This is an opinion article by our senior UK consultant Dave Edwards.

During my 20 years as a quality professional, I’ve seen many organisations getting into difficulty when managing what can be considered different types of quality event such as non-conformances, personal data breaches, security incidents and serious breaches of GCP.

Problems can include:

• Unclear definitions
• Competing process owners
• Conflicting severity ratings
• Unclear reporting requirements
• Duplication between processes and templates

Examples:

For the following examples, you may like to use your organisation’s processes, to see if you can:

• Identify how your organisation would classify the issue (e.g. GxP issue, Non-conformance, Security incident, Data breach, Other)
• If the issue needs reporting to a regulatory/supervisory authority

You may also consider:

• Who would manage the issue (Quality, IT, Privacy, Other)
• What severity the issue would have (Critical, Major, Minor)
• What template(s) would be used to record and manage the issue and resulting Corrective And Preventive Actions (CAPA)

Example 1: A cyber-attack results in a Human Resources server containing data on German employees being compromised but there is no impact to clinical data or GxP services.

This is a security incident and a reportable data breach, but not a serious breach of GCP and would not be listed as a GxP issue despite corrective / preventive actions being required.

Example 2: A site nurse gives informed consent forms for two patients from one study to a monitor working on a separate study enabling them to view both identifier and healthcare data.

This is a data breach but unlikely to need reporting as the monitor is a healthcare professional, who would normally be covered by a confidentiality agreement so there is not likely to be a risk to the patient. It may be a GxP issue and a non-conformance but it is unlikely to be a serious breach of GCP.

Example 3: Your randomisation IRT provider sends a report showing treatment details of all UK patients to a user who should have only had access to the blinded version of the report.

This is a critical GxP issue and potentially a serious breach of GCP but would not be a reportable data breach.

How PharMarketing can help:

There is no single solution that fits all organisations. A single process with an all-encompassing definition of Quality Event (GxP and non-GxP) may avoid confusion but may not be agile enough to cover the range of possible scenarios that could occur, and an organisation’s quality function may not want to support non-GxP issues / may not have the technical knowledge to support some security incidents. Separate processes can be tailored for more specific scenarios and owned / managed by more appropriate groups but can cause confusion and duplication if definitions are not clear and boundaries / escalation points are not precisely specified.

PharMarketing can support your organisation implement either approach and some of the most concise or most common definitions along with reporting requirements are shown below.

• Non-conformance: An unplanned deviation to policy, procedure, design specification, or protocol.
• Security incident: An issue with an impact or potential to impact the confidentiality, availability or integrity of data.
• Personal data breach: A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
• Reporting requirement: Where the breach presents a risk to the affected individual(s), an organisation must report it to the relevant supervisory authority within 72 hours of becoming aware of the issue.
• Serious breach of GCP: A breach likely to affect to a significant degree the safety and rights of a subject or the reliability and robustness of the data generated in the clinical trial.
• Reporting requirement: Varies by country but typically organisations must report a potential serious breach of GCP to the relevant regulatory authority between 72 hours and 7 days of becoming aware of the issue.

Feel free to ask your questions to Dave: d.p.edwards@pharmarketing.net

The Data Protection Authority of Finland decided a fine of 122 000 euros for a manufacturer of smart watches collecting Health Data after several complaints were raised by Data Subjects across Europe, and it was demonstrated that the consent of users was not explicit for their data to be processed by the medical device manufacturer online.

If your organisation is using (or plans to) such wearable devices to collect healthcare data from patients, make sure you do a thorough assessment of the compliance of the vendor and of its devices before signing a contract with them. This compliance check should encompass Data Protection of course, but also Good IT Practices and if relevant Good Clinical Practices.

The site gdprhub.eu explains that in a procedure pursuant to Article 60 GDPR, the Finnish Data Protection Authority (DPA) imposed a €122,000 fine on a manufacturer of heart rate monitors due to lack of valid consent for the processing of personal data, including health data, on its online service.

The controller is a manufacturer of heart rate monitors and smart watches offering its services in multiple Member States in the EU and worldwide. Customers (data subjects) had to register for an online service in order to use all the features of the devices, which required personal information, such as gender, height, age and weight. The device collected heart rate, max VO2 (maximum oxygen capacity) as well as BMI (body mass index) information and uploaded them to the online service. Data subjects could use the collected information to analyse training performance.

The Finnish DPA received five complaints from data subjects between 22 May 2018 and 19 February 2019. The Austrian DPA received one complaint on the same matter. The complaints addressed four main issues.

