TrustArc Blog

Important Privacy Shield Requirements for Pharma & Medical Companies

March 28, 2017

By Emily S. Yu, Privacy Solutions Manager, TRUSTe

The EU-US Privacy Shield framework is an approved transfer mechanism for personal data from the EU to the United States, meaning that once self-certified, companies have “adequate” protections in place when transferring personal data. Businesses involved in clinical, medical and other forms of scientific research may not be aware that there are specific requirements under Privacy Shield that apply to those fields. The requirements may create the need for additional privacy policy controls, so companies in those fields should check to ensure that all requirements are being met.

These requirements are addressed in the Supplemental Principles of Privacy Shield, which are published on the Department of Commerce’s website.

Collection and Processing Before Onward Transfer

Pursuant to Privacy Shield Supplemental Principles III Section 14.a, which discusses “Pharmaceutical and Medical Products”, EU Member State laws apply to the collection of personal data, and to any processing that takes place for pharmaceutical research and other scientific or medical purposes, prior to the data’s transfer to the United States. Anonymization of that data is also required where appropriate and where the Member State requires it. Companies will need to determine whether personal data needs to be transferred in an identifiable form, or whether the data should instead be pseudonymized or anonymized prior to transfer. Appropriate situations for anonymization include any circumstance that does not require identifiable personal information, such as using the information for historical or scientific research purposes. For more information on anonymization techniques, see the Article 29 Working Party’s Opinion 05/2014 on Anonymisation Techniques.

Additional Notice Requirements

There are several disclosures that a company will need to provide to patients prior to the collection of their personal data for scientific research purposes.

Notice should be provided to a patient prior to personal data collection if a company will use that personal data in new and future research studies. This will give the company permission to use an individual’s personal data without additional permissions if the collection of the data is consistent with its original purposes.

In general, the notice must include information regarding any future specific uses of the data, such as periodic follow-up, related studies, or marketing.

The notice provided must also explain that personal data may be used for future research that may be unanticipated but is consistent with the original research study’s purposes.

If, however, there are new research purposes that are not consistent with why the patient’s personal data were originally collected, companies would need to obtain consent for those new purposes.

It is also recommended that companies disclose to the patient that the company may still use the data even if the patient decides, or is asked, to withdraw from a clinical trial. This disclosure should also take place prior to any personal information collection; it ensures that the company retains the right to process, for its research, any personal data collected prior to the patient’s withdrawal.

Access and Notice Requirements for “Blinded” Studies

The nature of blinded studies doesn’t always permit companies to provide individuals access to their personal data. Providing information about medication or other test factors to a patient may jeopardize the results of these studies.

In order to ensure that companies that participate in Privacy Shield can also meet access requirements under these conditions, notice must be provided to patients that disclosure of this information may jeopardize the integrity of the research effort. At the conclusion of the trial and the analysis of the study’s results, participants should have the right to request access to their data. Usually, this access would be provided through their physician or treatment facility.

Transfers for Regulatory and Supervision Purposes

Pharmaceutical and medical device companies are allowed to provide personal data from clinical trials in the EU to regulators in the US. This transfer must specifically be for regulatory or supervision purposes. Similar transfers for the same purposes are also permitted to other parties, such as other company locations or other researchers, but they must be consistent with the Privacy Shield Principles, in particular Notice and Choice.

Privacy Shield Principles Not Required for Product Safety and Efficacy Monitoring Under Certain Circumstances

Under some circumstances, a pharmaceutical company may be required to file adverse event or other safety reports. Pharmaceutical companies may hold information that identifies an individual (such as gender, medical condition, age, etc.), but under these circumstances they have no direct means of obtaining consent from that individual.

Fortunately, a pharmaceutical or medical device company does not have to comply with the Privacy Shield Principles if the data is used for product safety or efficacy monitoring activities and the Principles (Notice, Choice, Accountability for Onward Transfer and/or Access) would interfere with the company’s compliance with regulatory requirements. This exception covers reports from healthcare providers to pharmaceutical and medical device companies, as well as reports by pharmaceutical and medical device companies to government agencies, such as the US Food and Drug Administration.

Key-Coded Data is Not Personal Data

Key-coded data is not considered personal data if:

  1. The research data was uniquely key-coded by the principal investigator;
  2. The key-coded data does not reveal the identity of any individuals;
  3. The sponsor pharmaceutical company does not receive the key; and
  4. The unique key is held only by the researcher so that she can identify research subjects under special circumstances only.

If all of these elements are met, then the key-coded data is not subject to the Privacy Shield Principles.

TRUSTe offers a comprehensive Privacy Shield Assessment and Verification program. To schedule a consultation and learn how Privacy Shield can help your organization, contact us.
