Newsletter 38 January 2022

On 2 February, the ICO, the UK Data Protection Authority, laid two sets of documents before the UK Parliament for transfers of personal data* from the UK to a non-adequate country**:

  • International Data Transfer Agreement (“IDTA”);
  • New International Data Transfer Addendum (“UK Addendum”) to the “new EU SCCs”.

Either document can be used when personal data are exported from the UK to an organisation in a non-adequate country. 


From 21 March 2022, UK data exporters can use either:

  • the International Data Transfer Agreement (“IDTA”), or
  • the new International Data Transfer Addendum (“UK Addendum”) to the “new EU SCCs”.

There will be a transition period between March 2022 and March 2024:

  • Data Transfer Agreements (DTAs) based on the old EU SCCs and concluded before 21 September 2022 remain valid until 21 March 2024 (unless the underlying processing operations change before that date).
  • From 21 September 2022, organisations must use the IDTA or the UK Addendum for any new arrangement.
  • By 21 March 2024, all DTAs based on the ‘old’ EU SCCs must have been replaced by the new UK documents.


Why is this important?


This will make it much simpler to bring data transfers into compliance, especially when the Data Exporter is a Processor (i.e. a sub-contractor): as of today, the ‘old’ EU SCCs cannot be used when the UK Data Exporter is a Processor, because they do not cover that situation; alternative solutions exist, see previous Newsletters.


Which document should we use: the IDTA or the UK addendum?


  • If your organisation already transfers personal data from the EU/EEA to a non-adequate country, you have probably already put in place a Data Transfer Agreement (DTA) with the Data Importer containing the new EU SCCs: if you also transfer personal data from the UK to the same Data Importer, we recommend that you add the ‘UK Addendum’ to the existing DTA.

  • If there is a Data Importer to whom your organisation transfers personal data from the UK only (and not from the EU/EEA), then it is probably simpler to put the IDTA in place with that Data Importer.

( * ) This applies even if the direct identifiers have been redacted: pseudonymised data are still personal data.

( ** ) A non-adequate country is a country outside the EU/EEA which does not have data privacy laws equivalent to the GDPR and does not have a Data Protection Authority with a role equivalent to the one the GDPR provides for. As of 22 February, there are 14 adequate countries.


For any questions, ask our UK experts: 

  • Dave Edwards at d.p.edwards ( at ) pharmarketing.net
  • Julianne Hull at j.m.hull ( at ) pharmarketing.net
  • Maria Veleva at m.i.veleva ( at ) pharmarketing.net



PHIPA is the Personal Health Information Protection Act, the health privacy law of the province of Ontario, Canada. It was passed in 2004 and was amended by the Health Information Protection Act (HIPA) in 2016.


PHIPA has some similarities with HIPAA but is more comprehensive, and it allows the Privacy Commissioner to impose penalties.

Key Definitions:

Personal Health Information (PHI) under PHIPA is defined more broadly than Protected Health Information (PHI) under HIPAA in the US.

Health Information Custodians (HICs) are PHIPA’s equivalent of HIPAA’s Covered Entities.


HIPAA Breach Notification Requirements vs. PHIPA Breach Notification Requirements:

In the US, under HIPAA, a covered entity must notify the U.S. Department of Health and Human Services (HHS) of a breach of unsecured PHI; the deadline depends on whether the breach affects 500 or more individuals (if so, HHS must be notified without unreasonable delay and no later than 60 days after discovery; smaller breaches may be logged and reported to HHS annually). NB: there is no federal privacy commissioner in the US at this time.

PHIPA requires HICs to notify the Information and Privacy Commissioner of Ontario (OIPC) of breaches, with no numeric threshold on the number of individuals affected. The OIPC can impose financial penalties on the persons or organisations responsible for the data breach.


HIPA 2016:

In Ontario, the Health Information Protection Act (HIPA) was passed in 2016 to clarify certain points of PHIPA. It also strengthens the role of the OIPC and makes it easier for it to take action; a HIC must give written notice to the relevant authorities of wrongdoing by its employees. HIPA introduces new provisions for electronic health records. In addition, HIPA enacts a new regime for the protection of quality-of-care information created when adverse events in hospitals are examined.



