The General Data Protection Regulation and use of health data: challenges for pharmaceutical regulation

The General Data Protection Regulation and use of health data: challenges for pharmaceutical regulation
ENCePP Plenary Meeting, London, 22/11/2016
Alessandro Spina, Data Protection Officer, EMA
An agency of the European Union

Disclaimer: The views represented in this presentation are the personal opinion of the author and do not necessarily reflect the position of the European Medicines Agency or any other EU institution.

Introduction
- Reform of data protection legislation (GDPR)
- Consent
- Other legal grounds for processing health data
- Pseudonymisation/Anonymisation
- Data Protection Governance

1/ Reform of EU data protection legislation
Milestones of the data protection reform:
- 25 January 2012: Commission proposed reform of data protection legislation: repeal of Directive 95/46/EC; a General Data Protection Regulation (GDPR) and a Directive for the police and criminal justice sectors;
- 12 March 2014: European Parliament voted in support of the amended proposal for the GDPR;
- 15 June 2015: Council agreed on a general approach on the GDPR;
- 15 December 2015: Trialogue agreement on the final text of the GDPR, followed by votes in the LIBE Committee (17 Dec) and COREPER (18 Dec);
- Regulation (EU) 679/2016 adopted 24 May 2016; entry into force 25 May 2018.

1/ Reform of data protection legislation
Facts: a thick legislative instrument; ~170 recitals; ~100 articles; 200 pages.
Structure:
- General provisions
- Rights of data subjects
- Obligations of controllers and processors
- Regulatory governance aspects (EDPB / co-operation and consistency)
- Specific data processing situations

1/ Reform of data protection legislation
General principles of EU data protection law remain the same, but:
- Territorial scope, Article 3(2)(b): "This Regulation applies to the processing of personal data [...] by a controller or processor not established in the Union";
- Right to erasure ("to be forgotten") (Article 17), including withdrawal of consent;
- Right to data portability (Article 18): "...in a structured and commonly used and machine-readable format";
- Definition of health data: "personal data related to physical or mental health [...] which reveal information about his or her health status".

1/ Reform of data protection legislation
- Profiling (Article 20): "...which produces legal effects concerning him or her or significantly affects him or her";
- Data Protection Impact Assessment (Article 33); DP by design and by default; DPO (Articles 35-37);
- Notification of personal data security breaches (Articles 31-33);
- Sanctions (up to 4% of a company's annual global turnover) and new legal remedies (class actions);
- EDPB, which can adopt binding decisions and ensures consistency among DPAs.

2/ Consent
Consent remains the cornerstone of DP law as the main legal basis for the processing of personal data. There are important clarifications on the characteristics of valid consent, either in general (Article 7):
- Recital 42: "For consent to be informed, the data subject should be aware at least of the identity of the controller and the purposes for which the personal data are intended";
- It requires an affirmative action; silence or inactivity should not constitute consent.
Or with regard to the processing of personal data concerning health (Article 9): "the data subject has given explicit consent to the processing of those personal data".

2/ Consent
With regard to consent in the field of clinical trials/scientific research/patient registries, the final text contains other important indications:
- Recital 161: "For the purpose of consenting to the participation in scientific research activities in clinical trials the relevant provisions of Regulation (EU) No 526/2014 should apply." There are interpretative issues between the provisions of the CT Regulation and the GDPR on consent.
- Recital 33: "It is often not possible to fully identify the purpose of data processing for scientific purposes at the time of data collection. Therefore data subjects should be allowed to give their consent to certain areas of scientific research when in keeping with recognised ethical standards for scientific research."

3/ Other legal grounds for processing health data
There are legal grounds other than consent for processing health data:
- Article 9(2)(i): "processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union law or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subjects, such as professional secrecy."
- Highly relevant in the case of a pandemic crisis or with regard to the obligations related to pharmacovigilance.
- Not clear whether only public bodies could rely on this provision.

3/ Other legal grounds for processing health data
- Article 83: "Processing of personal data for [...] scientific and historical research purposes shall be subject to appropriate specific safeguards provided by Union or Member State law" and, where possible, to pseudonymisation/anonymisation.
- Recital 157 on patient registries: "By coupling information from registries, researchers can obtain new knowledge of great value with regard to widespread medical conditions such as cardiovascular disease, cancer and depression. [...] In order to facilitate scientific research, personal data can be processed for scientific research purposes, subject to appropriate conditions and safeguards set out in Union or Member State law."

3/ Other legal grounds for processing health data
Other provisions of the GDPR give special protection to the use of health data in the context of public health activities:
- Article 17(3)(c): limitation of the right to erasure, in case of withdrawal of consent, for reasons of public interest in the area of public health;
- Article 9(4): Member States may maintain or introduce further conditions, including limitations, with regard to the processing of genetic data, biometric data or health data.

4/ Pseudonymisation/Anonymisation
- There is a definition of pseudonymisation (cf. Article 4(5)), e.g. key-coding data from electronic health records: "means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information".
- Recital 26: data which has undergone pseudonymisation, but could still be attributed to a natural person by the use of additional information, should be considered personal data.
- It is a security measure, not a way to anonymise data, in line with Article 29 WP Opinion 5/2014 on anonymisation techniques.

4/ Pseudonymisation/Anonymisation
- There remains the challenge of the anonymisation of datasets, in particular for clinical trials: no personal data of trial participants shall be recorded in the EU database (Recital 67 of Regulation (EU) 536/2014).
- EMA published an External Guidance on the anonymisation of clinical reports for the purpose of Policy 0070: non-binding guidance presenting a set of different approaches to the anonymisation of CSRs, based on masking (redaction) but also other techniques (randomisation, generalisation), in order to increase the usefulness of published information.
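As an added illustration of slides 12 and 13 (example code written for this page, not part of the presentation or of any EMA guidance), the Python below key-codes a small record set, shows that the key holder can re-attribute the codes (so the output is still personal data under Recital 26), and then applies generalisation to the quasi-identifiers with a minimum-group-size check as one measure of residual singling-out risk. The records, the key and the helper names are all constructed for the example.

```python
import hashlib
import hmac
import re
from collections import Counter

# Constructed sample records for this example (not real trial data).
RECORDS = [
    {"patient_id": "P-0001", "name": "A. Example", "birth_year": 1957, "postcode": "SW1A 1AA", "diagnosis": "hypertension"},
    {"patient_id": "P-0002", "name": "B. Sample", "birth_year": 1953, "postcode": "SW1P 3BT", "diagnosis": "hypertension"},
    {"patient_id": "P-0003", "name": "C. Test", "birth_year": 1989, "postcode": "M1 1AE", "diagnosis": "asthma"},
    {"patient_id": "P-0004", "name": "D. Demo", "birth_year": 1984, "postcode": "M2 5DB", "diagnosis": "asthma"},
]
DIRECT_IDENTIFIERS = ("patient_id", "name")
KEY = b"constructed-demo-key"  # placeholder: the "additional information", to be held apart from the dataset


def code_for(patient_id, key):
    """Keyed code for one subject (HMAC-SHA256 over the identifier, truncated for readability)."""
    return hmac.new(key, patient_id.encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymise(records, key=KEY):
    """Key-coding (Article 4(5)): direct identifiers are replaced by a keyed code; everything else stays."""
    return [{"code": code_for(r["patient_id"], key),
             **{k: v for k, v in r.items() if k not in DIRECT_IDENTIFIERS}} for r in records]


def reattribute(pseudonymised, records, key=KEY):
    """Whoever holds the key (or a code table) can link codes back to subjects (Recital 26)."""
    lookup = {code_for(r["patient_id"], key): r["patient_id"] for r in records}
    return {p["code"]: lookup.get(p["code"]) for p in pseudonymised}


def generalise(pseudonymised):
    """Generalisation: coarsen quasi-identifiers (year -> decade, postcode -> area letters)
    and drop the per-subject code, so no record-level link to a subject remains."""
    return [{"birth_decade": p["birth_year"] // 10 * 10,
             "postcode_area": re.match(r"[A-Z]+", p["postcode"]).group(),
             "diagnosis": p["diagnosis"]} for p in pseudonymised]


def smallest_group(rows, quasi=("birth_decade", "postcode_area")):
    """Size of the smallest group sharing the same quasi-identifier values (the k of k-anonymity);
    a group of 1 means a subject could be singled out by those attributes alone."""
    counts = Counter(tuple(r[q] for q in quasi) for r in rows)
    return min(counts.values())
```

On the constructed records, the pseudonymised set still has singleton groups on raw birth year and postcode, while the generalised set has no group smaller than 2; a real release would pick the generalisation level against the risk threshold set in the anonymisation report.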

5/ New Data Protection Governance
The GDPR introduces a shift in paradigm about compliance: the data controller has to adopt suitable measures to ensure and demonstrate compliance (Article 24). Examples:
- Documentation (Article 30);
- Implementing security requirements (Article 32);
- Data Protection Impact Assessment (Article 32) + privacy by design and by default;
- Designation of a DPO (Article 37).

Thank you for your attention
alessandro.spina@ema.europa.eu