home > > autumn 2015 > big business

Big Business

‘Big data’ refers to the large-scale collation, processing and analysis of digital data in high volumes. It consists of the bringing together of data sets generated from a network of different sources to extract historical trends, and facilitate in-depth analysis and identification of cycles for the future. Its use in predicting future outcomes or behaviours has already been embraced in a number of industry sectors.

Changes are beginning to be witnessed in pharmaceutical and healthcare quality, and delivery too, with financial resources being used by the purchasing bodies, either at a government level or in the private sphere. Equally for those developing and manufacturing medicines and medical devices, big data could influence monitoring, reporting and clinical research. It has the potential to impact the way in which R&D evolves, influencing opportunities and patient choices, as well as the measurement of treatment outcomes.

Suitability for Pharma

In the life sciences sector, sources of big data include: electronic health records, healthcare, clinical trials, medical devices, self-generated smart devices, remote patient monitoring, and genetic and genomic data, as well as that made publicly available (under freedom of information regimes) – all of which can be pooled to create ‘real world’ health data.

A report by McKinsey & Company cites the use of big data in healthcare in the US as a revolution (1). In the same way that the banking and retail sectors have used it to improve profits and increase customer satisfaction, big data can have a major impact on healthcare by approbating evidence-based medicine, and by using algorithms as a resource for obtaining scientific diagnostic evidence.

Reviewing studies in the US, a report published by PricewaterhouseCoopers highlighted that big data in the healthcare sector can “dramatically increase the speed and accuracy of patient diagnosis and treatment”. A number of benefits were detailed, including the possibility of tailoring patient therapy to the likelihood of drug response, allowing a safer and more effective use of medicines (2).

To date, a slightly more cautious approach has been taken across Europe. The Association of the British Pharmaceutical Industry has issued the ‘Big Data Road Map’ which sets out the challenges, achievements and opportunities for big data in pharma and healthcare (3). The four-plan road map involves:

  • Increasing awareness – developing strategic big data leadership within the pharma industry
  • Building capability and capacity – broadening skills capacity and establishing a cross-sector academy
  • Creating a sustainable data ecosystem – improving data analysis and analytics services in healthcare
  • Accelerating high-value opportunities – establishing a joint demonstrator projects portfolio
As sophisticated data storage techniques and processing technologies advance further, the industry can expect to see the deployment of more big data analytics, improving the effectiveness of medical research, clinical trials and pharmacovigilance. However, this does give rise to a whole raft of technological, infrastructural and data protection/ privacy challenges.

In the context of data protection, this entails the purpose for which the data is to be used, access to sensitive personal data and issues of consent.

Data Protection Directive

Across Europe, the EU Data Protection Directive 95/46/EC (the ‘Directive’) regulates the protection of individuals with regard to the processing and free movement of personal data. The Directive affords member states some latitude as to how it is implemented under local law, enabling a degree of flexible interpretation at a micro level. For this reason, data protection regimes across the EU can vary in terms of application and leniency; but in a globalised world this can be unhelpful, leading to inconsistencies and uncertainty.

The Directive mainly requires data controllers (those who determine the purposes and means of the processing of personal data) to comply with its obligations, including the data protection principles in respect to personal data.

The current regime in the UK, for example, does not apply to data processors which process personal data on behalf of controllers such as laboratories or outsourced IT providers or payroll providers, unless contractual provisions are put in place. One of the challenges for pharma is differentiating between those in the role of data processor and those in the role of data controller.

The concept of processing is broader than most organisations envisage. It denotes the limits of any operation or set of operations performed upon personal data. The long list of activities that fall under the processing umbrella include: collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.

Issues with Personal Data

Personal data encompasses any information relating to an identified or identifiable natural person (‘data subject’). An identifiable person is one who can be identified directly or indirectly, in particular, by reference to an identification number, or to one or more factors specific to their physical, physiological, mental, economic, cultural or social identity. This definition is wide-ranging so that even if anonymised, it can still conceivably be counted as personal data for the purposes of the Directive, and also under local implementing legislation (such as the UK’s 1998 Data Protection Act).

