Around the Globe
BASE life science
The protection of natural persons in relation to the processing of personal data is a fundamental right in the European Union. Data privacy regulations support these fundamentals. However, the right to protection of personal data is not an absolute right: e.g., it must be balanced against other fundamental rights, in accordance with the principle of proportionality.
All Marketing Authorization Holders (MAHs) in the EU must comply with post-marketing pharmacovigilance (PV) requirements, including reporting of adverse events (AEs), and simultaneously ensure that personal data are processed only where necessary and only where the parties involved assess this necessity at every stage of the PV process. Based on the author’s experiences and observations, these can be viewed as currently emerging best practices.
Informed Consent and Data Privacy Statements
Since MAHs are legally obliged to record any AE brought to their attention, an informed consent is not required. However, the MAH must make the reporter aware of their own legal requirement to forward every AE (including the personal data) to a global safety database. If the MAH wishes to use these data beyond the scope of meeting PV requirements (e.g., for training purposes), they must receive the reporter’s informed consent.
When a patient or caregiver is reporting an adverse event and is forwarded from a main switchboard to a local safety or medical information center, this presents an opportunity to play a short, pre-recorded standardized data privacy statement providing the following at a minimum:
- PV data collection is a legal requirement for the MAH
- Data from global sources are recorded by the MAH
- Reference to the full data privacy statement in PV notice.
This short data privacy statement can also be placed on follow-up letters, product information cards, and similar materials.
If the patient does not want his or her contact details recorded as part of the AE report, the patient must be informed that the company is legally required to record an anonymized form of the AE report and that the patient will not be able to get a copy of the report if their contact details are redacted.
The referenced long data privacy statement must be available in all relevant languages and contain the following information:
- Details on how AE data are handled, including when and how these data are transferred and retained
- The rights of the data subject (the “natural person”)
- The legislation demanding AE recording
- The legal basis in GDPR that allows for AE recording
- Contact details of the Data Protection Officer.
It is also advisable to prepare a long list of questions and answers (Q&As) which represent the typical data privacy questions that reporters may ask and which the company representative must be able to answer.
Follow-up Requests
It is important to stress that pseudonymized data must be handled as private data, because it can be linked back to the actual patient. Pseudonymized data are data that have been processed to ensure that they can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately; e.g., if patient identifiers are replaced with a code when the data are forwarded, but the key to link the patient to the code is available only to the MAH.
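The code-and-key arrangement described above, as an added Python example that is not part of the original article: the forwarded report carries a keyed code in place of the patient identifier, while the key and the link table stay with the MAH. The field names, the `PT-` code format, the choice of HMAC-SHA256, and the sample reports are assumptions of this example.

```python
import hashlib
import hmac
import secrets

# Hypothetical field names; a real safety database defines its own schema.
DIRECT_IDENTIFIERS = ("patient_name", "phone", "email")

class LinkKeyStore:
    """Stays with the MAH: the secret key and the code-to-patient table."""

    def __init__(self, key: bytes):
        self._key = key
        self._links = {}  # code -> patient_id, never forwarded

    def code_for(self, patient_id: str) -> str:
        # Keyed hash: the same patient always maps to the same code, but the
        # code cannot be recomputed from the identifier without the key.
        mac = hmac.new(self._key, patient_id.encode("utf-8"), hashlib.sha256)
        code = "PT-" + mac.hexdigest()[:16]
        self._links[code] = patient_id
        return code

    def reidentify(self, code: str):
        """Link a code back to the patient; needs the MAH-held link table."""
        return self._links.get(code)

def pseudonymize(report: dict, store: LinkKeyStore) -> dict:
    """Return the copy of an AE report that may be forwarded."""
    out = {k: v for k, v in report.items()
           if k not in DIRECT_IDENTIFIERS and k != "patient_id"}
    out["patient_code"] = store.code_for(report["patient_id"])
    return out

# Constructed sample reports (not real data): one patient, two events.
SAMPLE_REPORTS = [
    {"patient_id": "FI-000123", "patient_name": "Example Patient",
     "phone": "+358 00 000 0000", "product": "Product X", "event": event}
    for event in ("rash", "nausea")
]

def demo():
    store = LinkKeyStore(secrets.token_bytes(32))
    forwarded = [pseudonymize(r, store) for r in SAMPLE_REPORTS]
    return store, forwarded

if __name__ == "__main__":
    store, forwarded = demo()
    for rec in forwarded:
        print(rec, "->", store.reidentify(rec["patient_code"]))
```

Both forwarded reports carry the same code, so they remain linkable to one individual, and the MAH can resolve that code to the patient; this is why the forwarded records still have to be handled as private data.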
Submission to Health Authorities
Record Retention
Data are better protected in validated, fit-for-purpose IT systems with strict user access controls than on shared drives and in mailboxes. Clear procedures must ensure that use of personal drives, network folders, and e-mailboxes is minimized and that data which are no longer used are either archived or deleted.
Since the purpose of the EU legislation is to protect EU citizens, and safety data collected outside the EU may contain valuable information that protects EU citizens, the MAH’s PV data recording requirements apply globally for any product launched on the EU market. In contrast, the GDPR only applies to EU citizens.
If one MAH divests a marketed product to another MAH who keeps that product on the EU market, the new MAH assumes all the legal obligations of the marketing authorization and those PV data cannot be destroyed. Those source data should ideally be transferred to the new MAH during divestments. Alternatively, the divesting company may be contractually required to keep the source data and to provide it to the MAH upon a well-justified request; e.g., in connection with an inspection or an assessment of a safety signal. MAHs must retain PV data for at least 10 years after that product is no longer on the EU market unless stricter local requirements apply. For example, Finland requires that AEs gathered in Finland be kept for 50 years after the marketing authorization expires; this requirement applies to data gathered from Finland and from occurrences that took place in Finland. Different rules apply outside the EU; e.g., Health Canada requires keeping individual reports for 25 years from case creation.
Furthermore, data from other marketed products with the same active ingredient may add significantly to understanding a product’s safety profile. Personal data related to these similar products should not be destroyed until all products with the same active ingredient are no longer on the EU market and their Marketing Authorizations have been withdrawn.
Deleting private data also covers, in principle, audit trails and backups. However, since this may not be possible, companies must have clear procedures that ensure that these data are not accidentally restored and are again deleted after a total data restore.