Around the Globe

Ensuring Data Privacy in EU Pharmacovigilance
Gro Laier
BASE life science

he protection of natural persons in relation to the processing of personal data is a fundamental right in the European Union. Data privacy regulations support these fundamentals. However, the right to protection of personal data is not an absolute right: e.g., it must be balanced against other fundamental rights, in accordance with the principle of proportionality.

Since the General Data Protection Regulation (GDPR) became effective in 2018, pharmaceutical companies and regulatory authorities have struggled with aspects of its implementation. We have seen different implementation of these requirements, with different companies guided by different legal perspectives from different lawyers.

All Marketing Authorization Holders (MAHs) in the EU must comply with post-marketing pharmacovigilance (PV) requirements, including reporting of adverse events (AEs), and simultaneously ensure that personal data are processed only where necessary and only where the parties involved assess this necessity at every stage of the PV process. Based on the author’s experiences and observations, these can be viewed as currently emerging best practices.

Informed Consent and Data Privacy Statements

The patient/reporter must provide their informed consent to allow the collection of personal data that is “nice to have” or “nice to process.” Only the data needed for any individual subtask can be handled in a single work step. For example: The company department responsible for submitting follow-up to a reporter needs that reporter’s contact information, but the safety surveillance department does not. Therefore, the safety surveillance department should not have access to the reporter contact details.

Since MAHs are legally obliged to record any AE brought to their attention, an informed consent is not required. However, the MAH must make the reporter aware of their own legal requirement to forward every AE (including the personal data) to a global safety database. If the MAH wishes to use these data beyond the scope of meeting PV requirements (e.g., for training purposes), they must receive the reporter’s informed consent.

When a patient or caregiver is reporting an adverse event and is forwarded from a main switchboard to a local safety or medical information center, this presents an opportunity to play a short, pre-recorded standardized data privacy statement providing the following at a minimum:

  • PV data collection is a legal requirement for the MAH
  • Data from global sources are recorded by the MAH
  • Reference to the full data privacy statement in PV notice.

This short data privacy statement can also be placed on follow-up letters, product information cards, and similar materials.

If the patient does not want his or her contact details recorded as part of the AE report, the patient must be informed that the company is legally required to record an anonymized form of the AE report and that the patient will not be able to get a copy of the report if their contact details are redacted.

The referenced long data privacy statement must be available in all relevant languages and contain the following information:

  • Details on how AE data are handled, including when and how these data are transferred and retained
  • The rights of the data subject (the “natural person”)
  • The legislation demanding AE recording
  • The legal basis in GDPR that allows for AE recording
  • Contact details of the Data Protection Officer.

It is also advisable to prepare a long list of questions and answers (Q&As) which represent the typical data privacy questions that reporters may ask and which the company representative must be able to answer.

Follow-up Requests

The MAH does not need permission to collect follow-up information from the initial reporter if that reporter is a healthcare professional (HCP). However, if that HCP specifically requests not to be contacted for follow-up questions, this must be documented and respected. If the reporter is not an HCP, the company must request permission from the reporter to contact that patient’s HCP.

It is important to stress that pseudonymized data must be handled as private data, because it can be linked back to the actual patient. Pseudonymized data are data that have been processed to ensure that they can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately; e.g., if patient identifiers are replaced with a code when the data are forwarded, but the key to link the patient to the code is available only to the MAH.

Submission to Health Authorities

Unless special local requirements apply, the MAHs should limit the personal information/identifiers in their reporting to only those elements required by the implementing regulation.

Record Retention

If special categories of private data (e.g., racial or ethnic origin, genetic data, medical treatment data, or other data concerning health or sexual orientation) are required for a legitimate scientific or legal purpose, these data must be filed securely – ensuring not just that these data are not mistakenly disclosed beyond requirements but also that they are not lost.

Data are better protected in validated, fit-for-purpose IT systems with strict user access controls than on shared drives and in mailboxes. Clear procedures must ensure that use of personal drives, network folders, and e-Mailboxes are minimized and that data which are no longer used are either archived or deleted.

Since the purpose of the EU legislation is to protect EU citizens, and safety data collected outside the EU may contain valuable information that protects EU citizens, the MAH’s PV data recording requirements apply globally for any product launched on the EU market. In contrast, the GDPR only applies to EU citizens.

If one MAH divests a marketed product to another MAH who keeps that product on the EU market, the new MAH assumes all the legal obligations of the marketing authorization and those PV data cannot be destroyed. Those source data should ideally be transferred to the new MAH during divestments. Alternatively, the divesting company may be contractually required to keep the source data and to provide it to the MAH upon a well-justified request; e.g., in connection with an inspection or an assessment of a safety signal. MAHs must retain PV data for at least 10 years after that product is no longer on the EU market unless stricter local requirements apply. For example, Finland requires that AEs gathered in Finland be kept for 50 years after the marketing authorization expires; this requirement applies to data gathered from Finland and from occurrences that took place in Finland. Different rules apply outside the EU; e.g., Health Canada requires keeping individual reports for 25 years from case creation.

Furthermore, data from other marketed products with the same active ingredient may add significantly to understanding a product’s safety profile. Personal data related to these similar products should not be destroyed until all products with the same active ingredient are no longer on the EU market and their Marketing Authorizations have been withdrawn.

Deleting private data also covers, in principle, audit trails and backups. However, since this may not be possible, companies must have clear procedures that ensure that these data are not accidentally restored and are again deleted after a total data restore.

A manuscript describing the full results and detailed methodology of this study has been submitted for peer review.