Data privacy and protection
Jean Samuel
STEP-IN Management Ltd
(Continued from Joint working)
The temptation is to mentally yawn and assure yourself, with some gratitude, that someone in legal must be covering this as it is governed by law. Indeed, your legal department will be informed on data privacy (DP) legislation, but there are duties and requirements that need to be set out and followed in the operational arena (SOPs) to ensure your organisation is compliant.
GCP controls are well established. As personal communication resources (email, texts, Facebook message, Tweets, and so on) allow more direct and intimate contact, increasing care is needed in the sales and marketing operations, for example in patient support programmes and partnerships between pharmaceutical companies, the NHS and others.
DP has popped up in some of my previous articles and I promised to expand on them, namely:
• EU 'right to be forgotten' – user control over their own information in the social media arena. If a pharmaceutical company is the host of such information and a participant wants their contributions removed, then the company’s data controller must ensure that happens or prove that the company needs to keep the data,
• Third parties – when a service provider is collecting and using personal data on your behalf, any contract should make it clear which party is the data controller, where and under which jurisdiction the data will be held,
• Cloud computing – special attention is needed where a supplier uses cloud computing to store personal data for you or your supplier,
• Joint working – does the project need a single data controller who will address data privacy breaches and liaise with the Information Commission, if necessary?
I will be looking at these issues in the light of the following DP key principles:
1. Information must be processed for the specific purpose or purposes given,
2. The information being processed is adequate, relevant and not excessive,
3. That information is accurate,
4. Information must be kept no longer than is necessary,
5. Information is processed in accordance with the subject’s rights,
6. Information is kept secure at all times,
7. Information is not transferred to countries or territories outside the EEA or to countries or territories without adequate protection unless 'safe harbour' or similar agreements are in place and operating.
"What if a patient wants to continue with the support elements but not receive any communications from the company?"
Which data?
It is not uncommon that launche of a new medicine is accompanied by a patient support programme. Here are some areas to watch out for:
• Although a programme may be across multiple European countries, the data server will be located only in one of them. The programme’s data controller is likely to be designated from that country. If a patient makes a Freedom of Information request, it will go to an address in their country and be made in local language. You will need agreed processes in place to respond in line with the laws and timeframes of both the local data controller countries (see principle number 5 above).
• A patient support programme is never altruistic, and as well as the education, nurse access or other practical support, marketing data will be gathered that looks at such factors as future take-up or prescribing trends (for example, why doses are not taken, prescription problems, concerns regarding a delivery mechanism, and so on) or which is used to send information to share experiences and encourage continued participation.
Is the non-medical/marketing purpose for data collection transparent? What if a patient wants to continue with the support elements but not receive any communications from the company? Is the data being shared with US colleagues? (see principles 1 and 7).
• Why is ‘date of birth’ a required field? If it is merely to confirm a patient is over 18, then a tick box would do. If it is to analyse by age groups then only ‘year’ is needed (see principle 2).
• Can the internal or outsourced data storage and management group actually destroy/delete data if required or does it merely remove a link? (see principle 4).
Data controller when partnering (joint working or third parties)
All data controllers have a responsibility under the Data Protection Act 1998 to ensure appropriate and proportionate security of the personal data they hold. (Seventh principle of the DPA 1998.)
In agreeing your joint working/service contract has your company established the relevant other party has adequate processes to deal with breaches? Is the data controller for these data in your company or theirs?
"Having clarified when a breach should be reported, if the data controller is in the other company, what is your company’s participation?"
Although there is no legal obligation on data controllers to report breaches of security which result in loss, release or corruption of personal data, the Information Commissioner believes serious breaches should be brought to the attention of his Office (ICO). The potential harm to individuals is the overriding consideration in deciding this. Ways in which harm can occur include (my italics emphasising where patient or healthcare professional data might fit):
• …information about the private aspects of a person’s life becoming known to others…
• The extent of harm, which can include distress, is dependent on both the volume of personal data involved and the sensitivity of the data. (As few as 10 records could be the trigger if the information is particularly sensitive.)
• Where there is significant actual or potential harm as a result of the breach, whether because of the volume of data, its sensitivity or a combination of the two, there should be a presumption to report.
Having clarified when a breach should be reported, if the data controller is in the other company, what is your company’s participation? What if you disagree about the need to report? Can they report and not tell you?
Having agreed notification is needed, it is important to understand it is not merely a matter of the obvious details, any notification should include process and operational information – items which fall firmly into compliance. They include:
• Action taken to minimise/mitigate the effect on individuals involved, including whether they have been informed,
• Details of how the breach is being investigated,
• Whether any other regulatory body has been informed and their response,
• Remedial action taken to prevent future occurrence.
"In some areas the Bribery Act goes further than FCPA…"
In addition, if you are working with the NHS, in a joint working project, say, there should also be a Caldicott guardian identified. It is now a requirement for every NHS organisation to have a Caldicott guardian but there may also be registered Caldicott guardians (former NHS medics) in your own or supplier/partner companies.
In summary, it is really important that your company clearly establishes where responsibility and duty to act lies between you and the other party or parties.
Jurisdiction
As with other EU directives, DP is implemented in each country under local law, with consequent local variances. Does your company know where and under which jurisdiction the data (servers) will be held?
This is made more challenging if the service provider or partner charged with this responsibility is using cloud computing for the data storage.
Cloud computing
Cloud computing turns information technology into a utility, consumed on demand, as with electricity. It is the ability to access a pool of computing resources that are owned and maintained by a third party via the internet. Organisations that plan to implement cloud computing will need to pay particular attention to data protection issues in order not to breach the legislation.
So now we have another player involved and pharmaceutical companies should take care to know whether third parties or joint working business partners are using cloud computing to support the shared enterprise or service. It is vital that governance sections in agreements and project plans define who is responsible for what and the procedures that your company and your service provider/partner will follow.
"The cloud requires vigilance about security, manageability, standards, governance, and compliance."
The cloud requires vigilance about security, manageability, standards, governance, and compliance.
Cloud computing uses infrastructure that an organization does not totally control, but they still need to apply governance. If the cloud is used to store and manage personal data then data security and privacy is vital. Who is responsible if there is a breach? Who in the cloud computing company will inform the other party or your company data controller?
With data in the cloud moving form server to server to optimise efficiency, which country’s jurisdiction applies (principle 6). Which nation’s official data privacy body should be informed? If there are breach-related fines, who pays? If there is breach-related legal enforcement action, on whose processes will they apply and who is responsible for seeing that remediation is carried out?
As with any data storage service, can the cloud computing company delete and or produce specific data to set timelines? There have been some recent examples of cloud computing services going down (principle 5).
Can the cloud computing services keep the data secure? There have been some recent allegations of cloud computing services being hacked (principle 6).
As always, the best way forward is to include your compliance/data privacy officer, explore the issues with your partners and confirm your ability and theirs to comply with DP using test scenarios before you start and document your compliance thinking and plans so that you can defend your actions if necessary.
About the author:
Jean is currently engaged in the development, with EverydayAssess, of an objective web-based tool for ABC that can be used to assess both the readiness of an organisation’s ABC programme and processes. plus the capability of its people against adequate processes. See everydayassess.com
Are you clear on data privacy and protection?
