In the UK, the Data Protection Act (DPA) 2018 governs the processing of personal data and implements the European GDPR: Regulation (EU) 679/2016. The GDPR came into force on 25 May 2018 and replaced the EU Directive 95/46/EC (the Data Protection Directive). Even though the UK has left the EU, the DPA brings GDPR requirements into UK law and extends them to cover legal areas for which the EU does not have oversight. It will remain in force after the UK leaves the EU.
In terms of scope, we need to be aware that the GDPR applies both in and outside of the UK and EU. Health data and other sensitive data cannot be processed without informed consent, unless an exception applies, but when it comes to fulfilling pharmacovigilance (PV) obligations, processing the data is necessary as stated in Article 9.
In PV, there are two types of data that are subject to regulation:
1. Personal data received from the collection of reports (e.g., adverse event reports by email notifications)
2. Collected data that no longer contain personal data (e.g., subject identifiers replaced in order to pseudonymise the data)