Read the article from gdprhub.eu

Download the official decision as a PDF

Read the news article from Yle (Finnish national broadcasting company) disclosing the controller's name

At the occasion of world's Privacy Day on 28 January 2022, Kenya's President William Ruto launched the Data Protection Registration System for Kenya.

President Ruto attended the Data Protection conference in Nairobi themed “Promoting data privacy in a digitally transformed economy.”

The two-day event brought together stakeholders from government agencies, private and public sectors among various exhibitors.

Data commissioner Immaculate Kassait has told Kenyans to be wary of the amount of personal information they give out.

Kassait said data collectors should not demand more information than is required by law in order to identify a person.

She said collecting information that is beyond personal identification is dangerous.

"Why do you need to know my email address or my residence when I am accessing a building?" the commissioner said during an interview.

Kassait said one should not be asked for their biometrics in order to access a building.

"Data collectors should practice data minimisation and only collect what is needed to identify someone," Kassait said.

Read the article from Felix Kipkemoi in the STAR newspaper here.

Slovenia's Personal Data Protection Act (ZVOP-2) was adopted on 15 December 2022 and entered into force on 26 January 2023. 

The law includes the following items:

- Guidelines for processing healthcare data and genetic data, see below,

· Procedure for data subjects to exercise their rights on their personal data

· Transmission of personal data in the public and private sectors,

- Guidelines on the transfer of personal data to third countries and international organisations

· Rules for video surveillance,

· Changes to the integration of several personal data sets (linking),

· Updates to the managementof biometric data,

· Principles for enforcing codes of conduct and for the certification,

· Additional conditions for Data Protection Officers

· Specific requirements on the security of personal data, for traceability and and for drafting impact assessments,

· Specific information and guidelines for the processing of personal data for research, archival and statistical purposes,

Since the regulation's adoption, the information commissioner has been updating guidelines and materials to assist managers and processors of personal data as well as individuals.

Guidelines for genetic data:

The new regime provides in Article 81 of the ZVOP-2 that the genetic data of an individual (e.g. DNA material) is permissible to process where otherwise provided for by another law, for the purposes of providing healthcare or where processing is necessary for the performance of a contract concluded solely for the purpose of processing genetic data for the benefit of a party who is an individual.

Guidelines for health data:

Those companies and institutions carrying out extensive processing of health and other sensitive data, including so-called specific types of data, e.g. hospitals and clinics, health and social care institutions, health information systems and service providers. A single private doctor, dentist or lawyer is not obliged to appoint an authorised person.

Read the press release from the Slovenia Data Protection Authority here.

The Federal Trade Commission (FTC)’s Health Breach Notification Rule (HBNR) applies only to health information that is not secured through technologies specified by the Department of Health and Human Services (HHS).

The HBNR applies for example to organizations which have a website that allows people to maintain their medical information online, or who provide applications for personal health records, e.g a device that allows people to upload readings from a blood pressure cuff or pedometer into their personal health record.

Under the FTC’s Rule, companies that have had a security breach must:

1. Notify everyone whose information was breached;
2. In many cases, notify the media; and
3. Notify the FTC.

The FTC has designed a standard form for companies to use to notify the FTC of a breach and periodically posts a list of breaches for which it’s received notice under the Rule. A brochure for businesses, Complying with the FTC’s Health Breach Notification Rule, explains who’s covered by the Rule and offers guidance on what to do in case of a breach. FTC enforcement began on February 22, 2010.

The FTC’s Rule does not apply to businesses or organizations covered by the Health Insurance Portability & Accountability Act (HIPAA).

In case of a security breach, entities covered by HIPAA must comply with HHS’ breach notification rule.

Read more about the Health Breach Notification Rule (HBNR) here

On February 2nd, 2023, The FDA released a new guidance: 'Considerations for the Design and Conduct of Externally Controlled Trials for Drug and Biological Products'.

This guidance provides recommendations to sponsors and investigators considering the use of externally controlled clinical trials to provide evidence of the safety and effectiveness of a drug product. In an externally controlled trial, outcomes in participants receiving the test treatment according to a protocol are compared to outcomes in a group of people external to the trial who had not received the same treatment.

External control arms use data collected from outside of the current trial, typically from electronic health records from hospitals, or from registries. Such patient data are usually called Real World Data (RWD) and are used to provide Real World Evidence (RWE).

Such arms can be used to to provide a comparator group and are especially useful for studies of rare disease treatments where it is not feasible or ethical to collect data from randomized trials.

The guidance addresses considerations for the design and analysis of externally controlled trials to study the effectiveness and safety of drugs, including discussion of threats to the validity of trial results from potential bias.

