Newsletter 68 December 2024- January 2025



Welcome to Jules Kovacevic, Senior Consultant in Serbia!


Jules Kovacevic, a British-Serbian citizen, will act as Data Protection Representative in Serbia for a US clinical-stage biotech.


As you might know, it is now mandatory for any organisation in the world collecting or processing personal data from people based in Serbia to appoint a local Data Protection Officer ('DPO') and a local Data Protection Representative ('DPR'). This also applies to redacted ('pseudonymised') personal data.


Jules has 19+ years of experience in Medical Writing, Regulatory, Pharmacovigilance, Clinical Trials, and Data Compliance. She knows GxP and GDPR and speaks Serbian and English. 


After working as Senior Director for a global US CRO, Jules joins PharMarketing to bring her expertise in Medical Writing and in local Serbian regulations and guidelines in privacy and the life science industry.


With the recruitment of Jules, our Magic Team is now made up of 28 experienced Scientific Consultants!


Contact Jules at j.x.kovacevic ( at ) pharmarketing.net



IT Security for Dummies: Best Practices with an External Hard Disk


At PharMarketing, we appreciate that most of our readers are versed in biology, medicine, chemistry, manufacturing, legal, regulatory or clinical operations, but few of them feel comfortable with IT.


So, we decided to start a series on 'IT Security for Dummies', to help you grasp key and useful facts about IT security in a simple way.


This month, we talk about the Best Practices with an External Hard Disk.


Why buy an external hard disk?


A hard disk is a very cheap and convenient device to store documents and data that you don't need to access every day. It's a good and safe way to back up your data and take it with you on the road (or not).


How to buy an external hard disk?


Select one with a capacity of at least 1 TB (terabyte; or 1 To, 'téraoctet', in French, which is nearly the same). They cost around 60-80 USD/euros/GBP at this time; choose a reliable brand (we won't recommend one, as we are not here to advertise). If your work involves making lots of videos, you will probably need much more than 1 TB. To give you an idea, a one-hour video recording with Microsoft Teams is about 1 GB (gigabyte), which is one thousandth of 1 TB.


Size: an external hard disk of 1 TB is typically about 6 x 5 x 1 centimetres.


Disks with more capacity are somewhat bigger in size.


Also buy a case for your hard disk: it is key to protecting it from drops, humidity, etc.


What about USB keys (or sticks)?


A USB key or stick is a form of external hard drive. It's usually limited in capacity and is not as robust as a 'real' external hard drive.


Usually, an external hard drive is sold with software that lets you schedule automated backups, plus other features depending on the brand and model; a stick doesn't have these, as a stick is very small.


What to do the first time you use your external hard disk?


First thing: encrypt your drive and set a strong password!


Second thing: test it! Try to copy a document from your laptop or the internet onto your external hard drive, and also try the reverse operation (copying from the external drive to the internet/laptop).


Third step: launch your first backup of files/documents to your external drive.


Fourth step: put your external drive in its case.


Fifth step: store your external drive in a secure place (see the section below).


Where should I store my external drive?


Store your external drive in a different place than your laptop. For example, at home, if your laptop is in your office room, store your external drive in the bedroom. Store it in a dry area and, if possible, in a locked cabinet.


The best is to store external drives in a fire-safe and flood-resistant safe, fixed to the floor or to the wall. Such safes usually keep fire out for one hour: this gives the firefighters time to arrive and, hopefully, save the contents of your safe.


How long can I use my external hard drive?


Experts recommend not keeping an external drive for more than a couple of years: after that period, buy a new one. It's a principle of planned maintenance, like changing the oil filter on your car every year.


Is that all?


In addition, a best practice is to test your external drive every year: check that you can restore the documents you copied there some time ago, that you can open them, and that they are readable.
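One way to make the "test it" step and the yearly restore test objective, rather than opening a few files by hand, is to keep a checksum manifest beside the backup and verify the copy against it. This is an added example, not a tool from the newsletter or from any drive vendor; the folder names and the sample files are constructed assumptions, and it relies on GNU sha256sum.

```shell
#!/bin/sh
# Added example (not from the PharMarketing newsletter): a SHA-256 manifest
# for checking a backup copy on an external drive. Paths are assumptions.

# make_manifest SRC_DIR MANIFEST
# Record the SHA-256 of every regular file under SRC_DIR (relative paths),
# so the copy on the external drive can be checked file by file later.
make_manifest() {
    src="$1"; out="$2"
    case "$out" in /*) ;; *) out="$(pwd)/$out" ;; esac
    ( cd "$src" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
        sha256sum "$f"
    done ) > "$out"
}

# verify_copy DIR MANIFEST
# Return 0 only if every file listed in the manifest exists in DIR with an
# identical hash; a missing, truncated or corrupted file makes it return 1.
verify_copy() {
    dir="$1"; manifest="$2"
    case "$manifest" in /*) ;; *) manifest="$(pwd)/$manifest" ;; esac
    ( cd "$dir" && sha256sum --check --quiet "$manifest" ) >/dev/null 2>&1
}

# demo_backup_check
# Build a constructed "laptop" folder, back it up to a constructed "drive"
# folder, verify the copy, then damage one file on the drive and check that
# verification now fails. Returns 0 when both outcomes are as expected.
demo_backup_check() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/laptop/docs" "$tmp/drive"
    printf 'Study protocol v1.0\n' > "$tmp/laptop/docs/protocol.txt"
    printf 'subject,visit\n001,1\n' > "$tmp/laptop/docs/crf.csv"

    make_manifest "$tmp/laptop" "$tmp/manifest.sha256"
    cp -R "$tmp/laptop/." "$tmp/drive/"          # the "first backup" step
    verify_copy "$tmp/drive" "$tmp/manifest.sha256"; ok_after_copy=$?

    printf 'garbage\n' > "$tmp/drive/docs/crf.csv" # simulate a corrupted file
    verify_copy "$tmp/drive" "$tmp/manifest.sha256"; ok_after_damage=$?

    rm -rf "$tmp"
    [ "$ok_after_copy" -eq 0 ] && [ "$ok_after_damage" -ne 0 ]
}
```

Keep the manifest on the drive next to the backup and a second copy on the laptop; at the yearly test, run verify_copy against the drive before trusting it.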


For any question on IT security, contact Bertrand at b.p.lebourgeois ( at ) pharmarketing.net







Looking back at 2024

Several key things happened in 2024 regarding Privacy and Life Sciences:


January 2024:

  • Planned Revision of the Declaration of Helsinki 1964;
  • First GDPR Code of Conduct approved for Clinical Trials in Spain;
  • New Guidance from FDA on Race and Ethnicity.


February 2024:

  • New US law "MyHealth MyData";
  • New Contractual Clauses for the transfer of personal data with Asia;
  • HIPAA Audits;
  • FDA's new guidance on Data Monitoring Committees in Clinical Trials;
  • How to Build a New Quality Management System ('QMS');
  • Bio samples are personal data and fall under the GDPR and other privacy laws;
  • US President Joe Biden issued Executive Order protecting US citizens' sensitive data from 'countries of concern':  China, Cuba, Iran, North Korea, Russia and Venezuela.


March 2024:

  • Interplay between EU Data Governance Act, the European Health Data Space, the GDPR and Guidelines for Clinical Research.


April 2024:

  • New FDA Guidance on Informed Consent;
  • US BIOSECURE Act;
  • Risk Analysis for Automated Decisions;
  • European Health Data Space (EHDS) rules on Secondary Use of Health Data;
  • DPIA Guideline in New Zealand;
  • Updates to Data Privacy Law in Turkey;
  • Updates from China on Data Transfers.


May 2024:

  • AI versus Classic databases;
  • New version of ICH M14 for Pharmacoepidemiological Studies that utilize Real-World Data (RWD);
  • Rules in Thailand for DPO and DPR;
  • Redacted Patient Data fall under HIPAA;
  • France revises its local Methodologies of Reference (MR);
  • EMA's Public Consultation on Non-Interventional Studies using RWD.


June 2024:

  • New Swiss Data Protection Representative obligation;
  • Healthcare Data Warehouses and Healthcare Data Hosting in France;
  • The FDA, Health Canada and the MHRA issued Guiding Principles for Transparency of Machine Learning-Enabled Medical Devices;
  • The European Data Protection Supervisor (EDPS) released a publication on NeuroData, i.e. when service companies put sensors on the brain of subjects to analyse their reactions to adverts and other things.


July/August 2024:

  • New Privacy Laws in Algeria, Chile and Moldova;
  • EU Cyber Scheme;
  • Korea new rules for foreign organisations.


September 2024: 

  • Clarification of the privacy rules on the EU CTIS portal;
  • Adequacy of the Data Privacy Framework between Switzerland and the US;
  • Home Trial Visits and Confidentiality;
  • New FDA Guidance on Decentralised Clinical Trials.


October 2024: 

  • 9 UK toolkits;
  • Sri Lanka issued DPO appointment rules.


November 2024: 

  • Local DPOs and local DPRs are now mandatory in several Non-EU Countries;
  • EUCROF Code of Conduct for Clinical Trials in review by EU/EEA Data Protection Authorities;
  • What to do with personal data when a biotech / medtech dissolves?


All these items were detailed and analysed in PharMarketing's free Newsletters released in 2024; you can access them here: https://www.pharmarketing.net/...


For questions on these items, contact our team at contact ( at ) pharmarketing.net




EU Cyber Resilience Act was Enacted!


The EU Cyber Resilience Act ('CRA') was published in the Official Journal of the European Union on 23 October 2024 and entered into force 20 days afterwards. The act creates cybersecurity and transparency requirements for certain Internet of Things and connected products.


Reporting obligations will go into effect 21 months after entry into force, likely in the summer of 2026, and the remaining provisions 36 months after entry into force, likely in the fall of 2027.


The full name of the EU Regulation is "Regulation (EU) 2024/2847 of the European Parliament and of the Council of 23 October 2024 on horizontal cybersecurity requirements for products with digital elements and amending Regulations (EU) No 168/2013 and (EU) No 2019/1020 and Directive (EU) 2020/1828 (Cyber Resilience Act)".


This regulation also applies in the EEA.


The scope of the CRA will likely include the following: end devices such as laptops, mobile devices, smartphones, microprocessors, routers and smart home devices; and stand-alone software such as identity, privileged access and mobile device management software, as well as firewalls, mobile apps, video games and desktop applications.


Medical devices are excluded from the scope.


Fines can amount to up to 15 million euros or 2.5% of the global annual turnover of the preceding year, whichever is higher.


Download the regulation here.







EFPIA published a Position Paper on AI

EFPIA, the European Federation of Pharmaceutical Industries and Associations, published a Position Paper on Artificial Intelligence (AI) in October 2024.


AI is seen as having a transformative impact at every stage of a medicine's development, from discovery to improved pharmacovigilance.


EFPIA sees the European Medicines Agency (EMA) as the most appropriate body to provide oversight of the application of AI, but seeks greater clarity on its approach to risk assessment. 


In this position paper, EFPIA presents policy recommendations on the use of AI in the medicines lifecycle (defined as including research and development (R&D), manufacturing and post-approval activities), covering EMA regulatory oversight, the applicability of existing regulatory frameworks, and global harmonisation.


In the context of using AI for medicines development, EFPIA considers that AI systems used solely for the purpose of medicines R&D are exempt from the requirements of the EU AI Act. Moreover, EFPIA considers that AI in medicines R&D cannot legally qualify as high-risk under the AI Act.


EFPIA is proposing six key recommendations:


  1. Existing EU regulations, guidance and frameworks for medicines to be leveraged when applying AI.
  2. The regulatory oversight for the application of AI in medicine development to be within the remit of the European Medicines Agency (EMA).
  3. Clarity to be provided on EMA’s risk-based approach to the use of AI in the context of the regulatory framework for medicines.
  4. AI policies that balance transparency and protection of innovation when sharing information related to AI models and datasets.
  5. Globally aligned regulatory approaches through collaboration among health authorities to foster innovation and support development of safe and efficacious medicines.
  6. Fostering trust and capability in AI use in medicines research and development through close collaborations among industry, regulators, patients and other stakeholders.


Download the position paper here.


A question on AI in Life Sciences? Contact our AI expert Bertrand at b.p.lebourgeois (at) pharmarketing.net





Examples of Non-Compliance with Health Data Privacy

Data Protection Authorities published several decisions related to the processing of health data in the past two months.

Such decisions shed light on the key measures to implement to stay compliant with privacy (and healthcare) laws and avoid a critical finding.


For each decision, we propose key takeaways. Use them as ideas and guidelines for your own organisation: check that such measures are implemented at your organisation, and if not, talk to your management (or talk to us!).


Many thanks to GDPRhub by noyb for all this valuable information!


Croatia:


Fact:


A court ordered the DPA to decide, within 60 days, on a complaint involving the loss of the data subject's medical records by a hospital. The DPA had failed to resolve the complaint within the time limit imposed by national law. Read more on GDPRhub.


Takeaway:


Even authorities need to comply with privacy deadlines. This is a guarantee for citizens.


Germany:


Fact:


A court granted €2,500 in non-material damages under Article 82 GDPR because a municipality had unlawfully disclosed a civil servant's health data in an e-mail inviting staff members to apply for the data subject's position. Read more on GDPRhub.


Takeaway:


We recommend that organisations implement a small tool which systematically holds emails for 30 seconds or so before actually sending them. Another useful feature is that, when an email is sent outside the organisation, the email software asks the sender to proofread the email and confirm that it is ok to send it.


Fact:


A court awarded €10,000 in non-material damages for unlawfully disclosing the health data of an employee to thousands of recipients within a sports association. The sharing of special categories of data in itself constituted damage. Read more on GDPRhub.


Takeaway:


Same comment as above.


Greece:


Fact:


The DPA ordered a doctor to rephrase their consent form, as the purpose of promoting the doctor's services on social media was not clearly listed for the processing of data subjects' pictures. Such processing without valid consent was deemed unlawful. Read more on GDPRhub.


Takeaway:


Consent forms and information notices must contain all the elements mandated by Articles 13 and 14 of the GDPR, in particular the purpose of the personal data processing.


Fact:


The DPA fined a doctor €15,000 for sending election advertisements to patients, in violation of the principles of lawfulness, fairness and transparency in data processing. Read more on GDPRhub.


Takeaway:


Same as above: the patients were not informed and never consented, so this processing was illegal.


Italy:


Fact:


The DPA fined a university hospital €25,000 after a ransomware attack exposed the personal data, including health data, of patients, employees and consultants. The hospital had failed to implement appropriate security measures. Read more on GDPRhub.


Takeaway:


All organisations collecting or processing sensitive personal data (especially health data) should implement the basic IT security measures recommended by all EU/EEA/UK Data Protection Authorities, also described in ISO 27001 and in the guidelines of the ISACA Association. For example, if your organisation doesn't train employees regularly in IT security and privacy, you have no excuse in case of a data breach.

The same applies if you haven't drafted a policy for employees who travel: how they should connect to the internet, protect their screen with a privacy filter, etc.


Fact:


The DPA fined a health agency €17,000 after it provided the data subject's employer with a sick note disclosing the specific hospital wards the data subject was treated in, thus violating the principle of data minimisation. Read more on GDPRhub.


Takeaway:


Sharing the names of the hospital wards was disproportionate, as the health agency was only required to inform the employer that its employee was sick. The takeaway here is that your organisation should collect and share only the personal data that are actually necessary to fulfil the purposes of the processing. So, here, it was a violation of the principles of data minimisation and proportionality.


Fact:


Due to human error, a clinic disclosed the personal data of a patient undergoing IVF treatment to another patient. The clinic notified the DPA, which found it sufficient and appropriate to reprimand the controller. Read more on GDPRhub.


Takeaway:


Human error can always happen. But organisations need to demonstrate that they trained their personnel in privacy and that they have Technical and Organisational security Measures (TOMs) in place.


Romania:


Fact:


The DPA imposed a fine of RON 9,953 (€2,000) on the largest private healthcare network in Romania after the credentials to access a data subject's e-mail account were publicly exposed by being displayed on a computer monitor. Read more on GDPRhub.


Takeaway:


Same as for the cyberattack on the Italian university hospital above.


Fact:


The DPA fined a medical centre RON 10,000 (€4,972) because it forced users to accept cookies in order to access its website. These cookies collected and stored the personal data of the data subject. Read more on GDPRhub.


Takeaway:


As per the GDPR, users must have the option to decline cookies and still access their personal data. So, the medical centre will need to implement this feature.


United Kingdom:


Fact:


The DPA issued a reprimand to a hospital trust for failing to adequately track data access requests and for not responding to approximately 32% of those requests in due time. Read more on GDPRhub.


Takeaway:


Organisations must respond to Data Subject Access Requests (DSARs) within one month. They can ask for 2 more months if they can demonstrate that extracting the personal data from their systems is complicated. If not, the requester is entitled to lodge a complaint with the Data Protection Authority, which is probably what happened in this case. Also, organisations must keep a log of all DSARs received, with the date of receipt and the date on which each was answered. They need to be able to show the log to the authorities whenever requested. The log can be a simple Excel sheet for a small organisation with few DSARs. For a hospital, it's better if someone from IT develops a small tool to track DSARs. Feel free to contact us at PharMarketing if you are looking for a simple DSAR log template.

USA:


Fact:


The U.S. Health and Human Services Office for Civil Rights fined Children's Hospital Colorado USD 548,265 over alleged violations of the Health Insurance Portability and Accountability Act Privacy and Security Rules. The OCR claimed the hospital disabled multifactor authentication and that employees allowed third-party access to their email accounts during a phishing attack.


Takeaway:

As said above for the Italian university hospital, organisations processing sensitive personal data should have all the basic Technical and Organisational security Measures (TOMs) in place, as required by privacy laws and by ISO 27001 or ISACA. Multifactor authentication is a very powerful security measure and should not be deactivated without permission from the CIO.

And allowing third-party access to emails is a professional error. If employees had been regularly trained in privacy and IT security every year ('refresher training'), this would probably not have happened.


  1. An Israeli pharma company with only one office in Israel processes personal data from patients based in the EU/EEA, UK and Switzerland. Can it appoint one global Data Protection Officer (DPO) for all these regions? yes / no


Answer: yes, the Israeli company can have one global DPO covering the EU/EEA, UK and Switzerland; this DPO can be based anywhere in the world, for example in Israel. That said, several EU Data Protection Authorities have said that they prefer the DPO to be based in the EU, but it is not mandatory.


  2. Same question for the Data Protection Representative ('DPR'): can the Israeli company have only one DPR for these 3 regions? yes / no

Answer: no, the Israeli company must have one DPR in the EU/EEA, another DPR in the UK and another DPR in Switzerland; and these 3 DPRs must be independent from the DPO. In particular, the DPR and the DPO should not belong to the same company, otherwise there would be a conflict of interest.


Did you get both answers right? Congrats! Feel free to apply for a job at PharMarketing GDPR Life Sciences!

