UK’s Data Protection in Post-Marketing PV Guidance of February 2013 (Worth reading for Americans & Canadians too!)

Mar 13, 2013
Bart Cobert

Pharmacovigilance, Drug Safety and Regulatory Affairs Author & Expert

In February 2013 the Association of the British Pharmaceutical Industry (ABPI), the Pharmaceutical Information and Pharmacovigilance Association (PIPA) and PV Legal in the UK issued an interesting document on data protection and Drug Safety/Pharmacovigilance (PV). See: http://www.abpi.org.uk/our-work/library/guidelines/Pages/data-protection.aspx

Background

This is a guidance on how data privacy interacts with drug safety in the UK and in the EU. Its provisions, though, have broad application in the US, as many of the goals and procedures are similar or identical to those in the US. In addition, many US companies do business in the EU. So this is worth a read.

There are sections covering receipt of PV data and follow-up; data entry and transfer; access, corrections and objections; retention and redaction; security; and notification. There are also several annexes.

The legal bases for data protection date back to the EU Data Protection Directive 95/46 and cover data processed in Britain. Breaches may be prosecuted criminally, with fines up to £500,000 (~$770,000). The law applies to all personal data, not just pharmacologic or drug safety data.

A great deal of data is collected in PV, including: age, sex, ethnic group, weight, height, family, medical and surgical history, as well as patient identifiers including age and date of birth. All of this information can be used to find out the identity of an individual using “reasonable means”. Thus, this PV data is considered protected personal data. Companies must have adequate data protection in place, and it is recommended that all company staff involved in PV be trained in this.

This document covers post-marketing data and not clinical trial data, since for trials there is usually explicit consent from the subject allowing their personal data to be used in various ways, though that data too is protected in many ways.

Data Receipt and Follow-Up

It is legally permissible to collect personal data on both the patient/subject in question and the reporter (e.g. health care professional, relative etc.). Both the subject and the reporter must be informed of what is being collected, by whom and for what purposes. The purposes can be stated at a general level (e.g. health agencies) and need not specify in detail who that is. This should be put into a written “Data Protection Notice”. If such a written document is not provided to the subject, then a statement should be made to remind the reporter of his or her obligation to notify patients that “their” AE has been reported. If a patient reports an AE and the company wants to follow up with the HCP, consent should always be obtained to do so. Note that in the US the equivalent of the data protection notice is the HIPAA statement mailed or given to the public by many companies, organizations etc.

Comment: Note that data protection covers not just the subject/patient but the reporter as well.

Data entry and transfer

Data is entered into a safety database for safety reasons and should not be used for other purposes unless the subject is so informed and (usually) signs consent for this other use. The company employees handling this data must be “reliable” and trained. Security measures must be in place, particularly if data entry is outsourced. The vendor must also have adequate data protection procedures in place, and the company sending the data out must ensure this. There must be a written agreement in place covering and ensuring this.

Next the definition of data transfer is discussed. Interestingly, under this definition, if data is entered into a database housed outside the European Economic Area (EEA), or if it can be accessed outside the EEA, then this is considered data transfer. That is, the simple act of data entry into a database that can be accessed outside Europe is considered to be data transfer. Similarly, if the data is hosted or backed up outside the EEA (even if it can’t be viewed there), it is considered a data transfer. The requirements also apply to a global safety database hosted outside the EU even if the company is in the EU.

Data cannot be transferred outside the EEA unless the receiving country has adequate data protection. If data is transferred to a country not considered to have adequate protection, any organization receiving this data must put in place arrangements that provide adequate (i.e. EEA-level) protection. In the US, which is not considered to have adequate protection, this can be done with the “safe harbor” principles. If such protection cannot be put in place, then there are two choices: 1) limit transfer so that no one outside the EEA can access the data, or 2) anonymize it.

Interestingly, this applies to data sent to other health agencies (e.g. FDA) outside the EEA.

Access, rectification and objection rights

Subjects have a right of access to their data. A written request (e.g. email) is sufficient, and a small fee may be charged to provide the data. Of course, the person has the right to access only his or her own data, and the company must ensure it has verified the identity of the requestor or of a duly authorized representative. The information should be made understandable, with technical terms and abbreviations explained. Companies have 40 days to respond. If the company does not have full information on the identity of the subject and the reports were received via an HCP, then the subject should work through the HCP to request the information.

Comment: This may not be too feasible; putting the HCP in the middle is not something the HCP will be happy to do at all.

The data held by a company must be accurate and up to date. If an individual challenges the accuracy of the information, the company should amend it if there is no reason to question the accuracy of the new data. If there are issues, the individual can go to court to have the information rectified, blocked, erased or destroyed.

Comment: Again this may not be too feasible for the average patient.

A person can object to the data being processed if it is likely to cause unwarranted substantial damage or distress. However, if the PV data processing is required of the company by law, the company can refuse to comply with the subject’s objection. If an objection is lodged, the subject must be informed of the decision, one way or the other, within 21 days. The document gives suggested wording:

“The company is required by law to collect certain minimum information relating to persons who have suffered an adverse event or potential adverse reaction to the company’s medicinal product in order to monitor the safety of its medicinal products.”

Retention and Redaction

Companies should not hold more data than is needed to fulfill the required PV function, nor should data be held for longer than is necessary for processing. Data should not be redacted or de-identified if doing so compromises PV obligations.

The document recommends the following be retained for effective PV:

  • Patient initials or ID
  • Age/age group
  • Ethnicity
  • AE: symptoms, outcome, duration, suspect drug, medical history, concomitant meds.
  • HCP data should be retained even after the activities are complete, just in case.

Recommendations for data that can be redacted, as this data is “not usually required for effective PV”:

  • Patient name & contact details
  • Hospital number
  • Names and addresses should not be entered into the database unless the patient is also the reporter.
  • Redaction can be done by removing the information with a black marker for paper and the Adobe Redact function for scanned records.
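The retain/redact lists above translate directly into a field-level policy for a case record. The Python below is an added example, not code from the ABPI/PIPA guidance; the record field names (`patient_initials`, `hospital_number`, `patient_is_reporter` and so on) are assumptions chosen to mirror the guidance's lists. It removes the redactable fields by building a new record rather than overwriting values in the original, keeps patient name and contact details only when the patient is also the reporter, and then re-scans the serialised output for any value that should have gone, the digital counterpart of holding a marker-redacted page up to the light.

```python
"""Field-level redaction of a post-marketing PV case record.

Added example, not taken from the ABPI/PIPA guidance. Field names are
assumptions that mirror the guidance's retain/redact lists.
"""
import copy
import json

# Fields the guidance recommends retaining for effective PV (assumed names).
RETAIN = {
    "patient_initials", "patient_id", "age", "age_group", "ethnicity",
    "ae_symptoms", "ae_outcome", "ae_duration", "suspect_drug",
    "medical_history", "concomitant_meds",
    "hcp_name", "hcp_contact",  # reporter details kept for later follow-up
}

# Fields the guidance calls "not usually required for effective PV".
REDACT = {"patient_name", "patient_contact", "hospital_number"}


def redact_case(case: dict) -> tuple[dict, list[str]]:
    """Return (redacted copy, sorted names of the fields removed).

    The input record is never modified: the redacted record is assembled
    from scratch, so no "masked" value survives underneath. Patient name and
    contact details are kept when the patient is also the reporter.
    """
    keep = set(RETAIN) | {"patient_is_reporter"}
    drop = set(REDACT)
    if case.get("patient_is_reporter"):
        keep |= {"patient_name", "patient_contact"}
        drop -= {"patient_name", "patient_contact"}
    redacted = {k: copy.deepcopy(v) for k, v in case.items() if k in keep}
    removed = sorted(k for k in case if k in drop)
    return redacted, removed


def verify_redaction(original: dict, redacted: dict, removed: list[str]) -> list[str]:
    """Search the serialised output for every removed value.

    Returns the names of removed fields whose values still appear anywhere
    in the redacted record (an empty list means the redaction is clean).
    """
    blob = json.dumps(redacted, default=str).lower()
    leaks = []
    for field in removed:
        value = str(original[field]).strip().lower()
        if value and value in blob:
            leaks.append(field)
    return leaks


# Constructed sample records (not real cases).
CASE_HCP_REPORT = {
    "patient_name": "Ann Example",
    "patient_initials": "AE",
    "patient_id": "PT-0001",
    "patient_contact": "ann@example.invalid",
    "hospital_number": "H-77421",
    "age": 54,
    "age_group": "adult",
    "ethnicity": "not stated",
    "ae_symptoms": "rash",
    "ae_outcome": "recovered",
    "ae_duration": "3 days",
    "suspect_drug": "Drug X (placeholder)",
    "medical_history": "none",
    "concomitant_meds": [],
    "hcp_name": "Dr Reporter (placeholder)",
    "hcp_contact": "clinic@example.invalid",
    "patient_is_reporter": False,
}

CASE_PATIENT_REPORT = dict(CASE_HCP_REPORT, patient_is_reporter=True)


if __name__ == "__main__":
    for case in (CASE_HCP_REPORT, CASE_PATIENT_REPORT):
        out, removed = redact_case(case)
        print("removed:", removed, "leaks:", verify_redaction(case, out, removed))
```

The `removed` list doubles as an audit record of what was taken out of each case, which is useful when a later follow-up query needs to know which identifiers were never entered into the database.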

Comment: To a certain degree this contradicts other PV regulatory requirements, which include obtaining “complete” data through follow-up querying. Since one never knows where a case will lead, the normal tendency is to collect as much data as possible. This is usually good medical practice, as it helps to find the “needle in the haystack”. In addition, many jurisdictions mandate holding safety data for 10 or 25 years or even forever. Others require that the data be held until the NDA/MA is closed plus a certain number of additional years. In the UK: until the MA is closed and for at least 10 more years. What this means, in practice, is that no safety data is ever thrown away.

As noted above, some data is not to be entered into the database. This is problematic: it is very difficult to keep track of information if it is not in the database. Paper is often archived or gets lost.

Black marker redaction is often ineffective. Sometimes the text can still be read through the marker by holding the page up to a strong backlight.

Data sharing with business partners and vendors should be limited to what is reasonably needed. “Reasonably needed” is not defined.

Retention Period

As noted, these periods can be very long and, in practice, are usually forever. Data held outside the PV department or by third parties should also follow these data protection requirements.

Security

Companies must take appropriate measures against unauthorized use or illegal processing of data and against loss, destruction and damage. Fireproof cabinets should be used. Companies should adopt a “clear desk” policy at the end of each business day, as documents should not be left unattended. PV databases should be “fully validated or tested” to ensure protection and limited access.

Comment: Don’t know about you but my desk is never really clear….

Notification

The appropriate authorities in the UK are identified and the notification requirements discussed.  See the document for details.

Sample Notices

The appendices contain sample phraseology for written and oral notices or communications to outsiders about these requirements, covering telephone calls, email, sales force customer meetings, digital media, enquiries and follow-up information.

Advice is also given on model contracts, the US Safe Harbor, binding corporate rules, subject consent, how to determine whether a third party to whom data is being transferred is “adequate”, and access to personal data. See the document for details.

Comments: Although these requirements are UK-centric, they are very similar to those of most countries that have enacted data protection regulations. The US HIPAA rules are similar in many ways in terms of limited data, source protection, redaction etc. This document gives a very good summary of the broad state of the art, with particulars for the UK.

No doubt the intentions of this document and of all data protection regulations and guidances are well meaning and intended to protect the public. In practice, it is not clear that these very complex rules (which vary from country to country, even within the EU) will really achieve what is intended in this age of social media, transparency, enormous data uploading by others (have you googled your own name recently?), hacking, data theft and thumb drives, laptops or smartphones left on the subway/underground/metro! Nonetheless, this set of protective measures must be put in place in companies (and governments).