PIPL Compliance of Coded Clinical Trial Data
In the scenario of a clinical trial[1], when a clinical trial site provides clinical trial data to a sponsor, the site removes patients' direct identifiers (e.g., name, ID number, phone number) and replaces them with codes. There is a debate on whether such coded clinical trial data should be regulated as personal information under the Personal Information Protection Law (in Chinese "个人信息保护法") (the "PIPL"). This article aims to analyze the relevant issues and propose approaches to resolve them.
Author: SHIHUI PARTNERS | Jing Lu | Raymond Wang
Data position of relevant stakeholders under the PIPL
In the scenario of a clinical trial, there are three major stakeholders, i.e., a sponsor (i.e., a pharmaceutical company), a clinical trial site (i.e., a hospital) and a contract research organization (CRO).
Contract readiness
Due to the controller-processor relationship between the sponsor and the CRO, the PIPL requires the sponsor to sign a Data Processing Agreement with the CRO, and such agreement shall contain necessary clauses under the PIPL.
As for the Clinical Trial Agreement between the sponsor and the clinical trial site, it is also important to incorporate some data compliance clauses to clarify each party’s rights and obligations in terms of personal information processing.
Notice to data subjects
For the purpose of PIPL compliance, an informed consent form used for a clinical trial shall be revised to incorporate matters related to the following:
- Processing sensitive personal information (e.g., a patient's medical record information)
- Transfer of personal information to another data controller (assuming that the sponsor and the site are two independent data controllers)
- Cross-border transfer of personal information (if applicable)
Separate consent
In addition to obtaining a patient’s general consent on participating in a clinical trial and personal information processing, the PIPL requires a separate consent to be obtained from the patient for each of the above three items (i.e., processing sensitive personal information, transfer to another data controller, and cross-border transfer of personal information).
Personal information protection impact assessment (“PIA”)
A PIA shall be conducted prior to carrying out the following processing activities:
- Collecting, using or otherwise processing clinical trial data involving sensitive personal information such as medical record information
- Transfer of personal information from a clinical trial site (as a data controller) to a sponsor (as another data controller)
- A sponsor contracting a CRO to process personal information
- Cross-border transfer of personal information
Cross-border data transfer
Assuming that the coded clinical trial data is subject to the PIPL, the cross-border transfer of such data shall comply with relevant statutory requirements, e.g., signing a standard contract with the overseas recipient, passing the security assessment conducted by the Cyberspace Administration of China (if applicable).
How to balance "effective utilization of clinical trial data" and "reasonable protection of personal information" is a common issue faced by supervisory authorities in many jurisdictions across the world. We set forth below a brief overview of regulatory approaches taken by the EU and the US.
The EU Approach
In the EU, coded clinical trial data is a type of pseudonymized data, and therefore is subject to the EU General Data Protection Regulation (the "GDPR").
In 2019, the European Commission published a Q&A guideline[2] on how to coordinate the interplay between the EU Clinical Trial Regulation (the "CTR") and the GDPR. According to the Q&A guideline, the processing of personal information in clinical trials requires a lawful basis under the GDPR. However, this does not mean that each processing activity during a clinical trial must rely on the consent of data subjects. A data controller may choose an appropriate lawful basis depending on the specific scenario. For instance, a data controller may process the data based on necessity to comply with a statutory obligation (e.g., AE reporting or clinical trial data archiving as required under the CTR), necessity for the public interest, necessity for the legitimate interest of a data controller, or the consent of a data subject.
Although the coded clinical trial data are subject to the GDPR, the impact of the GDPR on clinical trials may not be as far-reaching as that of the PIPL, because of the following:
As compared to the PIPL, the GDPR provides more types of lawful basis. A data controller has more flexibility to process relevant data in reliance upon a lawful basis such as “necessity for the public interest” or “necessity for legitimate interest of a data controller”.
The cross-border data transfer regime under the GDPR is more flexible than that under the PIPL. The GDPR does not require government approval or review for a cross-border data transfer. Basically, a data controller can transfer the coded clinical trial data by signing the Standard Contractual Clauses under the GDPR.
Some obligations under the GDPR can be exempted in the case of processing personal information for a research purpose.
The US Approach
As compared with the EU approach, the US approach appears more flexible. The US Health Insurance Portability and Accountability Act (the "HIPAA") adopts a concept called "limited data set", which refers to a limited set of identifiable patient information remaining after the removal of direct identifiers. Under the HIPAA, a limited data set can be disclosed by one organization to another without the patient's consent, provided that the following conditions are met:
- Certain types of direct identifiers (e.g., name, address, phone number, e-mail) must be removed from the original data set.
- A data processing agreement must be signed between the disclosing party and the recipient party.
- The limited data set can only be used for a research, public health or healthcare purpose.
Research exemption
Personal information protection during a clinical trial has always been a focus of a sponsor and a clinical trial site. Relevant stakeholders in the industry have established a set of internal policies and procedures to protect personal information from the perspective of medical ethics. Even before the PIPL, there was no material data breach event related to personal information in the context of a clinical trial.
Therefore, we may borrow the concept of "limited data set" from the US HIPAA and exempt the processing of coded clinical trial data for a scientific research purpose (including clinical trials) from the PIPL. Meanwhile, in order to balance the protection of personal information rights, supervisory authorities may formulate specific guidance on how to remove direct identifiers from the original clinical trial data as well as on other security measures that should be taken (e.g., a data protection agreement).
It is worth noting that China's recommended national standard Guide for Health Data Security (GB/T 39725-2020) (the "Guide"), which came into effect on July 1, 2021, also adopted the concept of "limited data set". Under the Guide, a "limited data set" refers to a personal health data set that has been partially de-identified but can still identify individuals and hence needs to be protected. The limited data set can be used for scientific research, medical/health education and public health purposes without a data subject's consent. Unfortunately, the Guide clearly specifies that this rule does not apply to clinical trials conducted for the purpose of obtaining a product registration.
Reasonable standard for anonymization
The coded clinical trial data will not be subject to the PIPL if they are anonymized data. Therefore, it will be helpful if a reasonable standard for data anonymization can be established so that the coded data can be regulated as anonymized data. We propose two approaches to such a standard, i.e., a relative standard, or specific guidance for clinical trial data.
Relative standard
In the context of a clinical trial, the key to decode these data is in the possession of a clinical trial site, and a sponsor usually does not have sufficient technical capability to re-identify relevant patients through the coded data.
Moreover, the sponsor has no motivation to identify each individual patient when processing the coded data. Generally speaking, the sponsor cares more about the overall effect of a study drug, e.g., the overall cure rate, remission rate, instead of individual behavior of each patient.
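The following Python snippet is an added illustration of the coding step described in this article (direct identifiers stripped at the site and replaced with codes, the decoding key retained by the site, and the sponsor working only with aggregate outcomes); it is not code from the article or from any real study. The field names, the list of direct identifiers, the site identifier and the two sample patient records are all constructed for the example.

```python
"""Added example: coding (pseudonymizing) clinical trial records before they
leave a trial site. Field names, identifier list and sample records are
constructed for illustration and are not taken from the article."""
import secrets
from typing import Dict, List, Tuple

# Direct identifiers the site strips before sharing data with the sponsor.
# Assumed list: the article names name, ID number and phone number; address
# and e-mail are added here following the HIPAA limited data set description.
DIRECT_IDENTIFIERS = {"name", "id_number", "phone", "address", "email"}

# Constructed sample records as a site might hold them (not real patients).
SITE_RECORDS: List[Dict] = [
    {"name": "Patient A", "id_number": "110101199001010011", "phone": "13800000001",
     "address": "1 Example Rd", "email": "a@example.invalid",
     "age": 54, "sex": "F", "arm": "drug", "visit_1_score": 12, "visit_2_score": 5},
    {"name": "Patient B", "id_number": "110101198505050022", "phone": "13800000002",
     "address": "2 Example Rd", "email": "b@example.invalid",
     "age": 61, "sex": "M", "arm": "placebo", "visit_1_score": 11, "visit_2_score": 10},
]


def new_subject_code(site_id: str) -> str:
    """Random code: nothing in it is derived from the patient's identifiers,
    so the sponsor cannot reverse it without the site's linkage table."""
    return f"{site_id}-{secrets.token_hex(4).upper()}"


def code_records(records: List[Dict], site_id: str) -> Tuple[List[Dict], Dict[str, Dict]]:
    """Split each record into (a) the coded record sent to the sponsor and
    (b) a linkage-table entry (code -> direct identifiers) that stays at the site."""
    linkage: Dict[str, Dict] = {}
    coded: List[Dict] = []
    for rec in records:
        code = new_subject_code(site_id)
        while code in linkage:  # collisions are practically impossible, but keep codes unique
            code = new_subject_code(site_id)
        linkage[code] = {k: v for k, v in rec.items() if k in DIRECT_IDENTIFIERS}
        coded.append({"subject_code": code,
                      **{k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}})
    return coded, linkage


def leaks_direct_identifiers(coded_records: List[Dict], site_records: List[Dict]) -> List[str]:
    """Pre-transfer check: no identifier field name or value may survive in the coded set."""
    problems = []
    id_values = {str(rec[k]) for rec in site_records for k in DIRECT_IDENTIFIERS if k in rec}
    for rec in coded_records:
        for k, v in rec.items():
            if k in DIRECT_IDENTIFIERS:
                problems.append(f"{rec['subject_code']}: field {k} was not removed")
            if str(v) in id_values:
                problems.append(f"{rec['subject_code']}: value of {k} matches a direct identifier")
    return problems


def reidentify(code: str, linkage: Dict[str, Dict]):
    """Only the site, which holds the linkage table, can map a code back to a
    patient (e.g., for adverse-event follow-up). Returns None for unknown codes."""
    return linkage.get(code)


def summarise_by_arm(coded_records: List[Dict]) -> Dict[str, float]:
    """What the sponsor actually needs: mean change in score per study arm,
    computed without any individual identity."""
    totals: Dict[str, List[int]] = {}
    for rec in coded_records:
        totals.setdefault(rec["arm"], []).append(rec["visit_2_score"] - rec["visit_1_score"])
    return {arm: sum(deltas) / len(deltas) for arm, deltas in totals.items()}


if __name__ == "__main__":
    coded, linkage = code_records(SITE_RECORDS, "S01")
    print("coded records sent to sponsor:", coded)
    print("leak check:", leaks_direct_identifiers(coded, SITE_RECORDS) or "clean")
    print("site-side re-identification:", reidentify(coded[0]["subject_code"], linkage))
    print("sponsor-side summary:", summarise_by_arm(coded))
```

The design point the article relies on is visible in the split: the sponsor receives only `coded`, the site keeps `linkage`, and the code itself carries no information about the patient. A check such as `leaks_direct_identifiers` belongs in the site's export procedure so that an identifier accidentally left in a free-text or extra column is caught before transfer.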
Specific guidelines for clinical trial data
Establish an exemption rule for coded clinical trial data. Meanwhile, in order to protect data subjects' rights, supervisory authorities may further specify which direct identifiers must be removed as well as other security measures that should be taken (e.g., a data protection contract).
Establish reasonable anonymization standards for clinical trial data, such as a relative anonymization standard or specific guidelines for clinical trial data, so that the coded clinical trial data can be deemed anonymized data.
[1] In this article, we will only discuss the clinical trial conducted for the purpose of obtaining a product registration.
[2] Questions and Answers on the Interplay between the Clinical Trials Regulation and the General Data Protection Regulation.
[3] External Guidance on the Implementation of the European Medicines Agency Policy on the Publication of Clinical Data for Medicinal Products for Human Use.
Jing Lu, Partner
luj@shihuilaw.com
Jing Lu specializes in data compliance, anti-bribery compliance as well as various life sciences related transactions and collaboration projects.
Mr. Lu has abundant experience in the life sciences industry. His clients include both foreign-invested enterprises (e.g., Pfizer, Bayer, AstraZeneca, Gilead, Medtronic, Olympus) and China-based innovative companies (e.g., BeiGene, Overland Pharma, Adagene, Evaheart). Mr. Lu has advised clients on data compliance and anti-bribery compliance system readiness, assessment of compliance system effectiveness, conducting compliance due diligence for M&A deals, conducting internal investigations against employees, and representing companies in business negotiation, due diligence, contract drafting as well as legal and compliance advice in connection with various transactions and collaboration projects (e.g., product license-in deals, contract sales organization deals, broad market projects, retail collaboration projects, patient assistance programs, digital platform programs).
Before joining Shihui, Mr. Lu was a Counsel at Sidley Austin LLP, and acted as a core member of its China Life Sciences team for many years.
Raymond Wang, Partner
wangxr@shihuilaw.com
Raymond's focus is on cybersecurity and data protection, and he frequently advises leading multinational and domestic technology companies, ministries and local governments with respect to legislative and regulatory programs.
Raymond sits on the expert panel for the ICC's Data Governance Working Group and the B20 Organization Compliance Working Group. He is one of the key authors of the monographs "International Comparative Study on Personal Information Protection" and "Data Service Framework". He has published many articles, reports and translation works in the field of personal information protection, and has also taught courses on data protection and cyber law at Peking University and Tsinghua University.
He was listed as one of the 2021 ALB China Top 15 Lawyers in the TMT area by Asian Legal Business and as a "Leading Individual in data protection area" by The Legal 500. The awards he has gained also include China Top 15 Lawyers – Cybersecurity and Data Protection (Tier one) by LEGALBAND in 2019, 2020 and 2021.