Data Protection

The European Data Protection Board (“Board”) released an opinion on January 23, 2019, on the intersection between the EU General Data Protection Regulation (“GDPR”) and the Clinical Trials Regulation (“CTR”).  The opinion considers a Q&A on this topic prepared by the European Commission’s Directorate General for Health.  The Directorate General decided to create this Q&A because of perceived contradictions between the GDPR and the CTR, in particular in relation to the legal basis (e.g., the use of consent) and the further use of clinical trial data. (See also here).
Continue Reading European Data Protection Board releases Guidance on Intersection of the GDPR and the Clinical Trials Regulation

The EU pharmaceutical industry landscape is in significant flux. There are many pressures to provide new therapies and to make them available earlier and to as many qualifying patients as possible. In that context, the industry model and the role of exclusivity rights as a tool to stimulate innovation are being discussed. At the same time, discovering and developing new products is more complex and requires a collaborative effort. This happens against the background of new rules on medical devices and the protection of personal data, which are, for instance, relevant in assessing clinical effectiveness and relying on real world evidence.

Three members of the Covington European Life Sciences team will be speaking on these topics at the EU Pharmaceutical Law Forum being held in Brussels on 16-18 May.
Continue Reading Exploring the EU Horizon for Pharma

Article originally posted on our sister blog InsidePrivacy

The Article 29 Data Protection Working Party (Working Party), an independent EU advisory body on data protection and privacy, responded to a request from the European Commission made in the framework of the Commission’s mHealth initiative to clarify the definition of data concerning health in relation to lifestyle and wellbeing apps.  (See more here, and here for our blog post on the European Commission’s Summary Report of the mHealth consultation.)

In its latest paper on health data in apps and devices, the Working Party supports a broad definition of health data, distinguishing the following three categories of health data:

  1. The data are inherently/clearly medical data, especially those generated in a professional, medical context.
  2. The data are raw sensor data that can be used in itself or in combination with other data to draw a conclusion about the actual health status or health risk of a person.
  3. Conclusions are drawn about a person’s health status or health risk (irrespective of whether these conclusions are accurate, legitimate or otherwise adequate or not).

Continue Reading Article 29 Working Party Clarifies Scope of Health Data in Apps and Devices

This post originally appeared on our sister blog, InsideMedicalDevices.

The UK Information Commissioner’s Office (ICO) has launched an informal survey of current practices relating to the use of data-enabled medical devices and apps.

The short and anonymous survey explores whether organisations have put in place specific policies and procedures, asset registers, IT security requirements for medical device procurement policies, information governance and incident response processes, and an “end of life” policy for defunct/decommissioned devices.
Continue Reading UK Data Protection Regulator Surveys Use Of Smart Medical Devices

By Helena Marttila-Bridge and Oliver Grazebrook

Earlier this month, the UK’s Information Commissioner’s Office (“ICO”) released statistics showing that over 25% of the 335 data breaches reported between 1 April 2013 and 30 June 2013 came from the health sector.  This comes as no surprise considering that the last 12 months have seen a string of widely reported data breaches in the health sector that have resulted in the ICO issuing fines.  For example, in July, NHS Surrey was fined £200,000 for selling a laptop containing confidential patient details on eBay.

One explanation for these high figures is the fact that the English health sector, unlike many other sectors, is subject to mandatory reporting obligations following data breaches.  These reporting obligations have recently been updated, and from June 2013 onwards all public health sector bodies as well as their processors processing health and adult social care personal data have been required to use the Information Governance Toolkit Incident Reporting Tool (the Guidance for which is available here) administered by the Department of Health (“DoH”) to report certain data breaches to the DoH and the ICO.  The Guidance contains a checklist intended to help healthcare organisations decide whether the data breach needs to be reported, based on factors such as the number of people and the sensitivity of the clinical data involved.
Continue Reading New ICO Statistics Show an Unhealthy Rise in Data Breaches in the Healthcare Sector

Privacy Impact Assessments (PIAs) or data protection impact assessments used to be discussed in the context of specific technologies or industry sectors (see, for instance, the European Commission’s recommendations in relation to applications supported by radio-frequency identification (RFID) and the development of smart grids). However, this situation is about to change. PIAs are increasingly being promoted by national data protection authorities as an element of controllers’ accountability and, more importantly, they also feature in the European Commission’s proposal for a new General Data Protection Regulation (see InsidePrivacy Vote on EU Data Protection Regulation Again Postponed, June 21, 2013).
Continue Reading Privacy Impact Assessments – Soon Compulsory for Companies in the Life Sciences Industry?

Since Apple launched the first iPhone in 2007, the popularity of smart phones and tablets has sky-rocketed.  These devices, with their sleek design, touch screens and easy access to a myriad of entertainment options, have fast become the preferred method of communication for executives.

In recent years, a growing number of companies have allowed employees to forgo the less glamorous and often outdated technology assigned by their IT department and instead access corporate emails and data on their personal devices – a practice known as “bring your own device” to work, or “BYOD”.
Continue Reading “Bring Your Own Device to Work” – Can Life Sciences Employers Safely Embrace the Trend?

In its recent Opinion 03/2013 on purpose limitation (the “Opinion”), the Article 29 Data Protection Working Party, an EU advisory body on data protection, comprised of representatives of the Member States’ supervisory authorities, the European Data Protection Supervisor and the European Commission, analyzes the principle of purpose limitation and provides guidance for its practical application.  The principle of purpose limitation is one of the key data protection principles of the EU Data Protection Directive, requiring that personal data be collected for:
Continue Reading What You Need to Know about the Article 29 Working Party’s Opinion on Purpose Limitation

By Helena Marttila-Bridge and Oliver Grazebrook

In recent years healthcare providers around the world have been looking into mobile health or “mHealth” solutions to increase productivity and reduce costs.  Examples of mHealth practices include the increased use of mobile devices by doctors and nurses to access and transmit patient health data and the use of mobile health apps by patients.

Earlier this year, the NHS published a report on mHealth, which shows the potential savings that could be achieved through the widespread adoption of mHealth applications.  According to the report, the trial use of mobile technology by a selection of UK hospitals showed an “improvement in general communication, improved access to clinical information and improved access to IT equipment.”  Importantly, users also showed a greater confidence in the security of the health data and an improvement in clinical safety due to the ready availability of up to date data.
Continue Reading The Rise of mHealth and Privacy Considerations

By Chris Bracebridge

In March 2013, the European Commission published preliminary results of its study of the top ten most burdensome EU laws for SMEs.  Employee-related legislation forms a significant part of that list, and is among the most costly and onerous.

The “top ten” study is part of an initiative — the Regulatory Fitness and Performance Program (REFIT) — launched by the Commission back in December 2012 to ease the regulatory burden on SMEs in Europe.  REFIT aims to scrutinize the European legislative and regulatory framework for gaps, burdens and inconsistencies in order to correct them.  The final results and any recommendations to improve and simplify existing legislation will be announced in June 2013.

In the employment context, the Commission is currently taking the following steps:
Continue Reading European Commission Set to Ease Regulatory Burden on SMEs: Key Implications for Life Sciences Employers