The amended version of Japan’s data privacy law, the Act on the Protection of Personal Information (APPI), comes into effect on 1 April 2022.


Businesses should amend their privacy notices on the following points:

  • The description of the purpose of use must be more detailed;
  • The purpose of using pseudonymised information must be published (the notion of pseudonymised personal data is new in the APPI);
  • Joint use will require the disclosure of additional elements;
  • Information about “retained personal data” must be made available to data subjects;
  • Relevant information must be provided in connection with cross-border transfers of personal data (this obligation does not apply to the UK/EEA/EU, as these regions are considered adequate by Japan);
  • Providing pseudonymised information to a third party requires the consent of the data subjects.


The Personal Information Protection Commission (PPC), Japan’s Data Protection Authority, has said that it will review the data privacy laws of 31 countries to check whether they provide protection equivalent to Japanese law.


For more information, read the article from the IAPP here.



Last month, one of our friends, who works at a Big Pharma in the EU, contacted us: a young start-up had offered to buy the licence for a molecule on which the Big Pharma had run medical research about 20 years ago, and it also wanted to acquire the entire clinical database from those clinical studies.


This situation raises several questions:

  • Should the personal data be fully anonymised before being transferred to the Start-Up?
  • How should the patients be informed, as the GDPR requires, given how difficult it is to reach all of them after so many years?
  • Should the Big Pharma put a Data Transfer Agreement in place with the Start-Up?


Here are our recommendations to be compliant with GCP/GDPR:

  • Should the personal data be fully anonymised before being transferred to the Start-Up?

      • We do not recommend fully anonymising the personal data:
      • first, the GDPR does not mandate it;
      • second, it is very costly and time-consuming to fully anonymise a clinical data set while keeping it meaningful for future medical analysis.

  • How should the patients be informed that their personal data will be reused for another purpose, as the GDPR requires, given how difficult it is to reach all of them after so many years?

      • It is true that the GDPR requires data subjects to be informed that their personal data will be reused;
      • this is all the more necessary here because the data will be reused for another purpose and by another data controller (the new sponsor);
      • the fact that the data are key-coded (pseudonymised) does not exempt the controller from this duty to inform: in Europe, pseudonymised data are still personal data and still fall under the GDPR;
      • in theory, the Big Pharma should reach out to every patient, inform them of the reuse and give them the possibility to opt out;
      • in practice, this is very time-consuming and costly: the Big Pharma does not hold the patients’ contact details (the data are key-coded), so it would have to ask the investigator sites to do it, and since the trials took place long ago a good proportion of the patients will have moved and some may be deceased;
      • European Data Protection Authorities accept that in such a case the patients are informed in a simpler way (see Article 14(5)(b) GDPR, which applies where informing the data subjects proves impossible or would involve a disproportionate effort): by publishing an announcement on the Big Pharma’s public website and asking the sites to do the same, by asking the sites to put up a poster in the relevant areas, or by placing announcements in local newspapers;
      • if the Start-Up intends to share the patient data with sub-contractors, this must be stated in the announcements, especially if the data will be transferred outside the EU/EEA/UK.

  • Should the Big Pharma put a Data Transfer Agreement in place with the Start-Up?

      • Yes, this is recommended: even if the Start-Up is in the EU/EEA like the Big Pharma, it is good practice to put a Data Transfer Agreement (DTA) in place between them;
      • the DTA should list the obligations that the Start-Up has under the GDPR, GCP and any other applicable local laws or guidelines;
      • it should also identify the Technical and Organisational Measures that the Start-Up commits to implement (and to require from its sub-contractors) to protect the patient data and mitigate the risks to the patients’ privacy;
      • if the ‘sale’ of the data involves transfers outside the EU/EEA/UK to a non-adequate country, the DTA should clearly state the appropriate safeguards the Parties implement to secure the transfer.


These recommendations also apply if your organisation:

  • plans to ‘sell’ patient data to a data broker or a marketing company;
  • discovers that one of its SaaS software providers is reusing information from its clinical studies for its own analysis or for resale.


==> If you would like to discuss this topic more in depth and/or to get examples of data privacy language to inform patients and for the DTA, feel free to reach out to us at b.p.lebourgeois ( at ) pharmarketing dot net

