Presentation about medical devices patient data management under the EU General Data Protection Regulation at the Medical Device Clinical Research Conference in November 2015
EU Medical Device Clinical Research under the General Data Protection Regulation
1. PATIENT DATA MANAGEMENT UNDER THE GDPR
8TH ANNUAL EU MEDICAL DEVICE CLINICAL RESEARCH
6 November 2015
Erik Vollebregt
www.axonadvocaten.nl
2. General Data Protection Regulation
The current EU system is:
• Fragmented
• Outdated
• Unclear
Proposal for a new framework:
The General Data Protection Regulation.
• Regulation: direct effect in member states (no national legislation except implementation)
• Requires significant work by mHealth companies to implement
Looks to be finished end of 2015 – in force 2016?
6. Background
• Proposed new General Data Protection Regulation on clinical investigations and clinical data
• In Vitro Diagnostics Regulation
• Medical Devices Regulation
• To address national inconsistencies, each of the new laws will be a Regulation rather than a Directive. While this is intended to harmonise the approach to these issues, it will increase the compliance burden and increases uncertainty
• Impact
• Practical preparations for the draft Regulations
7. Overview of Data Protection
• Significant Changes in Data Protection Regulation
• Consent
• Research
• Administratively burdensome bureaucracy
• Fines
• Collateral damage: ‘Potentially catastrophic’ effects on biobanks, registries, personalised medicine, e-health and the development of new therapies
• What we hate in marketing and social media, we actually want in health care
• further processing, monitoring, profiling, predictions, traceability, secondary processing
• Innovative and/or long-term uses of personal data are problematic
• known unknowns and unknown unknowns
• International transfers and sharing of personal data
8. What is the same
• “Personal Data” remains a cornerstone
• Reasonable likelihood of identification of an individual remains a dynamic test – probably
• Data can still become “personal” as a result of technological or other reasons (mosaicing)
• Privileged status of “data concerning health” (and data re racial or ethnic origin) requires extra care
• Consent to processing (and purpose limitation) remains a cornerstone
• Capacity to consent remains a matter of national law
• Focus remains on each act of processing personal data rather than the collection or holding of data. The data controller must verify that there is a legitimate basis for the processing
• Even anonymising or pseudonymising data = processing
• Export of personal data outside EEA only permissible with adequate level of protection
9. What Changes (or is clarified) (1)
• “Personal data” Likelihood of identification of data subject
• Deleted qualifier “by means reasonably likely” (but this may come back)
• Added a definition of “pseudonymisation” which appears to mean that pseudonymised data remains personal data regardless of the number and nature of steps taken to key code
• Consent requirements/invalidation
• Broad consent and “opt-out” consent explicitly rejected
• Biological samples should be considered identifiable data
• Definitions of Genetic data and Biometric data
• Scope of the Research derogation under threat
10. What Changes (or is clarified) (2)
• Data Protection becomes a fundamental right
• Access Rights
• Impact Assessments required
• Data Protection Officers
• Right to compensation for incompliant processing
• Fines
• staggered fines for violations depending on severity up to € 1 mio / 2% worldwide annual turnover, but final percentage / threshold still under debate (may go up to 5%)
11. Consent: Validity & Purpose Limitation
• To be valid, consent to the processing of personal data must:
• be freely given, specific, informed and explicit
• be a clear affirmative action (no opt-outs)
• The use of default options which the data subject is required to modify to object to the processing, such as pre-ticked boxes, does not express free consent.
• cover all processing activities carried out for the same purpose.
• Once the original purpose ends, data subject must re-consent/ re-affirm.
• Consent shall be purpose-limited and shall lose its validity when the purpose ceases to exist or as soon as the processing of personal data is no longer necessary for carrying out the purpose for which they were originally collected.
• Where the conclusion of the intended purpose is unclear, the controller should in regular intervals provide the data subject with information about the processing and request a re-affirmation of their consent.
12. Consent by persons lacking legal capacity
• What is the best approach to re-consent from a person who loses capacity as a result of a degenerative condition?
• Broad consent before the data subject loses capacity?
• Power of Attorney (or equivalent) before the data subject loses capacity?
• “Delegated” or “surrogate” consent?
• Consent to such processing as is approved by the Registry’s Ethics Committee (in line with Helsinki Declaration)
13. Impact Assessment: Art 33
• Data controller must conduct impact assessments on the rights and freedoms of the data subjects, especially their right to protection of personal data when processing:
• [personal data relating to more than 5000 data subjects during any consecutive 12-month period;]
• “special categories of personal data” - personal data revealing race or ethnic origin; genetic or biometric data or data concerning health or sex life;
• [location data or data on children in large scale filing systems]; or
• personal data for the provision of health care, epidemiological researches, or surveys of mental or infectious diseases, where the data are processed for taking measures or decisions regarding specific individuals on a large scale.
• The good news is that a single assessment may suffice for similar processing operations that present similar risks.
• The bad news is that the exact methodology will be implemented by delegated act
14. Mandatory Data Protection Officer (35)
• The data protection officer should have at least the following qualifications:
• extensive knowledge of the substance and application of data protection law, including technical and organisational measures and procedures;
• mastery of technical requirements for privacy by design, privacy by default and data security;
• industry-specific knowledge in accordance with the size of the controller or processor and the sensitivity of the data to be processed;
• the ability to carry out inspections, consultation, documentation, and log file analysis; and
• the ability to work with employee representation.
