Newsletter 40 March 2023

On 8 March, U.K. Secretary of State for Science, Innovation and Technology Michelle Donelan introduced a new version of the Data Protection and Digital Information Bill to Parliament.

A first version was originally proposed by the government in July 2022 but was paused following the changes of Prime Minister in the UK.

"Co-designed with business from the start," Donelan said, "this new bill ensures that a vitally important data protection regime is tailored to the U.K.'s own needs and our customs."

"Our system will be easier to understand, easier to comply with, and take advantage of the many opportunities of post-Brexit Britain. No longer will our businesses and citizens have to tangle themselves around the barrier-based European GDPR," Donelan said. "Our new laws release British businesses from unnecessary red tape to unlock new discoveries, drive forward next generation technologies, create jobs and boost our economy."


What does this new bill contain?

The new proposal will increase fines for nuisance calls and texts up to either 4% of global turnover or 17.5 million GBP, whichever is greater. Additionally, the bill would reduce the number of consent pop-ups on websites, the government stated in a press release.

The new bill will require businesses to document the Records of Processing Activities (ROPA, GDPR Article 30) only for high-risk processing, such as, for example, the processing of someone's health data.

Regarding international data flows, the bill will use existing transfer mechanisms "if they are already compliant with current U.K. data laws", the release states.

IAPP Research and Insights Director Joe Jones, who previously worked for the U.K. government in this space, said, "If you're compliant with the EU GDPR, you'll be compliant with the U.K."

U.K. Department for Science, Innovation and Technology Data Policy Director James Snook said stakeholders "identified areas where we could go further" while retaining EU adequacy but adding more legal clarity.


"For the most part," Snook said, "this is not a new regime but, hopefully, provides opportunities for organizations to be more flexible and have more clear rules in the U.K." He also pointed out the reforms would eliminate burdens for small and medium-sized businesses.

After a second reading in the coming weeks, the new version of the bill will be sent to legislative committees for review.


Our opinion:

We agree that it’s a good approach to relieve some of the burden on small businesses, especially those doing ‘business as usual’ like the car dealer or the grocery shop around the corner, and to make it mandatory to document a personal data processing activity in the ROPA only if an organisation thinks it might bring risks to the private life of the data subjects.

In other words, for example, all organisations running payroll according to best practices will not need to document it in the ROPA. The same goes for accounting.


Don’t take it as a general waiver not to check what vendors are doing.

Organisations will not need to check that their payroll subcontractor or their accountant is GDPR compliant, which makes sense in the UK approach, because that is the job of such subcontractors (to check that they themselves are GDPR compliant). But if one day a data breach occurs because one of the vendors did not comply with basic IT good practice, a lawyer might well say that the organisation should have checked this before contracting with that vendor. So I don’t think we can take it as a general waiver not to check what vendors are doing.


There is already flexibility for Small and Mid-Size Businesses in the GDPR

Data Protection Authorities in the UK/EU/EEA already stated clearly that they are flexible on the level of documentation.

For example, if a life science organisation conducts several clinical studies, and they all work more or less the same:

  • You can put only one generic line in the ROPA for all your studies.
  • It is not mandatory to draft one Data Protection Impact Analysis (‘DPIA’) per clinical study.

The same goes for human resources: if you are a small organisation, you can regroup all your processing activities related to employee personal data in one line of the ROPA, provided you do business as per the good practices of your country.

So maybe this new version of the Bill comes because some businesses thought they were required to go to a very deep level of detail. In real life, things can be made quite easy for SMBs to comply with the GDPR.


Organisations will still need to do a risk analysis

As officials put it, it will be mandatory to document the ROPA if you think that a personal data processing activity might generate risks to the privacy of data subjects.

How do you know whether a processing activity will generate risks? By drafting a risk analysis or, to use the GDPR terminology, a Data Protection Impact Analysis (‘DPIA’).

In other words, if a personal data processing activity seems borderline to you but you estimate that you don’t need to put it in the ROPA, you will need to document why you think it doesn’t bring any risk to people's privacy; this will typically be the case for direct marketing activities, for example.

No change for medical research and healthcare activities

As stated by UK officials, processing healthcare data will still be considered a personal data processing activity which could bring a risk to the private life of patients, so it will still be mandatory to document the ROPA and, of course, to draft a DPIA.


Penalties already exist in the GDPR and in the UK Data Privacy Act 2018

The new bill is expected to increase fines for nuisance calls and texts up to either 4% of global turnover or 17.5 million GBP, but fines can already reach 4% of global revenue under the GDPR and the UK Data Privacy Act 2018, so this is not really a revolution.


Great idea to reduce the amount of consent pop-ups on websites

This is really a great idea, as we all know how painful it is to re-consent every time we visit a website because we automatically clear the cache after closing our web browser. And we know that nobody really reads all the content of the consent notices; moreover, we have been told by a lawyer of a Data Protection Authority that a website asking you to read 20 pages of consent notice does not make the process lawful under the GDPR, nor does it mean that they are covered and you cannot complain.


What should organisations do?


For an organisation doing business only in the UK, processing ONLY personal data from people in the UK and not planning to go international, we of course recommend complying only with the new Bill and not with the EU GDPR.


But again, in real life EU Data Protection Authorities are very flexible regarding the level of detail SMBs need to reach for the data privacy deliverables, so think twice before making such a decision.

And remember, even if you have only one legal entity in the UK (and none overseas), you might work with a client or a vendor based in the EU, or you might offer services to people based in the EU, and in such a case you will fall under the EU GDPR, as the EU GDPR has a principle of extra-territoriality.


For an organisation doing business internationally, or doing business only in the UK but thinking of going international:

For an organisation in such a situation, as stated by IAPP Research and Insights Director Joe Jones, your organisation should aim to comply with the EU GDPR: then you will be compliant with UK Data Privacy, and also with 99% of other data privacy laws elsewhere on the globe.


To read the new version of the Data Protection Reform Bill click here.


If you want to prepare for the changes to come, please write to Bertrand at b.p.lebourgeois ( at ) pharmarketing.net, or contact our UK consultants:

  • Julianne Hull: j.m.hull ( at ) pharmarketing.net
  • David Edwards: d.p.edwards ( at ) pharmarketing.net
  • Maria Veleva: m.i.veleva ( at ) pharmarketing.net



On 24 February, the European Data Protection Board (EDPB) released Guidelines clarifying International Transfers of Personal Data. 


These guidelines aim to assist controllers and processors when identifying whether a processing operation constitutes an international transfer, and to provide a common understanding of the concept of international transfers. 


Following public consultation, the guidelines were updated and further clarifications were added. Most notably, a clarification was added regarding the responsibilities of the controller when the data exporter is a processor. In addition, further examples were added to clarify aspects of direct collection, as well as the meaning of “the data importer is in a third country”.


Moreover, an annex was added with further illustrations of the examples included in the guidelines to facilitate understanding.


Download the Guidelines here.



On 8 December 2022, the European Medicines Agency (EMA) sent a letter to all QPPVs in EU on 'International transfer of personal (health) data in ICSRs originating from EudraVigilance'.


What happened?


Marketing Authorisation Holders ('MAHs') submitted ICSRs originating from EudraVigilance to the U.S. Food and Drug Administration’s Center for Biologics Evaluation and Research (FDA CBER), which resulted in the publication of unredacted case narratives on the U.S. Vaccine Adverse Event Reporting System (VAERS) website and the U.S. Centers for Disease Control and Prevention (CDC) WONDER website.

Then, some researchers managed to reidentify some patients from the data sets in VAERS and WONDER by matching them with other publicly available data sets they had access to. These researchers notified the EMA, which decided to send the above-mentioned letter to QPPVs.

Following this incident, the FDA removed some personal data from their databases.


What is the EMA asking of MAHs?

In its letter to QPPVs, the EMA is asking the QPPVs of MAHs to replace the country with 'EU' in EudraVigilance, and to implement similar pseudonymisation measures on other data fields to reduce the probability that somebody could reidentify a patient.


Our opinion:


1) MAHs can improve the pseudonymisation, but only to some extent

For an MAH, replacing the country code with 'EU' means that the ICSR will lose its meaningfulness, and the same goes for researchers in the EU who perform epidemiology studies.

So MAHs can do a 'replace all' in ICSRs, but it will probably bring drawbacks at other points of the value chain.


2) MAHs can try and ask receiving authorities to put in place security measures to protect Personal Data, but probably some authorities will decline

The MAHs of course have their share of responsibility towards data privacy and should certainly pseudonymise as much as possible the ICSRs they enter in EudraVigilance and share with the FDA or other authorities outside the EU/EEA located in non-adequate countries. We also appreciate that putting in place a data transfer agreement with the Standard Contractual Clauses from the EU Commission, even after drafting a Transfer Impact Assessment, does not mean that the FDA (or any receiving authority outside the EU/EEA) will comply with the GDPR and put enough security measures in place so that patients cannot be reidentified.

Also, the receiving Healthcare Authorities will probably not want to sign such a data transfer agreement, nor commit to any specific security measures.


3) Different definitions of Personal Data

It is important to remember that encoded patient data are NOT considered personal data in the US. This is a common misunderstanding between the two sides of the pond, between people working in life sciences and healthcare in Europe on one side and in the US on the other.


4) What will the reactions of Healthcare Authorities outside EU/EEA be?

As one of our clients told us, the EMA has exchanged with the US FDA, but probably not with each Healthcare Authority outside the EU/EEA.

So, be ready to get questions from Healthcare Authorities when they realise that you have replaced the country with 'EU' everywhere.


5) GDPR applies outside of Europe

Lastly, it is important to remind our readers that the GDPR has an extraterritoriality clause: any organisation receiving personal data from EU/EEA data subjects, even encoded, MUST apply the EU GDPR to such data.

So clearly the FDA and other receiving authorities must work on their side to make sure that the data sets published in their databases do not make it easy to reidentify a data subject.


6) There is always a probability that somebody could reidentify a patient from a pseudonymised (encoded) data set

The EMA letter reminds MAHs that the confidentiality undertaking of EudraVigilance requires MAHs to “ensure that personal data reported can no longer be attributed to a specific data subject”.

It has been demonstrated by many specialists and by Data Protection Authorities that the probability that somebody could reidentify a data subject from a data set is never equal to zero unless you aggregate at least 3 data subjects in a statistic. The probability can be decreased, but can never be equal to zero. So, in our opinion, this request is not realistic and is unworkable in real life.


NB: software solutions exist that aim to fully anonymise a personal data set, but Data Protection Authorities say that there is still a small probability that a patient could be reidentified. Also, when applying such anonymisation software to an ICSR, it would probably lose much of its medical significance for authorities, the MAH and any researcher.
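As an added illustration of points 1) and 6) above (our own example, not code from the EMA, from EudraVigilance or from any MAH system): a small Python check, run over a constructed set of ICSR-like records, that counts how many records share the same quasi-identifiers (country, age, sex, year of the event) before and after replacing EU/EEA countries with 'EU' and banding the age. The threshold of three data subjects used by the check is the figure quoted above; the field names, the sample values and the ten-year age band are assumptions.

```python
from collections import Counter

# EU-27 plus the three EEA countries (ISO 3166-1 alpha-2 codes). These are the
# codes that get collapsed to 'EU', as the EMA letter asks MAHs to do.
EU_EEA = {
    "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR", "HU",
    "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK", "SI", "ES",
    "SE", "IS", "LI", "NO",
}

# Constructed sample of ICSR-like records (not real cases). Only the fields that
# act as quasi-identifiers are kept; the free-text narrative is left out.
SAMPLE_ICSRS = [
    {"case_id": "C001", "country": "FR", "age": 34, "sex": "F", "event_year": 2022},
    {"case_id": "C002", "country": "FR", "age": 36, "sex": "F", "event_year": 2022},
    {"case_id": "C003", "country": "FR", "age": 31, "sex": "F", "event_year": 2022},
    {"case_id": "C004", "country": "DE", "age": 38, "sex": "F", "event_year": 2022},
    {"case_id": "C005", "country": "IT", "age": 33, "sex": "F", "event_year": 2022},
    {"case_id": "C006", "country": "US", "age": 35, "sex": "F", "event_year": 2022},
]

# Fields an outsider could match against another data set (quasi-identifiers).
QUASI_IDS = ("country", "age", "sex", "event_year")


def age_band(age):
    """Collapse an exact age into a ten-year band, e.g. 34 -> '30-39'."""
    low = (age // 10) * 10
    return f"{low}-{low + 9}"


def pseudonymise(record, collapse_country=True, band_age=True):
    """Return a generalised copy of one record; the original is not modified."""
    out = dict(record)
    if collapse_country and out["country"] in EU_EEA:
        out["country"] = "EU"          # non-EU codes such as 'US' are left as is
    if band_age:
        out["age"] = age_band(out["age"])
    return out


def group_sizes(records, fields=QUASI_IDS):
    """How many records share each combination of quasi-identifier values."""
    return Counter(tuple(r[f] for f in fields) for r in records)


def k_anonymity(records, fields=QUASI_IDS):
    """Smallest group size: each record is indistinguishable from at least k-1 others."""
    return min(group_sizes(records, fields).values())


def records_below_k(records, k=3, fields=QUASI_IDS):
    """Case ids still in a group smaller than k (three data subjects, the
    aggregation threshold quoted above), i.e. records that remain easy to single out."""
    sizes = group_sizes(records, fields)
    return sorted(r["case_id"] for r in records
                  if sizes[tuple(r[f] for f in fields)] < k)


def compare(records, k=3):
    """Which records stay below k at each generalisation level."""
    return {
        "raw": records_below_k(records, k),
        "country_only": records_below_k([pseudonymise(r, band_age=False) for r in records], k),
        "country_and_age": records_below_k([pseudonymise(r) for r in records], k),
    }


if __name__ == "__main__":
    # On the sample, replacing the country alone leaves every case unique; only
    # combined with age banding do the five EU cases group, while the US case stays unique.
    for level, ids in compare(SAMPLE_ICSRS).items():
        print(f"{level:16s} records below k=3: {ids}")
```

The point the sample makes is the one in the letter: the 'EU' replacement on its own changes nothing for a matching attacker, it is the combination with other fields that reduces the risk, and it does nothing at all for non-EU cases.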


Conclusion

In conclusion, MAHs should do their best to pseudonymise as much as possible the patient data that they enter in EudraVigilance and they share with Authorities outside the EU.

BUT such authorities should also comply with GDPR and do their part.


If you would like to exchange with us on this topic, please write to Bertrand at b.p.lebourgeois ( at ) pharmarketing.net



On 3 May 2022, the European Commission launched a legislative proposal on the “European Health Data Space” (hereinafter ‘EHDS’), in order to ‘unleash the full potential of electronic health data’ through a ‘European electronic health record exchange format’. The proposed EHDS Regulation is a ‘health-specific ecosystem’ comprising rules, common standards, infrastructures and a governance framework, in order to regulate both the primary use of electronic health data for the provision of personalised health services and the secondary use thereof for health research, innovation and public-policy purposes. The EHDS builds on the GDPR and on recent EU legislative initiatives such as the Data Governance Act, the draft Data Act and the NIS Directive (on security of network and information systems). It complements these initiatives and provides more tailor-made rules for the health sector. An open public consultation on the EHDS ran between 3 May and 26 July 2021, gathering a wide range of views that contributed to the design of this legal framework.


Extra-territorial application

The EHDS has an extra-territorial scope, as it applies to manufacturers and suppliers of EHR systems and wellness applications placed on the market and put into service in the EU and the users of such products, to non-EU controllers and processors that have been connected to or are interoperable with MyHealth@EU [1], as well as to data users worldwide, to whom electronic health data are made available by data holders in the EU.


Scientific research under the proposed EHDS Regulation

Chapter IV of the proposed EHDS specifically regulates the secondary use of electronic health data. It describes the purposes for which secondary use of electronic health data is permitted, which include scientific research related to health or care sectors, as well as development and innovation activities for products or services ensuring high levels of quality and safety of healthcare, medicinal products and medical devices (article 34 EHDS). The EHDS also lays down prohibited uses of electronic health data, such as taking decisions detrimental to a natural person based on electronic health data, as well as developing products that may harm individuals and societies at large (article 35).


Data sharing for research purposes under the EHDS relies on three essential roles: (i) data holders, namely the legal or natural persons bearing the obligation to make the electronic health data available, (ii) data users, namely the natural or legal persons who have lawful access to electronic health data for secondary use and (iii) the data access bodies, which shall be the competent authorities at member-state level, for the provision of a permit to data users for the processing of electronic health data. The EHDS introduces a new definition of ‘electronic health data’, which includes personal and non-personal (fully anonymized) data. It primarily encourages the secondary use of non-personal electronic health data for research purposes; however, should the data user need to process pseudonymized personal data instead, this request must be specifically justified to the competent data access body, for the issuance of a relevant permit. In this case, processing must take place under the provisions of the GDPR and rely on a legal basis. Access will only be granted by the data access bodies, if the requested data is used for specific purposes, in closed, secure environments and without revealing the identity of the individuals.


The categories of electronic health data which shall be mandatorily made available by data holders for secondary use include human genetic, genomic and proteomic data, person-generated data from medical devices, wellness or other digital health applications, data from public health registries, medical registries for specific diseases, clinical trials, medical devices, registries for medicinal products and devices, research cohorts, questionnaires and surveys related to health, as well as data from biobanks and dedicated databases (article 33). The EHDS is intended to constitute a legal basis under article 6.1(c) GDPR [2] for data holders to perform their sharing duties (fulfilment of a legal obligation), in conjunction with article 9.2(j) GDPR [3] for the processing of special categories of data.


Some questions:


Will patients be informed, at the time they receive care in a hospital, that their health data might be reused one day by a researcher based in another EU country? If yes, how could a hospital inform patients?

Yes, the patients will be informed. Hospitals are ‘data holders’ under the EHDS so they do not fall under the exemption of article 38.2 EHDS, which releases only data access bodies from the obligation to notify data subjects under article 14 GDPR.

Hospitals should put appropriate language in their general welcome brochure and more generally in all patient-facing documents.


Will a patient have the possibility to object to the use of their health data by a researcher in another country?

The EHDS does not have a specific provision; however, the GDPR rights still apply. In that sense, the right to object may be exercised under article 21.6 for personal electronic health data (see article 14 of the EHDS preamble), whereas the GDPR doesn’t apply to non-personal electronic health data.


Conclusions

Quoting the words of EC Vice-President Margaritis Schinas, “The European Health Data Space will be a ‘new beginning' for the EU's digital health policy, making health data work for citizens and science”.

It is meant to be a key pillar towards accelerating data-driven health research and innovation in the EU, providing access to large amounts of high-quality health data in cost-effective ways and under strict conditions for the protection of personal data. However, pending the entry into force of the finalised EHDS, issues like balancing the data sharing duties of the data holders, including sponsors of clinical trials, with their obligation to preserve confidentiality and protect intellectual property rights and trade secrets must be properly addressed by the EU legislator.


Any questions? Contact Ersi at e.c.michailidou ( at ) pharmarketing.net


  • [1] MyHealth@EU is a network which enables any healthcare professional in the EU to access the healthcare dossier of a patient coming from another EU country. For the patient, it guarantees continuity of care even when they are travelling to another EU country.
  • [2] Processing is necessary for compliance with a legal obligation to which the controller is subject;
  • [3] Processing is necessary for archiving purposes in the public interest, scientific or historical research purposes



On 13 March 2023, the French Data Protection Authority (DPA), the CNIL, announced that it had issued a warning to 2 French organisations conducting clinical research. 


The controls performed by the French DPA on these 2 medical research organisations followed a complaint to the CNIL, and were conducted in 2022.


These 2 medical research organisations had not drafted a Data Protection Impact Analysis (DPIA), and the information provided to patients and to healthcare professionals was wrong and incomplete.


In addition, the Informed Consent Form handed out to study participants did not specify the storage duration, and stated that their personal data were shared with the sponsor of the study in an anonymized form, which is incorrect: encoded personal data are pseudonymized, not fully anonymised.


As said in a previous Newsletter, the European Data Protection Board (EDPB) stated clearly in an opinion document issued in 2018 that all organisations conducting clinical research must draft a DPIA and appoint a Data Protection Officer (DPO). This applies even if the clinical study involves only a few data subjects, for example for a Phase 1 study with 20 volunteers. This applies also for registries and cohorts.


The DPIA is a risk analysis from the point of view of the patients: for example, what would be the impact on their private lives if a nurse lost paper documents in a taxi?


In addition, in France organisations need to check that they comply with specific local guidelines (MR001 for interventional studies, or MR003 or MR004 for non-interventional studies), and self-declare such compliance to the CNIL. To our knowledge, France and Ireland are the only countries in Europe whose DPA has such a requirement.


Read the press release from the CNIL here (in French): Données de santé : la CNIL rappelle à deux organismes de recherche médicale leurs obligations légales | CNIL


For more information on what data privacy language needs to be on the information notices, or to learn how to draft a DPIA or a job description for a DPO, feel free to contact us at contact ( at ) pharmarketing.net



If a former employee sends us a request for a copy of the personal data we hold about him/her, can we ask the person to pay a small fee, as it will take us time and energy to fulfil the request? yes / no


No: the GDPR states clearly that a Data Controller should answer a request from a data subject free of charge.

One of our employees mistakenly sent patient data to the wrong recipient: can our company be held responsible for that, and can we be fined by the local Data Protection Authority? yes / no


Yes: your company bears responsibility: you should have trained the employee properly on data privacy and on IT security, and you should have put in place a control on outgoing emails to prevent this from happening. So the patients whose personal data was sent to an incorrect recipient could complain to the local Data Protection Authority, and your organisation could be fined and sued for that.

