Newsletter #58 December-January 2024


Revision of the Declaration of Helsinki

On 30 January 2024, the World Medical Association ('WMA') announced a new consultation on the Declaration of Helsinki.


The Declaration of Helsinki was adopted in 1964 and is considered the cornerstone of medical research ethics across the globe.


A working group was created to lead the revisions at a WMA council meeting in April 2022. The Declaration has been amended seven times, most recently in 2013. The goal of the consultation, 60 years after its adoption, is to determine whether the Declaration of Helsinki needs to be updated.


Privacy is clearly a key area for protecting the rights of volunteers and patients, given the privacy laws adopted in the past decade: the GDPR in Europe, and its equivalents in India, Brazil, China, California and many other jurisdictions.


For more information, click here.


New Guidance from the FDA on Race and Ethnicity

On 30 January 2024, the FDA published a new draft guidance on Race and Ethnicity for public comment.

This is of utmost importance for privacy in healthcare and life sciences, as race and ethnicity are considered sensitive data by several data protection laws, including the EU and UK GDPR.


Hence, organisations collecting such sensitive information must draft a Data Protection Impact Assessment ('DPIA') and must appoint a Data Protection Officer ('DPO').


If the DPIA concludes that the processing might present risks to the private life of individuals (for example, if a personal data breach were to happen), then it is mandatory to ask the opinion of the local Data Protection Authority ('DPA') before starting the processing (Article 36 GDPR).


Failing to do so would expose the organisation to a financial penalty, to legal prosecution, and to having its name published on the public website of the local DPA.


Comments and suggestions regarding this draft document should be submitted within 90 days of publication in the Federal Register of the notice announcing the availability of the draft guidance, i.e. before the end of April 2024.


The new draft guidance can be accessed here.

Submit electronic comments to the FDA here.


If you have questions on how to describe the collection of race or ethnicity in a patient-facing document, contact our healthcare privacy experts at contact ( at ) pharmarketing.net



EU Digital Identity Wallet

8 November 2023 - The European Parliament and the Council of the EU reached a final agreement, at the last trilogue, on the Regulation introducing European Digital Identity Wallets ('DIW').


The agreement is now subject to formal approval by the European Parliament and the Council. Once formally adopted, the European Digital Identity framework will enter into force on the 20th day following its publication in the Official Journal.

Read the press release from the EU Commission here.


What will the Digital Identity Wallet be used for?

All EU citizens will be offered the possibility to have an EU Digital Identity Wallet to access public and private online services securely, and with full protection of their personal data, anywhere in Europe.

In addition to public services, Very Large Online Platforms designated under the Digital Services Act (including services such as Amazon, Booking.com or Facebook) and private services that are legally required to authenticate their users will have to accept the EU Digital Identity Wallet as a means of logging into their online services.


Why is it important for personal data privacy?

In the healthcare industry, it could be used to avoid mistakes when a patient registers at the entrance of a hospital: this is called identitovigilance. Many situations arise each year in which a patient does not receive the appropriate care because of a mix-up between two patients with similar names.


In other words, the DIW will reinforce the protection of the private life of people.




Spain: New GDPR Code of Conduct for Clinical Trials

Spain's Data Protection Authority, the AEPD, approved the first GDPR Code of Conduct for Clinical Trials.


This code of conduct is also posted on the EDPB site. https://edpb.europa.eu/search_... 


Codes of Conduct ('CCs') are very powerful tools described in Article 40 of the GDPR. They can be drafted by an industry professional association to describe a checklist of steps that make a personal data processing activity compliant with the GDPR.

CCs are primarily targeted at small and mid-size organisations (SMBs).

An SMB can use a CC to guide itself on the journey to GDPR compliance. While adhering to a CC does not automatically make you compliant with the GDPR, it is a good guide. Nor does it exempt you from drafting the mandatory deliverables, such as the Record of Processing Activities ('ROPA'), or from putting data privacy language in the contracts with your clients, sub-contractors and employees.

Codes of Conduct take a long time to draft, and then to be approved by your local Data Protection Authority ('DPA') and by the European Data Protection Board ('EDPB').

At the time of writing (January 2024), only a handful of CCs have been approved by the EDPB, mainly for cloud services. EUCROF and EFPIA have drafted and submitted CCs for clinical research, but as of 31 January 2024 none had been approved, as far as we know.

This is why the approval of this Spanish CC for clinical research was breaking news for our industry!

Even though it can only be used for clinical trials in Spain, it is already a good start, especially for small organisations.

Here is the comment from our consultant Catalina Danila, PharmD based in Romania:


"I found this beautiful "Code of Conduct Regulating the Processing of Personal Data in Clinical Trials and Other Clinical Research and Pharmacovigilance Activities", issued in Feb 2022 by Farmaindustria, the national trade association of the pharmaceutical industry in Spain.

https://www.aepd.es/documento/...

According to this code, the legal basis for the data processing in this area is the fulfilment of legal obligations, without the consent of the research subject being needed for the processing of his or her data, without prejudice to the informed consent that must be given to participate in a clinical trial. The secondary use of the research data obtained in future research is regulated, without requiring, as a general rule, the consent of the participants in the research (page 5; page 27, section 1.2, Principle of lawfulness and fairness in processing).

This is quite surprising, as most clinical sites in Spain only accept the GDPR consent of the patient as the legal basis for processing personal data.

The Sponsor and Principal Investigator must process the personal data of participants pursuant to the legal basis set out in Article 6 of the GDPR.

According to section 3.3 the processing will be justified in this case by the legal obligation that it be carried out in accordance with the legislation regulating the guarantees and rational use of medicinal products and medical devices (Article 6(1) (c) of the GDPR), in connection with the limitation of the prohibition of processing health data for reasons of public interest in the area of public health and for ensuring high standards of quality and safety of medicinal and healthcare products (Article 9(2)(i) of the GDPR), as well as for conducting scientific research (Article 9(2)(j) of the GDPR).

The processing is not justified by the data subject's consent, without prejudice to the informed consent that is required in order to participate in the clinical research. That informed consent does not refer to the processing. The Sponsor and Site shall adopt measures to ensure that the clinical research is pursued according to the applicable national and EU rules cited in section 2.2 of this Protocol (page 37, section 3.3, Legal basis for the processing).

Therefore, the legal basis for processing the data of clinical research participants is the existence of a legal obligation (Article 6(1)(c) of the GDPR) in connection with what is provided in Article 9(2)(i) and (j). Indeed, the processing, on the one hand, has as its purpose compliance with the legal obligations to ensure a high level of quality and security on the medicinal product and, on the other, it is carried out for scientific research purposes on the basis of Spanish and European Union legal rules regarding guarantees and rational use of medicinal products and medical devices that impose the legal obligation to conduct investigations before marketing a medicine, as well as to conduct studies after the medicine has been authorised. The processing is thus carried out to comply with legal obligations imposed by the laws on medicinal products and medical devices, without requiring that data subjects give their consent to the processing of their personal data once they have agreed to enrol in an investigation.

Thus, although the laws and regulations on clinical research do require that the informed consent of the participants be obtained to take part in a specific clinical investigation, their consent need not be obtained for the processing of their data, given that the processing is based on compliance with the legal obligations of the Sponsor.

Consequently, a participant who consents to form part of a clinical investigation does not need to give his or her consent, once enrolled in the investigation, to the processing of his or her personal data as part of that investigation for the purposes and in accordance with the terms of the laws on clinical research. So specific consent is not needed for the processing of the participant's data; the participant need only be informed of the processing on the terms of Article 13 of the GDPR through the document prepared for that purpose.




For this reason, should a participant decide to withdraw from the clinical investigation, the Sponsor and the Site may continue processing the data obtained from that participant before the withdrawal for the purposes and in accordance with the terms of the laws on clinical research, given that the patient's consent is not required and subsequent revocation is not possible. The data subject's consent will be necessary, however, if it is proposed to process the data of participants in a clinical investigation for purposes not related to that investigation, unless that processing also finds some specific legal basis other than the consent.


Examples where there is a legal basis not grounded in the consent are cases where it is proposed to use a participant's data in future investigations on the terms specified in section 3.9 (page 41, section 3.9, Compatible purposes, reuse and secondary uses).

As indicated in section 3.3, where there is an intention to use a participant's data in future research, that future processing must be grounded in one of the lawful bases laid down in personal data protection laws and regulations. In this regard, where the intended reuse involves coded data only, it may be carried out without having to obtain the consent of the participants, provided the legal and regulatory requirements are met. In particular, the investigator team in the successive investigations shall in no event be able to access the information of the team that carried out the initial coding; it will have to sign an undertaking not to carry on any activity that could lead to re-identification and specific security measures will have to be adopted to such effect."


For more information on Codes of Conduct, or on privacy for clinical research, contact us at contact ( at ) pharmarketing.net



Decisions on Health Data by European Authorities

European Data Protection Authorities published several decisions related to the processing of health data in the past months.

Such decisions shed light on the key measures to implement in order to stay compliant with privacy (and healthcare) laws and avoid a critical finding.


Thanks to GDPRhub (noyb) for all this valuable information.


Denmark: 


Fact: The Danish DPA reprimanded a regional administration for giving more than 16,000 staff members access to a health database, in the absence of a substantial connection between the tasks of those staff members and the information processed. Read more on GDPRhub...


Takeaway: your organisation must draft a procedure explaining how access rights to business applications and databases are granted to employees and external contractors, and how these access rights are updated or revoked when an employee changes job or leaves the organisation. In addition, you should audit regularly that this procedure is correctly implemented.


Fact: Examining the publication by a hospital of patients' data on Instagram, the Danish DPA found a violation of Article 6(1)(a) and Article 9(2)(a) GDPR. The DPA stated that the processing could not be based on consent since, due to the power asymmetry between patients and the hospital, patients could not have given their consent freely. Read more on GDPRhub...


Takeaway: first, organisations should not publish patient data on any public website, and especially not on social media. The only situations in which sharing patient data would be allowed are a scientific publication, or a legal obligation to notify something to an authority (an adverse event, for example); even then, the patient data should be pseudonymised (redacted), and the patient should have been informed prior to the publication.


Finland:


Fact: The Finnish DPA fined a psychotherapist €1,600 for not complying, within the time limit set by Article 12(3) GDPR, with a data subject's access request concerning treatment history and notes made during the sessions. Moreover, the DPA declared that the therapist breached Article 12(4) GDPR, since for almost three years it did not inform the data subject of the reasons for the delay. Read more on GDPRhub...


Takeaway: always indicate the storage duration in your information notices to data subjects, and appoint one of your employees to make sure, every year, that old personal data are deleted.


Fact: The Finnish Data Protection Authority reprimanded a healthcare provider for not implementing appropriate technical and organisational measures ('TOMs') to ensure the security of personal data processing in its electronic healthcare appointment booking system.

https://gdprhub.eu/index.php?t...(Finland)_-_5546/163/2019&mtc=today


Takeaway: always conduct a risk analysis to make sure you have appropriate Technical and Organisational security Measures ('TOMs') in place; refer to Article 28 of the GDPR, to ISO 27001 and to other similar guidelines.


Fact: the Finnish DPA ordered a life insurance company to implement additional security measures because it was non-compliant in its processing of applicants' health data.
https://gdprhub.eu/index.php?t...(Finland)_-_117/2024&mtc=today


Takeaway: see the previous case.


France:


Fact: on the basis of Article 36 GDPR, the French DPA issued an opinion finding a scientific research survey project, to be implemented by a data controller, legitimate, as its processing of sensitive personal data was necessary for scientific research purposes in the public interest. Read more on GDPRhub...


Takeaway: Article 9(2)(j) of the GDPR is a valid legal basis for running 'commercial' medical research. Article 9(2)(a) (explicit GDPR consent from the patient) can also be used, but it creates a risk for the sponsor of the research if the patient later decides to withdraw consent, or if the sponsor wants to reuse the clinical data for another purpose.


Italy:


Fact: the Italian DPA authorised a hospital to conduct medical research relating to personal data of contactable and uncontactable (deceased) data subjects. Read more on GDPRhub...


Takeaway: when you are unsure whether you can launch a personal data processing activity because the risk to the privacy of the data subjects could be significant, for example when you collect personal data from special categories of people, it is always good practice to ask the opinion of the local data protection authority.


Fact: The Garante reprimanded a medical doctor who reused, in her final thesis in Osteopathy at a specialised school, patient data collected during health care in a clinical study relating to .

Key takeaway: personal data collected lawfully for one purpose cannot be reused for another purpose, unless the data subject has been informed of, or has consented to, the reuse.

https://gdprhub.eu/index.php?t...(Italy)_-_9954241&mtc=today


Fact: the Italian DPA authorised a Hospital in Torino to process the health data of deceased patients in two clinical research studies. The hospital had drafted a DPIA and had sent a request for prior consultation to the Garante as per best practices under the GDPR (article 36).

https://gdprhub.eu/index.php?t...(Italy)_-_9963509&mtc=today

Takeaway: see the similar case above.


Fact: The Garante fined a health care provider €40,000, since some of its employees were able to access other colleagues' health files without consent, while also breaching some of the principles of data processing set out in Article 5(1) GDPR. Read more on GDPRhub...

Takeaway: your organisation should implement a standard operating procedure ('SOP') describing how access to business systems is granted to people, changed, and revoked when people leave the organisation. People should then be trained on this SOP.


Fact: The Italian DPA fined a medical center €10,000 after a complaint was lodged by the data subject. It was found that the PCR test results of the data subject contained incorrect personal data, breaching Article 5(1)(a) GDPR and Article 5(1)(d) GDPR. Furthermore, since the result was first mistakenly sent to the e-mail address of an unauthorized third party, the controller also breached Article 9 GDPR, as well as Article 5(1)(f) GDPR and Article 32 GDPR. Read more on GDPRhub...

Takeaway: organisations should have SOPs and security measures in place to prevent and mitigate personal data breaches.


Spain:


Fact: The Spanish DPA, the AEPD, reprimanded the City Council of Zaragoza for sending health data of an employee without adequate security measures, violating Article 5(1)(f) GDPR and Article 32 GDPR. Read more on GDPRhub...


Takeaway: you should review all transfers of personal data done either internally or externally by your organisation, even if the personal data are pseudonymised, and make sure there are appropriate security measures in place to protect the data transferred. In addition, your organisation should review these data transfers at regular intervals, for example every 2 or 3 years.


Fact: The Spanish DPA issued a reprimand to Servicio Canario De La Salud. Medical records had been improperly accessed and the diagnosis disclosed to third parties, violating Article 5(1)(f) and Article 32 GDPR. Read more on GDPRhub...


Takeaway: as already indicated above, organisations should draft, and regularly re-evaluate, a procedure for granting access rights to business applications and databases.
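The Danish, Italian and Spanish takeaways above all point to the same control: a written procedure for granting, changing and revoking access to clinical systems, plus a regular audit that the procedure is actually followed. The script below is an added example of what that periodic audit can look like; it is not from the newsletter or from any of the DPA decisions cited, and all of its data is constructed: a hypothetical role-to-entitlement matrix (ROLE_ENTITLEMENTS), an HR roster and an export of live grants on a patient-record database. It flags three kinds of grant that such a review should catch: accounts of people who have left, orphan accounts with no HR record, and staff whose role has no substantial connection to the data (the situation in the Danish case).

```python
"""Periodic access-rights review for a health database.

Reconciles live grants against an HR roster and a role-to-entitlement matrix.
All names, roles and dates are constructed for illustration (hypothetical).
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Hypothetical matrix: which roles have a substantial connection to each system.
# In a real organisation this comes from the documented access procedure.
ROLE_ENTITLEMENTS: Dict[str, set] = {
    "physician": {"patient_records", "appointments"},
    "nurse": {"patient_records", "appointments"},
    "receptionist": {"appointments"},
    "hr_officer": {"hr_system"},
    "facilities": set(),
}


@dataclass(frozen=True)
class Staff:
    user_id: str
    role: str
    left_on: Optional[date]  # None means still employed


@dataclass(frozen=True)
class Grant:
    user_id: str
    system: str
    granted_on: date


Finding = Tuple[str, str, str]  # (user_id, system, reason)


def review_grants(roster: List[Staff], grants: List[Grant], today: date) -> List[Finding]:
    """Return every grant that the access procedure does not justify."""
    by_id = {s.user_id: s for s in roster}
    findings: List[Finding] = []
    for g in grants:
        staff = by_id.get(g.user_id)
        if staff is None:
            # Account exists on the system but nobody in HR owns it.
            findings.append((g.user_id, g.system, "orphan: no HR record"))
        elif staff.left_on is not None and staff.left_on <= today:
            # Leaver whose access was never revoked.
            findings.append((g.user_id, g.system, "leaver: access not revoked"))
        elif g.system not in ROLE_ENTITLEMENTS.get(staff.role, set()):
            # Role has no substantial connection to this system.
            findings.append((g.user_id, g.system, f"out of role: {staff.role}"))
    return findings


def summarise(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per category; this is the figure reported to the DPO."""
    counts: Dict[str, int] = {}
    for _, _, reason in findings:
        category = reason.split(":")[0]
        counts[category] = counts.get(category, 0) + 1
    return counts


# Constructed sample HR roster and grant export (hypothetical).
ROSTER = [
    Staff("u001", "physician", None),
    Staff("u002", "receptionist", None),
    Staff("u003", "facilities", None),
    Staff("u004", "nurse", date(2023, 11, 30)),
]
GRANTS = [
    Grant("u001", "patient_records", date(2022, 3, 1)),   # legitimate
    Grant("u002", "patient_records", date(2023, 6, 1)),   # receptionist with clinical access
    Grant("u003", "patient_records", date(2021, 1, 15)),  # facilities staff with clinical access
    Grant("u004", "patient_records", date(2020, 9, 9)),   # left in Nov 2023, still active
    Grant("u099", "patient_records", date(2019, 5, 5)),   # no HR record at all
]


def audit_sample(today: date = date(2024, 1, 31)) -> Tuple[List[Finding], Dict[str, int]]:
    """Run the review over the constructed sample as of the given date."""
    findings = review_grants(ROSTER, GRANTS, today)
    return findings, summarise(findings)


if __name__ == "__main__":
    findings, summary = audit_sample()
    for user, system, reason in findings:
        print(f"{user:6} {system:16} {reason}")
    print(summary)
```

Running the review on a fixed schedule (and after every reorganisation) turns the "audit regularly" line of the takeaway into something that produces a dated record: the list of findings is the evidence that the procedure was checked, and the summary counts are what a DPO can track over time.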




France: Transfer Impact Assessment: Call for Comments


On 8 January 2024, the French Data Protection Authority, the CNIL, launched a call for public comments on Transfer Impact Assessments ('TIAs').


The deadline for comments is 12 February 2024.


A Transfer Impact Assessment might be required, as part of the new EU Standard Contractual Clauses (SCCs), when an organisation transfers personal data (even redacted) to a non-adequate country.

If the exporter of the personal data (for example a hospital in the EU) thinks that there might be a risk to the privacy of individuals due to specific laws in the destination country, then the data exporter should ask the data importer to draft a TIA.


A TIA is a risk assessment for the transfer of personal data, from the point of view of the data subjects. 

Read the call for comments from the CNIL here: https://www.cnil.fr/en/transfe...


If you are looking for an example of TIA, contact us at contact ( at ) pharmarketing.net


1 - As part of a clinical study, a French hospital will transfer redacted patient data to a US CRO. The US CRO says it does not need to put in place a data transfer agreement with the hospital because it has implemented Binding Corporate Rules. Is this true?


No: as per Article 47 of the GDPR, Binding Corporate Rules cover only the personal data processing that takes place within the corporate group to which they apply. Article 47 states that, in some situations, onward transfers (i.e. outbound) might be covered. But inbound data transfers are not: in that case, if the transfer goes to a non-adequate country, a Data Transfer Agreement must be drafted with the EU SCCs in it (unless another mechanism from Articles 46 or 49 is used to make the transfer of personal data compliant with privacy laws, or unless the corporation is registered with the Data Privacy Framework).

2 - In the question above, the US CRO tells the French hospital that it is registered with the EU-US Data Privacy Framework: does that make the transfer of healthcare data compliant with privacy laws?


Yes: in such case, the transfer from the French hospital to the corporation in the US is compliant with GDPR.


A question on Binding Corporate Rules or data transfers? Contact us at contact ( at ) pharmarketing.net