• The controller should enable the data protection officer to take part in advanced training measures to maintain the specialized knowledge required to perform his or her duties.
• The designation as a data protection officer does not necessarily require fulltime occupation of the respective employee.
15. Consent: Procedural aspects
• To be valid, consent to the processing of personal data must:
• be separated from other matters (eg consent to treatment)
• If the data subject's consent is given in the context of a written declaration which also concerns another matter, the requirement to give consent must be presented clearly distinguishable in its appearance from this other matter. Provisions on the data subject’s consent which are partly in violation of this Regulation are fully void.
• comply with national laws if given on behalf of a child or someone lacking capacity
• In case of a child or a person lacking legal capacity, relevant Union or Member State law should determine the conditions under which consent is given or authorised by that person.
16. Scenarios re Validity of Consent
• Status of valid consent given under the existing DP Directive?
• Valid if consent was a condition of entry into a clinical investigation?
• Not freely given if the data subject would suffer detriment by refusing or withdrawing consent
• Will consent given in a clinical investigation of product X be valid if it leads to a new product Y?
• What if X was a HPV diagnostic and Y a new “morning after” pill?
• Valid when given by a patient to a doctor (power imbalance)?
• Valid if given in a single document with the consent to treatment?
• Valid if given in the same consultation as the consent to treatment?
• What if consent will skew (or invalidate) the results of the study?
17. Consent in the context of a clinical trial
• Difficult to be certain that consent obtained in a clinical context (trial, investigation or other) will satisfy data protection requirements
• Consent ceases to legitimise once processing is no longer necessary
• Secondary purposes must be compatible with the original purpose or “re-consent”
• Consent rigor makes these derogations more important:
• Medical treatment privilege - Article 81(1)(a)
• Public health purposes – Article 81(1)(b)
• Genetic data – Article 81a
• Research Purposes – Article 83
• Parliament, Commission and Council vary considerably in position on derogations
18. Derogations from consent requirement
• In the absence of explicit consent, unless the processing is necessary to protect the vital interests of the data subject, processing of sensitive data concerning health is only permitted for:
• tasks carried out in the substantial public interest;
• health purposes subject to the conditions and safeguards (e.g. obligations of professional secrecy); or
• scientific research subject to the adequate legal safeguards.
• When relying on derogation, should still disclose the possible or proposed processing in the interests of “fairness” (a fundamental Data Protection Principle)
20. Derogation for Research Purposes
• Commission, Parliament and Council propose different standards for the derogation
• Export of personal data outside Europe for research purposes probably requires explicit consent or other derogations – no recognition of the value of international research
24. Exporting personal data
• Can only transfer personal data outside the EEA:
• to a country whose DP laws have been approved by the EC; or
• if there is an adequate level of protection for the rights of data subjects
• The United States does not offer “adequate protection”
• The data controller may:
• carry out his own assessment of the adequacy of the protection
• use contracts to ensure adequacy
• obtain EC approval for a set of Binding Corporate Rules governing intra-group data transfers
• rely on one of the exceptions to the prohibitions on transfers of personal data outside the EEA
• Use “Safe Harbours” [Schrems vs Facebook]
• Where the data controller has found a basis to legitimise the transfer, this must be disclosed for “fairness”
25. Exporting personal data (2)
• While the data controller could ask the data subject to consent to the export of personal data to a country that does not have adequate protection, the data subject must have consented unambiguously to the proposed transfer: Art. 26(1)
• To be valid, this consent must be freely given, specific and informed: Art. 2(h)
• Hence, consent is rarely used as the sole criterion to justify exports of personal data on an ongoing basis: e.g. heuristic systems
• Most data controllers take the view that the proposed “export” must be disclosed to the data subject to satisfy the requirement of fairness
26. Data Subject’s rights
• Data subjects are granted a right of access – a right to obtain a copy of data concerning them provided in a commonly used electronic format.
• Data subjects have rights to have data corrected or erased
• The right, where personal data are processed by electronic means and in a structured and commonly used format, to obtain a copy of the data concerning them also in commonly used electronic format. The data subject should also be allowed to transmit those data, which they have provided, from one automated application, such as a social network, into another one.
• Data controllers should be encouraged to develop interoperable formats that enable data portability.
• These requirements are challenging in clinical contexts or in the context of Big Data.
27. In conclusion
• Consent alone will be a “brave” justification for data processing
• Articles 81 and 83 become crucial for secondary processing
• If Parliament amendments are accepted, it will be VERY difficult to justify many registry studies, retrospective studies or health technology assessments under the research derogation
• Article 83 will only be available for the processing of sensitive personal data (broadly defined) if:
• There is an exceptionally high public interest
• The research cannot be conducted in any other way
• The data is anonymised or pseudonymised to the highest technical standards
• Even if Parliament amendments are not accepted, significant work will be needed to justify many studies (particularly any study re label extensions, comparisons with competitors, health economics or retrospective studies)
29. www.axonlawyers.com
THANKS FOR YOUR ATTENTION
Erik Vollebregt
Axon Lawyers
Piet Heinkade 183
1019 HC Amsterdam
T +31 88 650 6500
F +31 88 650 6555
M +31 6 47 180 683
E erik.vollebregt@axonlawyers.com
@meddevlegal
B http://medicaldeviceslegal.com
READ MY BLOG:
http://medicaldeviceslegal.com
Editor's Notes
Parties propose the concept of one-time consent instead of re-consent to every use of their data