This is an opinion article from our Senior Consultant Eugen Stefanut, MD:

About EMA Guidelines:

Pharmaceutical and biotech companies aiming for medicinal product approval in the European Union (EU) must now adhere to the European Medicines Agency (EMA) Guideline on Computerised Systems and Electronic Data in Clinical Trials.

Effective from 9 September 2023, this guideline sets standards for computer systems and digital data in clinical studies.

The primary document provides definitions of essential terms and general criteria for computerized systems and electronic data. The guideline's appendices offer further detailed information on subjects such as:

• Specifications for agreements
• Validation of computer systems
• Management of users
• Information technology security
• Obligations pertinent to system types, procedures, and data
• A specialized annex for Clinical Systems

About FDA Guideline:

The FDA guideline is still a draft that was released in Sep 2022 - Computer Software Assurance for Production and Quality System Software, Draft Guidance for Industry and Food and Drug Administration Staff.

When final, this guidance will supplement FDA’s guidance, General Principles of Software Validation (Software Validation guidance) except this guidance will supersede Section 6 (Validation of Automated Process Equipment and Quality System Software) of the Software Validation guidance.

For any questions on Computerised System Validation (CSV), contact one of our CSV expert consultants:

Eugen at e.l.stefanut ( at ) pharmarketing.net

Karine at k.i.renault ( at ) pharmarketing.net

or Dave at d.p.edwards ( at ) pharmarketing.net

Real World Data ('RWD') can be very helpful to support a submission of a clinical trial, or to renew the reimbursement of a healthcare product, and also for a Post Market Study, whether for a Fast-Track drug or for a Medical Device.

To get RWD, a sponsor needs to get them either from hospitals, from national healthcare databases, from a registry managed by a scientific body or by the sponsor itself, or combination of these.

For the former (patient data from hospitals, also called Electronic Health Records or 'EHR'), the sponsor will need to demonstrate that they comply with GDPR (or other local data privacy law), and that they comply with the IT security guidelines of the country (e.g. in the UK theNHS IT Toolkit or in Italy the Cloud Guidelines). 

For national healthcare databases, the sponsor will usually need to appoint a certified CRO or IT service company: such company has been trained and is certified to access the national healthcare databases provided by the health ministry; they certify that they will never share the detailed patient data with the sponsor of the research, but only share pseudonymised and aggregated data.

To get access to a registry managed by a scientific body, the approach is similar but lighter than for accessing EHRs.

Once all the mandatory deliverables for the RWD study have been drafted, they will need to be submitted to the Ethics Committees for approval.

NB: in some EU countries, it's mandatory for the sponsor to self-certify with the local Data Protection Authority.

Because in Europe such RWD is not available on demand and cannot be sold by big data providers like in other countries, such a project takes time and needs expertise in regulatory affairs, IT security and privacy laws., and of course in the medical indication.

This is not rocket science and can be done in a few weeks or months if you work with local experts who know the local guidelines and know to whom to send the right document at the right time.

One of PharMarketing's client is a small US CRO and all their business model is based on getting RWD from hospitals in Europe. We have been acting as Data Protection Officer and Data Protection Representative for them for 5 years now, and after an initial start-up work, now all their studies follow the same data flow and are pretty straightforward.

So, in conclusion, yes it's possible in Europe to include Real World Data in your medical research. As we always say, the GDPR doesn't prevent you from doing anything, provided that:

• Patients were informed that an external sponsor might reuse some of their healthcare data for research purposes, and
• You have security measures in place to protect such personal data.

If you want to know more about doing RWD studies in Europe, contact Bertrand at b.p.lebourgeois ( at ) pharmarketing.net

India's Data Privacy Law, the DPDPA, doesn't apply to the processing of personal data of people outside of India, if a Data Transfer Agreement is in place.

This is because the DPDPA considers that data collected in a country outside of India follows the data privacy laws of such country.

This is a major issue, as India's economy relies a lot in providing data processing services, from CROs or more generally from IT or data management service providers. And as the DPDPA doesn't put much obligations on the Processors, Data Controllers based outside of India should put appropriate data privacy language in contracts, so that the Indian sub-contractors has obligations to protect and secure the personal data.

Organisations should also put measures in place to protect personal data against India's national intelligence agencies, as it is the case with the US and other countries. For this aspect, the EU Standard Contractual Clauses, combined with a Transfer Impact Assessment, can provide  appropriate protection for the private life of the data subjects.

It will be interesting to check the developments of the privacy laws in India in the next months regarding this aspect.

For more information on the consequences of India's new Data Privacy law, contact us at contact ( at ) pharmarketing.net

On 27 November 2023, UK's Health Research Authority (HRA) said that, starting 1st Dec 2023, sponsors of Clinical Studies will have to follow the New HRA Standards for the documents submitted to Research Ethics Committees.

This impacts the data privacy language and the role of the Data Protection Officers.

• The Quality Standards and Design and Review Principles apply to new application submission only, and will not be applied to amendments involving participant information in ongoing studies. 
• The Quality Standards will be used by research ethics staff during the research application validation stage to check if the participant information is compliant. Your application will not be rejected at validation if it is not compliant. Any findings will be considered by the REC as part of its ethical review. Where changes or requests for further information are required, they will be included as part of the review outcome from the REC meeting.

Access the Participant Information Quality Standards here.

Access the Design and Review Principles here.

For any questions regarding UK, contact our UK senior consultant Dave Edwards at d.p.edwards ( at ) pharmarketing.net

The French Data Protection Authority, the CNIL, published on 8 November 2023 2 guidelines (“Méthodologies of Référence” in the wording of the CNIL); this is nothing new, as guidelines already existed for accessing to the SNDS: they are now updated and formalized in these 2 guidelines:

MR007: access by a public body (hospital, academic research): click here

MR008: access by a private organisation: click here

The SNDS is a big healthcare database managed by the French ministry of health with pseudonymized patient data coming from different sources.

