Pharmacovigilance Data and EU Data Privacy Regulations

Like any data within the EU, access to pharmacovigilance data must always be considered in respect of EU laws that protect the patient’s rights to privacy.

Clinical data is essential for the identification and analysis of Adverse Reactions which could be caused by taking a particular drug. Whilst this endeavour ultimately aims to protect the patient, by law it must not over-ride any privacy concerns or data protection rights and freedoms. This page provides a brief outline of some of the key issues around personal data privacy and the use of clinical information for drug safety purposes.

The Effect Of EU Data Privacy Laws

The General Data Protection Regulation (GDPR), agreed upon by the European Parliament and Council in April 2016, replaced the Data Protection Directive 95/46/EC in Spring 2018 as the primary law regulating how companies handle and protect personal data of data subjects located in the European Union. This Regulation applies to the processing of personal data in the context of the activities of an establishment of a Controller or a Processor in the Union, regardless of whether the processing takes place in the Union or not. Also, this Regulation applies to the processing of personal data of data subjects who are in the Union by a Controller or Processor not established in the Union, where the processing activities are related to the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or the monitoring of their behavior as far as their behavior takes place within the Union. It concerns itself with all forms of personal data, including information related to health (recognized as a special category of personal data). Information handled by doctors, hospitals, pharmacies and so on must comply with EU Regulation and national laws which exist at the very minimum to comply with the GDPR. They apply irrespective of whether the information is held on a computer or in any other electronic form, or whether it has been stored in a ‘manual format’ (for example, on paper, as an X-Ray, like a handwritten form, etc). In order to process any personal information, the person to whom the information relates must give their explicit consent or there must be a valid and lawful legal basis to perform such processing of personal data.

Bear in mind that the EU Members States have their national laws on personal data protection. Ideally, the provisions of local legislative acts of each EU Member State should be compliant with the provisions of the GDPR. Although the Member States cannot modify principles, rights, and obligations established within the GDPR, each of them needs national legislation to accompany GDPR provisions for two reasons. First, local legislation is needed for the GDPR to fit appropriately into the Member State’s legal framework. And secondly, national legislation is needed to select among the variations permitted and/or add details on specific matters enshrined in the GDPR itself. In addition, following complex industry-specific requirements, the Company handling personal data must ensure that adequate drug safety follow-ups and data collection is held to the highest level, where many pharmaceutical companies may need professional guidance.

The Impact On Practice

The impact of the GDPR on drug safety work (or in general) has not been to prevent accurate reporting or the flow of information from clinical trials, studies, etc. Nonetheless, the laws throughout the EU are subject to change and pharmaceutical companies, therefore, continue to need expert advice on the current regulations. There are also instances where advice is required to export data to countries outside the EU in a legally compliant manner. Non-anonymized data cannot be moved from within the EU to countries that are not considered to have adequate data privacy laws unless robust transfer safeguards are put in place. However, it is a fact that many pharmaceutical companies and regulators may need to quickly access information across continents. Thus, compliance with GDPR is a significant undertaking, particularly for specialty pharma and biotech companies with limited resources. Needless to mention, noncompliance can be extremely costly in terms of clinical trial progress and heavy financial penalties. It is, therefore, essential for companies handling personal data to identify trusted partners who can help ensure that all aspects of their business — and the data handling involved — are executed to the most recent regulatory standards.

Please note this brief introduction cannot be considered as an exhaustive description and is not any form of professional advice.