Disclaimer: this is the opinion of PharMarketing. It was drafted by our lawyer Ersi with President Bertrand, and we have compared it with the opinions of our clients, but it cannot be relied on as a legally binding statement.
The California Consumer Privacy Act of 2018 (CCPA) gives consumers more control over the personal information that businesses collect about them, and the CCPA regulations provide guidance on how to implement the law.
Our opinion is that medical research does not fall under the CCPA, for the following 5 reasons:
1. The CCPA is about consumers, and a patient included in a research study does not 'consume' anything. Sponsors and CROs (and other sub-contractors) do not provide healthcare; they provide services for a medical research study, which is different in essence from ongoing care, so the patient is not 'consuming' classic care. Put differently, if a patient were receiving healthcare from a remote GP via telemedicine, that might be requalified as a 'consumer' purchase, but not in the case of a medical research study.
2. Sponsors and CROs act at the request of a site that recruited the patient for the given study initiated by the sponsor. The site is a covered entity under HIPAA, so, as per the 'HIPAA Exemption' section of the CCPA, the personal data processing is exempted from the CCPA for this reason as well.
3. Sponsors and CROs also do this for a Clinical Trial, so as per the 'Clinical Trial Exemption' of the CCPA, there is again a waiver from complying with the CCPA.
4. Furthermore, although the Clinical Trials exemption is not a blanket exemption for all clinical trials, given that not all research activities are subject to the Common Rule, we think the AB 713 CCPA de-identification exemption resolves that, provided the data has been de-identified in accordance with the HIPAA de-identification method.
5. Finally, our reading of the clinical trial exemption of the CCPA, and especially of the wording "or human subject requirements…", is that the article outlines the legal provisions and guidelines a clinical trial may adhere to, and that these laws do not need to apply cumulatively for the article to apply. So our interpretation is that a Clinical Trial which follows, for example, the ICH-GCP Guidelines or human subject protection requirements also falls under the Clinical Trials CCPA exemption, even if it is not subject to the Common Rule.
For more information on this topic, contact our expert lawyer Ersi at e.c.michailidou ( at ) pharmarketing.net
When designing a clinical study or a quality of life study, it often happens that patients are asked to enter healthcare data themselves from home. Patients can do so by using their own computer to access a portal, by using a tablet or a smartphone provided by the sponsor and the CRO, or by downloading an app on their own smartphone.
In all of these situations, patients need to log in to the portal, the software or the application with a specific user id and password (unless it is a general survey where there is no need to know which person completed it).
Usually the user id and password are sent to each patient by the CRO or by the service provider. In France, this is not compliant:
In France, the guidelines of the French Data Protection Authority (CNIL) must be complied with: MR-001 for an interventional study and MR-003 for an observational study. Each stakeholder in the value chain (sponsor, CRO and site) must self-declare to the CNIL that it complies with these 2 guidelines.
Both MR-001 and MR-003 state that only healthcare professionals from the site, or acting on behalf of the medical team of the site (e.g. a nurse visiting the patient at home), may hold at the same time both health data and an identifier of a volunteer/patient.
The sponsor, the CRO, central labs, software providers, etc. cannot hold at the same time both health data and an identifier of a volunteer/patient.
If the software provider or the CRO sends each patient the user id and password, it is not compliant with these MRs, because it will hold at the same time an identifier of the patient (his or her personal email address) and it will know the pathology of the patient, which is health information.
If the CRO and the software company want to continue like this, they must ask the CNIL for a waiver.
Completing a waiver request takes a long time, because all stakeholders in the study (the sites, the CRO, the sponsor, the software provider) need to provide information, and there is a lot of information to provide.
Link to request a waiver: https://declarations.cnil.fr/declarations/declaration/declarant.display.action?showDraftPopup=true
Regarding the sites, the sponsor needs to identify a 'lead investigator' in France; this person will fill in the information in the waiver request on behalf of all the investigators in France.
The CNIL then takes up to 2 months to respond. Under French law, no response within the 2-month period is considered a yes.
Partitioning data is not a sufficient security measure.
Some software providers have partitioned the health data from the direct identifiers: the healthcare information entered by the patients is stored in one database, and the direct identifier of each patient is stored in another database, and the persons with access to the former do not have access rights to the latter, and vice versa.
This is a good security measure for protecting the privacy of patients, and it is accepted in all countries, but it is not deemed a sufficient security measure to be compliant with MR-001 and MR-003.
The possible scenarios for being compliant with MR-001 and MR-003 are the following:
1) Complete the waiver request on the website of the CNIL
a. Pro: compliant
b. Cons: a burden for all stakeholders, a long process, and always the risk of a negative answer from the CNIL (the CNIL could say that the sites can email the patients themselves)
2) Create one 'dummy' email address per patient for the study, for example patient01_studyXX@csoftware_company.com, and send them to the sites. Each site then assigns one dummy email address to each patient and sends each patient their email address + password. After that, each site sends back to the software company a table giving the patient code for each 'dummy' email address.
a. Pro: compliant
b. Cons: burden on the sites
For any question, contact our consultant Dave Edwards, who acts as DPO for an ePro/eCOA software provider: d.p.edwards ( at ) pharmarketing.net
Enforcement of Thailand’s Personal Data Protection Act (PDPA) starts June 1, the Bangkok Post reports.
A survey by the Thai Board of Trade and the University of the Thai Chamber of Commerce found that, of nearly 4,000 businesses surveyed, 8% have taken steps toward compliance, while 31% have not begun the process. Total Access Communications' interim Chief Corporate Affairs Officer Stephen James Helwig said enforcement "marks a milestone for privacy protection and data security" in Thailand.
In other words, according to the Bangkok Post article, only 8% of the businesses interviewed have already implemented measures to comply with the PDPA, and 31% have not even started the compliance process.
Thailand's PDPA is similar to the EU's GDPR: the definition of personal data is the same (except for deceased persons), and a DPO is mandatory for private organisations processing large volumes of personal data. The amount of the fines is written into the law:
The criminal penalties include fines of up to 1 million baht (around 27,200 euros) and/or imprisonment for up to one year, while non-compliance with administrative rules can result in fines of up to 5 million baht (around 136,000 euros) and punitive damages of up to twice the amount of the actual damages.
As in the EU, Thailand has completed the establishment of its supervisory authority, the Personal Data Protection Commission (PDPC).
Both guidances from Spain and from France apply
2. An ePro report with the user ids of patients was sent to a CRO:
John_doe@yahoo.co.uk connected on 12 Feb 2022 at 7:30am
Pam_browning@gmail.com connected on 5 Feb 2022 at 3:11pm
Is it a personal data breach?
Yes, it is a personal data breach: only site personnel should see direct identifiers of patients, and the CRO should not. As explained in the article on ePro and eCOA above, patients' personal email addresses should never be used, because they disclose the first name or the last name of the patient, which are direct identifiers under the GDPR. Instead, the software provider (or the CRO) should create one dummy email address per patient.
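The dummy-address scheme from the ePro/eCOA article above and the breach check in this question can both be expressed as a small script. The following is an added example, not code from PharMarketing or from any ePro/eCOA vendor: it generates pseudonymous study logins that carry no patient information, and it scans a report before it leaves the software provider, flagging any login id that is not a study address (a personal Gmail or Yahoo mailbox, for instance). The study domain `studyxx.example` and the sample report lines are constructed for the example.

```python
import re
from typing import Iterable

# Hypothetical dummy-address domain for the study; assumed for this example,
# not taken from the page.
STUDY_DOMAIN = "studyxx.example"

# Matches ordinary e-mail addresses embedded in free text.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def generate_dummy_addresses(study_code: str, count: int,
                             domain: str = STUDY_DOMAIN) -> list[str]:
    """Create one pseudonymous login address per expected patient.

    Each address carries only a sequence number and the study code, so the
    software provider can know every address without learning anything about
    the person the site later assigns to it. The site keeps the
    address-to-patient mapping; the provider only receives patient codes.
    """
    return [f"patient{n:02d}_{study_code}@{domain}" for n in range(1, count + 1)]


def is_study_address(address: str, domain: str = STUDY_DOMAIN) -> bool:
    """True if the address belongs to the study's dummy domain (case-insensitive)."""
    return address.lower().endswith("@" + domain.lower())


def find_direct_identifiers(report_lines: Iterable[str],
                            domain: str = STUDY_DOMAIN) -> list[tuple[int, str]]:
    """Scan an ePro/eCOA report for login ids that are not study dummy addresses.

    Returns (line number, address) pairs for every address outside the study
    domain. A personal mailbox usually embeds the patient's name, which is a
    direct identifier and must not be sent to the sponsor or the CRO. Run this
    on every export before it is released.
    """
    findings = []
    for lineno, line in enumerate(report_lines, start=1):
        for address in EMAIL_RE.findall(line):
            if not is_study_address(address, domain):
                findings.append((lineno, address))
    return findings


# Constructed sample report: the two lines quoted in the breach question above,
# plus one compliant line using a dummy study address. Not real data.
SAMPLE_REPORT = [
    "John_doe@yahoo.co.uk connected on 12 Feb 2022 at 7:30am",
    "Pam_browning@gmail.com connected on 5 Feb 2022 at 3:11pm",
    "patient03_studyXX@studyxx.example connected on 6 Feb 2022 at 9:02am",
]

if __name__ == "__main__":
    for addr in generate_dummy_addresses("studyXX", 3):
        print("dummy login:", addr)
    for lineno, addr in find_direct_identifiers(SAMPLE_REPORT):
        print(f"line {lineno}: personal address {addr} must not be sent to the CRO")
```

The check only asks whether an address is outside the study domain; it does not try to guess whether a local part "looks like" a name, because the compliant position described above is that no personal address should appear in the report at all.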