Overview on Data Privacy
(Clinical Data Manager’s Perspective)
Vinayak Thorat
Clinical Data Manager
vinayak.thorat@ancillarie.com
“No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.”
- Universal Declaration of Human Rights, Art. 12
“Everyone has the right to respect for his private and family life, his home and his correspondence.”
- European Convention for the Protection of Human Rights and Fundamental Freedoms, Art. 8
“The confidentiality of records that could identify subjects should be protected, respecting the privacy and confidentiality rules in accordance with applicable regulatory requirement(s).”
- ICH Guideline for Good Clinical Practice (GCP), E6 section 2.11
Table of Contents
▸ Introduction
▸ Scope of Topic
▸ Minimum Requirements
▸ Best Practices
▸ Important Considerations
Introduction
Why is Personal Data Protection important?
• It is a universal human right
• Possible damage to the business and the image of a company
• Significant financial and individual risks for non-compliance
  – Inability to perform research
  – Substantial fines
  – Legal consequences
• Significant risks for the data subjects
  – Identity theft and fraud
  – Discrimination
Important Definitions
• Data privacy refers to the standards surrounding the protection of personal data.
• Personal data is any information that can lead to the identification, directly or indirectly, of a research subject, e.g. subject names, initials, addresses and genetic information.
What Constitutes Private or Personal Information?
EU Directive 95/46/EC (Art. 2(a)) defines personal data as “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.”
What Constitutes Private or Personal Information?
HIPAA (45 CFR 164.501) defines individually identifiable health information, the basis of protected health information, as “a subset of health information, including demographic information collected from an individual, and:
• Is created or received by a health care provider, health plan, employer, or health care clearinghouse;
• Relates to the past, present or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and
  – That identifies the individual; or
  – With respect to which there is a reasonable basis to believe the information can be used to identify the individual.”
How is privacy protection given to research subjects?
• Protocol review and approval by an Institutional Review Board (IRB) or independent ethics committee
• Right to informed consent
• Right of the subject to withdraw consent and have no further data collected
• Right to notice of disclosure
• Confidential collection and submission of data
Who is responsible?
Primarily, site management and the clinical monitoring team are responsible for subject data privacy. However, data management personnel should be acquainted with the common data privacy issues and should follow regulatory and organizational guidelines to ensure the privacy of research subjects.
Scope
We will talk about:
• A glance at regulatory guidelines
• Minimum requirements
• Best practices
• Important considerations
Minimum Requirements
• All personnel involved, directly or indirectly, in handling personally identifiable information (PII) must be trained on data privacy concepts and issues, company policy, regulatory agency policy and applicable local, state, federal and international laws.
• Data collection tools (CRFs, clinical, laboratory and genetics databases, data transfer specifications, ePRO, etc.) should capture the minimum PII needed.
• Documents accessible to the data management team should not contain any PII other than the study subject identifier.
• Company privacy policy and related SOPs should be reviewed and updated in a timely manner.
Best Practices
• Educate associated personnel about subject data privacy.
• Develop an organizational SOP for data privacy.
• Define internal and external accountability in company policies.
• An SOP for data transfer should be in place and implemented.
• All privacy considerations must be addressed and documented.
• Set up an internal function, or work with the quality assurance department, to ensure compliance with data privacy regulations.
• Maintain proper physical and electronic security measures, e.g. paper CRFs stored in a controlled-access environment; for electronic records, user authentication, access limited to approved personnel, and network protection such as firewalls.
Legislation and Regulatory Guidance
• EU Data Protection Directive 95/46/EC
• EU Clinical Trials Directive 2001/20/EC
• General Data Protection Regulation: Regulation (EU) 2016/679
EU Data Protection Directive 95/46/EC: 7 principles (summary)
• Notice: Data subjects should be given notice when their data is being collected.
• Purpose: Data should only be used for the purpose stated and not for any other purpose.
• Consent: Data should not be disclosed without the data subject’s consent.
• Security: Collected data should be kept secure from any potential abuse.
• Disclosure: Data subjects should be informed as to who is collecting their data.
• Access: Data subjects should be allowed to access their data and make corrections to any inaccurate data.
• Accountability: Data subjects should have a method available to them to hold data collectors accountable for not following the above principles.
Clinical Trials Directive (Directive 2001/20/EC)
• The Clinical Trials Directive is a European Union directive aimed at facilitating the internal market in medicinal products within the European Union while maintaining an appropriate level of protection for public health.
• It sought to simplify and harmonize the administrative provisions governing clinical trials in the European Community by establishing a clear, transparent procedure.
• Member States had to adopt and publish the laws, regulations and administrative provisions necessary to comply with the Directive by 1 May 2003, and apply them from 1 May 2004 at the latest.
• It has since been repealed by the Clinical Trials Regulation (EU) No 536/2014, which applies from 31 January 2022; protection of subject data in trials is now governed by that Regulation together with the GDPR.
The Articles of Directive 2001/20/EC
• Art. 1: Scope (the Directive does not apply to non-interventional trials)
• Art. 2: Definitions
• Art. 3: Protection of clinical trial subjects
• Art. 4: Clinical trials on minors
• Art. 5: Clinical trials on incapacitated adults not able to give informed legal consent
• Art. 6: Ethics Committee
• Art. 7: Single opinion
• Art. 8: Detailed guidance
• Art. 9: Commencement of a clinical trial
• Art. 10: Conduct of a clinical trial
• Art. 11: Exchange of information
• Art. 12: Suspension of the trial or infringements
• Art. 13: Manufacture and import of investigational medicinal products
• Art. 14: Labelling
• Art. 15: Verification of compliance of investigational medicinal products with good clinical and manufacturing practice
• Art. 16: Notification of adverse events
• Art. 17: Notification of serious adverse reactions
• Art. 18: Guidance concerning reports
• Art. 19: General provisions
• Art. 20: Adaptation to scientific and technical progress
• Art. 21: Committee procedure
• Art. 22: Application
• Art. 23: Entry into force
• Art. 24: Addressees
General Data Protection Regulation: Regulation (EU) 2016/679
• The General Data Protection Regulation (GDPR) is a regulation of the European Parliament and the Council of the European Union that strengthens and unifies data protection for individuals within the European Union (EU).
• Its primary objectives are to give individuals control over their personal data and to simplify the regulatory environment for international business.
• As a regulation it is directly applicable in every Member State without national transposition.
• It was adopted on 27 April 2016 and, after a two-year transition period, applies from 25 May 2018, when it replaced Data Protection Directive 95/46/EC.
General Data Protection Regulation: Regulation (EU) 2016/679
• The regulation applies to controllers and processors established in the EU, and also to organizations outside the EU that process personal data of data subjects in the EU in connection with offering them goods or services or monitoring their behaviour (Art. 3). A sponsor outside the EU that collects data from subjects at EU sites is therefore generally in scope.
• Consent must be freely given, specific, informed and unambiguous, and for special-category data such as health and genetic data it must be explicit (Art. 9). Data controllers must be able to demonstrate consent (opt-in), and consent may be withdrawn at any time. For a child, consent must be given or authorised by the holder of parental responsibility, and the controller must make reasonable efforts to verify this.
• A Data Protection Officer must be appointed where core activities involve large-scale processing of special-category data, which typically includes clinical data management of health and genetic data.
• A personal data breach must be notified to the supervisory authority within 72 hours of the controller becoming aware of it, unless it is unlikely to result in a risk to individuals (Art. 33).
Safe Harbor Principles (US-EU Safe Harbor Framework)
• Notice: Subjects must be informed of how their data will be collected and used.
• Choice: Subjects must be able to opt out of collection of their data and its transfer to third parties.
• Onward transfer: Any transfers of data to third parties must only be to organizations that subscribe to the principles or provide at least the same level of protection.
• Security: Reasonable precautions must be taken to protect data from loss, misuse and unauthorized access, disclosure, alteration and destruction.
• Data integrity: Data must be reliable and relevant to the purpose for which it was collected.
• Access: Subjects must be able to access information about them that is collected, and have an opportunity to have this data corrected or deleted if necessary.
• Enforcement: A mechanism must be in place to effectively and consistently enforce these rules.
Note: the Safe Harbor decision was invalidated by the Court of Justice of the EU on 6 October 2015 (Schrems). Its successor, the EU-US Privacy Shield (2016), was invalidated in July 2020 (Schrems II); EU-US transfers now rely on the EU-US Data Privacy Framework (adopted July 2023), standard contractual clauses or another GDPR Chapter V mechanism. The principles above remain a useful checklist, not a legal basis for transfer.
Important Considerations
Clinical data managers should ensure that access to data is restricted to qualified and approved personnel.
Central Committees
• Reports to, and meetings with, various committees (e.g. data monitoring committees) may require presentation of some study data in the form of database reports or original or copied source data.
• In all cases, personal subject identifiers should be removed before data is presented to the committee, and in some cases study identifiers may need to be added in their place.
• Because such committees are independent of the study team, the data released to them must be anonymised or pseudonymised, and the release checked for residual identifiers.
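Added example (not from the deck) of what “remove personal identifiers, add study identifiers” looks like in practice: a Python routine that drops direct-identifier columns from a constructed data-management extract, replaces the site-assigned subject number with a keyed pseudonym (HMAC-SHA256 under a key that stays with data management), replaces the birth date with an age band, and runs a release gate for residual identifier columns. The column names, sample rows and key are assumptions for illustration.

```python
import csv
import hashlib
import hmac
import io

# Constructed data-management extract as it might be pulled for a committee
# pack.  Column names and values are assumptions for illustration.
EXTRACT_CSV = """SUBJID,SITEID,INITIALS,BRTHDTC,SEX,AETERM,AESER
1001-0001,1001,JMD,1961-04-12,M,HYPOGLYCAEMIA,Y
1001-0002,1001,AKP,1973-11-30,F,HEADACHE,N
1002-0001,1002,RLS,1958-02-03,F,NAUSEA,N
"""

# Direct identifiers that must never reach the committee.  Initials and a full
# birth date identify a person; an age band is enough for a safety review.
DIRECT_IDENTIFIERS = {"INITIALS", "BRTHDTC"}


def study_identifier(subjid: str, key: bytes, length: int = 8) -> str:
    """Keyed, non-reversible study identifier for one subject.

    HMAC-SHA256 rather than a plain hash: anyone holding the site's list of
    subject numbers could otherwise recompute the mapping.  The key stays with
    data management, so the committee sees a stable identifier per subject
    (same subject, same identifier across reports) but cannot link it back.
    """
    tag = hmac.new(key, subjid.encode("utf-8"), hashlib.sha256).hexdigest()
    return "S-" + tag[:length].upper()


def age_band(birth_date_iso: str, reference_year: int) -> str:
    """Ten-year band (e.g. '50-59') computed from an ISO birth date."""
    age = reference_year - int(birth_date_iso[:4])
    low = (age // 10) * 10
    return f"{low}-{low + 9}"


def prepare_committee_extract(raw_csv: str, key: bytes, reference_year: int = 2017) -> list[dict]:
    """Drop direct identifiers, replace SUBJID with the study identifier, add an age band."""
    out = []
    for row in csv.DictReader(io.StringIO(raw_csv)):
        rec = {k: v for k, v in row.items() if k not in DIRECT_IDENTIFIERS}
        rec["SUBJID"] = study_identifier(row["SUBJID"], key)
        rec["AGEBAND"] = age_band(row["BRTHDTC"], reference_year)
        out.append(rec)
    return out


def residual_identifiers(records: list[dict]) -> set[str]:
    """Release gate: direct-identifier columns still present in the prepared extract."""
    cols = set()
    for rec in records:
        cols.update(rec.keys())
    return cols & DIRECT_IDENTIFIERS


if __name__ == "__main__":
    key = b"assumed-per-study-key-held-by-data-management"  # assumption; never shipped with the report
    extract = prepare_committee_extract(EXTRACT_CSV, key)
    assert not residual_identifiers(extract)
    for rec in extract:
        print(rec)
```

The gate is column-level only: it does not judge whether the remaining quasi-identifiers (site, sex, age band, a rare adverse event) could still single out a subject at a small site, so the committee pack still needs a human review against the study's anonymisation SOP.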
Data Collection
• Data collection instruments should be designed so that only the study subject identifier is captured; this must be anticipated when designing the CRF, clinical database, laboratory database, data transfer specifications, etc.
• Subject genomic data should be handled with the utmost care, which includes:
  – Storage of this data on completely independent servers and in separate physical locations
  – Independent, qualified resources
  – Detailed and specific SOPs dedicated to the processing and use of this data
• Different data collection methodologies may require different considerations, e.g. paper-based studies require SOPs for redaction of personal identifiers and for handling, transfer and storage of documents.
Data Transfers
• A data transfer specification document should be produced before any data transfer.
• The data transfer process should be tested exhaustively to ensure that the transferred information cannot jeopardize data privacy (e.g. a vendor file carrying columns that were not in the specification).
• Each planned transfer should be reviewed to ensure that all transferred data matches the database.
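As an added example of the pre-transfer testing these points call for (not the deck's own code), here is a Python check that validates a vendor laboratory file against a data transfer specification before it is loaded, rejects columns the specification does not allow, flags values that do not match the agreed formats, and produces a row count and file hash for reconciliation against the database afterwards. The specification, the forbidden-column list and the two sample files are constructed for illustration and are assumptions; a real specification is agreed with the vendor, as the vendor management points later in the deck require.

```python
import csv
import hashlib
import io
import re

# Constructed transfer specification (assumption: agreed with the vendor before
# the first transfer).  Only these columns may appear and each value must match
# its pattern.  SUBJID is the study-assigned number, the only subject key allowed.
TRANSFER_SPEC = {
    "STUDYID":  r"^ABC-123$",
    "SITEID":   r"^\d{4}$",
    "SUBJID":   r"^\d{4}-\d{4}$",
    "VISIT":    r"^(?:SCR|BL|W\d{1,2}|EOS)$",
    "LBTEST":   r"^[A-Z0-9 ]{1,40}$",
    "LBORRES":  r"^-?\d+(?:\.\d+)?$",
    "LBORRESU": r"^[A-Za-z/%]{1,20}$",
    "LBDTC":    r"^\d{4}-\d{2}-\d{2}$",   # sample collection date, never a birth date
}

# Columns a laboratory system commonly carries that must not cross into data management.
FORBIDDEN_COLUMNS = {"PATIENT_NAME", "DOB", "SSN", "MRN", "ADDRESS", "PHONE", "EMAIL", "INITIALS"}

# Constructed sample files.  The first follows the specification; the second is
# what a misconfigured vendor export looks like (patient name and birth date added).
GOOD_FILE = """STUDYID,SITEID,SUBJID,VISIT,LBTEST,LBORRES,LBORRESU,LBDTC
ABC-123,1001,1001-0001,BL,GLUCOSE,2.9,mmol/L,2017-01-10
ABC-123,1001,1001-0001,W4,GLUCOSE,5.1,mmol/L,2017-02-07
ABC-123,1002,1002-0001,BL,HBA1C,7.8,%,2017-01-12
"""
BAD_FILE = """STUDYID,SITEID,SUBJID,PATIENT_NAME,DOB,VISIT,LBTEST,LBORRES,LBORRESU,LBDTC
ABC-123,1001,1001-0001,Mike Doe,1961-04-12,BL,GLUCOSE,2.9,mmol/L,2017-01-10
"""


def validate_transfer(csv_text: str) -> dict:
    """Check one transfer file against the specification.

    Returns ok/errors plus a manifest (row count, subject count, SHA-256 of the
    file as received) that is reconciled against the database after loading.
    Any error blocks the load; a forbidden column is also a privacy deviation
    to raise with the vendor.
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    cols = list(reader.fieldnames or [])
    errors = []

    pii = sorted(set(cols) & FORBIDDEN_COLUMNS)
    if pii:
        errors.append(f"forbidden PII columns present: {pii}")
    unexpected = [c for c in cols if c not in TRANSFER_SPEC and c not in FORBIDDEN_COLUMNS]
    if unexpected:
        errors.append(f"columns not in transfer specification: {unexpected}")
    missing = [c for c in TRANSFER_SPEC if c not in cols]
    if missing:
        errors.append(f"specification columns missing: {missing}")

    patterns = {c: re.compile(p) for c, p in TRANSFER_SPEC.items() if c in cols}
    rows, subjects = 0, set()
    for lineno, row in enumerate(reader, start=2):      # line 1 is the header
        rows += 1
        for col, rx in patterns.items():
            if not rx.match(row[col] or ""):
                errors.append(f"line {lineno}: {col}={row[col]!r} does not match specification")
        if "SUBJID" in row:
            subjects.add(row["SUBJID"])

    manifest = {
        "rows": rows,
        "subjects": len(subjects),
        "sha256": hashlib.sha256(csv_text.encode("utf-8")).hexdigest(),
    }
    return {"ok": not errors, "errors": errors, "manifest": manifest}


if __name__ == "__main__":
    for name, text in (("GOOD_FILE", GOOD_FILE), ("BAD_FILE", BAD_FILE)):
        result = validate_transfer(text)
        print(name, "OK" if result["ok"] else "REJECTED", result["errors"], result["manifest"])
```

The value patterns matter as much as the column allow-list: a file with the right headers can still carry initials or a birth date in a column that is supposed to hold a subject number or a collection date, which is why every column is checked against its agreed format rather than just its name.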
Computer and Network Security
• Any lapse in computer or network security may jeopardize the integrity of the database, and therefore data privacy.
• The organization's information technology personnel develop SOPs for computer and network security.
• Data managers have a responsibility to use systems appropriately and responsibly.
Vendor Management & Lab Data Management
• Different standards should apply depending on the level of access.
• Vendors with access to the clinical database should meet international standards.
• Vendor facility audits should be conducted to ensure facility compliance, and data transfer and reporting specifications should comply with the respective regulatory guidelines.
• Personal identifiers should be redacted, and vendor data should not contain any subject-specific information, before submission to data management; e.g. a free-text remark such as “Mr. Mike became unconscious due to hypoglycemia” must not arrive with the name in it.
• If the data management team observes any deviation from or violation of the privacy policy, it should be raised with the appropriate internal or external clinical site management team for corrective and preventive action, or handled as per the organization's SOPs/policies.
Redaction (Editing Before Presenting) of Personal Data
• Redaction is the act of appropriately editing text in a document before releasing it to other personnel or departments, e.g. “Mr. Mike became unconscious due to hypoglycemia” is changed to “Subject became unconscious due to hypoglycemia”.
• Organizations should have SOPs for redaction of personal data.
• Primary responsibility for redaction of personal data lies with the site or the monitor; however, data managers should be mindful while performing data management activities, identify residual data privacy issues and have them rectified.
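Added example (not the deck's own code, and not a substitute for site-side redaction) covering both the vendor data point above and this redaction point: a rule-based Python scan of free-text CRF fields that replaces names carrying an honorific, e-mail addresses, phone numbers, birth dates and hospital numbers with placeholders, and produces a per-record deviation list for data management to raise with the site. The patterns and the sample records are constructed for illustration and are assumptions; the deck's own example sentence is included among them. A generic “[NAME]” placeholder is used rather than “Subject”, because an honorific-plus-name in an AE narrative may equally be an investigator.

```python
import re

# Constructed, rule-based patterns for identifiers that turn up in free-text CRF
# fields (AE narratives, comments, lab remarks).  Each entry: label, regex,
# replacement.  Tune to the study's language; these are assumptions.
HONORIFIC = r"(?:Mr|Mrs|Ms|Miss|Dr|Prof)\.?"
RULES = [
    ("name",  re.compile(rf"\b{HONORIFIC}\s+[A-Z][a-z]+(?:\s+[A-Z][a-z]+)*"), "[NAME]"),
    ("email", re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"), "[EMAIL]"),
    # ten or more digits, so a study subject number such as 1001-0002 is left alone
    ("phone", re.compile(r"\b\+?(?:\d[\s-]?){9,}\d\b"), "[PHONE]"),
    ("dob",   re.compile(r"\b(?:DOB|born|date of birth)\s*[:.]?\s*\d{1,2}[/.-]\d{1,2}[/.-]\d{2,4}", re.I), "[DOB]"),
    ("mrn",   re.compile(r"\b(?:MRN|hospital no\.?|patient no\.?)\s*[:#]?\s*[A-Z0-9-]{4,}", re.I), "[MRN]"),
]


def redact(text: str) -> tuple[str, list[dict]]:
    """Replace matched identifiers with placeholders; return the new text and what was found."""
    findings = []
    for label, rx, repl in RULES:
        for m in rx.finditer(text):
            findings.append({"type": label, "text": m.group(0)})
        text = rx.sub(repl, text)
    return text, findings


# Constructed sample records as they might arrive from a site or vendor.
SAMPLE_RECORDS = [
    {"SUBJID": "1001-0001", "FIELD": "AE_COMMENT",
     "TEXT": "Mr. Mike became unconscious due to hypoglycemia."},
    {"SUBJID": "1001-0002", "FIELD": "CM_COMMENT",
     "TEXT": "Subject 1001-0002 (Mrs Ann Parker, DOB 30/11/1973) reported headache; "
             "site to call 020 7946 0123 if it recurs."},
    {"SUBJID": "1002-0001", "FIELD": "LB_REMARK",
     "TEXT": "Sample haemolysed, repeat at visit W4."},
]


def scan_records(records: list[dict]) -> tuple[list[dict], list[dict]]:
    """Redact every record and list the deviations to raise with the site."""
    cleaned, deviations = [], []
    for rec in records:
        text, findings = redact(rec["TEXT"])
        cleaned.append({**rec, "TEXT": text})
        if findings:
            deviations.append({
                "SUBJID": rec["SUBJID"],
                "FIELD": rec["FIELD"],
                "types": sorted({f["type"] for f in findings}),
            })
    return cleaned, deviations


if __name__ == "__main__":
    cleaned, deviations = scan_records(SAMPLE_RECORDS)
    for rec in cleaned:
        print(rec["SUBJID"], rec["FIELD"], rec["TEXT"])
    print("deviations to raise:", deviations)
```

Rule-based matching only catches what the patterns describe: a bare first name without an honorific, or a date written in words, passes through. The findings list therefore supports the data manager's review and the deviation report to the site, rather than replacing either.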
Global studies should adhere to the most restrictive regulations of the countries involved.
References
• International Conference on Harmonisation. ICH Harmonised Tripartite Guideline for Good Clinical Practice E6. 2nd ed. London: Brookwood Medical Publications; 1996.
• European Parliament and Council of the European Union. Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. 1995. Available at: http://ec.europa.eu/justice_home/fsj/privacy/law/index_en.htm. Accessed November 10, 2008.
• European Parliament and Council of the European Union. Directive 2001/20/EC of the European Parliament and of the Council of 4 April 2001 on the approximation of the laws, regulations and administrative provisions of the Member States relating to the implementation of good clinical practice in the conduct of clinical trials on medicinal products for human use. 2001. Available at: http://ec.europa.eu/enterprise/pharmaceuticals/eudralex/vol1_en.htm. Accessed November 10, 2008.
• Antokol J. Protecting Personal Data in Global Clinical Research. The Monitor. 2008;22:57–60.
• Code of Federal Regulations, Title 45, Part 164.501, Uses and disclosures for which consent, an authorization, or opportunity to agree or object is not required. Washington, DC: US Government Printing Office; 2002. Available at: http://www.access.gpo.gov/nara/cfr/waisidx_02/45cfr164_02.html. Accessed November 10, 2008.
Thank you!
Visit us at www.ancillarie.com
copyright © ancillarie 001-31JAN2017

More Related Content

PPTX
Data Privacy: What you need to know about privacy, from compliance to ethics
PPTX
Data protection and privacy
PDF
Privacy and Data Security
PPS
Introduction to Data Protection and Information Security
PPTX
Data protection ppt
PPTX
DATA-PRIVACY-ACT.pptx
PPTX
Privacy & Data Protection
PDF
Data Protection and Privacy
Data Privacy: What you need to know about privacy, from compliance to ethics
Data protection and privacy
Privacy and Data Security
Introduction to Data Protection and Information Security
Data protection ppt
DATA-PRIVACY-ACT.pptx
Privacy & Data Protection
Data Protection and Privacy

What's hot (20)

PPTX
Presentation on Information Privacy
PPTX
Data Security - English
PDF
GDPR for Dummies
PDF
GDPR Basics - General Data Protection Regulation
PPTX
Data Privacy Introduction
PPTX
Data Privacy and Protection Presentation
PPTX
Gdpr presentation
PPTX
Unit 6 Privacy and Data Protection 8 hr
PPT
Personal privacy and computer technologies
PDF
Data & Privacy: Striking the Right Balance - Jonny Leroy
PDF
GDPR Overview
PPTX
General Data Protection Regulation (GDPR)
PPTX
Information classification
PPT
“Privacy Today” Slide Presentation
PPTX
Presentation on GDPR
PPTX
Introduction to GDPR
PDF
Privacy-ready Data Protection Program Implementation
PPTX
what is data security full ppt
PPTX
GDPR Presentation slides
PDF
Privacy & Data Protection in the Digital World
Presentation on Information Privacy
Data Security - English
GDPR for Dummies
GDPR Basics - General Data Protection Regulation
Data Privacy Introduction
Data Privacy and Protection Presentation
Gdpr presentation
Unit 6 Privacy and Data Protection 8 hr
Personal privacy and computer technologies
Data & Privacy: Striking the Right Balance - Jonny Leroy
GDPR Overview
General Data Protection Regulation (GDPR)
Information classification
“Privacy Today” Slide Presentation
Presentation on GDPR
Introduction to GDPR
Privacy-ready Data Protection Program Implementation
what is data security full ppt
GDPR Presentation slides
Privacy & Data Protection in the Digital World
Ad

Viewers also liked (20)

PDF
Data management plan (important components and best practices) final v 1.0
PDF
Security, Privacy Data Protection and Perspectives to Counter Cybercrime 0409...
PDF
Security and Privacy on the Web in 2015
PDF
Overview of Information Security & Privacy (August 10, 2016)
PDF
HotPotatoes Presentation
PDF
Data privacy and digital strategy
PPTX
Présentation : Edward Snowden
PPTX
Ich gcp
PPTX
Online Privacy and Security
PDF
Cyber Bullying
PPTX
How to create edit checks in medidata rave painlessly
PPTX
Database security
PPTX
Snowden slides
PDF
SureSkills GDPR - Discover the Smart Solution
PPTX
DICOM Structure Basics
PPTX
Clinical research and clinical data management - Ikya Global
PPTX
Clinical Data Management: Strategies for unregulated data
PDF
Flexible Study Design in Oracle Clinical and Remote Data Capture 4.6
PPTX
Protocol Understanding_ Clinical Data Management_KatalystHLS
PPT
india elections
Data management plan (important components and best practices) final v 1.0
Security, Privacy Data Protection and Perspectives to Counter Cybercrime 0409...
Security and Privacy on the Web in 2015
Overview of Information Security & Privacy (August 10, 2016)
HotPotatoes Presentation
Data privacy and digital strategy
Présentation : Edward Snowden
Ich gcp
Online Privacy and Security
Cyber Bullying
How to create edit checks in medidata rave painlessly
Database security
Snowden slides
SureSkills GDPR - Discover the Smart Solution
DICOM Structure Basics
Clinical research and clinical data management - Ikya Global
Clinical Data Management: Strategies for unregulated data
Flexible Study Design in Oracle Clinical and Remote Data Capture 4.6
Protocol Understanding_ Clinical Data Management_KatalystHLS
india elections
Ad

Similar to Overview on data privacy (20)

PPTX
Critical regulations governing data privacy and data protection 20 dec2018
PPTX
Governance And Data Protection In The Health Sector - Billy Hawkes
PPTX
Presentation gdpr ahti
PPTX
Seminar General Data Protection Regulation
PPTX
EU Medical Device Clinical Research under the General Data Protection Regulation
PPTX
Medical device data protection and security
PPTX
Pdpa presentation
PPTX
Data protection and data integrity
PPTX
Data Protection & Data Security in Clinical Trials
PPTX
Technology, policy, privacy and freedom
PPT
Merit Event - Understanding and Managing Data Protection
PPTX
GDPR and eHealth for the pharma industry (VFenR presentation)
PPTX
Protection of patient data in EU vs. US
PPTX
Paperless Lab Academy 'legal aspects of big data analytics'
PPTX
PLA Legal aspects of Big Data analytics final
PPTX
Hacking Health Camp Strasbourg health data & data protection in the Netherlands
PDF
DPOs in the public sector, May 2018, London
PDF
DPOs in the public sector, May 2018, Birmingham
PPTX
Chapter 08 – Data Protection, Privacy and Freedom of Information - BIT IT5104
PDF
GDPR for public sector DPO's, April 2018, Nottingham
Critical regulations governing data privacy and data protection 20 dec2018
Governance And Data Protection In The Health Sector - Billy Hawkes
Presentation gdpr ahti
Seminar General Data Protection Regulation
EU Medical Device Clinical Research under the General Data Protection Regulation
Medical device data protection and security
Pdpa presentation
Data protection and data integrity
Data Protection & Data Security in Clinical Trials
Technology, policy, privacy and freedom
Merit Event - Understanding and Managing Data Protection
GDPR and eHealth for the pharma industry (VFenR presentation)
Protection of patient data in EU vs. US
Paperless Lab Academy 'legal aspects of big data analytics'
PLA Legal aspects of Big Data analytics final
Hacking Health Camp Strasbourg health data & data protection in the Netherlands
DPOs in the public sector, May 2018, London
DPOs in the public sector, May 2018, Birmingham
Chapter 08 – Data Protection, Privacy and Freedom of Information - BIT IT5104
GDPR for public sector DPO's, April 2018, Nottingham

Recently uploaded (20)

PPTX
Medical Legal issues in Psychiatry Final.pptx
PDF
Liver Cirrhosis: Causes, Symptoms, Stages & Expert Treatment in Pune
PPTX
INTRODUCTION TO BIOLOGY AND THE BRANCHES OF BIOLOGY
PDF
CSF rhinorrhea its cause management .pptx
PPTX
Case report session Apendisitis Akut people.pptx
PPTX
Emotional Well Being & Conflict Resolution_VKV.pptx
PPTX
Oncological Emergencies in hospital setting
PPTX
Maternal and child health. The normal new born.pptx
PPTX
MONOCHORIONIC TWIN PREGNANCY detailed.pptx
PPTX
Head Spine trauma assesment and managementATLS Final.pptx
PPT
NIPT panel discussion HHI 09.12.2017 modified.ppt
DOCX
Advanced Nursing Procedures.....realted to advance nursing practice M.Sc. 1st...
PPTX
health care concerns.pptx by hemant kumari
PPTX
4. Musculoskeletal X ray For health student
PDF
CASE PRESENTATION1.pdf bipolar disorder in which both mania and depression h...
PDF
Key Updates for Pulmonary Tuberculosis Multiple Drug Resistance
PPTX
Biomechanical preparation in primary teeth – Instrumentation and seminar 5 (2...
PDF
Dental Implants Review : A detailed Review
PPT
NEPHROTIC SYNDROME POWER POINT PRESENTATION
PPTX
Single Visit Endodontics.pptx root canal treatment in one visit
Medical Legal issues in Psychiatry Final.pptx
Liver Cirrhosis: Causes, Symptoms, Stages & Expert Treatment in Pune
INTRODUCTION TO BIOLOGY AND THE BRANCHES OF BIOLOGY
CSF rhinorrhea its cause management .pptx
Case report session Apendisitis Akut people.pptx
Emotional Well Being & Conflict Resolution_VKV.pptx
Oncological Emergencies in hospital setting
Maternal and child health. The normal new born.pptx
MONOCHORIONIC TWIN PREGNANCY detailed.pptx
Head Spine trauma assesment and managementATLS Final.pptx
NIPT panel discussion HHI 09.12.2017 modified.ppt
Advanced Nursing Procedures.....realted to advance nursing practice M.Sc. 1st...
health care concerns.pptx by hemant kumari
4. Musculoskeletal X ray For health student
CASE PRESENTATION1.pdf bipolar disorder in which both mania and depression h...
Key Updates for Pulmonary Tuberculosis Multiple Drug Resistance
Biomechanical preparation in primary teeth – Instrumentation and seminar 5 (2...
Dental Implants Review : A detailed Review
NEPHROTIC SYNDROME POWER POINT PRESENTATION
Single Visit Endodontics.pptx root canal treatment in one visit

Overview on data privacy

  • 1. Overview on Data Privacy (Clinical Data Manager’s Perspective) Vinayak Thorat Clinical Data Manager [email protected]
  • 2. “No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honor and reputation. Everyone has the right to the protection of the law against such interference or attacks. - Universal Declaration of Human Rights – Art. 12
  • 3. “Everyone has the right to respect for his private and family life, his home and his correspondence. -European Convention for the Protection of Human Rights and Fundamental freedoms
  • 4. “The confidentiality of records that could identify subjects should be protected, respecting the privacy and confidentiality rules in accordance with applicable regulatory requirement(s). -ICH Guideline for Good Clinical Practice (GCP)
  • 5. TOC ▸Introduction ▸Scope of Topic ▸Minimum Standards ▸Best Practices ▸Important Considerations 5
  • 6. Introduction Why is Personal Data Protection important? 6
  • 7. Introduction Why is Personal Data Protection important? • It is an Universal Human Right • Possible damages to the business and the image of a company • Important financial & individual risks for non- compliance  Inability to perform research  Important fines  Legal consequences • Important risks for the data subjects  Identity theft and Fraud  Discrimination 7
  • 8. • Data privacy refers to the standards surrounding protection of personal data. • Personal data can be defined as any information that can lead to identification, either directly or indirectly, of a research subject; e.g. Subject names, initials, addresses, and genetic information. Important Definitions 8
  • 9. What Constitutes Private or Personal Information? According to EU Directive 95/46/EC, Private of personal information means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.” 9
  • 10. What Constitutes Private or Personal Information? Per HIPAA: 45 CFR Section 164.501: “Private or Personal Information that is a subset of health information, including demographic information collected from an individual and: • Is created or received by a health care provider, health plan, employer, or health care clearing house; • Relates to the past, present or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and  That identifies the individual; or  With respect to which there is a reasonable basis to believe the information can be used to identify the individual.” 10
  • 11. How privacy protection gave to research subjects ? • Protocol review and approval by an Institutional Review Board (IRB) • Right to informed consent • Right of the subject to withdraw consent and have no further data collected • Right to notice of disclosure • Confidential collection and submission of data 11
  • 12. Who are responsible? Primarily Site management or clinical monitoring team are responsible for subject data privacy; However, Data Management Personnel should be acquainted with common issues related to data privacy and should follow regulatory and organizational guidelines to ensure the privacy of research subjects. 12
  • 13. SCOPE Important Considerations Minimum Requirements Glance on Regulatory Guidelines We will talk about!!! 13 Best Practices
  • 14. Minimum Requirements • All personnel involved in handling (directly or indirectly) of Personal identifiable information (PII) must be trained on data privacy concepts & issues; company policy; regulatory agency policy and applicable local, state, federal, and international laws. • Data collection tools should capture minimum PII; e.g. CRF, clinical, laboratory, genetics database, data transfer specifications, ePRO etc. • Documents which are accessible to data management team should not content PII except subject identifier. • Timely review and updates of company privacy policy/ related SOPs. 14
  • 15. Best Practices • Educate associated personnel regarding subject data privacy • Develop organization SOP for data privacy • Define internal and external accountability in the company policies • SOP should be present and implemented for data transfer. • All privacy considerations must be addressed and documented. • Setup internally or tie up with quality assurance department to ensure compliance with data privacy regulations. • Maintain proper physical and electronic security measures. e.g.: Storage of Paper CRFs should be stored in regulated access environment; for electronic records password authentication and firewall security must be present. 15
  • 16. Legislation and Regulatory Guidance • EU Data Protection Directive 95/46/EC • EU Data Protection Directive 2001/20/EC • General Data Protection Regulation: Regulation (EU) 2016/679 16
  • 17. EU Data Protection Directive 95/46/EC- 7 Principles • Notice: Data subjects should be given notice when their data is being collected; • Purpose: Data should only be used for the purpose stated and not for any other purposes; • Consent: Data should not be disclosed without the data subject’s consent; • Security: Collected data should be kept secure from any potential abuses; • Disclosure: Data subjects should be informed as to who is collecting their data; • Access: Data subjects should be allowed to access their data and make corrections to any inaccurate data; and • Accountability: Data subjects should have a method available to them to hold data collectors accountable for not following the above principles 17
  • 18. Clinical Trials Directive (Directive 2001/20/EC) • The Clinical Trials Directive is a European Union directive that aimed at facilitating the internal market in medicinal products within the European Union, while at the same time maintaining an appropriate level of protection for public health. • It seeks to simplify and harmonize the administrative provisions governing clinical trials in the European Community, by establishing a clear, transparent procedure. • The Member States of the European Union had adopted and publish by 1 May 2003 the laws, regulations and administrative provisions necessary to comply with this Directive. • The Member States had applied these provisions at the latest with effect from 1 May 2004. 18
  • 19. The Articles of the Directive 2001/20/EC • Scope (Directive does not apply to non-interventional trials). • Definitions • Protection of clinical trial subjects • Clinical trials on minors • Clinical trials on incapacitated adults not able to give informed legal • Ethics Committee • Single opinion • Detailed guidance • Commencement of a clinical trial • Conduct of a clinical trial • Exchange of information • Suspension of the trial or infringements • Manufacture and import of investigational medicinal products • Labelling • Verification of compliance of investigational medicinal products with good clinical and manufacturing practice • Notification of adverse events • Notification of serious adverse reactions • Guidance concerning reports • General provisions • Adaptation to scientific and technical progress • Committee procedure • Application • Entry into force • Addressees 19
  • 20. General Data Protection Regulation: Regulation (EU) 2016/679 • The General Data Protection Regulation (GDPR) is a regulation by which the European Parliament, the European Council and the European Commission intend to strengthen and unify data protection for individuals within the European Union (EU). • The primary objectives of the GDPR are to give citizens back the control of their personal data and to simplify the regulatory environment for international business. • When the GDPR takes effect it will replace the data protection directive (officially Directive 95/46/EC) from 1995. • The regulation was adopted on 27 April 2016; It enters into application 25 May 2018 after a two-year transition period. 20
  • 21. General Data Protection Regulation: Regulation (EU) 2016/679 • The regulation applies if the data controller or processor (organization) or the data subject (person) is based in the EU therefore, regulation also applies to organizations based outside the European Union if they process personal data of EU residents. • Valid consent must be explicit for data collected and purposes data used. Consent for children must be given by child’s parent or custodian, and verifiable. Data controllers must be able to prove "consent" (opt-in) and consent may be withdrawn. • Data Protection Officers are to ensure compliance within organizations. • Any incident related to data breach, is mandatory to notify the Supervisory Authority within 72 hours from the data breach. 21
Safe Harbor Principles
• Notice: Subjects must be informed of how their data will be collected and used.
• Choice: Subjects must be able to opt out of collection of their data and its transfer to third parties.
• Data transfers: Any transfers of data to third parties must only be to other organizations that have rigorous data-protection policies.
• Security: All reasonable efforts must be made to prevent the loss of any data collected.
• Data integrity: Data must be reliable and relevant to the purpose for which it was collected.
• Access: Subjects must be able to access information about them that is collected, and have an opportunity to have this data corrected or deleted if necessary.
• Enforcement: A mechanism must be in place to effectively and consistently enforce these rules.
22
Important Considerations
• Clinical data managers should ensure that access to data is restricted to qualified and approved personnel.
23
Important Considerations
Central Committees
• Reports to and meetings with various committees may necessitate presentation of some study data in the form of reports from the database, or original or copies of source data.
• In all cases, personal subject identifiers should be removed prior to presentation of data to the committee, and in some cases study identifiers may need to be added.
• An independent committee should be in place to ensure data anonymity.
24
Important Considerations
Data Collection
• Data collection instruments should be designed with subject identifiers in mind; these can be anticipated while designing the CRF, clinical database, laboratory database, data transfer specifications, etc.
• Subject genomic data should be handled with utmost care, which includes:
 Storage of this data on completely independent data servers and in separate physical locations
 Independent qualified resources
 Detailed and specific SOPs dedicated to the processing and use of this data
• Different data collection methodologies may require different considerations: e.g. for paper-based studies, SOPs for redaction of personal identifiers and for handling, transfer and storage of documents are required.
25
Important Considerations
Data Transfers
• A data transfer specification document should be produced prior to data transfer.
• The data transfer process should be exhaustively tested to ensure the transferred information cannot jeopardize data privacy.
• The planned data transfer should be reviewed to ensure all transferred data matches the database.
Computer and Network Security
• Any lapse in computer or network security may jeopardize the integrity of the database and, therefore, data privacy.
• The organization’s information technology personnel develop SOPs for computer and network security.
• Data managers have a responsibility to use systems appropriately and responsibly.
26
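The three transfer checks above (transfer specification, privacy test, match against the database) as an added example; this is not code from the original slides. The specification columns, the forbidden-identifier list and the CSV rows are constructed for illustration.

```python
import csv
import hashlib
import io

# Constructed data transfer specification for a hypothetical lab transfer:
# the only columns the vendor may send.
TRANSFER_SPEC = ["STUDYID", "SUBJID", "VISIT", "LBTEST", "LBORRES"]
# Direct identifiers that must never appear, whatever the spec says.
FORBIDDEN = {"SUBJNAME", "INITIALS", "DOB", "ADDRESS", "PHONE"}

# Constructed sample data: the database extract the transfer must match ...
SOURCE_CSV = """STUDYID,SUBJID,VISIT,LBTEST,LBORRES
ST01,0042,V1,GLUC,3.1
ST01,0042,V2,GLUC,4.8
"""
# ... a compliant vendor transfer ...
GOOD_TRANSFER = SOURCE_CSV
# ... and a non-compliant one carrying subject initials and a changed result.
BAD_TRANSFER = """STUDYID,SUBJID,INITIALS,VISIT,LBTEST,LBORRES
ST01,0042,M.K.,V1,GLUC,3.1
ST01,0042,M.K.,V2,GLUC,4.9
"""


def _row_digests(text: str, columns: list[str]) -> list[str]:
    """Hash every row over the spec columns only, so the comparison is
    independent of column order and of any extra columns."""
    digests = []
    for row in csv.DictReader(io.StringIO(text)):
        key = "|".join(row.get(c, "") for c in columns)
        digests.append(hashlib.sha256(key.encode()).hexdigest())
    return sorted(digests)


def check_transfer(transfer: str, source: str) -> dict:
    """Test a transfer file against the specification and the database."""
    present = set(next(csv.reader(io.StringIO(transfer))))
    findings = {
        "unexpected": sorted(present - set(TRANSFER_SPEC)),  # outside the spec
        "forbidden": sorted(present & FORBIDDEN),            # would reveal identity
        "missing": sorted(set(TRANSFER_SPEC) - present),
        "matches_source": _row_digests(transfer, TRANSFER_SPEC)
        == _row_digests(source, TRANSFER_SPEC),
    }
    findings["accept"] = (not findings["unexpected"] and not findings["forbidden"]
                          and not findings["missing"] and findings["matches_source"])
    return findings
```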
Important Considerations
Vendor Management & Lab Data Management
• Different standards should apply depending on the level of access.
• Vendors with access to the clinical database should meet international standards.
• A vendor facility audit should be conducted to ensure facility compliance, and data transfer and reporting specifications should be compliant with the respective regulatory guidelines.
• Personal identifiers should be redacted, and data should not contain any subject-specific information prior to submission to data management, e.g.: "Mr. Mike became unconscious due to hypoglycemia."
• If any deviation from or violation of the privacy policy is observed by the data management team, it should be addressed to the appropriate internal or external clinical site management team for corrective and preventive actions, or as per the organization’s SOPs/policies.
27
Important Considerations
Redaction (editing before presenting) of Personal Data
• Redaction is the act of appropriately editing text from a document before releasing the document to other personnel or departments. E.g.: "Mr. Mike became unconscious due to hypoglycemia" is changed to "Subject felt unconscious due to hypoglycemia".
• Organizations should have SOPs for redaction of personal data.
• Primary responsibility for redaction of personal data lies with the site or monitor; however, data managers should be mindful while performing data management activities to identify and rectify data privacy issues.
28
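The redaction step above, and the data management check that no identifier survived before a record is accepted (as the vendor slide requires), as an added example that is not part of the original slides. The honorific-plus-name pattern and the sample comments are constructed assumptions; a real SOP would define the identifier patterns for the study.

```python
import re

# Constructed sample free-text comments (not from any real study).
SAMPLE_COMMENTS = [
    "Mr. Mike became unconscious due to hypoglycemia.",
    "Mrs. Jane Smith reported a mild headache after dosing.",
    "Subject 0042 tolerated the dose well.",
]

# An honorific followed by one or more capitalised name tokens
# ("Mr. Mike", "Dr. Jane A. Smith"). A capitalised word that happens to
# follow a name is swallowed too, so flagged spans still need human review.
_HONORIFIC_NAME = re.compile(
    r"\b(?:Mr|Mrs|Ms|Miss|Dr|Prof)\.?\s+"
    r"(?:[A-Z][a-z]+|[A-Z]\.)(?:\s+(?:[A-Z][a-z]+|[A-Z]\.))*"
)
PLACEHOLDER = "Subject"


def find_identifiers(text: str) -> list[str]:
    """Return the spans that look like a named person, for the audit trail."""
    return [m.group(0) for m in _HONORIFIC_NAME.finditer(text)]


def redact(text: str) -> str:
    """Replace each named-person span with a neutral placeholder."""
    return _HONORIFIC_NAME.sub(PLACEHOLDER, text)


def redact_batch(comments: list[str]) -> list[dict]:
    """Redact each comment and record what was removed, so the data
    management team can verify that no identifier survived."""
    results = []
    for comment in comments:
        found = find_identifiers(comment)
        cleaned = redact(comment)
        results.append({
            "original": comment,
            "redacted": cleaned,
            "removed": found,
            # a second pass must find nothing, otherwise the record is rejected
            "clean": not find_identifiers(cleaned),
        })
    return results


if __name__ == "__main__":
    for row in redact_batch(SAMPLE_COMMENTS):
        print(row["redacted"], "| removed:", row["removed"])
```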
Global studies should adhere to the most restrictive regulations of the countries involved.
29
References
• International Conference on Harmonisation. Harmonised Tripartite Guideline for Good Clinical Practice. 2nd ed. London: Brookwood Medical Publications; 1996.
• European Parliament and Council of Europe. Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. Strasbourg, France: European Parliament and Council of Europe; 1995. Available at: http://ec.europa.eu/justice_home/fsj/privacy/law/index_en.htm. Accessed November 10, 2008.
• European Parliament and Council of Europe. Directive 2001/20/EC of the European Parliament and of the Council of 4 April 2001 on the approximation of the laws, regulations and administrative provisions of the Member States relating to the implementation of good clinical practice in the conduct of clinical trials on medicinal products for human use. Strasbourg, France: European Parliament and Council of Europe; 2001. Available at: http://ec.europa.eu/enterprise/pharmaceuticals/eudralex/vol1_en.htm. Accessed November 10, 2008.
• Antokol J. Protecting Personal Data in Global Clinical Research. The Monitor. 2008;22:57–60.
• Code of Federal Regulations, Title 45, Part 164.501, Uses and disclosures for which consent, an authorization, or opportunity to agree or object is not required. Washington DC: US Government Printing Office; 2002. Available at: http://www.access.gpo.gov/nara/cfr/waisidx_02/45cfr164_02.html. Accessed November 10, 2008.
30
THANK YOU!
Visit us on www.ancillarie.com
31
copyright © ancillarie 001- 31JAN2017