Personal data protection and compliance with the European Code for Pharmaceutical Industries
by Ruth Knowles
Data protection across Europe
It has been recognised by the European Federation of Pharmaceutical Industries and Associations (EFPIA) that pharmaceutical companies wishing to comply with the European Code of Conduct may face issues with local data protection laws. The stipulation in the Code for healthcare manufacturers to publicly declare the individual names of all health care professionals (HCPs) by 2016, raises data protection issues, because HCP names and affiliations are recognised as personal data. Data protection law will therefore apply, however it is important that there is compatibility between the Code and local laws in each European country.
Throughout Europe, data protection laws set out roughly the same conditions regarding the use of personal data. In this article we take a closer look at the interaction of transparency and data protection rules in three European countries: UK, France and Germany and address what steps pharmaceutical companies need to take to ensure they remain compliant.
Data protection in the UK: Justifying the use of personal data
The 1998 UK Data Protection Act requires the ‘justification’ of the processing of personal data. This can be done in a number of ways; however the UK pharmaceutical code of conduct places heavy reliance on ‘consent’ of the individual. Consent is not a great solution, however, as, according to law it should be freely given, informed and easily revoked by individual without any detriment.
Another way of justifying the use of personal data is through what is known as ‘legitimate interest’. Although this is frequently and widely used, it is unfortunately not available throughout Europe as it can only be used in countries where national law enforces disclosure. In countries such as the UK, where self-regulation is used to regulate pharmaceutical companies, there is, however, no condition to comply with a legal obligation.
Data protection in France: where stringency is key
French law makes transparency rules very stringent and takes the level of disclosure above the required level by the EFPIA. A decree published in 2013 requires that all manufacturers and providers of healthcare services are involved in disclosure, which includes associations of healthcare professionals, hospitals, foundations, societies and non-regulated consultants. In France, all healthcare products are included in the national disclosure regulation, not just the prescription medicines defined by the EFPIA code: this includes devices, cosmetics and over-the-counter drugs.
Although in France the law requires healthcare manufacturers to tell the contractor that their details will be published, consent is not required for the publication of this information: clashes with the Code and data protection law is less of an issue therefore. The French Ministry of Health, is responsible for creating a public website where information is stored and benefits must be disclosed twice a year: on the 1st of April and the 1st of October.
In France, as in other countries across Europe, questions remain about who is responsible for disclosure for cross-border transfers of value: the French equivalent of the UK’s ABPI (the LEEM) has said that only companies established in France are subject to disclosure and when a practitioner is working in France.
Another difference between the EFPIA Code and the French national law is in the scope of transparency: the EFPIA concept of transfers of value does not fit with the French concept of ‘benefit’. In France there is a much broader definition of what constitutes a benefit – and this does not need to have a monetary value. A good example of this is an in–house private database, which would have value to the receiving party.
Data protection in Germany: overcoming issues of consent
Regarding transparency in Germany, no legal provisions have been made to date. A draft law was intimated in 2013 but legislative procedure was not finished before the end of the current election period. The German industry relies therefore on voluntary self-regulation and the Freiwillige Selbstkontrolle für die Arzneimittelindustrie e.V (FSA) is currently updating its code to fall in line with the recommendation from EFPIA.One of the main differences to the EFPIA code is that financial support for external training events should be disclosed by organisers not only at announcement of event but also when an event takes place.
German data protection law is stringent and the names and addresses of HCPs that are collected by the FSA code are protected by law. There are therefore two possibilities to deal with this according to the German data protection act: by legitimate processing or consent. Legitimate processing is not applicable, however, there is no legal requirement to collect information on HCPs: therefore it seems the only way to agree with German data law is to get prior consent, however, as with the UK data protection law, this needs to be given freely and voluntarily and should be revocable at any time.
In Germany, as we have seen in the UK, there are many open issues on this regard. What happens if the recipient was not asked for consent or if it is not given? Is a transfer of value therefore not allowed or are aggregate disclosures permitted in such cases? In case of a revocation of consent, the FSA proposes an anonymised disclosure without the individual name of a recipient mentioned.
Are there any other issues associated with disclosure?
Throughout Europe, national laws and any decrees taken by government or codes of conduct prepared by national organisations have precedence over any European codes: therefore data protection law should be taken seriously by pharmaceutical companies. Issues that need careful consideration include:
- Fair processing of data: Data protection law requires the fair processing of data, which involves being transparent to affected individuals about the disclosure of their personal data. Therefore, however the disclosure of transfers of value to individual HCP’s is justified, it will be important that individuals are informed about how the data is going to be used.
- Purpose limitation: data protection legislators like to minimise and limit the use of information. This is because of the problem of ‘big’ data’, where companies amass large bodies of data that are then used later for a different purpose. It is important for pharmaceutical companies to understand therefore that if personal data is used, the purpose for use should be clear and well set out: data cannot be used for a secondary purpose later on if this has not been clearly explained in advance.
- Retention periods: Data protection law requires that personal data must not be kept for longer than is necessary. If there is a limited period linked to a self-regulatory code this is deemed as acceptable and should be adhered to by pharmaceutical companies.
What are the next steps for pharmaceutical companies?
- Jurisdictional issues: In the UK for example, the ABPI code and the 1998 Data Protection Act need to sit side by side to ensure information on HCPs is correctly collected, stored and used. Potential issues may arise when disclosure is for individuals based outside of the UK: in this case, the UK pharmaceutical company will still need to ensure its processes are in line with the pharmaceutical regulatory code and data protection laws in the country in question.
- The challenge of freely given and informed consent: One of the biggest challenges that will face pharmaceutical companies are situations where a doctor will not agree to consent or may remove consent that has been given on a previous occasion. In the UK, data protection regulators do not like conditional consent – it is a potential issue as consent should be freely given. One solution may be to get the consent from a third party. Or, if this is not possible and disclosure cannot happen for legal reasons, an anonymised disclosure may be possible, as in Germany, or disclosure on an aggregate basis.
- Re-negotiation of contracts: Since the EFPIA regulatory Code expects consent, there should be a re-negotiation of contracts.
- Good record keeping: It will be important to have a well-developed and robust system of record keeping in place and a well-designed IT system may a helpful solution. This is critical to be able to show that consent has been given.
Updating policies and training: So that employees are aware of the data protection issues involved and how they need to inform individuals and HCOs about the use of their data. Data retention policies also need updating.
To finish this article, here is a video published this week by EFPIA about its “Disclosure code”. To view it, please click the play button on the player below.
Ruth Knowles is a freelance science writer who has written articles and press releases on a range of life science and health topics. She received her MSc in Science Communication from the University of the West of England, Bristol.