The EU Article 29 Data Protection Working Party (Art. 29 WP) has issued an Opinion (4/2007), which runs to 26 pages, on interpreting the concept of personal data. In turn, the International Pharmaceutical Privacy Consortium (IPPC), while commending the Opinion, has issued a further commentary on the application and impact of data protection on medical research, public safety and reporting issues.

Take, for example, the European Pharmacovigilance Directive (2010/84/EU) and Regulation (EU No. 1235/2010). The IPPC has recognised that, in the case of pharmacovigilance inconsistencies between member states operating under the data protection regimes, to ascertain whether certain data elements are “identifiable” has created “significant compliance obstacles for pharmaceutical companies”. In all actuality, some data protection authorities demand that both initials and birth date are not to be transmitted without explicit consent and, as the IPPC points out, it is not possible to obtain a data subject’s consent to such a transfer within the timeframe required for adverse event reporting.

The interaction of the Data Protection Directive with other regulatory and legal requirements can also give rise to challenges, such as in the case of clinical trials, which may not easily translate. The IPPC acknowledges that “patient privacy and data confidentiality have long been the cornerstone of human subjects research”. That being said, the EU Clinical Trials Regulation (No. 536/2014) does mirror some of the data protection language requirements of the Directive.

In addition, the IPPC targets genomic research or other research involving biological samples, highlighting that just because biometric data can be extracted from human tissue, does not necessarily mean that the sample itself should be classified as personal data. This demonstrates how the purpose for which the data is to be used can be vital for analysing the data protection aspects of use.


For the purposes of the Directive, health data comes within a special category of processing, sometimes known as sensitive personal data. The Directive requires member states to prohibit the processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, and the processing of data concerning health or sexual activity. There are, however, a number of exceptions:

  • Where local law permits, and the data subject has given their explicit consent
  • If the processing is necessary in the field of employment law, in so far as it is authorised by national law providing for adequate safeguards
  • If the processing is necessary to protect the vital interests of the data subject or of another person, where the former is physically or legally incapable of giving their consent
  • Where processing is carried out in the course of its legitimate activities with appropriate guarantees by a foundation, association or any other non-profit-seeking body with a political, philosophical, religious or trade union aim, on the condition that the processing relates solely to the members of the body or to persons who have regular contact with it in connection with its purposes, and that the data is not disclosed to a third party without the consent of the data subjects
  • Processing that relates to data which is manifestly made public by the data subject, or is necessary for the establishment, exercise or defence of legal claims
  • The prohibition does not apply where processing of the data is required for the purposes of preventive medicine, medical diagnosis, the provision of care or treatment, or the management of healthcare services. Nor does it pertain to cases where such data is processed by a health professional in compliance with national law, or rules established by competent bodies under obligations of professional secrecy, or by another person also subject to equivalent bonds of secrecy.
In certain circumstances, it can subsequently be preferable, or safer, to simply rely on consent to use the personal data – although the purpose must be made clear, and consent can still be withdrawn.

The major predicament with big data is, therefore, that it is not always possible to know at the time of collection the purpose for which the personal data may ultimately be used, even in a pseudonominised, combined or anonymised form.

