Pharma insight on digital marketing, social media, mobile apps, online video, websites and interactive healthcare tools
by Dominic Tyer
The monitoring of the safety of medicines or pharmacovigilance requires adequate data protection and companies must ensure they meet the requirements under both pharmacovigilance and data protection legislation.
To guide companies through their obligations, the Association of the British Pharmaceutical Industry (ABPI), the Pharmaceutical Information & Pharmacovigilance Association (PIPA) and pvlegal have collaborated to publish guidance to support companies and promote consistent practice.
Pharmacovigilance is primarily governed by EU legislation that was updated in 2010, transcribed into UK law and began being implemented from July 2012.
Data protection is separate and involves compliance with the relevant EU Directive (Directive 95/46/EC), which is being revised, and with the UK Data Protection Act (DPA). In the UK, the Medicines and Healthcare Products Regulatory Agency (MHRA) is the regulator responsible for monitoring pharmacovigilance. The Information Commissioners Office (ICO) is responsible for monitoring data protection.
Ensuring compliance with both regulatory regimes when conducting pharmacovigilance can be challenging. Collection and transmission of personal data by companies is required by law to monitor medicine safety. Companies must also adequately notify individuals who report side effects of what will be done with their personal data and must ensure this data is adequately protected.
The guidance sets out the key steps companies should take when collecting and entering data concerned with medicine side effects.
Receipt of safety data
Although all reported side effects are collected and analysed by companies, an identifiable patient and reporter are required for a report to be considered valid for sending to the regulators. Companies must therefore attempt to collect this data when they receive a side effect.
Companies can process this data for pharmacovigilance but patients who have experienced a side effect should also be informed of the intended use of their data. Unfortunately, this can be difficult for companies to achieve as many reports are submitted by physicians or other healthcare professionals. The guidance proposes a reminder to the reporter to inform the patient that a side effect related to them has been submitted. This is consistent with the requirements of the relevant professional guidelines, such as guidance from the Royal Pharmaceutical Society guidance and the General Medical Council.
Safety data entry and transfer of data
This section reminds companies to only process the collected data for pharmacovigilance purposes and to ensure they have appropriate measures to protect against unauthorised or unlawful processing as well as accidental loss, destruction or damage of the data. This includes requirements for appropriate arrangements with third parties and training of staff.
As part of the data entry process, companies may need to transfer data outside the UK, or outside the European Economic Area (EEA). This section clarifies in which situations this should be considered a transfer outside the UK/ EEA (such as entering data into a database hosted outside the EEA). The European Commission only considers a small number of non-EEA countries to have adequate data protection and the guidance provides an annex to guide companies on establishing adequate protection for proposed personal data transfers (and the application of an exemption to the prohibition on international personal data transfers).
Access, rectification and objection rights
It is important that companies are aware of the rights of data subjects in relation to their data. The guidance provides an annex with information for companies on what rights a patient has in relation to their data. The guidance also explains how to respond to data access requests and provides sample language to assist companies in fulfilling these. Companies can charge an optional £10 fee, they must attempt to verify the identity of the person making the request and they have 40 days to respond from the date of receipt of the request. The guidance also provides advice on what to do if an individual challenges the accuracy of the information held about them or if they object to it being processed.
Retention and redaction of personal data
Companies should only hold the data they require and should identify the minimum set of data they need to process to achieve their legal obligations in monitoring the safety of their medicines. The document gives some guidance on what these data elements might be.
The retention period for this data is at least 10 years after the marketing authorisation has ceased to exist.
Protecting personal data is of paramount importance and the guidance provides examples of good practice to ensure both electronic and hard copy documentation is kept safe.
Companies must notify ICO of their personal data processing activities yearly - failure to keep this information up to date is a criminal offence. The document provides guidance for companies on how to do this for pharmacovigilance data.
• Read: the guidance notes on UK data protection in post-marketing pharmacovigilance in full
The aims of the ABPI, PIPA and pvlegal in drafting this document were twofold, to help companies be compliant with their legal obligations for both pharmacovigilance and data protection but also to promote examples of good practice which should lead to better, more consistent protection of patients' safety data in the UK.
If you have any questions on the content of the guideline, please contact Esteban Herrero-Martinez ABPI Head of Regulatory Affairs (EHerrero-Martinez@abpi.org.uk).