Although various sources of data can serve as the control arm in an externally controlled trial, this guidance focuses on the use of patient-level data from other clinical trials or from real-world data (RWD) sources, such as registries as well as electronic health records (EHRs) and medical claims. The guidance also describes considerations related to communicating with FDA and ensuring access by FDA to data from an externally controlled trial.

In addition to this FDA guidance, the guidance provides some insights on data privacy to make sure that organisations are compliant when collecting and processing patient data from hospitals or registries.

Comments should be submitted before 2 May 2023.

Download FDA's draft guidance here.

The California Privacy Rights Act (CPRA) amending the California Consumer Privacy Act (CPPA) now applies for B2B and HR personal information and is subject to the same rigorous California privacy regulations as "consumer" personal data.

Companies need to meet strict privacy obligations for personal information about a broad range of individuals, such as employees, contractors, job applicants, B2B customer contacts and prospects, web and mobile application visitors, supplier contacts, and other individuals.

Now organisations should develop an inventory of key systems and assets that collect and process the relevant personal information on HR, B2B and consumers. The inventory should also reflect how and under what terms such information is disclosed to other parties, including vendors, suppliers, distributors, business partners and others.
Organisations should confirm whether they engage in the "sale" or "sharing" of personal information and amend or update contracts accordingly.

About sensitive personal information: CPRA establishes a robust list of personal information that is considered "sensitive," including elements such as Social Security Number, passport number, biometric information used to uniquely identify the individual, information about sex life or sexual orientation, the contents of an individual's mail, email, and text messages (unless the business is the intended recipient), and the like.

CPRA establishes a general rule that individuals must be able to limit the use or disclosure of sensitive personal information beyond what is "reasonably necessary to provide the services or provide the goods reasonably expected by an average consumer," or other limited exceptions.

Information notices: Organisations should develop and/or enhance relevant privacy notices, including updates to existing externally facing privacy notices, e.g., a website privacy statement, as well as the basic version of privacy notices for employees that had already been required under the CCPA.

Such updated privacy notices should take account of all the content requirements for notices in the CCPA/CPRA, including the obligation to identify the length of time the company intends to retain each category of personal information or the criteria used to determine that period.

Exercise of their rights by data subjects: all B2B and HR contacts should be able to exercise the full rights afforded to them under the CPRA as of Jan. 1, 2023, including access and right to know, correction, and deletion rights.

Download the draft law here.

Download the draft final statement of reasons from the CPPA here.

A compromise text states that an external audit will be needed for some specific products like Connected Devices deemed ‘critical’ or ‘highly critical’ The draft text has been discussed on 10 February at the at the Cybersecurity Working Party,

The Swedish presidency of the EU Council of ministers shared a new compromise text with hefty changes on the categorisation of critical and highly critical products under the Cyber Resilience Act.

According to the compromise text, certain products will be deemed ‘critical’ if they perform a key security function, for instance, authentication, intrusion prevention or network protection.

Another group of products would be considered ‘highly critical’ if they meet both aforementioned criteria, namely, they have an important security function and are central in a broader Internet of Things (IoT) environment.

Read the article from Euractiv here.

The European Commission, the EMA and the Heads of Medicines Agency (HMA) prepared a questions and answers document on data protection. The Q&A document has been created to provide guidance to CTIS users on how to protect personal data and commercially confidential information (CCI) in CTIS.

In the document, you will find answers to the following questions:

• Which CTIS documents require a signature?
  
  
• Name and surname of individuals – where are expected to be included ?
  
  
• Is it correct that as per Regulation (EU) 536/2014 the subject ID should no longer be provided in Annual Safety Reports (ASRs)?
  
  
• May sponsors mark/highlight the text that they consider Commercially Confidential Information (CCI) in documents ‘not for publication’?

Download the document here. 

1. A Polish patient has been included in a clinical study with a hospital in Warsaw; after doing some visits, the patient wants to spend vacations in Spain: is it compliant with data protection for the patient to do some of the clinical trial visits at a Spanish Hospital? yes / no
   
   Yes, there are several ways to organise it so that it is compliant with the EU General Data Protection Regulation. But then you must check with the local healthcare laws of Poland and Spain that it can be done.
   
   
2. I'm an HR clerk at a global life sciences company in the US; I want to check the records of employees in Greece: can I do this? yes / no
   
   No, you can't do this unless your company has put in place a Data Transfer Agreement between your affiliate in Greece and the headquarters in the US. Remember that it is forbidden to send personal data (even encoded) outside of EU/EEA/UK, unless your organisation has put in place a specific derogation.