On the Horizon

The legislative landscape is changing. The Directive came into effect in the mid-1990s and there is now a draft EU Data Protection Regulation (the ‘Regulation’) on the horizon. This will bring an additional dynamic to the table:
  • Direct effect and harmonisation – the draft Regulation is an attempt to adapt the current legislative regime, to give it both flexibility and yet more certainty. It is specifically being introduced in the format of a piece of legislation (as opposed to a directive) so that it will apply directly to all member states. This is intended to avoid existing inconsistencies where each member state must implement the Directive using local domestic laws, which can lead to differences in how the law works in practice. The IPPC cites this as a major obstacle when enforcing pharmacovigilance rules across the EU, voicing the difficulties faced when trying to accommodate local data protection requirements
  • Supervisory body – as currently drafted, the Regulation contains a mechanism which allows for a single supervisory decision to be taken in important transnational cases, thus reducing costs and providing greater legal certainty
  • Risk-based internal procedures – the prevailing weakness of data protection legislation in the UK, for example, is that it does not apply to data processors. A key change to be brought about by the Regulation is the extension of certain new obligations – risk assessments and notification of breaches – applying to data processors as well as data controllers. For this reason, data protection requirements will penetrate the data supply chain, with those seeking to harness and make use of big data feeling the full effects of its reach
  • Genetic and biometric data – the draft Regulation introduces a definition of genetic and biometric data. Genetic data is defined as “data, of whatever type, concerning the characteristics of an individual which are inherited or acquired during early prenatal development”. Biometric data is defined as “data relating to the physical, physiological or behavioural characteristics of an individual which allow their unique identification, such as facial images, or dactyloscopic data”. Although Art. 29 WP welcomes the introduction of a definition of biometric data, it has reservations about the wording being limited to identification, and not extending far enough to cover its utility for authentication (that is, verifying identity without actually identifying the individual)
  • Rights to be forgotten – the draft Regulation will strengthen the rights of data subjects by introducing a right of erasure for personal data, or the ‘right to be forgotten’, limiting the extent to which data profiling can be used
  • Consent – the Regulation includes a strengthened single definition of consent as freely given, informed, specific and explicit. Furthermore, it makes it clear that, as a general rule, consent should not be implied, but requires either a statement from the data subject or a clear affirmative action. The data controller bears the burden of proof that he has obtained the data subject’s consent to the processing of their personal data for specified purposes
  • Hefty fines – probable fines for non-compliance with the Regulation could account for up to €1million, or 2%, of a company’s annual global turnover
Given the successful global use of big data in other sectors – in the face of innumerable regulatory and technological challenges – it now only seems a matter of time before big data is utilised as a business tool at all levels of the pharma sector.


1. McKinsey & Company, The ‘big data’ revolution in healthcare, produced for the Center for US Health System Reform Business Technology Office, January 2013
2. PricewaterhouseCoopers, Big Data: Big benefits and imperilled privacy, June 2014 3. Association of the British Pharmaceutical Industry, Big data road map, 21 November 2013

Read full article from PDF >>

Rate this article You must be a member of the site to make a vote.  
Average rating:

There are no comments in regards to this article.

Beverley Flynn is a Commercial Partner at Stevens & Bolton LLP, where she has a particular focus on major contracts and commercial advisory work. She specialises in the pharmaceutical, IT, retail, healthcare and renewables sectors. Beverley has significant experience in advising on strategic alliances, IT and e-commerce matters. These include manufacturing, software, services, standard terms, franchising, sponsorship, commercial agency, distribution, outsourcing, advertising and copy clearance. She also leads the firm’s data protection practice, advising on cookies, international transfers, data protection policies and subject access requests, as well as other data issues.
Beverley Flynn
Print this page
Send to a friend
Privacy statement
News and Press Releases

Rentschler Biopharma and Vetter Unveil Xpert Alliance

Laupheim and Ravensburg, Germany, Milford, MA, and Skokie, IL, USA, March 29, 2022 – Rentschler Biopharma and Vetter, two globally operating Contract Development and Manufacturing Organizations (CDMOs), announced today that the companies are unveiling Xpert Alliance, a joint visualization of their strategic collaboration. The visualization is designed to “bring to life” this ongoing alliance and celebrate its successful operation, delivering effective solutions to address clients’ changing and expanding needs in the area of complex biopharmaceuticals.
More info >>

White Papers

Why You Should Be Using Ultrasonic Cleaning

Natoli Engineering Company, Inc.

Clean punches and dies are essential to maintaining the integrity and efficiency of your tooling investment, as well as the quality of your product. Ultrasonic cleaning has long been considered the most effective, nondestructive way to clean tools – from medical instruments to tablet tooling. The Tableting Specification Manual (TSM) states, “An ultrasonic bath is ideal for cleaning tooling.” This high-tech cleaning process also saves time, reduces cost and is better for the environment.
More info >>




©2000-2011 Samedan Ltd.
Add to favourites

Print this page

Send to a friend
Privacy statement