Newsletter 40 March 2022

There are many local requirements in the UK for commercial health research and Real World Data studies.


Here are some of them:


1) The NHS Health Research Authority (HRA) released in 2021 a guideline detailing what information should be in the Informed Consent Form (ICF) given to subjects participating in medical research, see here (the 'Patient Data and Research' leaflet).


2) Guidance from the NHS HRA, May 2021: Patient information and health and care research, read here.


3) New template released by the NHS HRA in February 2022 for Clinical Trial Agreements between sponsors and sites ('Reducing the time to set up commercially sponsored studies in the UK'), see here.


4) Guidance from the UK Government: Access to Electronic Health Records by sponsor representatives in clinical trials, see here.

In case of conflict, this guidance takes precedence over the GDPR and the UK Data Protection Act 2018.

In particular, the sponsor representative's organisation must demonstrate compliance with the NHS Data Security and Protection Toolkit (DSPT) before access is granted, and must maintain that compliance over time (the Toolkit is re-assessed annually).


Complying with the NHS Toolkit is a thorough exercise: contact us for tips and tricks!


5) Sponsors and their sub-contractors (e.g. CRO, home nursing company, etc.) must populate a DPIA template provided by each NHS site. Templates vary from one hospital to another. Contact us here too for tips and tricks on how to do this.


In all the examples above, in case of conflict, these local guidelines take precedence over articles 13 and 14 of the GDPR and over the UK Data Protection Act 2018.


NB: the list above is not exhaustive. Contact us to learn about other UK local requirements for health research and real world data studies.


A question? Feel free to contact our UK consultants:




Codes of conduct are powerful tools provided by the GDPR to streamline your organisation's data privacy compliance.


They are described in articles 40 and 41 of the EU GDPR. They are especially useful for small and medium-sized organisations that want an easy way to check their compliance with the GDPR.


A code of conduct can be specific to one industry (e.g. for healthcare), or can be specific to one function (e.g. for human resources).


A Code of Conduct (CC) can be drafted by one or several associations of a given industry or geographic area, or by a trade union or representative body, for example a body representing the life sciences organisations of a region.


The organisation that drafted the CC then submits it to its local Data Protection Authority (DPA). The DPA reviews it and, where the CC covers processing activities in several Member States, forwards it to the European Data Protection Board (EDPB) for its opinion before final approval. Once approved, any organisation may refer to the CC for GDPR compliance. This applies to Controllers and Processors, whether based inside or outside the EU/EEA.


What are the Benefits of Referring to Codes of Conduct?


Your organisation can refer to an approved Code of Conduct in order to:

  • Check whether you comply with the items of the CC, as a way to help you comply with the GDPR:
    • as per article 24.3 of the EU GDPR: "Adherence to approved codes of conduct as referred to in Article 40 or approved certification mechanisms as referred to in Article 42 may be used as an element by which to demonstrate compliance with the obligations of the controller."
    • and as per article 35.8 of the EU GDPR for DPIAs: "Compliance with approved codes of conduct referred to in Article 40 by the relevant controllers or processors shall be taken into due account in assessing the impact of the processing operations performed by such controllers or processors, in particular for the purposes of a data protection impact assessment."
  • Help make an international data transfer compliant as per article 46.2.e of the EU GDPR:
    • the Data Exporter (based in the EU/EEA) can use it to demonstrate that appropriate safeguards are in place;
    • the Data Exporter, or the Controller of the personal data processing, can require the Data Importer to prove compliance with the CC. This is especially useful when the Data Importer is based in a third country (i.e. outside the EU/EEA and without an adequacy decision). In that case, the Data Transfer Agreement between the Data Exporter and the Data Importer should state that the Importer commits to comply with the CC.
    • The European Data Protection Board (EDPB) issued Guidelines 04/2021 on Codes of Conduct as tools for transfers on 22 February 2022, read here.



Adherence to an approved CC will be taken into account by a Supervisory Authority when deciding whether to impose a fine on a Controller or Processor (article 83.2.j of the EU GDPR).


What CCs Cannot be Used for:


CCs cannot be used to:

  • Certify that a personal data processing is compliant with the GDPR: a CC is a guide (or a 'checklist', if you wish) that helps you make sure you cover the most important aspects of data privacy. But it does not automatically prove that the data privacy language you have put in the information notice to your employees or to your sub-contractors is compliant with article 13 of the EU GDPR.
  • Exempt you from maintaining the Record of Processing Activities (ROPA) required by article 30.
  • Exempt your organisation, as Controller or Processor, from drafting a Data Protection Impact Assessment (DPIA, i.e. a risk analysis) when the processing is likely to result in a high risk to data subjects.

 

In a nutshell, a CC is a guide, not a compliance certificate.


Which Codes of Conduct have already been approved by the European Data Protection Board (EDPB)?


The EDPB has already approved two Codes of Conduct:


What about Codes of Conduct in Development for Healthcare Research?


