On October 22, 2018, the European Federation of Pharmaceutical Industries in cooperation with the Future of Privacy Forum and the Center for Information Policy Leadership organized a workshop entitled “Can GDPR Work for Health Research.” In the first session, the workshop discussed the implications of the General Data Protection Regulation
Continue Reading The Implications of the GDPR on Clinical Trials in Europe
Privacy & Data Security
Exploring the EU Horizon for Pharma
The EU pharmaceutical industry landscape is in significant flux. There are many pressures to provide new therapies and to make them available earlier and to as many qualifying patients as possible. In that context, the industry model and the role of exclusivity rights as a tool to stimulate innovation are being discussed. At the same time, discovering and developing new products is more complex and requires a collaborative effort. This happens against the background of new rules on medical devices and the protection of personal data, which are, for instance, relevant in assessing clinical effectiveness and relying on real world evidence.
Three members of the Covington European Life Sciences team will be speaking on these topics at the EU Pharmaceutical Law Forum being held in Brussels on 16-18th May.
Article 29 Working Party Clarifies Scope of Health Data in Apps and Devices
Article originally posted on our sister blog InsidePrivacy
The Article 29 Data Protection Working Party (Working Party), an independent EU advisory body on data protection and privacy, responded to a request from the European Commission made in the framework of the Commission’s mHealth initiative to clarify the definition of data concerning health in relation to lifestyle and wellbeing apps. (See more here, and here for our blog post on the European Commission’s Summary Report of the mHealth consultation.)
In its latest paper on health data in apps and devices, the Working Party supports a broad definition of health data, distinguishing the following three categories of health data:
- The data are inherently/clearly medical data, especially those generated in a professional, medical context.
- The data are raw sensor data that can be used in itself or in combination with other data to draw a conclusion about the actual health status or health risk of a person.
- Conclusions are drawn about a person’s health status or health risk (irrespective of whether these conclusions are accurate, legitimate or otherwise adequate or not).
EMA Transparency Policy – EMA Launches Public Consultation On The Publication Of Information Under The New EU Clinical Trials Regulation
On 21 January 2015, the European Medicines Agency (“EMA”) launched a public consultation on how the transparency rules of Regulation EU No 536/2014 (the “Clinical Trials Regulation”) should apply to the new clinical trials database. The consultation document of the EMA discusses the practical application of the new transparency rules, sets different options on the application of the exceptions to the disclosure of information, and invites stakeholders to comment.
Summary Report of European Commission’s mHealth Consultation Published
This post originally appeared on our sister blog, Covington eHealth.
The European Commission has finally published its summary of 211 responses to its mobile health (“mHealth”) consultation. The summary and original responses to the consultation have been made available on the Commission’s website at https://ec.europa.eu/digital-agenda/en/news/summary-report-public-consultation-green-paper-mobile-health
E-Health Take Note: Standards Published For Personal Data In The Cloud
The health sector handles substantial quantities of personal information, including information that is deemed to be “sensitive” under European data protection regimes. For that reason, health care providers sometimes question their ability to take advantage of increasingly popular e-health cloud services. While EU lawmakers are contemplating a “European Privacy Seal” – which could, if done properly, be useful for would-be cloud customers to assess the robustness of a cloud provider’s data protection measures – a leaked EU Council document revealed that discussions over the scheme are floundering. We therefore learnt with interest from our colleagues at the InsidePrivacy blog that the International Standards Organization (ISO) and the International Electrotechnical Commission (IEC) jointly adopted a new standard this summer governing the processing of personal data in the cloud — ISO/IEC 27018 (“ISO 27018”).
New ICO Statistics Show an Unhealthy Rise in Data breaches in the Healthcare Sector
By Helena Marttila-Bridge and Oliver Grazebrook
Earlier this month, the UK’s Information Commissioner’s Office (“ICO”) released statistics showing that over 25% of the 335 data breaches reported between 1 April 2013 and 30 June 2013 came from the health sector. This comes as no surprise considering that the last 12 months have seen a string of widely reported data breaches in the health sector that have resulted in the ICO issuing fines. For example, in July, NHS Surrey was fined £200,000 for selling a laptop containing confidential patient details over eBay.
One explanation for these high figures is the fact that the English health sector, unlike many other sectors, is subject to mandatory reporting obligations following data breaches. These reporting obligations have recently been updated, and from June 2013 onwards all public health sector bodies as well as their processors processing health and adult social care personal data have been required to use the Information Governance Toolkit Incident Reporting Tool (the Guidance for which is available here) administered by the Department of Health (“DoH”) to report certain data breaches to the DoH and the ICO. The Guidance contains a checklist intended to help healthcare organisations decide whether the data breach needs to be reported, based on factors such as the number of people and the sensitivity of the clinical data involved.
Privacy Impact Assessments – Soon Compulsory for Companies in the Life Sciences Industry?
Privacy Impact Assessments (PIAs) or data protection impact assessments used to be discussed in the context of specific technologies or industry sectors (see, for instance, the European Commission’s recommendations in relation to applications supported by radio-frequency identification (RFID) and the development of smart grids). However, this situation is about to change. PIAs are increasingly being promoted by national data protection authorities as an element of controllers’ accountability and more importantly they also feature in the European Commission’s proposal for a new General Data Protection Regulation (see InsidePrivacy Vote on EU Data Protection Regulation Again Postponed, June 21, 2013).
Commission Issues Recommendations Aiming to Improve Costly Employee-Related Legislation for SMEs
As reported in an earlier post, the European Commission (EC) is conducting a study of the top ten most burdensome EU laws for SMEs. This is part of an initiative – the Regulatory Fitness and Performance Programme (REFIT) – launched by the Commission in 2012 to ease the regulatory burden on SMEs in Europe. On 18 June 2013, the European Commission (EC) published the final results of its study and issued a number of recommendations to improve and simplify existing legislation, including onerous and costly employee-related legislation. The Commission recommendations in the employment context include:
“Bring Your Own Device to Work” – Can Life Sciences Employers Safely Embrace the Trend?
Since Apple launched the first iPhone in 2007, the popularity of smart phones and tablets has sky-rocketed. These devices, with their sleek design, touch screens and easy access to a myriad of entertainment options, have fast become the preferred method of communication for executives.
In recent years, a growing number of companies have allowed employees to forgo the less glamorous and often outdated technology assigned by their IT department and instead access corporate emails and data on their personal devices – a practice known as “bring your own device” to work, or “BYOD”.