or substantial damage or distress.

Redaction and Retention

The guidance comments on the need for pharma companies to practise data minimisation in relation to pharmacovigilance. Data minimisation involves identifying the minimum amount of personal data needed to properly fulfil safety reporting activities. Data that is not required for effective pharmacovigilance should be removed from source data. The guidance says that a company should not deidentify or redact personal data if its pharmacovigilance reporting obligations are compromised by doing so.

When deciding whether to redact, companies should consider whether there is a legitimate reason for keeping the data, such as identifying duplicates and performing follow-up activities. The guidance provides elements recommended for redaction, including patient name, contact details and hospital number.

With regard to the retention of personal data, the DPA requires that companies should not hold more than is needed or keep it longer than necessary. Article 12 of the European Commission’s Pharmacovigilance Implementing Regulation states that product-related documents should be retained as long as the marketing authorisation exists, and then for at least 10 years afterwards. Companies should be able to justify why data is retained and for what length of time. If a patient is the reporter or the only source of obtaining follow-up information, then a company can retain information that is usually redacted. Companies should ensure contracts with business partners and vendors specify requirements for retention of pharmacovigilance documents, and guarantee that such documentation is not destroyed without notifying the other party. The guidance also provides elements recommended for retention – for example, patient initials, ID, age/age group, ethnicity, and adverse experiences including symptoms, outcome and duration.

Industry Application

Pharma companies in the UK and other European countries should review the guidance and consider how they can apply it to the everyday practices of their drug safety departments, as it should assist in bridging the gap between the sometimes competing regulatory requirements of pharmacovigilance and data protection. Furthermore, the guidance could, in time, lead to more general EU legislation on pharmacovigilance and data protection, which would no doubt be welcomed by the industry.

The views expressed in this article are exclusively those of the author and do not necessarily reflect those of Sidley Austin LLP or any of its clients. This article has been prepared for informational purposes only and does not constitute legal advice.

1. Guidance notes on UK data protection in post-marketing pharmacovigilance, 11th February 2013
2. Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data


William Long advises international clients on a wide variety of social media, data protection, privacy, information security, e-commerce and other regulatory matters. He is a member of the Association of Privacy Professionals’ European Board and a co-founder of the Social Media Governance Forum. William was previously e-commerce counsel to one of the world’s largest international financial services groups and also spent a year at the UK’s Financial Law Panel as assistant to the Chief Executive.

William Long
©2000-2011 Samedan Ltd.