BMI SYSTEM interviewed Hazel Grant, an IT lawyer at Bristows LLP specialising in IT procurements and information law, to identify the issues that pharmaceutical manufacturers might face in order to comply with the UK Data Privacy Act.
1. In order to comply with the UK Data Privacy Act, what are the main challenges that healthcare manufacturers should be aware of when collecting data on HCPs/HCOs?
The main requirements are (a) transparency – i.e. healthcare companies must tell individuals how their information will be used, so this will require an updated or new privacy notice and (b) meeting a pre-condition for processing. This means that the company must justify its collection and use of personal information. There are many ways in which this can be done, but often consent is used and this is what the codes expect.
2. What information should privacy notices contain?
Privacy notices should contain the name of the company handling the information, plus the purpose for which the information will be used. This includes “any other information necessary to make the processing fair” – this is a catch all phrase which might require information on export of the data outside the EEA, or extra long retention periods, for example.
3. How useful would an IT system be that could check information on personal data to ensure the information recorded is correctly recorded: i.e. only the appropriate amount of data is recorded and the data is accurate and up-to date?
An IT system would assist in meeting other obligations under the UK’s Data Protection Act 1998 (on accuracy of information held).
4. Does the UK Data Privacy Act require that healthcare companies are responsible for archiving and deleting personal data information (HCP/HCO names, addresses, titles)?
Indirectly, yes. Under the Data Protection Act, UK companies are required to (a) keep information only for so long as is necessary and (b) handle it securely. In combination this means that companies should securely delete information once it is no longer necessary for their business use.
5. What are the requirements under the Act for ‘information security’: i.e. what actions do healthcare manufacturers have to carry out to ensure that all personal data is kept safe?
Under the UK act there are few specified requirements, as the requirements are more generic. The 7th data protection principle requires companies to take appropriate security measures to protect information and that might include organisational measures (such as training) or technical measures (such as encryption).
In the UK the regulator has required moveable data storage (e.g. laptops or data sticks) to be encrypted to industry standard. If not encrypted and then lost the regulator would expect to take enforcement action which is likely to include a fine.
6. What are the implications of the future publication of transfers of value between HCPs/ HCOs and healthcare manufacturers on a publicly available website? What should healthcare companies be made aware of? In particular, are there any issues with personal data from the UK being accessed through such websites in countries outside the EEA?
See above – the fact that the information on HCPs will be used for a new purpose (i.e. made publicly available) is the reason for the notice and the consent.
There is an additional potential issue, which is that personal data must not be exported outside the EEA without additional compliance measures being in place. Despite this being the case since 2000 (in the UK) there is a lack of clarity on what this means for information placed on a website (i.e. is this an export? Or is it only an export if someone outside the EEA accesses the data). The better view is that by placing the information on the website this enables an export and so the company uploading the information should make this clear to the individuals affected. This could form part of the consent given by the individuals (i.e. a consent to an export outside the EEA).
7. Are there any conflicts between European requirements for public disclosure (EFPIA Disclosure Code) and UK Data Privacy laws?
There are no direct conflicts – see above. However, the Code does restrict how companies should comply by forcing them down a route of obtaining consent from the affected individual HCPs. In the UK at least there would be options not to use consent (e.g. to say that the disclosure is in the legitimate interests of the healthcare company). However, due to the Code, it is likely that companies will try to use consent first.
Hazel is recognised as a data privacy expert with over 15 years’ experience of advising on UK and EU data protection law and is recommended by Chambers and Legal 500. She advises on data protection compliance strategies (including national filings and global data transfers), responses to data breaches, cloud computing, big data and data privacy litigation. Hazel is an editor of the Encyclopaedia of Data Protection and Privacy, as well as a contributor on UK data protection law to several other texts. She regularly speaks internationally on EU data privacy issues.