Newsletter 66 October 2024





Sri Lanka: DPO Appointment Rules

Like other non-European countries*, the Data Protection Authority of Sri Lanka is working on the criteria and requirements for a data protection officer.

The Data Protection Authority of Sri Lanka is asking stakeholders to weigh in on draft regulations regarding the Appointment of the Data Protection Officer under Section 20 of the Personal Data Protection Act No. 9 of 2022. Feedback will be accepted until 15 Nov.

Access the press release here: https://dpa.gov.lk/newsregulat...


* All countries in the Balkans, Singapore, Moldova and many more now require organisations doing medical research to appoint a DPO and, in some cases, to appoint a local Data Protection Representative ('DPR'): we will provide more details in our next Newsletter.





EDPB made many comments on the EUCROF Code of Conduct for Clinical Research

On 18 June 2024, the European Data Protection Board ('EDPB') issued its Opinion 12/2024 on the draft decision on the “Code of Conduct for Service Providers in Clinical Research” submitted in 2022 by the EUCROF, the European Federation of CROs Associations.

In their opinion document, the EDPB made many comments on the Code of Conduct ('CC') that the EUCROF submitted to the French Data Protection Authority, the CNIL, several years ago.


A Code of Conduct ('CC') is a very powerful tool described in articles 40 and 41 of the GDPR. Once approved by a local DPA or by the EDPB, the CC can be used by small and midsize businesses as a guide on their journey to complying with the EU privacy regulation, the GDPR. It is NOT an automatic certification of compliance with the GDPR; it is merely a guide.


In addition, if the CC includes this possibility, following a CC can make transfers of personal data to a non-adequate country outside the EU/EEA compliant with the GDPR.


As of today, the only CC approved in the EU/EEA for clinical trials is the one submitted by the Spanish professional association Farmindustria to the local Spanish DPA, the AEPD. This CC is valid only for clinical trials recruiting patients in Spain.


The EUCROF submitted its CC with the goal of having it valid for the whole EU/EEA: this is why it takes so much time to have it approved, as it needs to be vetted by all 30 DPAs from the EU/EEA, plus by the EDPB.


Lastly, another CC for clinical trials with a target validity for the EU/EEA was submitted a couple of years ago to a local DPA by the EFPIA, the European association of drug manufacturers: for this one, we have no news at the moment.


You can download the opinion document here: https://www.edpb.europa.eu/sys...


For more information on Codes of Conduct and how they can be used to comply with privacy laws, contact us at contact@pharmarketing.net





UK DPA releases 9 Toolkits

On 7 October 2024 the UK Data Protection Authority ('DPA'), the ICO, released 9 toolkits; the goal of these toolkits is to help organisations assess their compliance with key requirements under data protection law. These 9 toolkits are part of a framework that extends the ICO's existing Accountability Framework.


These nine toolkits cover the following areas:

  • Accountability
  • Records management
  • Information & cyber security
  • Training and awareness
  • Data sharing
  • Requests for data
  • Personal data breach management
  • Artificial intelligence
  • Age-appropriate design


Access these 9 toolkits here: https://ico.org.uk/about-the-i...


A question on UK data privacy law and guidelines? Contact our UK consultant

Dave Edwards at d.p.edwards ( at ) pharmarketing.net




US FDA released Q&A for Electronic Signatures for Clinical Investigations

In October, the US FDA released a Q&A on Electronic Systems, Electronic Records and Electronic Signatures for Clinical Investigations.


This guidance provides information for sponsors, clinical investigators, institutional review boards, contract research organizations, and other interested parties on the use of electronic systems, electronic records, and electronic signatures in clinical investigations of foods, medical products, tobacco products, and new animal drugs.


Among other things, you will learn that you are required to submit letters of non-repudiation to the FDA, and whether electronic signatures based on biometrics are acceptable and, if so, how.


Download the Q&A here: Electronic Systems, Electronic Records, and Electronic Signatures in Clinical Investigations: Questions and Answers | FDA


For more information on electronic signatures in the US and in Europe, and how they can be compliant with privacy laws and GxP, contact us at contact@pharmarketing.net





Penalties for Non-Compliance with Health Data Privacy

European Data Protection Authorities published several decisions related to the processing of health data in the past months. Such decisions shed light on the key measures to implement to stay compliant with privacy (and healthcare) laws and avoid a critical finding.