No healthcare-research Code of Conduct has yet been validated by the EDPB at the time of writing, but several are in progress:

  • EUCROF, the European CRO Federation, submitted a Code of Conduct for Service Providers in Clinical Research to the French DPA in March 2021. The CC has already been successfully reviewed by the DPAs of France, Belgium and Bavaria; EUCROF expects the CC to be approved by the EDPB in Q2 2022, see the press release dated 12 January 2022 here.
  • EFPIA has drafted a CC on Clinical Trials and Pharmacovigilance: it has progressed to the final phase of review by Data Protection Authorities prior to formal submission to the European Data Protection Board for approval (see the press release of 13 January 2022).
  • BBMRI-ERIC, a European research infrastructure for biobanking, is working on a 'Code of Conduct for Health Research'. Nothing is finalised so far, but working documents on anonymisation and consent are available.



About local Guidelines:


Several Data Protection Authorities, professional associations and independent bodies have issued guidelines, see the examples below. Such guidelines are very helpful in guiding your compliance work towards the GDPR, but they cannot be used as true Codes of Conduct within the meaning of the GDPR: for example, they cannot serve as a safeguard for a transfer of personal data from the EU to the USA.


Examples of guidelines issued by Data Protection Authorities or other Authorities:


  • Most DPAs and governments have issued recommendations on the retention period for various documents, such as employee records or customer invoices.
  • The EMA and several DPAs have issued guidelines on performing remote clinical monitoring and home clinical trial visits during Covid.
  • The Irish DPA and the Health Research Consent Declaration Committee (HRCDC) have issued Guidance on Deferred Consent, see here.
  • Germany: the Bavarian State Office for Data Protection Supervision has published guidance from the supervisory authorities on the processing of personal data for direct marketing purposes under the GDPR.
  • Italian DPA: Guidelines on the Electronic Health Record and the Health File.
  • The French DPA (CNIL) has issued several guidelines for medical research and pharmacovigilance ('Methodologies of Reference'), one for healthcare data warehouses, one for Human Resources, and many others.


Examples of guidelines issued by professional associations or independent bodies:


For more information on Codes of Conduct and how to use them in your organisation, contact Bertrand at b.p.lebourgeois ( at ) pharmarketing.net



Data collected and processed during a clinical study or for a registry have a lot of value for that study.


But, in addition, they can 'generate' more value afterwards if the data are reused for other purposes:
• Another clinical study on the same indication
• A clinical study on the same molecule, but for another indication
• Meta-analysis
• Public health
• Etc.


Data Value from the View of Data Privacy
Data collected during medical research are personal data, even if they are key-coded (pseudonymised).
All personal data have a value: the proof is that if social media services are free of charge, it is because these companies monetise your data.
As people say: if a product is free, it means that YOU are the product.
And so we 'jump' into the considerations of the data privacy laws, and the fact that it is FORBIDDEN to reuse personal data for a new purpose unless you have informed the data subjects (articles 13.3 and 14.4 of the GDPR)!


NB: another way to be compliant is to obtain a specific authorisation for creating a healthcare data warehouse; we shall talk about that in a future Newsletter.


Data Value from the Reselling Point of View
In our industry, some companies resell the healthcare data they collect from hospitals, from community healthcare professionals, or from clinical research sponsors.

They reuse such data to run analytics, for example identifying the best sites in Europe to recruit patients for a specific indication.
And they resell this service.

This is clear proof that these data have a lot of value.

Data Value from the View of Security:

Because such data have so much value, organisations must make sure that all security measures are in place to protect them: IT security measures, appropriate confidentiality clauses in employee contracts, training of employees (and sub-contractors) on data protection, and so on.


Data Value and the Principle of Minimisation

Because data have value and we need to protect them, we must comply with the principle of data minimisation.
This principle exists both in GCP (Good Clinical Practice) and in the GDPR (article 5.1.c).
The less data you collect, the lower the risk for your organisation and for the privacy of patients if there is a data breach!

So, as you can see, the 'value of data' opens up a wide discussion, and it will be very useful for all employees of your organisation to be aware of it; each employee should probably take a short annual training on this topic.



After meeting Joe Biden on 25 March 2022, Ursula von der Leyen, the President of the European Commission, said on Twitter that she is 'Pleased that we found an agreement in principle on a new framework for transatlantic data flows. It will enable predictable and trustworthy EU-US data flows, balancing security, the right to privacy and data protection. This is another step in strengthening our partnership'.


Is it a New Privacy Shield Framework that we can start using now?


At this time it is only a political announcement. The two parties have not agreed a new legal text to replace the 'old' Privacy Shield Framework, which was invalidated by the Court of Justice of the EU in July 2020 (the Schrems II judgment) because it did not provide adequate protection under the GDPR.

From past experience, such a text is unlikely to be available for several months.


In addition, Max Schrems, the Austrian lawyer who brought the case that led to the invalidation of the Privacy Shield Framework, said that he and his team would carefully review the new text once published, and that they will initiate proceedings if they consider that the new text is not compatible with the EU GDPR: read Max Schrems' reaction of 25 March 2022 here.


So, in conclusion, it is probably not before the end of 2022 that we can expect a new tool making transfers of personal data between the EU/EEA and the US compliant with the GDPR.



  1. If I send an email to the wrong recipient containing healthcare data of a patient, but without the patient's identifiers, is it a data breach? Yes.
  2. Our external recruitment agency asks candidates to take a psychological test; is it profiling? Yes.

