Processing of medical data by pharmaceutical companies

The Data Protection Authority's answers to a questionnaire on the processing of medical data by pharmaceutical companies concerning conditions under which clinical trials, safety surveys and post-market studies are allowed:

1. What is the approximate percentage of notifications made by pharmaceutical companies to the DPA:

A: Of all notifications received by the DPA, approximately 5-10% come from pharmaceutical companies.

2. Has the DPA issued opinions or guidelines on the subject?

A: Yes, the DPA has issued various public guidelines and rules. Among those are rules concerning which processing of sensitive data is subject to the DPA's authorization and in which instances such processing is subject to a duty of notification.

3. Is there a specific/simplified system of authorization foreseen when a company notifies a processing of medical data for the purpose of clinical trial? In addition can general authorizations be given "a priori" to a company for any future project (clinical trial) it would conduct?

A: Yes. We distinguish between a specific system of authorization and a simplified system of notification. In the latter, the controller can begin the processing after the DPA has confirmed that the notification has been received, but never later than 10 days after it was sent, unless the DPA has indicated otherwise.
If written consent to the processing of medical data in connection with a clinical trial is obtained from the data subjects, then it suffices to notify the DPA of the processing.
A clinical trial can, however, be subject to a specific system of authorization, e.g. if it involves processing of genetic data or if it involves access to existing health records. In the latter instance, the handling of requests follows a specific procedure prescribed by rules no. 340/2003, on the DPA's rules of procedure regarding access to medical data for retrospective medical research.
The DPA has never given a general authorization "a priori" to a company for any future project (clinical trial) it would conduct.

4. Has the DPA already faced problems linked with the transfer of medical data by pharmaceutical companies to third countries?

A: The DPA has not experienced any substantial difficulties regarding transfer of medical data by pharmaceutical companies to third countries. The DPA has, however, noticed that many data controllers are not familiar with the "safe harbor" principle, and that in some cases the data subjects are not sufficiently informed about the controller's intention to transfer the data to a third country.

5. Would the DPA consider that the processing can be based on the consent of the data subject, or are there other justifications in Icelandic legislation that could be considered to be appropriate?

A: Yes, we consider that the processing can definitely be based on the consent of the data subject. However, there may be cases when that is not appropriate, e.g. if the data subject is mentally incompetent, but that must be decided on a case-by-case basis.

6. Consent must be freely given, specific and informed. It should not present a problem if the data are collected directly from healthy volunteers. But there would be a problem if the patient is ill: would the situation of dependency towards the medicine in the DPA's opinion invalidate his consent?

A: We are of the opinion that the validity of the patient's consent depends both on the type and degree of his illness and must be decided on a case-by-case basis.

7. The EU Directive foresees other bases for processing of medical data (art. 8 §2):

- to protect the vital interests of the data subject
- for preventive medicine

8. The Directive foresees that Member States can add exceptions: is this the case in Iceland? If yes, please indicate the exceptions.

A: Yes. Article 9 of act no. 77/2000, which implements directive 95/46/EC, provides for further exceptions. Paragraph 1 point 9 reads: "The processing is necessary for the purposes of statistical or scientific research, provided that the privacy of individuals is protected by means of specific and adequate safeguards." Paragraph 3 reads: "The Data Protection Authority can permit the processing of sensitive personal data in other instances than those articulated in [Paragraphs 1 and 2] if it considers that to be of urgent public interest. The Authority issues such permits on any conditions that it deems necessary in each case in order to protect the interests of the data subjects." 

9. Very often, the "European good clinical practices" (1990) or the "International Conference of harmonization" (1997) are invoked to legitimate the processing. Does the DPA have any experience with these instruments or have you taken any position in relation to them?

A: The DPA does issue authorizations with many conditions. When laying down those conditions the DPA has sometimes taken the former instrument into consideration, e.g. when deciding the maximum time for retention of the data. The DPA has not had experience with the latter instrument.

10. Doctors play a decisive role in the collection of data for pharmaceutical companies. It may sometimes be difficult to state whether the doctor acts as a processor for the company (independently of being a controller in his relation to his patients), or if he/she acts only as a controller, who then transmits the medical data to another controller (the pharmaceutical company). Does the DPA have a position on this issue?

A: The DPA has not developed a general position on this issue. It is considered something that has to be solved on a case-by-case basis, but mainly according to how closely the doctor is involved in the decision making regarding the processing of the data.

11. Many other parties intervene in a clinical trial and consult the personal data: third companies ensuring the monitoring of the study or the processing of the database, ethical committees, etc. It is very difficult to require a detailed list of all "specialists" involved in a trial, especially when the trial is at international scale.
Is the DPA competent to request such information and to determine who could or could not get access to the medical data?

A: Yes, our DPA is competent if the processing of personal data is conducted on behalf of a controller who is established in Iceland. The same applies to processing of personal data if the controller is established in a country that is outside the European Economic Area, if he makes use of equipment and facilities situated in Iceland. It is important that the DPA can evaluate various factors which determine the legality of the processing, such as jeopardy to the data.