Many thanks to GDPRhub, NOYB and the IAPP for all this valuable information!


Spain:


Fact:


The Data Protection Authority ('DPA') of Spain, the AEPD, fined a plastic surgery clinic €10,000 after it unlawfully shared before-and-after pictures of a data subject on its social media account. The DPA highlighted that the pictures contained health data under Article 9(1) GDPR. Read more on GDPRhub.


Takeaway:


Always inform the data subject and ask for their consent before sharing their personal data on social media. For a photo, video or voice recording, in addition to the consent above, your organisation needs to ask the data subject to sign a 'right to image' document.


US:


Fact:


The U.S. Department of Health and Human Services Office for Civil Rights ('HHS') announced a USD 250,000 settlement with health care provider Cascade Eye and Skin Centers after a ransomware attack breached sensitive patient information. The organization allegedly violated the Health Insurance Portability and Accountability Act's ('HIPAA') breach notification rules and has agreed to increase its cybersecurity efforts.
Full story


Takeaway:


It is interesting to see that the healthcare provider was fined not because of the personal data breach itself, but because it failed to notify the HHS.

In the US, each and every personal data breach involving healthcare data needs to be notified to the HHS: for an important data breach, the deadline is 60 days. For a minor breach, the deadline is the end of the calendar year + 60 days.


Fact:


In a report to the U.S. Department of Health and Human Services ('HHS'), Change Healthcare Inc., a provider of revenue and payment cycle management that connects payers, providers, and patients within the U.S. healthcare system, claimed the cyberattack it experienced in February breached the data of 100 million Americans, CyberScoop reports. The new figure makes the incident the largest breach ever reported to U.S. regulators. The breach, which impacted patients' personally identifiable data and health insurance information, remains under HHS investigation. The company paid a $22 million ransom, and the incident resulted in estimated losses of more than $1 billion.
Full story


Takeaway:


There is no miracle solution against cyberattacks; that said, in our experience with clients or sub-contractors that experienced a cyberattack, in most cases the cause is human error, like leaving an IT server with 'admin/admin' as user/passcode.

This is why it is so important to put appropriate data privacy language and IT security wording in all contracts with sub-contractors and with employees. It is also key to train all staff regularly on basic data privacy and IT security principles, and to check that all sub-contractors do the same. And of course your organisation needs to implement the organisational and technical security measures required by privacy laws, following guidelines such as ISO 27001.


It will be interesting to hear the conclusion of HHS's investigation, if it is ever made public.

On another note, it is surprising that HHS/FBI/CIA let Change Healthcare pay the ransom. Usually they recommend not paying.


Japan:


Fact:


Japan's Personal Information Protection Commission published guidance on how to handle personal information compromised in data breaches at health care facilities such as hospitals, clinics and pharmacies. The PPC's recommended remedies include conducting regular training and ensuring enough staffing during busy hours to avoid mistakes.
Full story


Takeaway:


It is good practice to train employees on privacy regularly, especially in organisations processing healthcare data.


For more information on the organisational and technical security measures to avoid healthcare data breaches, and on what to do if you experience a data breach, contact us at contact@pharmarketing.net



1. Can the Data Protection Officer ('DPO') and the Data Protection Representative ('DPR') roles be performed by the same company? yes / no


No: the GDPR states clearly that it would be a conflict of interest. So, if today the DPO and DPR roles are performed by the same company, you should assign one of the two to another company to stay compliant.


2. A US start-up biotech ran a phase 2 clinical trial in the EU and UK. They know that they must store the clinical data and the TMF for 25 years after publication of the Clinical Study Report ('CSR'). They would like to store them for 50 years in case they need to run a supplementary analysis in the future. Do the EU and UK privacy laws allow them to keep the personal data for such a long period? yes / no


Yes: as we say at PharMarketing GDPR Life Sciences, privacy laws don't prevent you from working as you did before, as long as:

  1. you inform people and
  2. you put in place sufficient security measures to protect the personal data.


So, here, you can keep the clinical database and the TMF files for 50 years as long as:

  1. you inform the patients in the ICF that their (encoded) personal data will be kept for 50 years,
  2. you document why you want to keep the data for more than the storage time mandated by EU CTR 2024/536, and
  3. you explain in that document why you think you have enough security measures in place to protect the clinical data and the documents. You should keep this analysis document as evidence in case of inspection.