It’s very useful to do a retrospective study based on real world data.

Also, for an interventional clinical study, it can be used for a dedicated arm based on real world data.

It is important to note that, for access by private organisations, a private company CANNOT access to the SNDS: they need to go through a certified consulting company. Several such certified companies exist in France, they are either Phase 4 CROs or IT service companies. They need to comply to a very strict code of conduct.

NB1: in most European countries, it is possible to access to public healthcare databases like this, it is not specific to France.

NB2: in France, there are other very interesting healthcare data bases that can be accessed by certified companies: the SNIIRAM, the catalog of the Health Data Hub, etc. But this is another discussion for a future Newsletter!

NB3: the MR007 and the MR008 are available only in French.

For any question on these French Methodologies of Reference, contact Bertrand at b.p.lebourgeois ( at ) pharmarketing.net

Bertrand Le Bourgeois, Founder and President of PharMarketing attended a Conference on 9 November 2023 in Paris, hosted by Roche.

Anne Vidal and Manon de Fallois, Healthcare Lawyers at the French Data Protection Authority, the CNIL (cnil.fr), provided updates on existing guidelines, and on the future evolution of the doctrine of the CNIL regarding data privacy in life sciences. The conference was moderated by Selima Ellouze and a person from Roche.

The following topics were discussed:

MR007 and MR008: 

These 2 new guidelines for accessing the healthcare data base SNDS were commented; it was said that the guideline MR004 will remain as it is. Same for access to the ESND (ex EGB); the CNIL plans to release a user guide to the MR007 and MR008 in November or December 2023.

Decentralised Clinical Trials ('DCT')

Following the publication for comments of a reference guide on DCT by the EMA back in January 2023, in France the CNRIPH (National Center for Interventional Clinical Research, which manages all Ethic Committees in France)is in charge of localising these principles; the CNRIPH created a working group dedicated to DCT, of which the CNIL, France Biotech (of which France Biotech is a corporate member) and other trade associations are part. PharMarketing has already provided feedback on some deliverables shared by the working group. As you know, as of today, the French guideline MR001 is more restrictive than other Data Protection Authorities regarding the conducting of home trials. The CNIL is aware of it and will work on it in the future. The CNIL will propose a pilot phase on DCT.

New consultation on MR001-MR004 and on the guidelines on Healthcare Data Warehouses

The CNIL will launch a consultation on the guidelines MR001 to MR004 and on the guidelines for Healthcare Data Warehouses in January. 

One of the goals will be to try and make them more flexible to new practices like remote monitoring, remote source data verification, home trials and asking patients to enter clinical data themselves, while making sure the privacy of data subjects is still protected. Another goal will be to reflect the new mandates from the CTR and the MDR/IVDR.

eConsent can still not be used in clinical research in France

The CNIL confirmed that as of today the use of eConsent is not compliant with the guidelines of the CNIL, as in order to collect the eConsent from a patient, the service provider will need to have the nmr of the patient, its electronic signature, its email address and also the provider will hace information about the clinical study which is considered as healthcare data.. This is also something that the CNIL will be working on.

New Guideline on Compassionate Prescription

The CNIL said they will release in the future a new Methodology of Reference ('MR') dedicated to Compassionate Prescription, as described in French Law, see here:

Section 7 ter : Cadres de prescription compassionnelle (Articles R5121-76-1 à R5121-76-11) - Légifrance (legifrance.gouv.fr)

Artificial Intelligence and Healthcare Data

The CNIL reminds that it has already released several guides on AI on its website cnil.fr. Once the EU IA Regulation comes into force, the EU will publish a guide on the Interplay between AI and GDPR.

The CNIL distinguishes 3 different snenarii for AI and health data:

1) When the algorithm is in development phase: it is a clinical research personal data processing

2) When the AI is used in daily use: it is an 'exception to formalities' in the sense of article 65 of the French data privacy law of 6 January 1978 revised in 2018.

3) Creation of a persistent heathcare datawarehouse to be used by the AI: it can be considered either like the creation of a new Healthcare Data Warehouse, or as a new clinical research study.

The CNIL considers a provider of AI as a Processor, not as a Producer, as per the definition of the GDPR.

Codes of Conduct for clinical research

The CNIL confirmed that the codes of conduct ( in the sense of the GDPR) submitted a couple of years ago by the EUCROF and by the EFPIA are still in review by the local data protection authorities of the EU, and that the process will take some time due to the number of organisations in the review process. 

A Code of Conduct for biological labs has been submitted to the CNIL and is currently under review.

The 2 healthcare lawyers of the CNIL said that when an organisation can demonstrate that it complies with a Code of Conduct, then it is compliant with the GDPR: this was a surprise for us at PharMarketing: our understanding was that a Code of Conduct is just a guide to make it easier for SMBs to become compliant with GDPR, but it doesn't grant automatic compliance.

For any question on the topics presented at this conference, contact Bertrand at b.p.lebourgeois ( at ) pharmarketing.net

QUIZ NOVEMBER:

1. The name of the Data Protection Authority of Iceland is Persónuvernd. Persónuvernd - Þínar upplýsingar, þitt einkalíf. (personuvernd.is)
   
   
2. The European Medicines Agency was created in 1995 under the name of European Agency for the Evaluation of Medicinal Products. It has around 900 employees, an annual budget of 358 million euros, and is located in Amsterdam, Netherlands. European Medicines Agency | (europa.eu)